
Phishing es una táctica común utilizada por los ciberdelincuentes para obtener información confidencial de las víctimas.
La mayoría de los ataques de phishing se envían a través de correos electrónicos, pero también pueden llegar a través de mensajes de texto, redes sociales, o incluso llamadas telefónicas.
Un ataque de phishing típico implica que el ciberdelincuente envía un correo electrónico que parece ser legítimo, pero que contiene un enlace o un archivo malicioso que, cuando se abre, permite al ciberdelincuente acceder a la cuenta de la víctima.
La clave para prevenir estos ataques es ser cauteloso con los correos electrónicos que recibimos y no dar credenciales personales a nadie.
Related reading: Que Es Google One Y Para Que Sirve
Recognizing Phishing
Phishing is a sneaky way for scammers to trick you into giving away sensitive information. Be cautious of emails that seem too good to be true.
A suspicious email may have discrepancies in the domain name, such as a misspelled or unfamiliar address. This is a red flag.
Incoherent domain names are a sign of phishing. For example, if an email claims to be from a well-known brand, the domain name might not match.
Phishing emails often contain typos or grammatical errors, making them stand out from legitimate communications.
Here are some signs that an email might be a phishing attempt:
• Discrepancies in the domain name
• Typos or grammatical errors
• Unknown senders or unusual greetings
• Brief and vague content
• Unusual requests or demands
• Suspicious attachments or links
Be wary of emails that induce fear or create a sense of urgency. Legitimate organizations won't ask for sensitive information via email.
If you're unsure about an email, don't click on the link or provide any information. It's always better to err on the side of caution.
Types of Phishing Attacks
Phishing attacks come in many forms, and it's essential to know what to watch out for. Phishing by email is a common type of attack where a sender pretends to be a legitimate company or person to trick you into following a malicious link or downloading a infected file.
Smishing and vishing are similar to phishing by email, but they use SMS and phone calls instead. Smishing sends fake messages to your phone, while vishing uses fake phone calls to try and get you to reveal sensitive information.
Phishing anglers are a type of attacker that poses as legitimate organizations on social media to get you to reveal personal information. They often offer fake rewards or discounts to lure you in.
Spear phishing is a targeted attack where the attacker knows some personal details about you and uses that information to make the attack more convincing. Whaling is a type of spear phishing that targets high-level executives and managers.
Clone phishing is a type of attack where the attacker sends a fake email that looks like it's from a trusted source, such as a bank or a well-known company. This is often used in business email compromise (BEC) attacks.
Pharming is a type of attack where the attacker takes control of a website's DNS server to redirect users to a fake website, even if they type in the correct URL.
Here are some common types of phishing attacks:
- Phishing bancario: suplantan a una entidad financiera legítima para obtener información bajo excusas como: bloqueo de cuenta, actividad sospechosa en la cuenta, cargos en cuenta, etc.
- Phishing a entidades públicas: suplantan a través del correo electrónico a entidades y organismos públicos bajo cualquier pretexto, como devolución de impuestos, pago multa de tráfico, obtención de ayudas, etc.
- Vishing (Phishing por voz): los atacantes se hacen pasar por figuras de autoridad (p. ej., funcionarios del banco, fuerzas del orden) por teléfono para asustar a las personas y lograr que compartan información sensible o transfieran fondos.
- Smishing (suplantación de identidad por SMS): similar al vishing pero a través de SMS, smishing envía mensajes fraudulentos en los que se insta a los destinatarios a hacer clic en enlaces maliciosos o a compartir datos personales.
Protecting Against Phishing
The first line of defense against phishing is your judgment. Train yourself to recognize the signs of phishing and practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.
Most modern browsers have ways to verify if a link is secure, but it's essential to be cautious. Don't open emails from unknown senders, and never click on a link within an email unless you know exactly where it will take you.
Malwarebytes Labs recommends several key practices to protect yourself against phishing attacks:
- No abras correos electrónicos de remitentes que no conoces.
- Nunca hagas clic en un enlace dentro de un correo electrónico a menos que sepas exactamente a dónde te lleva.
- Si le piden que facilite información sensible, compruebe que la URL de la página empieza por "HTTPS" en lugar de sólo "HTTP". La "S" significa "seguro". No es una garantía de que un sitio sea legítimo, pero la mayoría de los sitios legítimos utilizan HTTPS porque es más seguro.
- Active la autenticación multifactor (MFA): Utiliza MFA siempre que sea posible para añadir una capa adicional de seguridad.
- Observa el certificado digital de un sitio web.
- Para añadir esa protección, si recibes un correo electrónico de una fuente de la que no estás seguro, navega al enlace proporcionado manualmente ingresando la dirección web legítima en tu navegador.
