Baiting for small fish or whales: Here is how scammers customise their phishing attacks to steal money
Online scams are growing in India, with fraudsters finding ever more ways to cheat people and steal their money. One such strategy is phishing, and it is being used to trick both individuals and organisations into sharing sensitive information.
On the India Today website, you must have come across many reports about the growing threat of online scams in our country. Every other day a new scam is reported in which users are tricked online and end up losing money. Individuals are not the only targets: these online fraudsters also go after companies. They send phishing links to extract sensitive information from people and companies, and then use that information to get into bank accounts.
But how do these scammers manage to deceive people, and who is vulnerable to phishing scams? And what exactly is a phishing attack or phishing scam?
Before I explain how these scams work, let me explain the word itself. "Phishing" is a play on "fishing". Just as fishing involves using bait to catch fish, in phishing the scammers dangle bait on the internet to lure individuals into handing over sensitive information, mainly for financial gain. That bait can be aimed at an ordinary internet user or at a high-profile executive. Depending on the target, scammers use different phishing techniques, adapting their strategies to exploit weaknesses and steal money.
How does a phishing attack work?
In phishing, cyber criminals trick people into revealing sensitive information such as login credentials, financial details or personal data. This is usually done with fake emails, messages or websites that look legitimate. Phishing can also happen over phone calls.
For example, there have been cases where individuals received calls from scammers posing as close relatives who claimed to be in an emergency and asked for money. There have also been incidents where people received calls from fake customer support officers about a failed delivery and were asked for an OTP. In both scenarios the victims feel pressured, believe the call is genuine, and end up losing their money after handing over sensitive details.
The goal of phishing attacks is simple. Like a fisherman casting a wide net into the digital ocean, scammers hope that at least some people will fall into their trap. Some phishing attacks are broad and indiscriminate, such as bulk phishing messages sent in the hope that a few recipients will respond; others are more targeted. When scammers go after specific individuals or organisations, it is known as spear phishing.
Spear phishing: A more targeted approach
As the name suggests, spear phishing is a targeted attack, like using a spear to catch one particular fish after watching its movements. Unlike ordinary phishing, spear phishing relies on personalisation, which makes it harder to detect.
The scam is more sophisticated and usually begins with the cyber criminal collecting detailed information about the target from social media, leaked or stolen databases, or the company's own website. Once they have enough details, they send a tailored email that appears highly relevant and authentic. These emails often carry malicious links that, when clicked, install malware or redirect the user to a fake login page. In the end, the scammers gain access to confidential business systems or bank accounts.
Whale phishing (whaling): Catching the big fish
You must have seen headlines about whaling attacks, in which companies report losing crores to fraud. Although it is still a phishing attack, this method specifically targets high-profile individuals such as CEOs, CFOs and senior executives (the big fish in the pond) for significant financial gain. Since these executives often have access to more sensitive company information, and the authority to move large sums, scammers exploit them to get at large amounts of money.
The strategy is the same. The attackers first gather information about the person or company and then approach the target using that information. They pose as trusted contacts such as legal advisors, fellow executives or business partners. During the conversation they send emails that often contain urgent requests. These emails pressure the recipient to act quickly without verifying anything, and the recipient ends up transferring money to the scammers.
For example, in a recent case in Maharashtra, scammers approached the accountant of a large firm on WhatsApp, claiming the message came from the company owner's new number. Once the accountant accepted the disguise, the scammers pressured him to make an immediate payment for a business project. Believing it was a genuine business deal, the accountant transferred the entire amount. The fraud came to light only when the company realised that the owner had never requested any money.
How to protect yourself from taking the bait
Online scammers are out there, spreading their nets to catch victims. So how can you avoid the bait and stay safe? With phishing attacks becoming increasingly sophisticated, individuals and organisations should stay alert and take precautions to protect their data and finances.
For individuals:
- Never click on links or download attachments in unfamiliar emails or messages.
- Always verify the source of an email or SMS before clicking on a link or downloading an attachment.
- Enable two-factor authentication (2FA) to add an extra layer of security.
- Do not share sensitive information such as OTPs or passwords with unknown persons.
- If you receive calls from people claiming to be customer support officers, CBI officials or bank representatives, hang up immediately. Verify their identity by visiting the official website or contacting the institution directly, using a number you look up yourself rather than one given to you on the call.
- Remember, legitimate organisations never ask for sensitive information such as OTPs or passwords over the phone.
For businesses:
- Whaling cases are increasing, so organisations should educate employees about phishing risks through regular cyber security training, and require that any urgent payment request received by email or messaging app be confirmed through a known phone number or in person before funds are transferred.
- Implement email authentication measures such as SPF, DKIM and DMARC to prevent spoofing and flag fraudulent email. Note that a DMARC policy of p=none only reports spoofing attempts; spoofed mail is blocked only once the policy is raised to p=quarantine or p=reject.
- Restrict access to sensitive data, ensuring that only authorised personnel can reach financial and confidential company information.
- Continuously monitor for and report suspicious activity, encourage employees to flag suspicious emails, and deploy security software to detect anomalies.
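The SPF and DMARC advice above is easy to get half right: a domain can publish both records and still be spoofable if SPF ends in `~all` or DMARC is left at `p=none`. The following checker, added here as an example and not code from the article or from India Today, parses the two TXT records and reports such weak settings. The record strings and the domain names `weak.example`, `strong.example` and `nospf.example` are constructed for illustration; for a real domain you would fetch the TXT records at `<domain>` and `_dmarc.<domain>` from DNS and pass them to `assess_domain`.

```python
"""Assess whether a domain's SPF and DMARC records actually enforce anything.

Added example; not part of the original article. The records below are
constructed for illustration and do not belong to any real domain.
"""
import re

# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "nospf.example": {"spf": None, "dmarc": None},
}

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|redirect=|exists:)")


def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty means enforcing)."""
    findings = []
    if not record:
        return ["no SPF record: any host can claim to send for this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()
    all_terms = [t for t in terms if t.endswith("all")]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][:-3]  # '' or '+', '-', '~', '?'
        if qualifier in ("", "+"):
            findings.append("'+all' permits every sender: SPF is effectively disabled")
        elif qualifier in ("~", "?"):
            findings.append(f"'{qualifier}all' is soft/neutral: spoofed mail is marked, not rejected")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append("more than 10 DNS-lookup mechanisms: receivers will return permerror")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict keyed by lower-case tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record (empty means enforcing)."""
    findings = []
    if not record:
        return ["no DMARC record: SPF/DKIM results are never tied to the From: header"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail still reaches inboxes")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown 'p' tag: record is invalid")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see aggregate reports of spoofing attempts")
    return findings


def assess_domain(spf, dmarc):
    """Combine SPF and DMARC findings into ('enforcing' | 'weak', findings)."""
    findings = [f"SPF: {f}" for f in check_spf(spf)]
    findings += [f"DMARC: {f}" for f in check_dmarc(dmarc)]
    return ("enforcing" if not findings else "weak"), findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        verdict, findings = assess_domain(recs["spf"], recs["dmarc"])
        print(f"{domain}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, it reports `weak.example` as weak (soft-fail SPF and monitor-only DMARC), `strong.example` as enforcing, and `nospf.example` as weak on both counts. DKIM is deliberately left out: its correctness depends on the signature in each message rather than on a single policy record, so it cannot be judged from DNS alone.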