[Part .1] What is phishing?

Written by Colas Bonvicini, 18 February 2024

Phishing, phishing, scamming – these three words refer to the same thing, a widespread scam on the web. Before going into detail, let’s take a look at the semantics.

The term phishing was defined in 2004 by the Office québécois de la langue française. Yes, the chosen word and its definition were born in the French-speaking world, even before they were adopted in France.

The term filoutage was defined two years later in France, in 2006, by the Commission générale de terminologie et de néologie.

There are several theories as to the authorship of the term Phishing.

1. Phishing is a contraction of the English words “fishing” and “phreaking”, the latter being another malicious practice, the hacking of telephone lines.
2. Phishing is the name given by hackers to this practice, as their expression was “Password Harvesting Fishing”. The first letters of the words “Password” and “Harvesting” were retained, then joined and contracted with the last word “fishing”, giving rise to the term “Phishing”.

Now that you’re comfortable with one of these three terms, let’s get down to business.

Phishing, a widespread malicious practice on the Internet

Phishing is one of the oldest and best-known malicious practices in the cyber-scam world.

This technique used by hackers, also known as fraudsters, consists of collecting your personal data in order to impersonate you and, in most cases, to steal money from you.

1. When did phishing first appear?

The first case of phishing dates back to the mid-90s, with an attack to steal user names and passwords on AOL (an e-mail service), using tools such as “AOHell”.

The principle seems simple, but still works today with a similar logic: a hacker posed as a member of the AOL team, sending an e-mail to another address, that of a potential victim. This message asked the victim to enter their password to “verify their AOL account” or “confirm their bank details”. Once the victim had revealed their password, the attacker could access the account and use it for malicious purposes.

2. What type of fraudulent e-mail or link is phishing?

If there’s one thing you need to remember, it’s that for these hackers, any means is good enough to lower your level of vigilance and get you to click where they want you to.

For most of these attacks, phishing consists in reproducing an e-mail from a source that you “know” yourself, and which you might well consider “reliable” since you consult it more or less regularly. This is what we call a trusted third party. It’s also very common for the sender to pass himself off as an official body (Tax Office, Child Benefit Office…).

Your mail may therefore contain an invitation to click on a link to:

  • make you benefit from an exceptional offer on your usual merchant site,
  • give you VIP access to information related to your interests,
  • ask you to pay a bill you’ve forgotten to pay or to regularize,
  • subscribe to a page that’s too trendy and unmissable not to click on,
  • invite you to open a file attachment (a PDF, for instance) with all the information you’ve been looking for recently in your search engine…

With a little conjurer’s trick, your supposedly “official” e-mail and the “100% secure” link you confidently clicked on turned out to be a dummy e-mail from a malicious source.

So why didn’t anything jump out at you?

Simply because the reproduction of an e-mail from the trusted third party in question has been done well enough to make you believe it. This deception is known as social engineering, or psychological hacking.

Clicking on the link sets the process in motion, and you’ll be phished.
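Three of the signals described above (a borrowed display name, a sender that cannot prove its identity, and a link whose visible text does not match where it really goes) can be checked mechanically on the receiving side. The script below is an added example, not code from the original post or from Numeryx: it parses a raw e-mail with the Python standard library and lists the impersonation indicators it finds. The list of “known” senders, their domains, the scoring rule and both sample messages are constructed for the example (all domains use .example).

```python
"""Added example: triage a raw e-mail for phishing impersonation indicators.

Everything here (known senders, domains, sample messages) is constructed for
illustration; it is not the original post's code.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the "trusted third parties" the recipient knows, keyed by the
# display name they use, mapped to the domain their genuine mail comes from.
KNOWN_SENDERS = {
    "tax office": "tax-office.example",
    "parcel express": "parcel-express.example",
}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host: str) -> str:
    """Last two labels of a host name; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw: bytes) -> dict:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. A display name borrowed from a known sender, but a foreign address domain.
    for name, domain in KNOWN_SENDERS.items():
        if name in display.lower() and registrable(from_domain) != registrable(domain):
            findings.append(f"display name {display!r} but sender domain {from_domain!r}")

    # 2. Authentication-Results added by the receiving server: any SPF/DKIM/DMARC
    #    result other than "pass" or "none" (absent) is recorded.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", str(hdr))
            if m and m.group(1).lower() not in ("pass", "none"):
                findings.append(f"{mech}={m.group(1).lower()}")

    # 3. HTML links whose visible URL and real destination sit on different domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for href, anchor in ANCHOR_RE.findall(content):
        shown = URL_RE.search(anchor)
        if shown is None:
            continue
        shown_dom = registrable(urlparse(shown.group(0)).hostname or "")
        real_dom = registrable(urlparse(href).hostname or "")
        if shown_dom != real_dom:
            findings.append(f"link shows {shown.group(0)} but opens {href}")

    return {"verdict": "suspicious" if findings else "no indicator", "findings": findings}


# Constructed sample: a "tax refund" lure of the kind described in the post.
PHISHING_SAMPLE = b"""From: "Tax Office" <refunds@tax-office-refund.example>
To: victim@example.org
Subject: Your tax refund is waiting
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=tax-office-refund.example; dkim=none; dmarc=fail header.from=tax-office-refund.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Your refund of 312.40 EUR is ready. Confirm your bank details here:
<a href="http://tax-office-refund.example/login">https://www.tax-office.example/refund</a></p></body></html>
"""

# Constructed sample: a genuine notification from the same organisation.
CLEAN_SAMPLE = b"""From: "Tax Office" <noreply@tax-office.example>
To: victim@example.org
Subject: Your annual statement is available
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=tax-office.example; dkim=pass header.d=tax-office.example; dmarc=pass header.from=tax-office.example
Content-Type: text/plain; charset="utf-8"

Your annual statement is available in your personal space at https://www.tax-office.example/ (log in as usual).
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = triage(raw)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as-is, the phishing sample yields four findings (the borrowed display name, `spf=fail`, `dmarc=fail`, and the link mismatch) while the clean one yields none. The checks only read headers and HTML; nothing is fetched, so the script is safe to run on a quarantined message.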

Phishing in France: the most widespread practices

We have compiled a non-exhaustive list of the most widespread phishing attacks in France (in 2021).

1. False child pornography messages.

This scam was the most widespread in 2021. It consists of a message posing as a national (police or gendarmerie) or European (Europol or Interpol) public authority, accusing the victim of pedophilia or child pornography. The victim is then asked to pay a substantial fine of several thousand euros to avoid prosecution.

2. False tax or social security refund messages

Calls, e-mails, SMS messages, social networking sites – Ameli.fr is not spared by cybercriminals, who use every possible means to deceive Internet users by posing as the French healthcare system. On its website, Ameli.fr gives a few examples of how not to fall into the trap.

3. Package delivery scam messages

In this case, the victim receives a message by e-mail or SMS, which appears to come from a well-known transport company. Messages received by SMS usually display:

  • a sender name
  • the name of a well-known delivery service,
  • a short 5-digit telephone number (starting with 38) similar to those used by real delivery services.

This message states that a parcel must be delivered to you and that you must pay postage or shipping costs, VAT or customs duties in order for it to reach you.

A small fee is charged, prompting the victim to pay by clicking on the shared link.

This link will redirect the victim to a fraudulent website, impersonating the delivery company. During the bogus payment process, the victim will be asked for personal information such as identity, postal and/or e-mail address, telephone number and credit card details, all in order to pay the alleged delivery charges or customs.

4. Phishing messages targeting bank accounts and cards

The security of payment methods is at the heart of the cybercriminals’ process: they use a fake payment security system to further lower their victims’ vigilance when making an online transaction.

5. The Personal Training Account (CPF) scam is still going strong in mid-March 2022.

By SMS, e-mail or even phone call, scams designed to get you to divulge personal information are usually aimed at hacking into your CPF account, or even forcing you to use your balance. The expiration of your CPF balance is often the argument that prompts the victim to act quickly.

6. Tech Support Scams

The principle is to frighten the victim by sending a message (by SMS, telephone, chat, e-mail, or by the appearance of a message on the victim’s screen blocking his or her computer) indicating:

  • a serious technical problem,
  • a risk of data loss
  • loss of use of equipment

This is meant to lead the victim to contact the so-called official technical support service for assistance. As you might expect, the pseudo-troubleshooting and/or the purchase of the sometimes harmful software recommended by the bogus technician are not free. As an added element of pressure, if the victim refuses to pay, the cybercriminals keep a few last cards to play to make the victim comply, ranging from the destruction or loss of files to the disclosure of personal information.

7. SMS phishing, or smishing, concerns all types of profit-making organizations, as well as associations and public authorities. It’s the same principle as e-mail phishing, but the distribution channel is different: you’ll receive this type of phishing by SMS rather than e-mail.

What do hackers do with your data?

Unfortunately, there’s only one possible answer to this question: hackers will do whatever they want with your data.

Once you’ve opened this link, your PC will be infected, and your data will be accessible via the malware on your electronic device or in your mailbox, and can be exploited by the hacker(s).

1. What types of data are hackers looking for and stealing?

a- Personal data:

If a hacker, or a group of hackers, can get their hands (and eyes) on your e-mails, then how far back can they dig into your personal life? Don’t forget that when they open your mailbox, they can even access your drafts, archived e-mails and spam.

You don’t have to look far to imagine a hacker gaining access to highly sensitive information and resorting to blackmail, in order to:

  • force you to reveal more information about your employer or your administration,
  • make you pay money to keep certain aspects of your past life secret,
  • disclose your search history to your employer or family,
  • retrieve personal photos of you and/or of those around you,
  • access more and more of your personal accounts (social networks, Apple or Android logins…),
  • resell your data on the Dark Web, to other hackers for example…

You can let your imagination run free, or draw inspiration from the worst-case scenarios in your latest action movie or Netflix series. Not everything in them is real, but almost all of it is doable.

b- Professional data

You are an individual, and are probably also an employee, or work on behalf of a non-profit organization, or for the administration.

Hackers can target a company’s staff via their professional mailboxes, for example.

There are many reasons for this type of attack.

A hacker could, for example, divulge sensitive company information through your e-mail exchanges, or even make payments if he has access to your company’s bank details.

The hacker(s) could just as easily try to access company networks to spy on them and infect them with malware.

Phishing could therefore be just one building block on the road to harder hacking, and other types of attacks and intrusions such as spear-phishing, ransomware and wipers, to name but a few…

c- Banking data

Your bank card, and therefore your checking account, no longer belongs to you. Well, it doesn’t really belong to you any more, if you consider that a bank account should not be shared with a stranger. With phishing, victims are often led to give their bank details to hackers, thinking they’re paying a bill to the authorities, or to a regular supplier such as an Internet service provider. It can even come from a merchant site, if you enter your bank details thinking you’re finalizing an order placed on Amazon, Ebay, Fnac, Vinted, Wish, Alibaba, Shein and so on.

d- Confidential data and defense secrets

States themselves are equipped with hackers, known as Ethical Hackers. To be more precise, government agencies have cyber defense and cybersecurity departments. The French army also has a cyberdefense department, and a “virtual army” to combat cyberattacks, cybercrime, theft, espionage and all kinds of intrusions at state level.

We began writing this article in mid-March 2022, and in France we are currently spectators of a cyberwar in Eastern Europe and Western Asia. The conflict between Russia and Ukraine is also taking place on the Internet. Keep your secrets in your heads. The more digital media there are containing information, the more accessible it becomes.

The motivations are many, and consequently so are the number of phishing attacks, and the types of phishing have also multiplied!

At Numeryx, we recognized that a large proportion of intrusions could be prevented if you were equipped with a next-generation firewall. That’s why we developed our Asguard firewall.

Worldwide phishing in figures and statistics

1. Almost half a billion phishing e-mails were detected in January 2023 alone: exactly 488.5 million, according to Vade.
Source: Vade – Phishing and Malware Report Q1 2023

2. According to Zscaler, phishing attacks increased by 47.2% in 2022 compared to 2021.
Source: Zscaler – 2023 Phishing Report

3. 89% of unwanted messages manage to bypass e-mail authentication methods, according to Cloudflare.
Source: Cloudflare – Phishing Threat Report 2023

4. In 2022, 54% of phishing e-mails contained .com links, while 8.9% had .net links, according to AAG-IT.
Source: AAG-IT – The latest phishing statistics

5. Phishing e-mails have increased by 1,265% since the end of 2022 and the launch of ChatGPT, according to SlashNext.
Source: SlashNext – The State of Phishing 2023

6. 75% of organizations worldwide were affected by phishing in 2020, according to Tessian.
Source: Tessian – Phishing Attacks Statistics 2020

7. 96% of phishing attacks are carried out by e-mail, according to Verizon.
Source: Verizon – Data Breach Investigations Report 2021

8. Google discovered more than 2.1 million phishing sites in January 2021, a figure that is constantly rising.
Source: Google Safe Browsing (January 2021)

9. 1 in every 4,200 e-mails is a phishing e-mail, according to Symantec.
Source: Symantec – Threat Landscape Trends Q1 2020

10. PDF is the document type most often found carrying malicious content as a phishing attachment, according to Tessian.
Source: Tessian – Phishing Attacks Statistics 2020

11. The top 3 types of data most compromised in a phishing attack, according to Verizon:

  • Credentials (passwords, user names, PIN codes, etc.)
  • Personal data (surname, first names, postal addresses, e-mail addresses, etc.)
  • Medical data (information on medical treatments, claims, etc.)

Most of the data collected helps cybercriminals work out how to move on to the extortion stage.
Source: Verizon – Data Breach Investigations Report 2021

12. The top 5 industries whose employees receive the most fraudulent e-mails, according to Tessian:

  • Retail, with around 49 fraudulent e-mails sent to each employee per year.
  • The manufacturing industry, with around 31 fraudulent e-mails sent to each employee per year.
  • Food and beverage, with around 22 fraudulent e-mails sent to each employee per year.
  • Research & Development (R&D), with around 16 fraudulent e-mails sent to each employee per year.
  • Tech, with around 14 fraudulent e-mails sent to each employee per year.

Source: Tessian’s 2021 research

13. Over 80% of cybersecurity incidents involve phishing attacks.
Source: Email Threat Report 2020, Teiss
