How to avoid phishing?

Smartphone use is an integral part of our daily lives. However, not everyone yet realises that a smartphone can be dangerous if it is not properly protected.

According to the latest data from CERT Polska (a team operating within the structures of NASK - the National Research Institute), phishing, i.e. a technique in which attackers attempt to obtain private information such as passwords, bank account numbers and personal data, is still the most frequently used method on the list of threats in the area of cybercrime in Poland. The phishing mechanism is based on impersonating trusted sources, such as banks, companies or government institutions. In 2020, 7,622 cases were reported, while in 2021, the number of phishing attempts in Poland almost tripled to 22,575 documented attempts.

Currently, the most popular form of mobile phishing is the creation and promotion of fake apps: attackers design fake versions of popular apps, such as banking or social-networking apps, and publish them on online services to encourage users to download them to their devices. The use of Google Ads to promote such fake solutions has also been in the news recently. Google Ads are displayed at the top of the search results page; an unaware user clicks on the link, hoping to download the application they are looking for, but in reality installs malware. Ads for fake versions of the graphics applications Gimp and Blender, and even of the Signal messenger, have recently been identified.

Text messages (SMS) and emails are another form of phishing. Attackers send messages prompting recipients to enter private information, or containing links to fake websites or attachments with infected files. To encourage people to click on the links they send, attackers play on emotions, usually fear, with messages such as "you need to pay the electricity bill because it will be switched off tomorrow" or "check why your package has been blocked at the switchboard". They also take advantage of people's naivety and ignorance, as in the case of the launch of the new Lidl app, where fraudsters fabricated a copy of the Google Play app shop website.

The fake site featured a 'fake' Lidl Plus Voucher Activation app for £350. To make the app more credible, the scammers replaced the lowercase l in the malicious domain with an uppercase I, which looks almost identical (l vs I). Installing the malicious app allowed the attackers to steal money from payment cards and take control of the smartphone. A similar technique was used in January 2021, when hackers sent out text messages about a package waiting at a nearby parcel machine, encouraging people to install a fake InPost app. Stimulating people's curiosity is also a common practice among cybercriminals: victims received messages asking "Is that you in the video?" or "See all your data stolen, it's online at this address".
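As an added example (not from the original article), the following Python check catches the kind of look-alike domain described above: it maps visually confusable characters such as uppercase I back to the lowercase l they imitate and compares the result with a small allowlist of brand names. The brand list, the confusable table and the sample domains are constructed assumptions, not data from the article.

```python
# Added example: detect look-alike domains built from visually confusable
# characters (e.g. "IidI.pl" imitating "lidl.pl"). Tables below are assumptions.

# Replacements that must run before lowercasing: uppercase I imitates lowercase l.
CASE_SENSITIVE_CONFUSABLES = {"I": "l"}

# Replacements applied after lowercasing (digits and symbols that imitate letters).
CONFUSABLES = {"1": "l", "|": "l", "0": "o", "3": "e", "5": "s", "@": "a",
               "rn": "m", "vv": "w"}

# Constructed allowlist of brand names the organisation wants to protect.
TRUSTED_BRANDS = {"lidl", "inpost", "signal"}


def skeleton(label: str) -> str:
    """Reduce a domain label to the letters it visually imitates."""
    for fake, real in CASE_SENSITIVE_CONFUSABLES.items():
        label = label.replace(fake, real)
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_label(url_or_host: str) -> str:
    """Extract the label directly under the TLD, keeping original case.

    Assumption: single-label public suffixes (".pl", ".com"); multi-part
    suffixes such as ".co.uk" would need a public-suffix list.
    """
    host = url_or_host.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(url_or_host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL or hostname."""
    label = registrable_label(url_or_host)
    if label.lower() in TRUSTED_BRANDS:
        return "trusted"
    # Split the de-confused label on hyphens so "IidI-plus" is compared as "lidl".
    tokens = skeleton(label).split("-")
    if any(token in TRUSTED_BRANDS for token in tokens):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://lidl.pl/app", "IidI.pl", "inp0st.pl", "google.com"):
        print(sample, "->", classify(sample))
```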

The final type of phishing is attacks via wi-fi networks, where fraudsters provide fake wireless access points that look like trusted networks to entice users to connect to them. Cybercriminals use a variety of methods and tools. The ingenuity and creativity of fraudsters is increasing, and they are often aided by artificial intelligence solutions; in such cases, even a very attentive user can easily be fooled. Well-designed and well-prepared phishing is genuinely difficult to recognise.

It is important to follow a few simple security rules to protect not only your private information and data, but also your money, time, nerves and health. Smartphones are treasure troves of information about us, from personal notes and private photos to sensitive data. If this information is disclosed or misused, it can have serious consequences. So it is worth taking the time and effort to make sure our smartphone is safe and protected.

Among the basic rules that almost every phone user knows about, although not everyone follows, are:

  • use strong passwords or biometric unlocking and, where you can, two-step (two-factor) login,
  • do not install applications from unknown sources,
  • regularly update software and applications,
  • use anti-virus, firewall and even VPN applications,
  • use unknown Wi-Fi networks as little as possible,
  • do not share private information such as passwords and personal data, PINs or card security codes,
  • do not click on suspicious links, even if they are in text messages from known numbers of institutions and organisations.