Phishing, the theft of your identity

Phishing, when no one is who they say they are

With this type of theft, cybercriminals can learn more about the victim than the victim themselves: they can steal their credentials to obtain financial, health, social media, subscription information, etc. In short, they can completely strip us naked in one fell swoop.

Phishing (impersonating a legitimate organization to request sensitive data, such as our banking credentials) is one of the most common techniques used to steal digital identity. In fact, cybercriminals are increasingly investing in mechanisms to deceive users (social engineering techniques) rather than in sophisticated technological tools to circumvent the barriers imposed by the financial system. Urgent messages on key dates, sent from a purportedly well-known company's inbox, with a link to a domain almost identical to that of the legitimate organization, landing us on a clone of the corporate page, can confuse us so that we end up doing what we shouldn't: handing our credentials to a fraudulent recipient.

There is even a type of Trojan specialized in stealing banking data that uses phishing to steal our credentials, the so-called Trojan Banker, whose use has spread significantly in recent years (more than 1,200,000 attacks in 2024). They often even use hacked accounts to send fraudulent messages in order to increase their credibility.

However, phishing can also occur through proactive user actions, that is, when users browse the web to access services they are looking for, such as booking a hotel room or participating in a contest or promotion. In these cases, attackers trick us by pretending to be someone else and making very attractive but pressing offers. Beyond that, if the impersonation is done well, there will be no other sign that we may be facing a scam.

For example, in 2024, a type of phishing scam targeted travelers with the aim of confusing them when booking a hotel room. The goal was to get travelers to provide their banking information to make the reservation on a website that perfectly replicated the routines of these booking services. Unfortunately, when they arrived at the hotel, not only did they have no reservation, but their account had been emptied.

So how do we detect a truly convincing phishing scam? It all depends on our attention and our instincts, but, as a general rule, any message we receive, whether by email, SMS, social media, or voice, urging us to act urgently and offering a link to access a site (even a trusted one) or download a file, is reason enough to be on alert. So much so that at Rikki, we believe it's best not to comply and, if in doubt, to contact our provider ourselves, avoiding the links and attachments that are handed to us on a plate.

But if we initiate the action ourselves, like in the hotel reservation example, we must be very careful about the domains where we enter our credentials, and stop if something doesn't fit.
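The two warning signs the article describes, a domain almost identical to the legitimate one and a brand name buried inside an unrelated domain, can be checked mechanically before credentials are typed in. The following is an added example, not code from the original post or from Rikki: it classifies a URL as trusted, lookalike or unknown against a small allow-list of domains the user actually holds accounts with. The `TRUSTED_DOMAINS` set and every sample URL are constructed for illustration, and the registrable domain is approximated as the last two host labels, which ignores multi-label public suffixes such as `co.uk`.

```python
"""Flag URLs whose host imitates a domain the user trusts.

Added example, not code from the original article. Assumptions: the
TRUSTED_DOMAINS set and the sample URLs are constructed for illustration;
the registrable domain is approximated as the last two host labels, which
ignores multi-label public suffixes such as "co.uk".
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: domains where this user really has accounts.
TRUSTED_DOMAINS = {"mybank.example", "hotelbooking.example"}

# Substitutions a reader's eye tends to miss; folded before comparing names.
# Cyrillic/Greek look-alikes are not covered here (a confusables table would be).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url  # bare hosts as they appear in SMS or chat messages
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximate the registrable part as the last two labels (simplification)."""
    return ".".join(host.split(".")[-2:])


def normalise(name: str) -> str:
    """Fold Unicode compatibility forms, accents and common ASCII substitutions."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(c for c in unicodedata.normalize("NFD", name)
                   if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's domain."""
    host = host_of(url)
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    folded = normalise(domain)
    for good in trusted:
        # Trusted name used as a subdomain of someone else's registrable domain.
        if good + "." in host:
            return "lookalike"
        # Near-identical registrable domain once confusable characters are folded.
        if levenshtein(folded, normalise(good)) <= 1:
            return "lookalike"
        # Brand label reused inside the first label: mybank-login.example, mybank.other
        brand = good.split(".")[0]
        if brand in folded.split(".")[0]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, the kind found in the messages the article describes.
    for sample in [
        "https://www.mybank.example/login",
        "https://www.rnybank.example/login",
        "http://mybank.example.secure-update.example/",
        "https://hote1booking-confirm.example/pay",
        "https://news.example/article",
    ]:
        print(f"{classify(sample):10s} {sample}")
```

Run as a script it prints one verdict per constructed URL; in practice the `classify` function would sit in a mail filter or a browser-side check, and anything other than `trusted` is a reason to stop and reach the provider through a route you chose yourself, as the article advises.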
