WHAT IS PHISHING AND HOW TO PROTECT YOURSELF AGAINST IT?
Karolina Obszyńska, Aug 24, 2023
Definition of Phishing
What is phishing? This term refers to a fraudulent technique employed by cybercriminals to extract users' confidential data. This includes information such as:
logins and passwords for various services,
debit card numbers,
PESEL numbers (Polish national identification number),
birthdates,
first and last names,
addresses,
company account passwords,
confidential data related to business operations,
authentication data for internal company systems - cybercriminals targeting companies might attempt to extract authentication information for internal systems, such as administrative panels, order management systems, warehouses, etc., in order to intercept sensitive data.
The term "phishing" is reminiscent of "fishing," and just like anglers use bait, cybercriminals utilize special "lures" - usually in the form of fake emails, SMS messages, or entire websites masquerading as reputable brands and institutions like banks or telecommunications companies.
Crafted messages are designed to encourage potential victims to click on a link within the message. This link often directs them to a website controlled by fraudsters. At first glance, this site usually appears almost identical to the real website of a genuine company or institution, but in reality, it's a trap. If a user visiting such a "trap page" provides their sensitive data, such as business-related information, it can lead to serious consequences.
Types of Phishing
Phishing takes many forms. The methods cybercriminals use most often include:
Email phishing: This is the most popular form of attack. It involves cybercriminals sending fake emails where they impersonate reputable companies or institutions. The email typically requests the user to provide confidential information, such as login details for company systems or credit card numbers.
Spear phishing: A more advanced form of attack, often preceded by a thorough analysis of information about the potential victim. Based on gathered data, cybercriminals create personalized messages tailored to each victim, making the attempt to extract data more convincing.
Whaling: This type of phishing targets high-level individuals within an organization, such as executives, directors, or department heads. The attack involves impersonating, for example, business partners. The unsuspecting victim might download malicious software that compromises their device.
Pharming: This technique involves attackers altering legitimate URLs to fake ones. Users are redirected to fake websites that resemble the original ones.
Smishing: A type of phishing that uses SMS messages. These messages encourage recipients to click on malicious links.
Vishing: A form of phishing carried out through phone calls. In this scenario, attackers impersonate employees of companies, financial institutions, or organizations to extract various forms of data from victims.
Protecting Your Company Against Phishing Attacks
Investing in cybersecurity should be a top priority for any medium to large-sized e-commerce company. To achieve this, regular training sessions should be conducted for all employees so they know how to act to minimize the risk of falling victim to a phishing attack.
The most important methods to enhance a company's cybersecurity and protect against phishing attacks include:
Securing the company network properly.
Avoiding clicking on suspicious links.
Ensuring database security.
Establishing a backup system.
Creating a secure remote connection to the company server.
Continuous network monitoring.
Implementing strong passwords.
Introducing two-factor authentication.
Filtering and thorough email message verification.
Regular software updates.
Verifying the sources of messages.
Reacting swiftly.
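Two of the measures above, filtering email messages and verifying where a link really points, can be partly automated. The script below is an added example written for this article, not code from the author or from any product she mentions. It assumes (an assumption, not something the article states) that the organisation keeps a short allowlist of the brand domains it legitimately links to; every URL in a message body is then classified as trusted, external, or a lookalike of a trusted domain. The lookalike check covers the three tricks described in the "trap page" paragraph: digit-for-letter substitutions (examp1e-bank), one-character edits (exampel-bank), and the trusted brand name placed as a subdomain of an unrelated registrable domain (example-bank.com.secure-login.net). All domain names and the sample email are constructed for the example.

```python
"""Classify links in an e-mail body against an allowlist of trusted brand domains.

Added example for illustration; the allowlist, thresholds and sample message are
constructed assumptions, not data from the article.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List
from urllib.parse import urlparse

# Domains the organisation legitimately links to (constructed sample allowlist).
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Digits attackers commonly substitute for letters; mapped back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Similarity above which two domain labels are treated as a one-character edit apart.
SIMILARITY_THRESHOLD = 0.85

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. login.example.com -> example.com.

    Cutting at two labels is a simplification: production code should consult the
    Public Suffix List so that hosts under suffixes such as co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(candidate: str, trusted: str) -> bool:
    """Heuristic: does the candidate registrable domain imitate the trusted one?"""
    if candidate == trusted:
        return False
    cand_label = candidate.split(".")[0].translate(HOMOGLYPHS)
    trusted_label = trusted.split(".")[0]
    # Same label after homoglyph normalisation, or the brand embedded in a longer label.
    if cand_label == trusted_label or trusted_label in cand_label:
        return True
    # Near match: catches single insertions, deletions and transpositions.
    return SequenceMatcher(None, cand_label, trusted_label).ratio() >= SIMILARITY_THRESHOLD


def classify_url(url: str) -> Dict[str, str]:
    """Return a verdict ('trusted', 'lookalike' or 'external') with a short reason."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return {"url": url, "verdict": "trusted", "reason": domain}
    for trusted in TRUSTED_DOMAINS:
        if looks_like(domain, trusted):
            return {"url": url, "verdict": "lookalike", "reason": f"{domain} imitates {trusted}"}
        brand = trusted.split(".")[0]
        # Brand name used as a subdomain label of some other registrable domain.
        if brand in host.lower().split(".")[:-2]:
            return {"url": url, "verdict": "lookalike",
                    "reason": f"{brand} appears as a subdomain of {domain}"}
    return {"url": url, "verdict": "external", "reason": domain}


def scan_email_body(body: str) -> List[Dict[str, str]]:
    """Extract every http(s) URL from a message body and classify it."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return [classify_url(u) for u in urls]


# Constructed sample message in the style of a phishing email (not a real message).
SAMPLE_EMAIL = """Dear customer,
Your account will be locked. Log in at https://login.example-bank.com/account or
confirm your identity here: http://examp1e-bank.com/verify
Alternative link: https://example-bank.com.secure-login.net/reset
Documentation: https://docs.python.org/3/
"""

if __name__ == "__main__":
    for result in scan_email_body(SAMPLE_EMAIL):
        print(f"{result['verdict']:9} {result['url']}  ({result['reason']})")
```

Running the script on the sample message reports the first link as trusted, the next two as lookalikes, and the last as a plain external link. A mail gateway would typically quarantine or tag messages containing lookalike verdicts and let external links through, since an allowlist of trusted brands cannot enumerate every legitimate site; the registrable-domain cut and the similarity threshold are the two places to tune when extending this to real traffic.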
Legal Consequences of Phishing in Poland
What penalties can cybercriminals face for using phishing techniques? Which legal norms apply, and what are the penalties? It turns out that the Polish Penal Code does not define a separate offense called "phishing."
Currently, individuals who engage in such activities are prosecuted under Article 287 of the Penal Code, which addresses "computer fraud." It states that "whoever, without authorization, interferes with automatic data processing, collection, or transmission of computer data, or modifies, deletes, or enters new computer data records in order to gain financial benefit or cause damage to another person, shall be subject to imprisonment for a term of between 3 months and 5 years." For less severe offenses, the court may impose a fine or restriction of liberty for up to one year.