Scammers are an unconscionable yet resourceful bunch. The fact that the world now operates within a data-driven and data-dependent landscape has not deterred them from their illegal activities. Rather, they have adapted well to the technologies offered by the digital age and readily integrate contemporary tools into the strategies that they use to deceive individuals and organizations that are trying to carry out honest transactions. One of the many strategies that scammers have up their sleeves—and is particularly popular in the Philippines—is phishing, a practice wherein a bad actor attempts to solicit sensitive information like passwords and credit card numbers from a targeted individual by pretending to be a legitimate institution.
Phishing is an extremely common crime that targets buyers and sellers alike. According to the international consortium Anti-Phishing Working Group (APWG), phishing attacks hit an all-time high in December 2021 and have tripled in number since early 2020. Globally, more than 300,000 attacks were recorded at the tail end of 2021, 17.3% of which targeted the ecommerce and online retail industry. Phishers often use the information they’ve acquired from their target to steal these people’s identities, to drain their finances, or to ruin their credit by opening accounts and credit lines under the victim’s name. Falling victim to phishing can also lead to loss of intellectual property, data breaches, compliance-related fines, and reputational damage among individuals and institutions.
Email is the most common channel that phishers use to trick their target into providing them with sensitive information. In fact, 90% of IT professionals are of the belief that email phishing poses the most significant security threat to their respective organizations. Still, there are scammers that use other means of reaching their target. Some phishers use SMS, while others send phishing messages through more sophisticated means such as video conferencing and work messaging platforms, cloud-based file-sharing platforms, and even social media. There’s the very real possibility of getting phished even if you’re using communication channels other than email.
There are endless variations of phishing scams, and it’s likely that the strategy that phishers use will continue to evolve with technology and social norms. However, it’s clear that phishers are after information that will enable them to access restricted data or resources. They do this through social engineering, which is the use of psychological manipulation and the exploitation of human weaknesses to gain confidential information or to trick people to do specific actions. Phishers often impersonate legitimate individuals and organizations to make unwitting accomplices out of honest people. They trick victims into thinking that they’re dealing with their bosses, officemates, or financial services providers, for example, to ease them into revealing sensitive information.
Merchants based in the Philippines have also become a target for scammers and phishers. Because of this, entrepreneurs who are navigating different modes of communication—digital or not—to carry out their day-to-day operations must have practical and effective strategies in place to protect themselves, their livelihood, and the people they work with from falling victim to phishing efforts. Here are some of the safety and security measures against phishing that you should implement in your business:
One of the basic skills of a successful entrepreneur is making the most of a business opportunity. Sellers and merchants must be able to field inquiries from their customers and present their goods as an option to buyers as quickly as possible. Phishers and other scammers know this, which is why they frequent the communication channels that merchants and their customers use. Naturally, people will avoid using marketplaces that they deem to be unsafe. To encourage merchants and consumers alike to keep on conducting business, online and digital marketplaces invest in the security of every transaction that takes place on their platforms.
Grab, for one, makes use of a variety of security and safety features to ensure that its users are safe from scammers and frauds. GrabPay, the digital wallet developed by the company, protects customers and merchants alike from phishers and scammers by verifying accounts and ensuring that there are real people behind the transactions that make use of each wallet. Among the GrabPay security measures that users can depend on are its PIN, biometric payment features like fingerprint scanning and face ID authentication, and an in-app chat function that’s connected to its support team.
By sending and receiving payment through GrabPay and sticking to tried-and-tested marketplaces and platforms that use similar security features, merchants and customers alike can be sure that they’re carrying out legitimate transactions. They can rest assured that the individuals they’re interacting with are looking to conduct fair and honest trades and can be made accountable for their actions.
Forewarned is forearmed, and this applies to phishing and other types of scams as well. Phishers are after sensitive information that they can use to take advantage of individuals and organizations. To get what they want, they simulate everyday interactions where it seems sensible to reveal confidential details. To solicit information, phishers commonly use the following tactics:
By taking on the role of technical support representatives, phishers attempt to make their victims comfortable with the idea of sharing information like credit card details and passwords, and also with the idea of entering the said details into a phishing website or of downloading malicious files that could compromise their data.
