December 07 2022
The Net is Cast

“Congratulations, you have just won a million!” Does it sound familiar to you? If not – congrats – you are one of the few lucky ones who have never faced the cyber attack called phishing.

By Austėja Obolevičiūtė and Lucia Brozmannová

Yet beware: even the smartest person on Earth can become a victim of a phishing attack. Or at least that’s what experienced cyber security specialist Renata Danieliene says.

“Whether I’m a student or a president – I can become a victim of a phishing attack”, says Danieliene.

So, when your luck is on its well-deserved vacation, it is very useful to know how phishing attacks work and how to repel them. 

But can phishing really be that dangerous? What can one risk when pushing the button in the pursuit of claiming their “won a million”? Let’s find out.

Phishing the world

Phishing is a wicked phenomenon because it has no boundaries between neighborhoods, cities, countries or continents. That’s right – the same phishing attacks can appear and try to deceive people on multiple screens all over the world. For example, despite being far from each other, Slovakia and Lithuania share very similar experiences with phishing scams.

In 2021 alone there were 1,187 registered phishing cases in Lithuania. Presumably, even more people experienced a cyber attack but did not report it. The Cyber Security Report shows that in 2021, up to 432,000 cases of attempts to “obtain information” (such as phishing) were registered in Slovakia. According to the National Security Office, this is one of the most frequent attacks.

To gain a better insight into how people fall prey to scammers, we asked a well-known Lithuanian cyber security specialist, Dr. Renata Danieliene, who is also the executive director of VšĮ “Information Technologies Institute”, and Slovakian cyber security expert Matej Spišák to guide us through.

“Phishing is a fraud done by using internet tools”, explains Dr. Renata Danieliene. And while phishing describes a fraud, the term itself is a very clever word play. 

“It’s because it sounds very similar to fishing. Fishing is the act of casting a certain bait and aiming to catch a fish, in this case, meaning to catch a victim who will give the information”, Danieliene describes.

Due to such attacks, victims get their data leaked, experience financial loss and can even lose important personal files, projects and business customer information. Companies suffer a reputation loss, which directly leads to a loss of customers as well. 

What does not bring joy either – phishing is evolving fast, as the fish (us) gets harder and harder to catch. 

“If scammers didn’t evolve, we’d all probably be able to recognize most of those attacks and not fall for them. However, they do improve and adapt to various events, such as war, pandemic, data protection law and similar”, says Danieliene. 

Dr. Renata Danieliene

Different range of hooks

As phishing is cyber fishing, it also needs different hooks for different prey. 

The Lithuanian expert says that some hooks are cheap and are intended for a wide range of possible victims, others cost more, but can help to catch a more refined, “selected fish”.

“Whether it would be about a prince with a million, receiving an inheritance, or writing to you that some of your systems are down, or that, for example, your email box is overflowing and you need to click on a link to unblock your mailbox – there is no difference. It is just a very cheap way”, Danieliene points out. 

An example of a general phishing attack

Yet she adds: “When a scammer sends the same letter to many people, the chances of someone taking the bait are high.”  

Such an attack was observed by Diana (name changed at her request). Luckily, she was able to identify it in time. It was an advertisement purporting to be from the Slovak Post office, which was being spread through social networks – an offer to win some undelivered parcels after typing in her personal data.

In this case, cyber security expert Matej Spišák draws attention to too-good-to-be-true offers.

“It is unlikely that an institution such as the post office would give out free packages that it failed to deliver”, he said.

Phishing Attacks  Source: Shutterstock

If you find this bait easy to recognize, don’t be so laid back yet – there are many more types of attacks that aim at the selected fish. Ms Danieliene calls those “the targeted attacks”. 

“The fraudster gathers more specific information about that person, finds out what he does, what his hobbies are, what his character is. And after that they can attack either the same person, purposefully, by writing with a certain context, or they can try to hack the people from his environment, knowing how he behaves and what he writes, how he communicates”, Danieliene stresses.

One victim of such an attack was a Slovakian woman named Anna (name changed at her request). Anna registered on Vinted, an online bazaar where users sell, buy and exchange things. After a few hours, she received an email saying that someone had bought one of her items of clothing. “It was my first sale and I didn’t know how the site worked.”

Anna clicked on the “confirm sale” button in the email and was then redirected to a website. There was a request to enter data from her payment card, including information on how much money she had in the account.

“They explained that they need this data to verify the validity of the card. I didn’t realize that it doesn’t work like that and I filled in the data”, Anna remembers.

An example of a targeted phishing attack

Her money disappeared from the bank. Immediately after that she started looking for information on the Internet. When she found out that she had become the victim of a fraud, she called the bank to block her card.

Renata Danieliene says that even though people are quick to judge others, sometimes these scams are very hard to recognize.

