Phishing: Do not take the bait

Cybercriminals use fake emails or phone calls in order to collect company information, personal data, or login credentials to be used for gaining unauthorized access to computers or applications. Once they are in, they try to obtain confidential information, sell the login credentials and/or sensitive information, or gain profit – for example via ransomware.

To extract information or to convince the victim to do something in their favour, cybercriminals will play on something the victim believes into or impersonate a trusted person by playing on authority, a sense of urgency, or by leveraging on human instinct to help each other out.

Email phishing

The classic type of phishing is through email. Cybercriminals send an email which appears legitimate asking the victim to open an attached file or to click on a link. The attachment usually downloads a malware and installs it on the victim’s computer or mobile phone. The link redirects to a website, which at first time seems unharmful but in reality is trying to steal sensitive information, like credentials and password in order to gain access to an organisation’s accounts or its collaborators’, social, personal and/or banking accounts. Clicking on a link could also trigger an automatic download of a malicious software (a malware) into the device.

Phone phishing (and smishing)

Another type of phishing also used nowadays is the phishing through phone. Either by sending an SMS (which is called smishing) or through a phone call, the ultimate goal remains the same: cybercriminals will try to get access to an organisation’s information and/or to its collaborators’ personal accounts and misuse them. Through text, they can send a link and lure the victim into clicking on it to enter credentials and password. Through call, they can try to manipulate the victim in order to get personal information and use them later to access their professional, social media and bank accounts or other personal information.

Several techniques are used by cybercriminals to make sure their victim opens the wrong attachment or click on the wrong link. A few tips are gathered in this article to help avoid getting scammed by a phishing attempt. The main questions collaborators should ask themselves are the following:

• Is it unexpected?

You received a message for no reason: you did not buy anything, have not had contact with them for a long time, etc. Investigate further.

• Is it urgent?

Stay calm: did you really get a first reminder to pay? Do you know that 'friend in need'?

• Do you know the person who sent the e-mail?

Check the e-mail address, and also check for spelling errors. However, beware: a legitimate e-mail address is no guarantee.

• Do you find the request strange?

An official body will never ask you for your password, bank details or personal details via e-mail, SMS or over the telephone.

• Where does the link you need to click on lead to?

Hover over the link with your mouse. Is the domain name, the word before “.be”, “.com”, “.eu”, “.org”, etc. and before the very first slash "/", really the organization’s name?

An example:

• For the link www.safeonweb.be/tips, the domain is safeonweb.
• For the link www.safeonweb.tips.be/safeonweb, 'tips' is the domain and you are redirected to another website.
• Is there a QR code in the message?

If a QR code is shown, check carefully which website it refers to. When you scan the code, you will see the url. Check the domain as described above.

• Are you being personally addressed?

Be wary of messages using general and vague titles, or your e-mail address to address you.

• Does the message contain many linguistic errors?

Although seasoned cybercriminals tend to use language correctly, language errors or a foreign language can indicate a suspicious message.

• Is the message in your Spam / Junk folder?

If so, be extra careful. You can also mark suspicious messages as Spam or Junk to warn others.

• Is someone trying to make you curious?

Everyone would be curious about messages with a link reading "Look what I read about you ..." or "Are you in this picture?", but do not be tricked.

• Are you asked to make a payment?

If you are asked to make a payment that you are not expecting, always be careful. Is the account number the same number you usually use to pay that organisation or person? If not, do not make the payment. Often phishing emails use foreign account numbers or ask to make payments through a crypto wallet. This is suspicious.

If you are in doubt about a payment, check with your bank first, or with the organisation claiming the payment by contacting them. Do not do this through the contact details in the mail, but go directly to the website of the organisation itself.

How to react to a phishing email?

1. Do not reply to it, do not open any attachment and do not click on the links
   The most important thing to do when getting a phishing email or text is to not follow-up on it.
2. Reach out directly to the sender
   If after all the tips given, you still cannot tell if it is a phishing email or not, check directly with the person involved via a different mean. If the email sender seems to be a colleague, a client or a provider, call that person to see if they really need your help on something. If it is from another organisation, check their official website entering their official address yourself in the address bar.
3. Never share bank information requested via text or email
   Keep in mind that no banks will ever provide a direct link to log into a bank account via text or email, and they will never ask for pin or secret codes, whether in writing, or by phone.
4. Report the phishing attempt and delete the email/text
   The phishing email or text should be reported to the IT responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and immediately deleted. When a message is already in the Spam folder, it should definitely not be trusted.

What to do if you get scammed?

1. Report the incident immediately to your IT responsible.
2. Warn your collaborators, client and providers that they might be getting a message from someone impersonating you but that they should not trust it.  
3. Change all the passwords that were given (if any) on all the accounts they are being used.  
4. If the scam was about bank details and you notice that money was stolen from your account, file a complaint with the police.  
5. Immediately call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.
6. Scan your device: We recommend that you carry out a scan of your computer to make sure there are no viruses installed.