
Phishing
Phishing is very common and links to phishing sites can reach us through virtually any digital channel (emails, text messages, messages in a messaging app, social media posts or comments, as well as advertising banners on a website or in some other, new form). They can also take the form of phone calls offering an investment opportunity or a service, for example.
Phishing messages can be sent en masse to a large number of addresses, but they can also be specifically targeted at a particular individual or the employees of an organisation:
In the case of mass mailing, monitoring for warning signs can help to detect phishing. Be sure to read the articles on phishing on the IT-vaatlik website.
However, targeted phishing attacks can be so well-designed and user-specific that there are few or no red flags. Targeted phishing messages can be prevented by protecting your privacy online so that an attacker would not have any material on which to build a personalised message.
In a typical phishing attack, an email or message containing a link to the phishing site is sent to the victims (usually by mass mailing). The data entered on the phishing site can be used by criminals as they see fit – for example, to get into the real online bank account of an unsuspecting person who entered the ‘online bank’ via the phishing site.
The number of phishing emails and messages is growing all over the world, and more and more of them arriving in our inboxes are targeting specifically people in Estonia. Technology companies, email service providers and national cybersecurity authorities are doing their best to work together to protect citizens, but technology can only do so much. To avoid unfortunate consequences, it is important that people would also be able to recognise threats and act correctly.
Phishing emails, text messages, posts, and advertisements
The purpose of the phishing emails, text messages, posts, and advertisements (hereafter referred to generally as ‘phishing’) is to direct the victim to a phishing site and trick them into entering their details. The main means of distribution of phishing messages is through emails and text messages, but links to phishing sites are also embedded in advertisements and social media posts or sent through messaging apps.
As a user can receive phishing links in many different ways, it is wise to learn the general characteristics of phishing, so that you can also recognise a phishing attempt in a new channel that criminals have adopted.
Usually, the attacker will try to impersonate a company, a service provider, or even a public authority in their phishing attempt. The message usually contains some reference to the organisation’s activities and a web address (which can also be in the form of a tiny URL or a QR code) which, when clicked, directs the victim to a phishing site.
The phishing message is usually phrased in such a way as to cause the user to become anxious, fearful, interested, or greedy (i.e. to put the victim in an emotional state where rational thought is impeded), so that they would click before thinking about it rationally. For example, the message indicates that suspicious activity is taking place on the bank account of the user and that they must quickly log in to their account via the link to stop it. In this case, the user will fear for their money and react immediately.
The main difference between text message and email phishing scams is that email scammers have more opportunities to convince the victim that the scam email is legitimate. For example, scammers can use the exact same design in the email as the company they are impersonating (use the company logo, etc.). In addition, they are able to create email addresses that resemble the legitimate email addresses of the organisation.
How to recognise phishing?
Most of the phishing takes place via email or text message, but a user can also be tricked into entering the phishing site through other means. Below is a table showing the characteristics of phishing messages and emails, which generally apply to other forms of messaging as well (e.g. advertising or direct mail).
Activity | Characteristics of text message phishing | Characteristics of phishing emails |
---|---|---|
Check the details of the sender of the message. Does the content of the message match the sender? | The text message may have come from a suspicious phone number. Please remember that it is also possible to spoof the sender’s name/number when sending text messages. | The email has not come from the official domain of the service provider. Reputable organisations send emails only from their own domains; for example, the address of a message from LHV should correspond to the sender (i.e. the sender is @lhv.ee and nothing else). If the email was allegedly sent by Swedbank but the address of the sender is blablabla@africa.com, for example, it is probably a phishing attempt. A phishing email can also be sent from an address very similar to the legitimate one, for example @Ihv.ee instead of @lhv.ee (where the lowercase L is replaced with a capital I). |
Are there any indications of psychological manipulation in the message? For example, does it try to make the recipient anxious, afraid, or interested? | The message may emphasise speed, curiosity, or fear. For example: we tried to deliver a parcel but failed. Please enter your new details now. | Phishing emails often try to convince you to act quickly and sign in or register. For example: someone is trying to log in to your account, or suspicious transfers are being made from your account. |
Is there a link in the message that you are expected to click? Please note! The web address of the phishing site can also be hidden behind a shortened (‘tiny’) URL or a QR code. Be particularly careful with these and use online tools for expanding shortened URLs. | The text message asks you to click on a suspicious web link whose address does not correspond to the real website of the institution. The web address can be very similar to the real one, for example www.Ihv.ee instead of www.lhv.ee (where the lowercase L is replaced with a capital I). | The email asks you to click on a suspicious link whose address does not match the website of the institution that supposedly sent the email. The web address can be very similar to the real one, for example www.Ihv.ee instead of www.lhv.ee (where the lowercase L is replaced with a capital I). |
What should I do if I receive a phishing email or message?
Do not open the links in the phishing message
The links added to the phishing email lead to a scam page, which can be used for phishing for data as well as spreading malware.
If in doubt about whether the message is a phishing attempt or it is legitimate, contact the organisation that supposedly sent the email directly and ask. Use the official contact details of the organisation for contacting them. You can find them on their website or by using a search engine – contact details in a suspicious email or message could belong to scammers!
Delete the message/email
Delete the message from your device to avoid accidental clicks.
Inform others
If you suspect that you are dealing with a phishing email or message, forward it to CERT-EE by emailing cert@cert.ee. CERT-EE works 24/7 and they will definitely let you know at the earliest opportunity whether or not the message is a phishing attempt. In the case of a phishing email, the specialists of CERT-EE will take the necessary steps to ensure that the phishing email is deleted from cyberspace and no one else falls victim to it.
Examples of phishing messages and emails
Text message phishing

Warning signs:
- The first thing you notice about the message is that it did not come from an Estonian phone number (begins with +33).
- Secondly, a web link in the message with an incorrect web address points to a scam. The URLs of Omniva should end with ‘omniva.ee’, not ‘.com’.
Phishing emails
Here are three phishing emails mimicking Swedbank. The emails claim that the victim’s bank account has been used to make suspicious transfers or an attempt has been made to log in from an unknown device.

Warning signs:
- The name of the sender is Swedbank, but the email address is different. Emails from Swedbank should have the official ending ‘@swedbank.ee’, ‘@swedbank.com’, etc.
- The scammers take advantage of people’s fear that their money has been stolen and try to direct the victim to log into their online bank quickly to stop the ‘suspicious transfer’ mentioned in the email. Because of this manipulation, the user does not notice obvious signs of deception.
- The emails contain blue web links that you are asked to click. Although the URL itself is not shown, you can see where the link will take you by hovering your mouse over it (without clicking). Please note! Do not click on the link.
Phishing through a Facebook post

This phishing post mimics the Ministry of Education and Research and people are enticed with free courses and scholarships.
Warning signs:
- The message is posted by ‘Your Benefit E’ and it is a sponsored post.
- The message offers free courses plus scholarships, or in other words, it is playing on the desire of people to get something for less or for free.
- There is no Ministry of Education in Estonia, there is a Ministry of Education and Research.
- You are invited to click on the link ‘VIEW COURSES’, the content of which is not visible in the image, but it is not on the website of the Ministry of Education and Research at hm.ee.
Phishing through Google advertising

This phishing attempt is trying to redirect people looking for LHV on Google to a scam page.
Warning signs:
- The first result of a search for the name of the organisation is an advertisement, or a sponsored post, rather than a regular website with the organisation’s name.
- The domain name in the web link has no connection to LHV.
Phishing sites
Generally speaking, a person will not reach a phishing site independently and by accident. Most of the time, we frequent websites we intended to visit – we go to a news portal to read the news, the website of a bank to manage our finances, and we know the correct email address for reading our emails. Usually, we only land on phishing sites through links that reach us via emails and text messages, but it can also happen through advertisements, social media posts, or comments.
If you have clicked on a link in a phishing email, message, or post, you will be redirected to a phishing site. The purpose of the phishing site is to convince the victim to enter their details (user account credentials, card details, etc.) or to enter an ‘internet bank’ so that the scammers could use the details to enter the actual website or make credit card payments.
Phishing sites are generated by automated tools based on the code of legitimate websites, and therefore, their design and content are usually extremely similar to the actual website.
How to recognise a phishing site?
- Make sure that the web address is correct character by character (omniva.ee vs omnivaaa.ee or 0mniva.eu). Please note that the address bar of the web browser in your smart device is usually hidden when you are viewing a page – make a conscious effort to check the web address.
- To verify a web address, find the first slash after the ‘https://’ part and read the host name to its left from right to left, not just from left to right as usual; the rightmost two labels name the site you are actually on:
  - For example, in the case of the web address ‘https://www.eesti.ee/’ we can see that we are dealing with the eesti.ee domain, which is correct.
  - In the case of the address ‘omniva.ee.popsi7.com/index.php’ you can see that it is not Omniva, but ‘popsi7.com’ instead.
  - The address is sometimes followed by the path to a specific page, e.g. the autumn campaign page ‘https://www.bank.ee/autumncampaign’. In this case, it is the bank’s own page, as the part before the first / (after the ‘https://’ part) ends in ‘bank.ee’.
  - When reading from the left, the subdomains are displayed first; for example ‘mail.google.com’ refers to Gmail, Google’s email service, and ‘www.eesti.ee’ refers to a website (World Wide Web).
- In summary:

- When in doubt, open a search engine in another window and enter the name of the brand or environment you want. In search engines, the official homepage of the actual brand will be displayed among the first results (make sure you are not looking at a sponsored search result).
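The address-reading rules above, and the sender-domain check from the table earlier on this page, can be written down as a small checker. This is an added example and not code from IT-vaatlik; it assumes the site is named by the last two labels of the host (a simplification that ignores public-suffix rules such as ‘.co.uk’), and all sample addresses are either taken from this page or constructed here.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase host of a URL or a bare address.

    Links copied from messages often lack a scheme
    ('omniva.ee.popsi7.com/index.php'); urlsplit would then treat the
    whole string as a path, so 'http://' is prepended in that case.
    Anything after '@' in the authority (user info) is dropped by
    urlsplit, so 'http://omniva.ee@popsi7.com/' still yields popsi7.com.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.strip(".").lower()


def registrable_domain(host: str) -> str:
    """Read the host from the right: the last two labels name the site.

    Assumption of this example: no Public Suffix List lookup, so
    'mail.google.com' -> 'google.com' works, but 'x.co.uk' would not.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_matches(url: str, expected_domain: str) -> bool:
    """True only if the link really belongs to the expected site.

    Lookalikes such as 'www.Ihv.ee' (capital I for lowercase L) or
    '0mniva.eu' are not equal to the expected domain, so they fail.
    """
    return registrable_domain(host_of(url)) == expected_domain.lower()


def sender_matches(address: str, expected_domain: str) -> bool:
    """Same check for the domain after '@' in a visible sender address.

    This only checks the address as displayed; the page notes that the
    display name (and, for SMS, the number) can be spoofed separately.
    """
    if address.count("@") != 1:
        return False
    domain = address.split("@")[1].strip().lower()
    return registrable_domain(domain) == expected_domain.lower()


if __name__ == "__main__":
    # Constructed demo: one legitimate and one lookalike link per line.
    for link in ("https://www.bank.ee/autumncampaign", "omniva.ee.popsi7.com/index.php"):
        print(link, "->", registrable_domain(host_of(link)))
```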
What should I do after ending up on a phishing site?
Close the page and check your device for viruses
If you have accidentally landed on a phishing site but have not entered your details yet, close the page and check your device for possible malware infection just in case.
Notify security specialists
Notify CERT-EE about the message, email, or social media page that directed you to a phishing site by emailing cert@cert.ee. In the case of a phishing email, the CERT-EE specialists will take the necessary steps to delete the phishing site so that no one else falls victim to it.
What should I do after entering my details on a phishing site?
Once you have entered your data on a phishing site, the next steps depend on the type of the ‘copied page’ and the data you disclosed:
Contact the bank
In case of accessing a fake bank account, contact your bank immediately via contact details on the official website.
Close the card
If you entered bank card details (both debit and credit) on a phishing site, contact the bank and close the card immediately.
Change passwords and log out of devices
In case of accounts for services that are important to you (email, social media, Microsoft, Apple, and other essential services), try logging in to the service through the official channel, change your password immediately, log off all devices, and set up two-factor authentication.
If you can no longer access your account, start the account recovery procedure.
Close your user account
In case of an account for a non-essential service: try to log in and delete the account. Your hijacked and abandoned accounts can be used for attacking your family and friends.
Inform others
Notify CERT-EE about the phishing site, email, or text message by emailing cert@cert.ee. In the case of a phishing email, the specialists of CERT-EE will take the necessary steps to ensure that the phishing email is deleted from cyberspace and no one else falls victim to it.
Examples of phishing sites
All phishing sites can be identified by their odd web addresses. Real websites that are being imitated are also shown for comparison.
Phishing sites mimicking the login page of the LHV bank


A phishing site mimicking the parcel tracking page of Omniva

A phishing site mimicking the login page of MS Outlook
