Types of online attacks
Familiarize yourself with the different types of attacks carried out by cybercriminals
Phishing is the impersonation of a person or institution that the user finds credible in order to get hold of personal information. It uses social engineering techniques to get the victim to swallow the bait and follow the cybercriminal's instructions. Threats and alarming information in such messages are intended to frighten the recipient and dull their vigilance while tricking them into logging on to a fake site designed to obtain data. Remember that no self-respecting website will force you to do something by sending you threats. Such attacks use as many channels as there are ways of communicating. The four most common are e-mail, SMS, telephone and instant messaging, but there are many other channels and variants of this type of scam.
E-mail phishing is the most common form of attack, and each of us receives such messages every day. Though most of these, fortunately, go straight to the spam folder in our inboxes, some messages are well crafted and difficult to distinguish from genuine ones.
If you receive a suspicious message from a sender urging you to log in to Allegro (or another website) using a link in the message, beware – it may be a phishing attempt.
The link in such a message doesn’t direct you to a genuine website, but to a fake page that may have been designed to, among other things, get hold of the login data you have entered. What’s more, cybercriminals may want to phish for your personal or bank login details. As a result, you could lose your savings, and your name could be used to take a loan, for example. So, always check what page a link directs you to before you click on it!
Be particularly vigilant if the e-mail contains one or more of the following, in addition to a login link:
First of all, if you receive a suspicious message from bogus Allegro employees, forward it to us using the option [forward as an attachment] or [forward] to phishing@allegro.pl – we will deal with the matter immediately!
SMS phishing is very similar to e-mail attacks. The only difference is the communication channel through which the phisher contacts you. In most cases, these text messages inform you that you have failed to pay a small amount for shipping or your electricity bill. These are “cold messages” sent to unknown recipients, so the victim may receive them even though they haven’t ordered any goods and their bills are settled. That alone should put you on your guard.
Scammers also use URL shorteners, such as cutt.ly, tiny.pl or bit.ly so that you can’t see what page the link directs you to. Don’t click on them under any circumstances!
The most common scenario for such an attack is a phone call from the "help desk" of a well-known company – usually a bank or commerce platform. For example, cybercriminals may try to trick you into believing that they have detected an attempt to transfer funds from your bank account or suspicious purchases on your account. Then, to "block these activities", they demand that you give them your account login details or install software allowing them to remotely access your device (TeamViewer and AnyDesk are most commonly used for this purpose). This software is not malicious in itself, but phishers may use it to take control of your computer or smartphone.
If anyone urges you to install additional software other than the company's official application, end the call immediately as it’s a phishing attempt. If you want to make sure that the contact is actually made by your bank, you can call the bank's helpline after hanging up.
Phishers often use advertising on search engines such as Google. Because of these advertisements, fake sites impersonating genuine service providers appear at the top of the list of search results. Therefore, always check that the link is correct (i.e. that there are no typos or additional characters) before clicking on it. The best solution is to bookmark frequently visited addresses in your browser and enter websites this way – this will solve the problem of manipulated search results.
Above all, apply the principle of precaution. If you have any doubts about the authenticity of a message, verify it through another channel. For example, if you get a suspicious e-mail, call the helpline and check if it was the company in question that sent the message to you.
If you aren’t sure what to do in a specific situation, ask more experienced people. No one is infallible, and sometimes one question like this can save you a lot of stress and trouble.
Be especially vigilant when visiting websites where you provide your personal information or make payments – make sure you are on a genuine site by checking the address carefully. If the message is written in broken language or looks as though it was translated automatically, delete it. You can assume that it’s an extortion attempt.
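The address checks described above (shortened links, typos and additional characters in the address) can be automated for messages you want to triage. The following is an added example, not code from Allegro: it assumes allegro.pl is the site you expect, uses only the three shortener hosts named above, and all function names, the threshold of two changed characters and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shortener hosts named in the text above; extend the set for real use.
SHORTENERS = {"cutt.ly", "tiny.pl", "bit.ly"}
TRUSTED = "allegro.pl"  # assumption: the site the reader expects to log in to


def edit_distance(a, b):
    """Levenshtein distance; a small value means a likely typo of the name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED):
    """Return 'genuine', 'shortener', 'lookalike' or 'unrelated'."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed address, e.g. an unbalanced "["
        return "unrelated"
    brand = trusted.split(".")[0]
    if host in SHORTENERS:
        return "shortener"  # the real destination is hidden
    if host == trusted or host.endswith("." + trusted):
        return "genuine"
    # "Additional characters": the name sits inside another site's address,
    # or before an "@", so the browser actually goes somewhere else.
    if brand in parts.netloc.lower():
        return "lookalike"
    # "Typos": one or two changed characters in any part of the host name.
    if any(edit_distance(t, brand) <= 2 for t in re.split(r"[.-]", host)):
        return "lookalike"
    return "unrelated"


def scan_message(text):
    """Classify every http(s) link found in a message body."""
    return [(u, classify_link(u)) for u in re.findall(r"https?://[^\s<>\"']+", text)]


# Constructed sample message; every link in it is made up for the example.
SAMPLE = """Log in within 24 hours: https://allegr0.example/login
or https://allegro.pl.verify.example/login Unpaid fee: https://bit.ly/constructed1
Official site: https://allegro.pl/ and https://allegro.pl@login.example/"""
```

Calling `scan_message(SAMPLE)` returns each link with its verdict. The typo threshold is a heuristic and can flag an unrelated name that happens to be similar, so treat "lookalike" as a reason to verify through another channel rather than as proof.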