Search engine phishing is a type of cyberattack where fraudsters manipulate search engine results to promote fake or malicious websites. These sites (which appear to represent actual businesses or services) are created to steal the victim’s sensitive data.
Search engine phishing is also known as SEO poisoning and takes advantage of our tendency to view search engines as a dependable source of accurate and trustworthy information.
Here’s a step-by-step process that explains how search engine phishing works in practice.
In step one, a cybercriminal creates a fake website that mimics an authentic site. To make the site look as convincing as possible, the criminal also incorporates the authentic site’s layout and branding.
Common targets include banks, tech support services and eCommerce platforms.
Next, criminals promote the site to have it appear at the top of the search results. The site must appear in a prominent position for the scam to be effective as just 0.63% of users venture onto the second page of Google’s search results.
Sites may be promoted in several ways:
Users search for a service such as online banking or tech support and enter keywords as usual. Since the use of search engines has become so habitual, many users never question the safety of the information they provide.
Users then click on the fraudulent link and expect to be directed to the legitimate site.
Instead, however, they land on the fake site where their login credentials and other personal information are stolen. In the example above, Bank of America customers are prompted to enter their usernames and passwords on a fake login page.
Other scams may involve malware. In 2022, bad actors tricked users into downloading a free productivity app infected with malware called Batloader. The malware was extremely difficult to detect and was later used to infect systems with ransomware and obtain privileged access to target organisations.
It’s also worth noting that once a user clicks on a compromised search result, they may subject themselves to other types of phishing attacks. These include clone phishing, spear phishing, smishing and pharming – where users are directed to malicious sites even after entering the correct URL.
The victim’s information is then collected and used to commit fraud, identity theft or subsequent phishing attacks. Data may also be sold on the dark web.
In the aftermath of search engine phishing, criminals may redirect the victim to the real website to avoid suspicion that an attack has taken place.
Spotting search engine scams can be tricky, but here are three common telltale signs.
Offers that seem too good to be true are typically seen in eCommerce.
Examples of such offers include:
We noted earlier that unusual URLs are used to promote search engine scams. They’re also one of the most definitive signs of search engine phishing.
So what constitutes an unusual URL?
Most are variations of the legitimate business’s address that criminals hope are subtle enough to avoid detection.
Variations include:
Unusual URLs can be extremely effective.
Over the space of 3 months in 2021, Chase Bank became the sixth most spoofed brand in the USA after phishing URLs impersonating the bank rose 300%. Behind the rise were so-called “phishing kits” that criminals buy, sell and use to create their attacks.
Fake websites tend to share several telltale characteristics, some obvious and some less so.
These include:
Mitigating search engine phishing requires both proactive and reactive measures.
To start, companies can monitor search engine results for any fraudulent sites mimicking their brand and notify authorities. This may include the Australian Cyber Security Centre (ACSC), Scamwatch and the search engine itself.
If a user lands on a suspected phishing site, it is crucial they click away immediately and notify the relevant financial institution(s) if any payment information was entered.
Multi-factor authentication (MFA) should also be enabled by default for key accounts.
With the explosion in popularity of remote work, browsers have become a popular means of attack for fraudsters.
According to LastPass, 62% of employees use unmanaged devices, which makes safe browsing habits a key line of defence.
Tools like Google Safe Browsing warn employees when they attempt to visit malicious sites or download dangerous files.
Firms that desire an advanced level of security can also opt for:
Password managers can also be an effective defence. A little-known benefit of these tools is that they won’t autofill a user’s login credentials if the website address does not match one already stored.
Education and awareness campaigns for both customers and employees are critical.
Companies can teach users how to recognise phishing sites and stress the importance of verifying URLs, suspicious links and the presence of an HTTPS connection, among many other measures.
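The unusual-URL checks described above, together with the exact-match rule that keeps a password manager from autofilling on a lookalike site, can be expressed as a small classifier. This is an added example, not code from the article or from Eftsure; the brand allowlist and test URLs are constructed, and the two-label "registrable domain" heuristic is an assumption that stands in for a real public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of brand domains (stand-in for a password manager's stored sites).
KNOWN_BRANDS = ("bankofamerica.com", "chase.com")


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so
    multi-label suffixes such as .com.au are not handled here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as 'chsae' for 'chase'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reasons): 'known' only on an exact registrable-domain match,
    which is the same rule a password manager applies before autofilling."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("no-https")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("non-ascii-or-punycode-host")  # possible homoglyph domain
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return "known", reasons
    verdict = "unknown"
    tokens = re.split(r"[.-]", host)  # labels and hyphen-separated words
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in tokens:  # brand name used as a subdomain or hyphenated word
            reasons.append("embeds-brand:" + brand)
            verdict = "lookalike"
        elif edit_distance(domain.split(".")[0], name) <= 2:
            reasons.append("typosquat-of:" + brand)
            verdict = "lookalike"
    return verdict, reasons
```

A "lookalike" verdict is a signal for a warning banner or a block, not proof of fraud; an HTTPS padlock on its own says nothing about which organisation is behind the site.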
If in doubt, it may also be useful to:
Summary: