PHISHING

2025.03.21.

Today, in a world of online commerce and the rapid rise of artificial intelligence, internet users are increasingly at risk. In recent years, more and more stories have come to light of bona fide and completely innocent people falling victim to a wide variety of web scams, attacks and hoaxes, leaving serious and deep scars on the victims' digital lives.

There are countless types of these scams, but we believe it is of the utmost importance to raise awareness of the different forms of deception in cyberspace and the dangers they pose. In this article we focus on online fraud under its generic term: phishing.

 

PHISHING - WHAT IS IT?

Phishing is a form of online fraud that aims to steal sensitive information from a target, such as passwords or banking details (most commonly bank account and credit card details), which the phisher then uses for fraudulent transactions or sells on to other criminals.

With the development of computer technology, phishing has taken many forms. The types differ in what is attacked, what is sought from the would-be victim and how the request is delivered. Recognising these types by their characteristics is essential for proper protection.

 

TYPES OF PHISHING - WHAT TO LOOK OUT FOR?

The most common and most recognisable type is email phishing. It has been around since the 1990s and can be considered the first manifestation of phishing. The attack takes the form of an email to the targeted person, crafted so that the fraudster obtains their personal data. The content is hard to categorise, as the pretext and the data requested differ from one email to the next; no two emails are the same. A frequent pretext is that an account linked to the recipient's email address has been compromised and urgent action is needed to recover it. A notable feature is that the email usually contains a link which, when clicked, takes the user to another website, sometimes deceptively well designed, sometimes suspiciously odd looking, where the user is asked to enter their details. The wording is often unsophisticated: the sentences are full of grammatical errors, such as misplaced commas, and the text does not read like natural Hungarian but like another language sloppily translated into Hungarian word for word. Fluent wording alone is no proof of authenticity, however; the destination of the link should be checked regardless of how the email reads.

Spear phishing is another type worth mentioning. Its targets are not usually random individuals but specific groups and organisations that handle small or large financial processes, or the senior managers responsible for those processes. Companies, banks and NGOs are among the main targets, so it is of the utmost importance for these organisations to be alert to such attacks. A common tactic is the personalised attack: phishing operators collect personal information about the target in advance, mainly relating to the victim's private life, and use it to blackmail the victim. Blackmail is most often directed at a senior person in a company and can be threatening, manipulative or misleading.

Whaling is a more targeted version of the attack described above. As the name suggests, its targets are the "big whales", metaphorically speaking: people with particular and wide influence. These are typically CEOs of multinational companies and celebrities, but over time the targeting has broadened to politicians, inventors, influencers and models. The methodology is no different, with whalers using the same impersonation and blackmail techniques. The form of the attack, however, is designed to command the target's attention as much as possible, since such people filter the emails and messages addressed to them carefully. It may be a fake court summons, for example, or even a forged order to wind up the person's company. Legal pretexts are particularly common in whaling, because a legal issue is psychologically the surest way to get a senior executive's attention.

The next type is the voice-based attack or phone fraud ("vishing", from "voice" and "phishing"). The aim is again to extract personal or sensitive data, but this time over a phone call. The scammer's main aim is to deceive the victim as effectively as possible: in every case the caller lies about their identity and tries to convince the target that it is in the target's own interest to disclose the data voluntarily. The caller often poses as an administrator of the very organisation (bank, telecom company, mobile operator) of which the victim is a customer, having researched this in advance. A typical script is a call purporting to come from the bank, claiming that the customer's account details have been leaked and that further details must be provided to stop the suspected fraud. Another is a call from a withheld number, presented as a sign of seriousness and authenticity, in which the caller claims to be holding a relative and demands a substantial sum for their release. The victims are usually elderly people, whom the fraudsters consider the least familiar with new technology and the most emotionally vulnerable, especially where family members are concerned. Withholding the caller ID also makes the phisher harder to trace, whether the attempt succeeds or fails, helping them avoid detection and prosecution. The psychological manipulation and emotional blackmail described above are equally present here, but there are also methods specific to this type of fraud. One is caller ID spoofing, in which the caller presents the publicly listed phone number of an institution, so that the victim's phone displays a number that appears legitimate; the displayed number is therefore not proof of who is calling. Another is wardialing, the automated dialling of large blocks of phone numbers to find live targets. Phone scams are also present on messaging platforms such as WhatsApp or Viber. When signing up to such platforms, bear in mind that your phone number is stored in the platform's database and could become available to fraudsters in the event of a major data leak.

Smishing, or SMS-based phishing, takes the form of text messages from the phisher to the data owner. The name combines "SMS" and "phishing". It is essentially identical to email phishing; the only difference is the channel. Fraudsters often imitate services that normally notify users by SMS: a confirmation of an online order, a notice that the recipient has won a prize draw, or a message containing a confirmation link to register an account.

 

LEGAL SOLUTIONS - WHAT CAN WE DO, WHO CAN WE CONTACT?

Before we turn to the remedies for phishing, it is important to clarify which laws currently in force in Hungary are applicable.

The treatment of phishing as a criminal offence rests primarily on the Criminal Code (Act C of 2012, Btk.). Article 375 of the Criminal Code (fraud committed using an information system) provides: "whoever, for the purpose of unlawful gain, enters data into an information system, alters, deletes or renders inaccessible the data processed therein, or interferes with the operation of the information system by performing any other operation, and thereby causes damage, shall be punished for the offence by imprisonment for up to three years."

Among the offences against information systems, Article 423 of the Criminal Code (breach of an information system or data) provides: "whoever enters an information system without authorisation by violating or circumventing technical measures for the protection of the information system, or remains in the information system in excess of the limits of his access authorisation or in violation of the same, shall be punished for a misdemeanour by imprisonment of up to two years." In addition, Article 219 penalises the misuse of personal data, which is also applicable to phishing attacks.

The European Union's General Data Protection Regulation (GDPR) is also relevant, as it sets strict requirements for data controllers and processors. The provision of relevance to phishing is Article 32(1), which sets out the security obligations of controllers and processors and, in summary, requires that the controller and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

This means that companies must put in place safeguards proportionate to the risk, including measures against phishing; if they fail to do so, they may face heavy fines and other sanctions.

In the light of these legal provisions, we can now turn to the legal options and tools that can be used to remedy the problems posed by phishing:

Report the fraud immediately. A victim of phishing should report the case to the authorities without delay. In Hungary a criminal complaint can be filed with the police at any police station, and cyber incidents can also be reported to the National Cyber Security Institute (Nemzeti Kibervédelmi Intézet, NKI).

If banking data has been compromised, the bank or financial institution concerned should be contacted immediately. Most banks offer the possibility of temporarily blocking the card or account to minimise further damage.

If security measures have not already been taken, take them now. Changing the passwords of the affected accounts immediately, enabling two-factor authentication (2FA) and running an anti-virus scan on the devices used are essential steps to limit the damage. They are worth doing even if no damage has yet occurred, as they also serve as prevention.

Victims can also pursue their claims through civil action. If the fraud has resulted in financial loss, a claim for compensation can be made against the perpetrator, if he or she can be identified. In some cases, the service providers involved in a phishing attack may also be liable if they have failed to ensure adequate protection measures.

There is also the possibility of involving various authorities and experts. Data breaches can be investigated by the National Authority for Data Protection and Freedom of Information (NAIH), which can be contacted with a complaint if our personal data has fallen into unauthorised hands. In addition, the assistance of an experienced IT security professional or a lawyer can help to deal with the situation.

Our law firm regularly deals with cases where bona fide individuals have been victims of phishing fraud. Our young and talented lawyers provide expert support and advice on data protection law issues and legal solutions to cyber-attacks. If you have been harmed by phishing, feel free to contact our experienced lawyers who will be happy to assist you in pursuing effective legal action.

 

INSIGHT - PHISHING ON VINTED

Phishing is not only affecting banking services or social media, but is also increasingly occurring on online marketplaces. One recent target is Vinted, which is particularly attractive to fraudsters because of its popularity.

Vinted is an increasingly popular online marketplace where individuals can sell and buy clothes, shoes and accessories. Recently, however, an increasing number of users have reported falling victim to phishing scams on the platform. Fraudsters use sophisticated methods to obtain unsuspecting users' personal and banking details, often by sending fake payment links or by sending messages that appear to be official in order to trick them into giving their details.

One of the most common methods is to send a message to the seller claiming that the purchase price has already been paid, but that they need to provide their bank details on an external site to release the funds. In other cases, buyers are tricked by being directed to a fake Vinted site where they have to save their bank card details to make the supposed payment. These sites are often perfect copies of the official platform, making it difficult to spot the scam at first glance.

To avoid this kind of fraud, it is worth following some basic precautions, which have already been touched on in the previous paragraphs:

1. Only make payments and communicate within the official Vinted platform. If someone sends you an external link to make a payment, it is likely to be fraudulent.

2. Check the URL. Fake sites often have a small discrepancy in the address (e.g. "vinted-secure.com" instead of the official "vinted.com").

3. Do not share personal or banking details in messages or on external pages. Vinted never asks users for these.

4. Watch out for suspiciously cheap offers and over-eager buyers. If someone wants to buy immediately without any questions, or offers an unrealistically high price for an item, be wary.
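The URL check in point 2 (and the link check recommended for email phishing earlier in the article) is easy to get wrong by eye, because a fraudulent link can contain the genuine brand name in several misleading positions. The following is an added example, not code from the original post or from Vinted, showing how to do the check mechanically: it takes vinted.com as the official domain (as point 2 does; a real deployment would load every legitimate domain of the service), parses the link, normalises Unicode lookalike hostnames to their xn-- form, rejects userinfo tricks and plain http, and accepts only the official domain or its subdomains. The sample links are constructed for the demonstration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Allow-list for the example. Point 2 above names vinted.com as the official
# domain; assumption: this single entry is enough to illustrate the check.
OFFICIAL_DOMAINS = ("vinted.com",)


def normalise_host(host: Optional[str]) -> Optional[str]:
    """Lower-case a hostname and convert Unicode labels to their xn-- (IDNA)
    form, so a homoglyph such as Cyrillic 'і' in 'vіnted.com' is compared as
    the name a browser would actually resolve. Returns None if unusable."""
    if not host:
        return None
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return ascii_host.lower().rstrip(".")


def is_official_host(host: str) -> bool:
    """True only for an official domain or a subdomain of one.
    'vinted-secure.com' and 'vinted.com.evil.example' both fail: neither
    equals vinted.com nor ends with '.vinted.com'."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_payment_link(url: str) -> Tuple[bool, str]:
    """Classify a link pasted into a chat. Returns (looks_official, reason)."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # chat links are often pasted without a scheme
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparsable URL"
    host = normalise_host(parts.hostname)  # .hostname strips userinfo and port
    if host is None:
        return False, "no usable host in URL"
    if parts.scheme != "https":
        return False, "not https (scheme=%s)" % parts.scheme
    if parts.username is not None:
        # "https://vinted.com@evil.example/" shows vinted.com first, but the
        # part before '@' is a username; the real host is what follows it.
        return False, "userinfo before '@'; the real host is " + host
    if not is_official_host(host):
        return False, "host %s is not %s or a subdomain of it" % (host, OFFICIAL_DOMAINS[0])
    return True, "host %s is on the official domain" % host


# Constructed sample links for the demonstration (not real phishing URLs).
SAMPLE_LINKS = [
    "https://www.vinted.com/items/123",                # official subdomain
    "https://vinted-secure.com/release-funds",         # lookalike from point 2
    "https://vinted.com.payout-verify.example/",       # brand name as a subdomain of another domain
    "https://vinted.com@payout-verify.example/login",  # userinfo trick
    "http://vinted.com/pay",                           # right host, plain http
    "https://v\u0456nted.com/pay",                     # Cyrillic і (U+0456) homoglyph
]


def audit(links=SAMPLE_LINKS):
    """Return {url: (looks_official, reason)} for every link."""
    return {u: check_payment_link(u) for u in links}


if __name__ == "__main__":
    for u, (ok, why) in audit().items():
        print("%-50s %s: %s" % (u, "OK" if ok else "SUSPICIOUS", why))
```

Of the six sample links only the first passes. The comparison is done on the normalised hostname rather than on the raw string, because that is what the browser resolves: a homoglyph domain becomes an xn-- name that plainly is not vinted.com, and the text before an '@' is discarded as userinfo, exactly as the browser discards it.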

 

CONCLUSION

Phishing is one of the most pervasive and dangerous online threats in the modern world, constantly evolving and using increasingly sophisticated methods to target unsuspecting users. Awareness and compliance with basic cybersecurity measures are essential to avoid these traps.

Whether it is email, phone or another type of phishing, the best defence is always prevention. Ignoring suspicious messages from unknown senders, protecting our identities and banking details, and using two-factor authentication can significantly reduce the risks. If you do become a victim, do not hesitate to report the incident immediately to the authorities and the service providers involved, or to take legal action.

Legal protection is key in the fight against phishing. If you ever feel that you have been a victim, do not hesitate to seek legal help. Our law firm will help you every step of the way to protect your rights and get the compensation you deserve.

In a world of digitalisation, cybersecurity is no longer just a technical issue, it is a shared responsibility. With a little care and caution, we can make a big contribution to protecting our data and the data of others. 

Author: Csanád Répássy (JTK&Partners, Jámbor Tóth Kolláth & Partners)
