What is phishing and why is it called that? That’s a pretty easy one, really: The act of stealing someone’s credentials is sort of like fishing in water. There’s a group of targets, bait that is known to be of interest to them and a pretty good chance of at least catching something, even if it’s not the original meal you were after.

Fishermen adjust the bait and tackle they use depending on the situation. They don’t use the same tactics at a farm pond and for deep sea fishing. Similarly, cybercriminals typically use different bait and exploits depending on what they’re after. They might be looking for login credentials, credit card numbers or medical information.

Gone Phishing

In past decades, most attacks were carried out by hobbyists and malcontents trying to see what they could get away with. They mostly wanted to prove they could actually perform an exploit — for bragging rights, if you will. Today, we’re dealing with professional bad guys who work 9 a.m. to 5 p.m. with the primary goal of separating you from your information, and often your money. The value of whatever they’re after will determine just how serious they are and how much effort they put into catching you up in their nets.

The typical phishing attack aims to steal credentials that can be used to log in to other sites. In other words, they want your bank site logins, your investment account ID and password, even your game site ID if that game has something that can be traded for real cash.

Attackers use various sets of emails or IDs stolen in larger scams or breaches. For example, if fraudsters get their hands on the credentials of a company admin, that company’s entire user list of emails and other information may be put up for sale on the black market.

The More You Gnome

Let’s say that there is a set of emails known to be stolen from a company that makes lawn chairs. Maybe an attacker wants to get contact data from people that buy lawn chairs because he knows that they tend to have accounts on another site that sells garden gnomes. Our guy really likes gnomes.

The bad guy makes up an email that tells people who bought lawn chairs that their garden gnome account has been compromised and they need to log in again to change their password. He’ll even give them a fake link to the garden gnome password reset webpage. If the lawn chair buyers click on the link, they go to a page that lets them enter their ID and password to reset it.

Of course, the fake site will just error out and tell them to try again later. However, our bad guy now has their gnome IDs and passwords, and can have little humanoid garden ornaments sent to his house on the victims’ dime.

Since many people use the same credentials for multiple accounts, fraudsters can use stolen information to log in to everything from banks and credit unions to gnome stores and social media accounts. Some even use the same user ID and password for their checking account that they use to log in to Facebook. Bad idea!

It’s Nothing Personal

Don’t click on every link you see in an email. If a bank sends you a notice to respond by clicking on something, don’t do it. Type the bank site name into your browser and control how you get to the site. Then examine the page to see if there is really a message on which you need to act.
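The gnome email above works because the link the victim sees is not the link they actually visit. The following added example (not code from the original post) shows the kind of check a mail filter, or a careful reader with a saved copy of the message, can run over an HTML email body: it extracts every anchor, compares the host named in the visible link text with the host the href really points to, and flags any destination that is not on an allowlist of domains the brand is known to use. The domains gnomes.example and gnome-account-reset.example.net and the sample email are constructed for illustration.

```python
"""Flag deceptive links in an HTML email body (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercased hostname of a URL or bare domain ('' if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_subdomain_of(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, trusted_domains):
    """Return a list of findings, one per anchor that fails either check.

    Check 1: the href host must belong to one of the trusted domains.
    Check 2: if the visible text looks like a URL or domain, the host it names
             must agree with the host the href actually points to.
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        reasons = []
        if not any(is_subdomain_of(href_host, d) for d in trusted_domains):
            reasons.append("host not in trusted domains")
        looks_like_url = "." in text and " " not in text
        text_host = host_of(text) if looks_like_url else ""
        if text_host and not (is_subdomain_of(href_host, text_host)
                              or is_subdomain_of(text_host, href_host)):
            reasons.append("visible text names a different host")
        if reasons:
            findings.append({"href": href, "text": text,
                             "host": href_host, "reasons": reasons})
    return findings


# Constructed sample: the "your gnome account was compromised" lure.
SAMPLE_EMAIL = """
<p>Your garden gnome account has been compromised.</p>
<p>Please <a href="http://gnome-account-reset.example.net/login">log in again</a>
to change your password, or visit
<a href="http://198.51.100.23/reset">https://www.gnomes.example/reset</a>.</p>
<p>Questions? See <a href="https://help.gnomes.example/">our help center</a>.</p>
"""

# Domains the (constructed) gnome shop legitimately uses.
TRUSTED_DOMAINS = ["gnomes.example"]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{finding['href']!r} shown as {finding['text']!r}: "
              + "; ".join(finding["reasons"]))
```

The allowlist is the part that does the real work: a lookalike domain can be arbitrarily convincing to a human, but it is never equal to, or a subdomain of, the domain you already trust. That is also the reasoning behind typing the bank's address yourself instead of following the link.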

Don’t reuse passwords! This is a biggie. If you happen to get phished through one site, don’t make it easy for them to use that ID and the password all over the world. Be suspicious; if someone you know sends you an email asking for help or money, contact them in another way to verify.

Unfortunately, the big takeaway here is that bad guys are, in fact, out to get you. It’s typically nothing personal — you’re just one email address in a list of millions of users.
