Step 1: The bait
The scammer crafts a message that looks like a legitimate one from a major bank or service. Using sender-spoofing techniques (for example, a forged From address), the message is sent to a large number of recipients in the hope that some of them will take the bait and fall for the scam.
In spear phishing and whaling attacks, the scammer first gathers details about the targeted individual or company, for example by harvesting information from social media profiles, company websites and other online activity, and uses it to craft a customized message.
In vishing attacks, the scammer might use a computerized autodialer (robocall) to deliver the fraudulent message to many victims.
Step 2: The hook
The victim believes the message comes from a trusted source, and its content entices them to take urgent action, e.g. to resolve a problem with their account.
If the victim clicks the link in the message, they are redirected to the scammer's fake version of the real website. Any sensitive information the victim enters there (e.g. login credentials) is sent to the scammer.
If the victim opens an infected attachment, malicious code may execute and infect their device.
In a vishing attack, if the victim responds by pressing a number from the options offered, they may be connected directly to the scammer.
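The sender spoofing described in Step 1 and the deceptive link in Step 2 leave signals that a mail filter can check before the victim ever sees the message. The following Python script is an added example, not code from the original article: it compares the From domain with the Return-Path (envelope sender) domain, and it flags links whose visible text shows one domain while the href points to another, or that lead off the sender's own domain. Both sample messages, their addresses, domains and URLs are constructed for illustration, and the "last two labels" domain comparison is a simplification standing in for a Public Suffix List lookup.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for this example; the addresses, domains and
# URLs are made up and do not refer to any real organisation.
PHISHING_EMAIL = b"""Return-Path: <bounce@mail-examplebank-secure.com>
From: Example Bank <alerts@examplebank.com>
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. Please visit
<a href="http://examplebank.com.login-verify.net/session">https://www.examplebank.com/login</a>
to restore access.</p></body></html>
"""

CLEAN_EMAIL = b"""Return-Path: <bounce@examplebank.com>
From: Example Bank <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.examplebank.com/login">Sign in</a> to view it.</p></body></html>
"""

# Link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


def registered_domain(host: str) -> str:
    """Approximate the registrable domain with the last two labels.
    Assumption: a real filter would consult the Public Suffix List so that
    e.g. 'example.co.uk' is handled correctly; this keeps the example offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value) -> str:
    """Domain part of the address in a From/Return-Path style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Step 1 signal: the visible From domain should match the envelope sender.
    from_dom = address_domain(msg["From"])
    rp_dom = address_domain(msg["Return-Path"])
    if rp_dom and registered_domain(rp_dom) != registered_domain(from_dom):
        findings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")

    # Step 2 signal: link text that looks like a URL but points elsewhere,
    # or any link leading off the sender's own domain.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    parser.close()
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if URL_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            text_host = urlparse(shown).hostname or ""
            if registered_domain(text_host) != registered_domain(href_host):
                findings.append(f"deceptive link: text shows {text_host}, href goes to {href_host}")
                continue
        if from_dom and registered_domain(href_host) != registered_domain(from_dom):
            findings.append(f"off-brand link: {href_host} does not belong to {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw) or ["no findings"])
```

Run stand-alone, the script reports a sender mismatch and a deceptive link for the constructed phishing message and nothing for the clean one. The Return-Path comparison is a cheap stand-in for a full SPF/DKIM/DMARC evaluation, which is what a production gateway would use to decide whether the From domain is actually authorised to send the message.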
Step 3: The attack
Credentials stolen—The scammer can now access the victim's account, e.g. an email account that is then used to send more phishing emails to the victim's contacts. If the victim is an IT professional with privileged access, the scammer may gain access to sensitive corporate data or critical systems.
Malware installed—The scammer can use the malicious software to take control of the victim's device, steal their data, or lock them out of their files until a ransom is paid (as in ransomware attacks). Over the past 15 years, ransomware has become one of the most common types of cybercrime.