To trick their victims into trusting their messages, phishers clone emails, SMS, and other forms of communication from legitimate companies. By changing a few details to the links attached to their messages, phishers can direct businesses and customers to enter their details into a fake domain or download malware to their system.
A more sophisticated phishing method, spearing targets a particular individual within an organization and sends them a personalized message. This message will typically mention a few particular details about the target, such as their name, place of employment, and what they do in the organization, making it look like a credible message from someone trusted by the company.
There are phishers that target high-profile individuals in an organization. This strategy, called whaling, employs subtler techniques, often taking the guise of a busy CEO who’s asking an executive to follow a particular set of instructions. Whaling plays on a person’s reluctance to question the orders of someone in a higher position.
A fairly new strategy, this targets people that often post on social media. For example, a person might post a complaint about a particular product on a social media platform. The phisher takes advantage of this by pretending to be the brand behind the product and soliciting information from the person who complained. Under the guise of trying to make up for the unpleasant experience that the said person had to go through, the phisher attempts to solicit sensitive information from the target.
To trick their victims into trusting their messages, phishers clone emails, SMS, and other forms of communication from legitimate companies. By changing a few details to the links attached to their messages, phishers can direct businesses and customers to enter their details into a fake domain or download malware to their system.
Any of these strategies can be used by phishers who use email, SMS, voice, video, and other modes of communication to reach their targets.
Updating the software, applications, and systems that you use in your business offers a measure of protection against scammers and phishers. It’s a must for businesses of all sizes to install firewalls, antivirus programs, and malware and spyware detectors in the digital tools and platforms that they use to carry out their everyday operations. This measure will help you quickly catch phishers that are attempting to tamper with your system even before they cause damage. It’s also a good idea to regularly update the tools and applications you use to transact with your customers and service providers, as these updated versions often include upgraded security features..
Having a backup of all your files and programs will also not only prove to be useful in times of disasters and emergencies, but it will also help you resume your operations in case a phisher breaches your database and causes trouble or attempts to hold your files hostage. Also, if your business employs remote workers, it’s a must to provide them with programs that will ensure data safety and the integrity of the systems that they use. At the same time, everyone in your team should receive training on how to identify and avoid phishers and what they should do in case they fall victim to scammers.
Human intelligence is the best line of defense against sophisticated phishing schemes. There are programs and applications that can help weed out phishing attempts, but these can only do so much to prevent people from acting upon sophisticated and highly personalized phishing messages. Here’s how each member of your team can protect your business from phishers and other scammers.
There are a few things that you can do to immediately determine whether or not the message you received came from a phisher or someone who wants to do legitimate business with your company. Determine from whom the message came and see closely if they are using techniques to obfuscate their address and website, such as substituting “rn” for “m”, using “|” instead of “l”, or spelling with the number “0” instead of a letter “o”. Some phishers also imitate official addresses and websites more closely only to add numbers, letters, or country abbreviations to their contact details. If you’re on social media, look for the verification icon before you engage with people who are getting in touch with you.
Having a password policy will help the members of your team protect your resources and facilities from unauthorized access. If your team members change their passwords within 3 to 6 months, then there’s a smaller chance that a phisher will be able to access their devices and your network. If your bank or other financial service providers allow multi-factor authentication, use this to prevent unauthorized access to your accounts. This security measure will require at least 2 credentials before anyone can log into your bank account or change any details about you and your business. This safety measure can also be used in other digital channels.
Phishers have a keen understanding of human nature, and they use one’s sense of urgency, hesitation, desire to help, and the fear of being wrong to get the information they need from their victims. Before rushing in to fulfill what looks like everyday requests or mentioning important and sensitive details, take a closer look at the sender, subject line, and what the sender or caller is asking of you. Carefully compare their contact details with the official ones on the cards they issued on their website. If you have any doubts about the transaction, ask for clarification using official channels. Also, steer clear of providing personal and financial information or downloading files over unprotected channels.
Taking security and protective measures against phishers is a must for merchants and consumers alike, especially since the number of phishing attacks has grown tremendously in the past months. It’s an effort that should be done within the system that the company uses to carry out its everyday tasks, but it should also involve the people who are working in the business By using both digital technologies and human knowledge, merchants of all sizes can prevent themselves from falling victim to or experiencing disruptions due to phishing issues.
If you have encountered a phishing attempt, you may send a report to the PNP Anti-Cybercrime Group.