- Pasa el ratón sobre el enlace para ver si es un enlace legítimo.
- Si sospechas que un correo electrónico no es legítimo, toma un nombre o parte del texto del mensaje e introdúcelo en un motor de búsqueda para ver si existen ataques de phishing conocidos que utilizan los mismos métodos.
Impacts Businesses
A successful phishing attack can lead to severe and long-lasting consequences for businesses. Financial losses can result from a compromised corporate bank account.
Pérdida de datos puede ocurrir si el phishing conduce a un ataque de ransomware. A reputation damage can occur if a company suffers a data breach that requires public disclosure.
Ciberdelincuentes pueden vender datos robados en la web oscura, incluso a competidores sin escrúpulos. Informing regulatory bodies or government agencies about data breaches can lead to fines or other penalties.
Investigaciones de delitos cibernéticos can involve the company, taking a lot of time and attracting negative attention.
Related reading: O Que É Uma String
Protect Against Attacks
Be cautious when opening emails from unknown senders. Don't open emails from people you don't know. Malwarebytes Labs recommends this as a key practice to protect against phishing attacks.
Ninety percent of phishing attacks can be prevented by using your judgment. Train yourself to recognize phishing signals and practice safe computing habits. This includes being careful when reading emails, browsing Facebook, or playing online games.
To verify if a link is secure, check if the URL starts with "HTTPS" instead of "HTTP". The "S" stands for "secure" and indicates a legitimate site, but it's not a guarantee.
Active two-factor authentication (MFA) whenever possible to add an extra layer of security. Even if phishers get your password, they'll need to pass additional verification steps to access your account.
Don't click on links within emails unless you know where they lead. Hover your mouse over the link to check if it's a legitimate link. If you're unsure, navigate to the website manually by typing the URL in your browser.
If you suspect a phishing email, take a screenshot or copy the text and search for known phishing attacks using a search engine.
Here's a summary of key practices to protect against phishing attacks:
- Don't open emails from unknown senders.
- Verify if a link is secure by checking the URL starts with "HTTPS".
- Active two-factor authentication (MFA) whenever possible.
- Don't click on links within emails unless you know where they lead.
- Hover your mouse over the link to check if it's a legitimate link.
- Take a screenshot or copy the text and search for known phishing attacks.
What to Do If You're a Victim
If you're a victim of phishing, it's essential to act quickly to minimize the damage. Change your passwords immediately if you provided login information.
Contact your bank or financial institution as soon as possible if you shared financial details like credit card numbers or signature keys. They'll help you secure your account.
Run a virus scan on your device with an antivirus software if you clicked on a suspicious link or downloaded an attachment. This will help detect and remove any malware or viruses.
Keep an eye on what information is circulating online about you, and use egosurfing to monitor your digital presence. This will help you detect if your private data is being used without your consent.
If you find any unauthorized data about yourself, exercise your rights and report it to the relevant authorities. The Agencia Española de Protección de Datos provides guidelines on how to do this.
Share your experience with friends and family to help them avoid similar scams. You can also share information on social media to raise awareness about the dangers of phishing.
Prevention and Recommendations
To avoid falling victim to phishing scams, there are some essential steps you can take. Verificá por otra vía quien realmente se está contactando, or verify the identity of the person contacting you through a different means.
One simple yet effective way to protect yourself is to configurá un doble factor de autenticación, or set up two-factor authentication, on the services that offer it. This adds an extra layer of security to prevent unauthorized access.
Before responding to a suspicious message, take a moment to verificá los siguientes datos del mensaje. Check if the sender's account or domain is unknown or doesn't match the expected domain. For example, if a message claims to be from a bank, make sure the email address matches the bank's official domain.
Urgency is a common tactic used by scammers to create a sense of panic. Be wary of messages that solicit a acción urgente, or urgent action. Take a step back and think critically before responding to such messages.
If a message asks you to select an enlace, or link, through email, SMS, or social media, it's best to avoid it. Instead, direct yourself to the official website of the institution or service you need to access. Make sure the URL starts with "https" and the appearance, logo, and language match the real institution's image.
Never download archivos desconocidos, or unknown files, as they may contain malware that can infect your device. Similarly, be cautious of requests for información personal or financiera, or personal or financial information, as legitimate institutions will never ask for sensitive data.
Finally, pay attention to the texto, or text, itself. Scammers may use traductores automatizados, or automated translators, which can lead to errors in spelling or grammar. If the message seems too good (or bad) to be true, or if the language is awkward, it's likely a phishing attempt.
Featured Images: pexels.com


