Phishing attacks have increased exponentially in recent years, and the term "phishing" has become tremendously popular as a result. Not a day goes by that we don't wake up to news about a phishing attempt against companies or anonymous citizens through increasingly imaginative mechanisms.
The objective is always to get the victim to carry out an action that allows the cybercriminal to obtain some kind of benefit, be it in the form of an economic transaction, access to information or control of computer systems.
Starting from this premise, the victim's action becomes one of the key steps when a phishing attack achieves its objective. For this reason, the strategies used by cybercriminals make use of techniques that are increasingly imaginative.
Users' suspicion of links that appear in emails has led cybercriminals to resort to alternative mechanisms to gain the trust of their victims.
Phishing techniques have been detected that make use of Google search recommendations pointing to deliberately crafted websites that have previously achieved high suitability ratings using SEO techniques.
Exclusive encrypted information for the recipient
The victim's mistrust is combated by exploiting precisely their concern for trust.
From here, cybercriminals try to convince their victims by offering access to resources that are apparently encrypted and customized for them. In this way, recipients perceive a false sense of security.
What is usual in these attacks is that, through an email, the criminal convinces the victim, for example, that a file contains encrypted confidential information and that only they can decrypt it by entering their username and password.
MFA for undefined uses
The use of double authentication mechanisms is increasingly widespread. The financial sector, for example, uses it on a regular basis to comply with the European PSD2 regulation. But it is not the only one. More and more, email accounts, commercial applications and even social networks implement double authentication mechanisms that reduce the risk that password theft can entail.
There are many examples of phishing that abuses these mechanisms. One of the most obvious is a message indicating that an email account or a bank account has been blocked. The victim is then asked to provide the verification code that will be sent to them, as proof of identity, in order to unlock the account. Immediately afterwards, the victim will receive a verification code, sent by the real service that the cybercriminal wants to access, which the user may then provide to the criminal. The end result is known to all.
Surely we could extend the list of phishing attack techniques as long as we like, but they will all have a common denominator: social engineering will play a leading role during the process. In fact, it is a key element, and one that can only be combated through the continuous awareness of the users themselves.