Welcome to Phishing Scams Overview, brought to you by IBM. In this video, we'll learn about the history of phishing scams, we'll learn about how they're conducted, and why they're so effective. Let's get started.

Phishing, also known as brand spoofing or carding, is a term used to describe various scams that use primarily fraudulent e-mail messages sent by criminals to trick you into divulging personal information. The criminals use this information to steal your identity, rob your bank account, or take over your computer.

Before we go breaking down what phishing scams are and how they impact us, it's good to know where we started. So phishing comes from the analogy that the internet scammers are using e-mail lures to fish for passwords and financial data from the sea of internet users. It was first used by hackers to describe stealing America Online accounts by acquiring their usernames and passwords. Now, while most are done with e-mail, some scams are using instant messaging, fake news bulletins, and social communities like social media, to fool users into divulging personal information.

While the term phishing gets thrown around quite a bit, it's actually being used in the general sense. When you look into it, there are actually multiple different types of phishing attacks or phishing scams. First, it's what we defined in the beginning of this video and what we use in a general sense, phishing, the attempt to get information from end-users by some deceit or call to action, something of that which we will get into later. But there's also spear phishing, which is actually something that is not done on a mass distribution hoping to catch something. It's a targeted attack to a specific user or group. Then by extension, whaling is specifically spear phishing for high executive levels that would have the most access to any given information, think the C-level executives at any given company.
So with that in mind, let's talk about why it's so impactful, and then we'll go from there. So here's how it works. A variety of tactics are used to make the recipient of the e-mail believe that they have received the phishing e-mail from a legitimate user or domain, including using a message "from" address that looks very close to the legitimate addresses they're used to seeing, or there could be an alarm, a financial lure, or otherwise attractive situation, which we'll expand on in the next slide, that either makes the recipient panic or tempts them into taking action, or they could be sending an e-mail using a legitimate account holder's software or credentials. So if the source or the domain was hacked and somebody was acting as a man in the middle, you would have no way of knowing it was somebody getting your information because you thought it was legitimate.

But let's expand into those types of triggers or alarms or lures that so many people fall for. So here's how they get you. There are a lot of tactics threat actors will use to lure you into taking action. Here's a list of some of their most common strategies. I am betting that many of you have experienced or received these in your inbox multiple times.

So number one, they say they've noticed some suspicious activity or login attempts. This is very common coming from service providers, something like Netflix, or your bank, or your university, something that you log in to routinely. You'll get a spoofed e-mail saying, "Hey, we noticed some suspicious activity, please log in to validate," thus giving up your credentials. The second one, claim there's a problem with your account or your payment information. This is something where companies that often handle recurring payments, they can pose as them, or as your credit card, saying that something didn't go through, or your bank. The third one, that you must confirm some personal information. This is very broad, it can be used in a lot of different contexts.
The next one is including a fake invoice. So this is something where generally, it would go hand in hand with a little bit of social engineering. When somebody finds that you're partaking in a service or attend something regularly and they're able to create a fake invoice to e-mail you for you to give up not only your personal identifying information, but your financial information as well. The next one is wanting you to click on a link to make a payment, this is literally just capturing your credit card data. So a big one back in the day was PayPal. They sent a lot of links out or there were a lot of phishing scams impersonating or spoofing PayPal. I personally fell for this one back in college and I remember it vividly. The next one, they say you're eligible to register for a government refund. This is particularly topical as COVID-19 put the world in a recession, and here in the United States, there were stimulus checks that were issued out. The bad actors are taking advantage of that, sending phishing e-mails, telling people that they need to register on the fake government website to be able to get their check, and thus giving up their information. The last one is offering a coupon for free stuff, because let's be real, we all like free stuff.

So what happens? So these are just some of the most common ways, there are hundreds, and they come in all shapes and sizes. The best thing we can do is educate ourselves and be vigilant.

Phishing scams are so effective because spoofed domains can be difficult for users to visually discern. Often, they mirror legitimate domains used by the impersonated company. An authentic-looking website can help convince any user to divulge personal data on a malicious website if it resembles the original closely enough. In an IBM study, they looked at the top 10 spoofed brands out there. Google, far and away, the largest spoofed company.
Largely, people think of Gmail, their e-mail service, and people trying to get their credentials for those. YouTube, which is also technically a Google company, followed by Apple, Amazon, Spotify, Netflix, Microsoft, Facebook, Instagram, and WhatsApp. So you can see all of these, they're services, they are social media, they're things that we actively engage in on a day-to-day basis. It lends to the sense of urgency to want to get these things taken care of because they carry a certain weight in our lives.

Outside of bad actors becoming more and more convincing with the e-mails and the companies that they're spoofing and the websites that they're creating, but they're now deceiving what we've always known to be true, which is that the HTTPS, in which the S is for secure, it used to be what we use to identify what was a secure website and that gave us peace of mind. So what it was, HTTPS as a background, is used to secure communications by encrypting the data exchange between a person's browser and the website he or she is visiting. It's especially important on sites that offer online sales or password-protected accounts. Studying HTTP on phishing sites provides insight into how phishers are fooling Internet users by turning an Internet security feature against them. So while we've always known to be true that HTTPS meant, "Cool, I'm on a secure site, I'm being safe," in Q4 of 2019, over 70 percent of websites that were hosted by phishers were using HTTPS. They are evolving to catch more of us.

So with that, I think the next thing we actually need to do is look at an e-mail and start to identify what we need to be on the lookout for. We'll do that in the next video. We'll see you soon.