In the real world, the mafia is ruled overwhelmingly by the godfathers. Phishing and Vishing are such godfathers in the world of cybercrime. Nobody can match them in the range and momentum with which they operate. Malware and Ransomware are their ruthless soldiers, blindly following orders. On the orders of the bosses, they fight wherever they can. Without the approval of Phishing and Vishing, most digital crimes would not have been successful. So why, knowing who these most powerful figures in the world of cybercrime are, have we so far failed to limit their influence? Is it because we know who their victims are? First things first.
Each of us is the greatest asset, the most valuable asset, of companies, corporations and institutions. Yes, we are their key assets: we, their clients. At least that's what they tell us when advertising their products and services. But are you sure that's the truth? We use utilities (gas, electricity, water, television, internet, telephony) and services provided by institutions (banks, insurance companies), corporations (postal and courier services), and offices (patent office, tax office, social security office, etc.). We sign contracts. We promise to fulfill our duties with due diligence. We pay for the purchased services and goods. This is our responsibility as a customer, isn't it? If we do not comply with the contracts we are party to, we are threatened with various types of sanctions, which cover most of the text of the contracts that bind us. The tariffs of fees and commissions are also constructed in a way that is not so friendly to us. We pay for goods and services on the basis of the invoices and bills we get.
What shall we do if Phishing and Vishing imitate our supplier? Why are we still held responsible for the fact that our supplier has let Phishing and Vishing cheat us? Do suppliers protect us against Phishing's and Vishing's attacks, and how do they do that? They mostly run social awareness campaigns and post warnings on their websites. Cool. We can feel safe right away. Anyway, the ineffectiveness of these security measures is such that it is not surprising that, according to research conducted at the Warsaw School of Economics, only 4% of bank customers read the warnings posted on banking websites.
Campaigns and warnings suggest that in order to verify the sender of a message it is enough to carefully check the address from which we received the message (we know that this "security measure" is easy to get around), or to check whether the data (e.g. personal data) in the invoice attached to the message concern us and whether the attached file is in a safe PDF format. Or, we just have to click the link in the message to go to the supplier's website to log in. Are these really all the possible security measures that protect us? Unfortunately, following the above advice may lead us, in many cases, to something we did not necessarily expect. We are cheated. We are misled by Phishing and Vishing.
Phishing knows how to do this. So, are these the only possible guidelines for message validation? We often hear that they are effective. Then why do our suppliers organize internal cybersecurity training for their employees? Not that we have a problem with them training their own employees. Praise them for that. But the question arises whether the employees of our esteemed suppliers are not able to understand the message that is also directed at us, the customers. Do they need a special explanation and knowledge of defense methods against cyber attacks? Is there really any logic connecting the social campaigns targeting the masses and the special actions of suppliers towards their employees? Unfortunately, it is not about logic here, but about the fact that the actions undertaken by the suppliers are mostly aimed at ensuring the security of their own organizations. And Phishing and Vishing know very well how we are secured by our suppliers, and that is why we still may lose our data, savings, dreams and memories (photos, videos). Yes, mostly the individual customers of companies, corporations, institutions and offices are the anonymous victims of Phishing's and Vishing's attacks.
Is this supposed to be the way things are? Or maybe it is time to apply new solutions that increase our chances in the fight against Phishing and Vishing? Wouldn't it be safer if each of us received messages from suppliers containing a personalized eMARKER, known only to each of us individually? There would be as many eMARKERs as there are clients (of a single supplier). Could Phishing guess our eMARKERs? Wouldn't it be safer if a consultant's phone call were announced in advance with a message stating the intention to call, and that message were also secured with an eMARKER? Would Vishing be able to find all the eMARKERs?
Would the eMARKER, if used and personalized by each of us to secure communication with our suppliers of goods and services, defeat Phishing and Vishing? We will be able to find out when, in accordance with the planned NIS2 EU directive, the entities listed in the directive are required to apply appropriate security measures to protect communication with us. Most likely, our suppliers will have until the end of 2022 to implement measures to comply with the provisions of the NIS2 directive. Shall we wait that long? Maybe not, if one of your suppliers defeats cybercriminals in cooperation with eMARKER and offers you greater security of electronic communication. So that we will not hear again that "you shouldn't have clicked that link/file" or "you should have hung up".