Common denominator of practicing cybercriminals vishing, smishing And phishing it is the will to obtain the personal data of the victims in order to be able to use them to steal money.
Vishing: the scam on the phone!
Through this type of scam, data and credit cards are stolen from thousands of customers.
But what are we talking about? Vishing comes from the union of two English words, voice (voice) and phishing (scam) and scam attempts take place through telephone where they ask us for personal and protected data.
How does vishing work?
Imaginary call centers of our hypothetical credit institution warn us that one of our credit cards has been the object of a scam or an attempted scam. Therefore, the fraudulent telephone operator asks us for various personal information, such as the card pin to try to protect the victim's data and verify any suspicious withdrawals.
The voice call creates a sense of urgency for the user who, for this reason, is induced to provide confidential information.
Moreover, the victims are also led to believe that it is their own institution precisely by the fact that the caller knows the number of the card that they say they want to check. Number that, through sophisticated social engineering techniques, has already been stolen by criminals.
Other times they exasperate us by offering us super advantageous contracts, leveraging savings, when in reality these are very expensive contracts (the additional costs are never reported to us).
Other times, again, they activate contracts by stealing consent without our knowledge.
Unfortunately, it has also happened that important telephone companies have entrusted mandates to "third party" companies in order to falsify contracts.
This occurs in a very subtle way: the scammer on the phone asks the customer a few simple questions (usually personal questions that require a "yes" answer, for example: am I talking to Mrs. Maria Furfaro?); in doing so, when the customer answers that fateful "yes", the telephone operator records it and uses it at a later time for stipulating the telephone contract.
To withdraw, the best way is to ask for a copy of the voice recording from the company that appears to have concluded the contract with us. If the company does not accept the request of the user who asks for a copy of the recording with which he placed a telephone order, he would be committing an offense and the Privacy Guarantor could be contacted to obtain satisfaction. Clearly, in the vast majority of cases, the company, knowing that it is wrong or not having that data recorded at all, can only accept the termination of the contract.
In other cases, with vishing they even go as far as identity theft.
But today a cyber attack also takes place through the 'smishing', or phishing that works Street sms.
The word smishing comes from the combination of "SMS", ie text messages that are sent via mobile phone, and "phishing", ie scam.
In this case, cybercriminals send messages that try to trick the recipient into opening a malware-laden attachment or opening a malicious link. Just like with emails.
Only this time the message will arrive on our smartphone and, perhaps, we will be asked, even with the promise of a discount or promotion, to contact a certain telephone number or connect to a certain site. It is almost always a clone site, similar to that of the bank.
The problem is that we're less wary on mobile, and while Apple's iOS mobile technology has a good reputation for security, there's no single mobile operating system that can protect itself against attacks like phishing.
Often, we use the cell phone while we're on the move and this is an additional risk factor: it's much easier to make mistakes when you're distracted!
Maybe we respond without thinking or download scam links to redeem non-existent vouchers.
The phishing what's this?
It is both a civil and a criminal offence. It consists of the fraudulent "social engineering" technique aimed at stealing personal and sensitive information such as personal data and passwords to act on online current accounts, credit card codes and so on.
Usually, via sending emails chain to a large number of unknown users containing messages, information and images formulated to influence the recipient's psychology, the victim is induced to connect to web pages that only appear to come from real entities, institutions or companies.
The recipient of the mail is urged to enter their credentials for access to restricted areas, especially home banking, by clicking on the links prepared ad hoc by the phisher himself, or redirected through the viruses that the phisher has infected on the victim's computer to alter the management of IP addresses, to a bogus web domain that will capture the bank access keys of the victim, providing for emptying his account.
From the point of view of the tort, the conduct of the phisher constitutes an extra-contractual liability which obliges the compensation of pecuniary and non-pecuniary damages caused to the victims.
There is, for example, the liability of the credit institution, which is obliged to pay compensation for the damages suffered by account holders, on the assumption of an inadequacy of the "security measures, technically suitable and known on the basis of technical progress" aimed at "avoiding withdrawals fraudulent (so-called phishing)” (Court of Palermo n. 81/2010; Court of Syracuse, 15.3.2012), or the liability of the telephone operator, on the assumption that, in terms of banking offenses committed through the network, the task of detecting any suspicious activity by promptly notifying the user (Court of Benevento, n. 1506/2009).
Furthermore, the civil liability of the phisher is accentuated by further multiple violations sanctioned by the "privacy" legislation.
In criminal matters, however, depending on the case, there may be the crime of fraud, unlawful processing of personal data, computer fraud, unauthorized access to a computer or telematic system, unlawful use of credit and payment cards, damage to information and IT or telematic systems, false declaration or attestation on the identity or personal qualities of one's own or others, impersonation, etc.
Given the absence of an organic discipline on the subject, one can rely on the protection offered by civil and criminal law and by special laws.
Alternatively, the user can also contact the Financial Banking Arbitrator (ABF), a body introduced by art. 128-bis of law 262/2005 ("Banking Law"), for the out-of-court settlement of disputes between customers, banks and other intermediaries concerning banking and financial transactions and services.
Recourse to the ABF obviously does not preclude access to ordinary civil proceedings, given that the decisions of the same are not binding.
However, whoever receives these e-mails and thinks he is a victim of phishing, in addition to not clicking on the links, must contact the postal police reporting the facts and indicating the header of the message received so as to activate all the necessary checks and take the appropriate measures.
I have already told you more about phishing in this article to which I refer you -> http://www.avvmariafurfaro.it/2019/05/01/cose-il-phishing-e-come-difendersi/
So what to do if we are victims?
As always, in these cases the Postal Police comes to the rescue, advising to "be wary of telephone numbers that we do not know and through which we have received requests regarding personal data, bank details or unlock codes".
However, as a general rule, we don't have to never provide access credentials to our online banking services. Indeed, in the event of such requests, we must immediately report it to the Postal Police, also to receive further advice, also specifying what data the criminals possess in order to be able to protect ourselves following possible scams.
Also, if it's vishing, we need to take note of the company that is calling and call back soon after, using the official channels (i.e. from the numbers on their website etc).
Of course, we must never open and download links that have been forwarded to us.