Know and protect yourself: the main types of fraud in the digital environment
Written by
Juliana Roman (See all posts from this author)
23 June 2021
To be protected in the digital environment, we need to know what risks we are exposed to. However, let’s be honest, the internet has some complicated terms, right? After all, what are phishing and whaling? What are ransomware and credential stuffing? Besides the fact that most of us do not know what these terms mean or what impact they have on us, the users, the English terms do not help native Portuguese speakers. So, read on and discover their meanings with me!
Frauds in the digital environment
According to the survey “Panorama of cyber threats in Latin America”, carried out by Kaspersky, Brazil is the country with the most cyberattack attempts in the region, with Mexico in second place. Looking at the global context, Brazil is in 7th position among the countries that receive the most data attacks related to users’ personal or financial security.
A study by TransUnion sought to understand the impacts of the coronavirus pandemic on Internet consumers. To this end, between June 11th and July 6th, 2020, it interviewed more than 7,800 people in Brazil, Canada, Colombia, Hong Kong, the United Kingdom and the United States of America (USA). Among the questions put to the 450 Brazilian consumers interviewed were: “Have you ever been the target of any digital fraud during the period of social isolation?” and, in case of an affirmative answer, “which scam was used?”.
In the specific case of Brazil, among the types of digital fraud, the one that affected most respondents was credit card theft and fraudulent charges (26%). In Canada (30%), the USA (31%), UK (30%) and Hong Kong (37%), the most common scam was phishing. In Colombia, most victims were scammed by third-party vendors hosted on online retail sites.
Overall, this survey found that phishing, that is, the attempt to unlawfully acquire someone else’s personal data, was the primary digital fraud scheme worldwide in the covid-19 period. Among the total survey respondents who reported being targeted by digital scams worldwide, 27% said they had experienced this type of fraud during the pandemic period.
According to data presented by the platform “I can trust this website”, which checks the credibility of websites and marketplaces, approximately 46% of the websites consulted were unreliable. In addition, in 2020, there were more than 3.4 million attempted cyberattacks in Brazil. On this topic, it is essential to highlight that the Cyber Crimes Law, enacted in 2012, deals with electronic media offences, including internet scams such as phishing.
Cyberspace Fraud Alphabet: Malware, Ransomware, and Credential Stuffing
Malware
The term “malware” is an abbreviation for “malicious software”. It refers to a type of computer program designed to infect a legitimate user’s computer, such as by damaging the device or stealing personal data. How malware works, or what it does, differs from file to file. The most common classes of malware are viruses, trojans, spyware, worms, ransomware, adware and botnets.
Ransomware
It is a type of malware that does not steal data but encrypts it. Thus, it prevents the holder from accessing their data unless they pay a ransom for it. The term is also a play on words: “ransom” is the payment demanded for the data, and “ware” refers to malware. According to a Getapp report, 28% of interviewed companies suffered a ransomware attack in 2020. Of those, 75% chose to pay the ransom.
Credential stuffing
Credential refers to the usernames and passwords we use to access different websites, software, and services. Stuffing, in this case, refers to mass testing. Credential stuffing is the practice of testing the same credential on multiple sites and platforms to see if the user has reused it. One example is Spotify: the company was the target of this fraud, and the credentials of 350,000 users were leaked in 2020.
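What such mass testing looks like from the side of the site being tested, as an added example that is not part of the original post: constructed login-log lines (not from any real system) and a small Python detector that flags a source trying many different usernames with mostly failed logins, while leaving a user who merely retries a mistyped password alone.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system). One attempt per line:
# <ISO timestamp> <source IP> user=<name> result=<OK|FAIL>
SAMPLE_LOG = """\
2021-06-23T10:00:01 203.0.113.7 user=alice result=FAIL
2021-06-23T10:00:02 203.0.113.7 user=bob result=FAIL
2021-06-23T10:00:03 203.0.113.7 user=carol result=OK
2021-06-23T10:00:04 203.0.113.7 user=dave result=FAIL
2021-06-23T10:00:05 203.0.113.7 user=erin result=FAIL
2021-06-23T10:05:00 198.51.100.9 user=alice result=FAIL
2021-06-23T10:05:20 198.51.100.9 user=alice result=FAIL
2021-06-23T10:05:45 198.51.100.9 user=alice result=OK
"""

def parse_line(line):
    """Return (timestamp, ip, user, success) for one log line."""
    ts, ip, user_field, result_field = line.split()
    return (datetime.fromisoformat(ts), ip, user_field.split("=", 1)[1],
            result_field.split("=", 1)[1] == "OK")

def detect_stuffing(log_text, min_distinct_users=5, max_success_ratio=0.25,
                    window_seconds=60):
    """Return {ip: stats} for sources whose logins look like credential stuffing:
    at least min_distinct_users accounts tried within one window, mostly failing.
    A real user retrying a mistyped password hits one account and is not flagged."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            per_ip[event[1]].append(event)

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so the window spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            users = {e[2] for e in window}
            successes = sum(1 for e in window if e[3])
            if len(users) >= min_distinct_users and successes / len(window) <= max_success_ratio:
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                               "successes": successes}
                break  # the first qualifying window is enough to flag this source
    return flagged
```

The thresholds are assumptions for this constructed sample; in practice they are tuned to the site’s normal login behaviour.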
Alphabet of cyberspace fraud: phishing and its main types
Phishing
Phishing is a cybercrime technique that tries to mislead users and manipulate them into handing over their confidential information. A phishing attack has three components: (i) the attack is carried out through electronic communications such as email or over the phone; (ii) the scammer pretends to be a trusted individual or organization; and (iii) it is intended to obtain sensitive personal information such as login credentials or credit card numbers.
The term phishing comes from a play on words: phreaking + fishing = phishing. The cybercriminal will “fish” for their victim on the internet. The “ph” in phishing comes from “phreaking” or “phreaks”, which refers to enthusiasts who experimented with telecommunications networks to find out how they worked.
Let’s get to know the main types of phishing:
Blind phishing
Blind phishing occurs via mass email sending. It is common for the email to contain a malicious link or attachment so that the recipient downloads a virus onto their computer.
Smishing
Carried out through SMS messages sent to cell phones. These are often messages that prompt the victim to make immediate decisions, for example, saying that he or she has won an unexpected lottery or was selected for a specific benefit program.
Scam
“Scam” phishing is based on trying to get the victim’s information via contaminated links or files. Contact with the potential victim can be via phone, email, text message or social media.
Phishing clone and spear phishing
In clone phishing, another website is cloned to attract users and induce them to behave as if they were in a safe and known environment. Spear phishing is when the attack targets a specific person or group of victims and aims to access a particular database to obtain sensitive information, confidential files or financial data.
Whaling
In general, whaling is fraud targeted at specific people who hold high professional positions. The technique is intended to gain access to confidential data or money. The term comes from the English word “whale”.
Vishing
This technique uses voice mechanisms to carry out scams. In general, the voice calls raise urgent issues that require the victim to act quickly and provide information.
Pharming
Through pharming, traffic from a legitimate website is manipulated to direct users to fake websites that may install malicious software (malware) capable of collecting personal data on victims’ computers.
Reading Tips
Regarding the prevention of internet fraud, we must be aware and informed. Therefore, I made a selection of three books that can help to understand the subject better.
The first tip is the book “Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques”, which addresses the main techniques required by cybersecurity professionals. The book covers reports and case studies which allow for a greater understanding of the subject. It’s a good book tip if you work or want to work in the field.
The second tip is the book “Cyber War: The Next Threat to National Security and What to Do About It”. The American author shows that actions involving the use of computers and attacks on computer systems have already been employed in initiatives characterized as “actions of State”, both in times of peace and on the battlefield. According to the book, the use of computational weapons can compromise the smooth running of military actions — offensive or defensive — and also impact the civilian population and the functioning of society. In fact, this book has a translation into Portuguese: “Guerra Cibernética: a Próxima Ameaça à Segurança e o que Fazer a Respeito”!
The third book on the list is “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World,” which addresses Internet of Things (IoT) threats, exploring the security implications and risks of hyperconnection. In addition, the author presents ideas for public policies that can be implemented in risk prevention.
Another very interesting and super didactic reading tip is the “Safety Booklet for the Internet” published by the Information and Coordination Center of Ponto BR (NIC.br). In the “Malicious Codes” issue, you will find information about the main types of malware and the precautions to be taken to avoid being a victim of online scams. In the “Electronic Commerce” section, you can learn about the main risks involved in e-commerce and know what precautions should be taken to avoid them. Best of all: the booklet is free to access online!
Finally, a quick and simple guide entitled “How to keep your network safe at home: PC/laptop and your cell phone”, published by Editora Senac. According to the author, the material teaches you how to browse the internet safely, avoid having your device infected by malware and protect your Wi-Fi network.
Conclusion
Advances in information and communication technologies (ICTs) have broadened the reach of the means of communication. Given the exponential use of the internet, we can see how the physical world also expands into the virtual.
We must be aware of fraud in the digital environment, because several relationships are established through the network, including purchase and sale. In this sense, the same precautions we take when buying a product in a physical store must be applied when the purchase is made via e-commerce. For example, do you frequent stores in unsafe places or that do not provide enough information about the quality of the product? I hope not. Therefore, you should also be aware of these signals when trading over the internet.
I end the text with that famous phrase that everyone repeats but whose author no one knows: “living is a risk”. So, pay attention to the tip: whether in physical or virtual space, we must always (re)know the risks in order to prevent them from materializing.
The views and opinions expressed in this blogpost are those of the author.
Illustration by Freepik Stories.
Research leader in personal data protection and researcher at the Reference Institute on Internet and Society (IRIS). Master of Laws from the Postgraduate Program of the Federal University of Rio Grande do Sul (UFRGS 2022), linked to the Center for European and German Studies (CDEA). Conducted field research in Amsterdam, Netherlands, during the Master’s to support a comparative study carried out in the dissertation. Specialization in Consumer Law by the Consumer Law Center (CDC) of the Faculty of Law of the University of Coimbra (UC 2021). Postgraduated in Digital Law at Fundação Escola Superior do Ministério Público (FMP 2021). Holds a Bachelor of Laws from the Pontifical Catholic University of Rio Grande do Sul (PUCRS 2019). Collaborator in the research project “Personal Data Protection in the Americas”, conceived in partnership by the CNPq Research Group “Observatories of the General Data Protection Law and the Civil Rights Framework for the Internet”, linked to the University of São Paulo (USP), and by the CNPq Research Group “Mercosul, Consumer Law and Globalization”, linked to UFRGS. Held an international mobility period at the Universidad Internacional de Cataluña, Barcelona, Spain (UIC 2017). During graduation, she studied a foreign language in Vancouver, Canada. She was a scientific initiation fellow of the BPA Program (PUCRS 2016-2018). Provided voluntary legal advisory services at the University Legal Advisory Service (SAJU UFRGS) – Consumer Law (G7) – during 2019 and 2022. Works and researches in the areas of personal data protection and privacy, IT Law, cryptography, Information and Communication Technologies (ICTs) and Consumer Law.