“It looks very funny until you get it yourself. I caught myself when I got a message that said: look…click…did you hear what someone is saying about you? Click the link and you will see! And you just suddenly stop at that moment, that… Here is the pure message of scammers. And your colleague sends it”, shares Danieliene. 

The expert also notes that people naturally tend to trust authorities without questioning. “People indicated that they would fulfill the instructions sent by a colleague, manager or boss, even if that instruction or request seemed very strange. Because a colleague asks. Because the manager asks”, says Danieliene. 

The cyber experts from Slovakia and Lithuania highlight some clues suggesting a possible scam:

  • A very tempting prize or an offer that just “cannot be refused”
  • A threatening message (for example – “click on that link to update your bank information, otherwise your account will be restricted”)
  • A suspicious sender
  • Informal email addresses, especially without the last name (always compare the link you received with the original link of the site)
  • Weak language – grammatical errors and typos
  • The sense of urgency (you only have one hour to get it!!!)
  • Time informing about the expiration of the offer

Fish memory

According to Matej Spišák, scammers often take advantage of people’s inattention.

“In critical situations, a person often turns off rational thinking, is overwhelmed by emotions and isn’t so prudent. Phishing attacks are more common during holidays, when people are waiting for the various packages they ordered. That’s when attackers take advantage of people’s trust and lack of attention”, the expert says.

Additionally, fraudsters often try to exploit the person’s current circumstances.

“I meet a person on the street, he says: I am a representative of some company and I am filling out a questionnaire. Would I answer him? Probably would not. But if he cunningly starts to circumvent, then maybe the person will give up. For example, if he sees that I’m in a hurry, or something has happened to me, he can use my emotions again”, explains Danieliene. 

Danieliene also stresses that in order to stay safe, it is vital to refresh one’s knowledge.

“People tend to forget some information and need to update their memory regularly. So that they would remember and stay cautious”, says Danieliene, who herself conducts various cyber security training.

Because people become less wary over time and tend to forget important information, some companies have come up with a clever way to support training, evaluate its effectiveness and keep their staff vigilant.

“I know of such an organization abroad, where when phishing emails are sent to the employees, if an employee clicks on a link, he must attend training. And in some cases even to take tests with certificates. Training this way is probably more effective”, shares Danieliene.

A Lithuanian example of a “double payment” phishing attack

Here is a list of tips from the experts on how to stay safe in a lake full of phishing rods:

  • The safest way to keep uninvited guests out of your account is to additionally enable multi-factor authentication
  • Renew your knowledge on cyber security once in a while
  • Slow down and think about the possible outcomes
  • Extend your protection by using anti-virus and anti-phishing tools
  • Do not click on suspicious too-good-to-be-true offers
  • Do not trust the offers that rush you to click urgently
  • Always check the original site before clicking on the ad or typing in your personal data
  • Do not provide your bank or personal details on an unofficial site

Paranoid fish – safe fish? 

All this is true, but wouldn’t such precaution mean that we have to become paranoid about every letter, call or ad we spot? The answer to this is “better safe than sorry”.

On this point, Ms Renata shares an interesting analogy: “If we go out into the street, is there such a threat that we will get hit by a car? This is the same threat that we will take the bait of fraudsters. But if we know that we have to look both ways before crossing the road safely, we also have to know certain things, and then that fraudster probably won’t be able to deceive us.”

That being said, if we know how to protect ourselves better, it might come in handy in many situations. 

So, is the perfect way to stay safe – staying cautious and protecting your own data by not sharing it with others? The answer is a tricky one. 

“Yes, although, on the other hand, as we see, various attacks take place – we are not protected from someone stealing our data. There were certain cases, especially last year, a number of cyber incidents in Lithuania, when data was leaked”, says Danieliene.

So what to do if this happens? According to both experts, these are some things to consider: 

  • If I lose my bank details, it is necessary to contact the bank and ask for my transaction and the card to be blocked
  • If it is already too late and the bank cannot help, contact the police
  • In case of social networks, contact the administrator to verify that you are the real owner of the account
  • If it is an email sent on behalf of a specific company, inform the company that someone is impersonating them
  • Share information on social media to inform others about an ongoing attack, so that people could avoid it
  • If your data was leaked, change your passwords and never use them again
  • Always have a back-up copy of important files, update it once in a while. This way, you can minimize the damage if someone hacks the device
  • Communicate about the scam and report the incident to the authorities 

For additional tips on how to stay safe, Dr Renata Danieliene recommends browsing the “CyberPhish” project.

This article is part of the International Journalism Lab initiated by Media4Change. The laboratory is part of the project “Digital MIL Lab in Youth Work”. The project is financed under the Erasmus+ program of the European Union.

The authors of the project articles do not coordinate the topics and content of the articles with the sponsors of the project.