Phishing is a type of Internet fraud whose purpose is to gain access to confidential user data, such as logins and passwords. It is carried out by mass mailings of emails sent in the name of popular brands, as well as by private messages within various services, for example on behalf of banks or inside social networks. The message usually contains a direct link either to a site that is indistinguishable from the genuine one or to a website that redirects to such a site. Once the user lands on the fake page, the scammers use various psychological tricks to induce him or her to enter a login and password there. The attackers imitate the site the user intended to reach, and the captured credentials give them access to the user’s accounts, including bank accounts. Phishing is a form of social engineering that relies on users not knowing the basics of network security. In particular, many do not know a simple fact: legitimate services do not send emails asking for login credentials, passwords, or other sensitive data.
Phishing in Auditing
It is important to understand why phishing is dangerous for large enterprises and for audit processes. Consider, for example, an enterprise whose activities involve selling IT solutions and audit data (Xiong, Proctor, Yang, & Li, 2017). An employee holding a position in this company receives an email. The email contains a link to the website of a partner enterprise that already works with the organization, together with a plausible story about that partner.
The employee follows the link and arrives at a site that looks like the website the company works with. He or she then enters the username and password of the administrator account, and these credentials go straight to the attacker (Perrault, 2018). As a result, the attacker knows the administrator password of the company that cooperates with the employee’s company. Moreover, if the employee’s PC is not protected by antivirus software, following the link may also have infected the computer with malware. In other words, the employees themselves have become a source of damage to another enterprise. This can lead to a breach of the agreement between the two companies, to large losses on both sides, and to the enrichment of the attacker.
Most audit-related phishing attacks occur during audit planning. Audit planning is an obligatory stage of the audit that consists of determining the audit strategy and tactics. It also includes defining the scope of the audit, drawing up a general audit plan, and developing an audit program with specific audit procedures. The auditor’s planning of his or her work helps ensure that important areas of the audit receive the necessary attention: potential problems are identified, and the work is done at optimal cost, with high quality and on time (Vishwanath, Harrison, & Ng, 2018). Planning also allows the work to be distributed effectively among the members of the group of specialists involved in the audit and to be coordinated. The plan includes an in-depth study of the client’s activities, an assessment of the likelihood of material misstatement in accounting and reporting, and the organization of an effective audit.
Types of Phishing Attacks
One common type of audit phishing is for attackers to create a fake website of a bank or financial institution that is identical to the official one. They then send spam mailings that lure customers to the fake website, where they are asked to enter their card details. Another type of phishing is the fraudulent online store, where prices are in most cases significantly lower than market prices; by paying for purchases in such a store, an individual sends money directly to the attackers. Unlike the other methods, this one has become widespread only recently. Through phone calls, email newsletters, and messages in instant messengers and social networks, scammers use various pretexts to obtain the victim’s card data: for example, under the guise of a special promotion, or by posing as a bank employee and frightening the victim with reports of unauthorized transactions that supposedly can be stopped only if the person immediately reports all the card details (Xiong, Proctor, Yang, & Li, 2019). Phishing can thus take the form of direct online contact with a scammer, of interaction with programmed bots, or of entire phishing sites.
Furthermore, phishing in auditing can take the form of mirror websites. This is also a type of phishing, but it is often placed in a separate category because of its increased prevalence. A mirror site may duplicate the Internet banking portal of the bank that issued a payment card, or the web platform of an audit organization (Xiong et al., 2017). Such sites reproduce the original banking and audit web platforms in detail. However, the domain of the mirror site will not match the bank’s domain, and all data entered on it goes to the scammers. In addition to mirrors of bank and auditor sites, mirrors of large online stores are also common. The victim shops as usual, completes the order, and pays via the Internet by entering his or her card details; the payment goes to the scammers, and along with the money, so do all the card data (Vishwanath et al., 2018). The stolen card data can then be used by attackers for online payments that do not require SMS verification; fortunately, fewer and fewer such payment services exist, which complicates the scammers’ work.
Auditing phishing is a type of fraud through which attackers obtain the personal information of a user of an organization or of a client, such as logins, passwords, and details of payment documents. Phishing can be spread via email, messaging applications, social and professional networks, and other high-traffic web resources. It may take the form of a hyperlink leading to a fake website where the victim is prompted to enter personal data. It can also take the form of a malicious application with functionality such as intercepting keystrokes, stealing passwords from the operating system and browsers, recording audio and video, transmitting personal information, and communicating with the attacker’s server (Xiong et al., 2017). Phishing causes the greatest damage in the financial sector, including banking and auditing.
Prevention
At present, anti-phishing technologies are based on heuristic algorithms and reputation databases. Several common heuristics are used to detect phishing links. One primary protection against phishing in auditing is to check whether an IP address appears in the URL in place of a domain name. Most legitimate web resources register a domain name, whereas phishers (the cybercriminals who commit phishing attacks) often save on domain registration; as a result, the URL of a phishing site often contains the IP address of the malicious web server instead of a domain (Xiong et al., 2019). A second heuristic concerns the dots in a URL, which separate subdomains: attackers can create domains of the third level and higher so that the address looks like that of a legitimate site. A third heuristic looks for suspicious characters. Phishers use special characters in the domain name to trick an inattentive user, and an attentive person can often notice such characters in the URL of a phishing page.
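The three URL heuristics just described (an IP address instead of a domain, deep subdomain nesting, and suspicious characters in the host) can be combined into a small checker. The following Python is an added illustration, not code from the cited works; the flag names, the four-label depth threshold, and the sample URLs are assumptions made for the example.

```python
"""Heuristic phishing-URL checks: IP address instead of a domain name, deep
subdomain nesting, and suspicious characters in the host part.
Illustrative code; the threshold and flag names are assumptions."""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumed threshold: a host with more labels than this is considered
# suspiciously deep (e.g. secure.login.account.bank.example.com).
MAX_HOST_LABELS = 4


def url_flags(url: str) -> List[str]:
    """Return the heuristic findings for one URL; an empty list means none fired."""
    # Add a scheme if it is missing so that urlsplit parses the authority part.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    flags: List[str] = []

    # 1. An IP address (v4 or v6) used in place of a registered domain name.
    try:
        ipaddress.ip_address(host)
        flags.append("ip_in_url")
    except ValueError:
        pass

    # 2. Excessive subdomain depth: extra dots make the address look legitimate.
    if host and len(host.split(".")) > MAX_HOST_LABELS:
        flags.append("deep_subdomain")

    # 3. Suspicious characters in the authority part.
    if "@" in parts.netloc:  # text before '@' is userinfo, not the real host
        flags.append("at_sign_in_authority")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode_label")  # internationalised label, possible homograph
    if not host.isascii():
        flags.append("non_ascii_host")  # raw non-ASCII characters in the host
    return flags


def is_suspicious(url: str) -> bool:
    """Convenience wrapper: True when at least one heuristic fires."""
    return bool(url_flags(url))


if __name__ == "__main__":
    # Constructed sample URLs (not real sites).
    for sample in ("https://www.example.com/login",
                   "http://203.0.113.5/secure/login",
                   "http://bank.example.com@203.0.113.5/"):
        print(sample, url_flags(sample))
```

These checks only raise flags; as the text notes, they belong beside reputation databases rather than replacing them, since a legitimate site may legitimately have deep subdomains.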
Having an SSL certificate is also an important factor for auditing security. The certificate indicates that a secure connection is used to transfer data between the client and the web server. SSL certificates come in entry-level, business, and extended trust levels. Acquiring an ExtendedSSL certificate is expensive for intruders (Vishwanath et al., 2018), but an entry-level certificate can be obtained free of charge, for example from the certification authority Let’s Encrypt, so the mere presence of a certificate does not by itself prove that a site is legitimate. Most legitimate sites, however, have decent SSL certificates. In addition, it is important to pay attention to the position of the URL and domain in the search engines Google, Bing, and Yahoo (Perrault, 2018). Newly created phishing sites have not yet been indexed by search robots, so information about them is missing from search results.
Conclusion
In conclusion, audit enterprises at both the public and private levels must actively engage in preventive and educational activities. Raising the computer-technology competence of individual users and company employees will reduce the risk of their becoming victims of cybercrime and will reduce the number of incidents on information networks. Computer literacy among the population will help people better understand the threats associated with social networks, online banking, and online shopping. Finally, users need to learn to be less careless and to take responsibility for their own security. Integrated approaches to the application of preventive measures by law enforcement agencies can raise the level of information security in auditing and make the prevention of computer crimes more effective. The proposed preventive measures will give a tangible result only if audit organizations act jointly with civil society institutions.
References
Perrault, E. K. (2018). Using an interactive online quiz to recalibrate college students’ attitudes and behavioral intentions about phishing. Journal of Educational Computing Research, 55(8), 1154-1167.
Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146-1166.
Xiong, A., Proctor, R. W., Yang, W., & Li, N. (2017). Is domain highlighting actually helpful in identifying phishing web pages? Human Factors, 59(4), 640-660.
Xiong, A., Proctor, R. W., Yang, W., & Li, N. (2019). Embedding training within warnings improves skills of identifying phishing webpages. Human Factors, 61(4), 577-595.