Among the malicious activities of the era of digitalization, the phishing attack is one of the most commonly performed by hackers. It is a type of social engineering attack in which the hacker, pretending to be a trusted entity, sends a malicious link or attachment via SMS or email in order to steal the user's personal, confidential and sensitive data: login credentials (usernames, passwords), credit card numbers, network credentials and so on. The moment the user clicks the malicious link or opens the attachment, malware is installed; it can freeze the system, break through the computer's defences and reveal all of the sensitive information. Advanced persistent threats (APTs) and ransomware cyber-crimes often start with phishing.
Types of phishing:
In such attacks, the attacker's email address is spoofed in such a way that users believe it is legitimate and comes from a trusted party. Attackers also create fake websites whose URLs use foreign character sets to disguise or misdirect the address. There are a variety of techniques that let phishing take root even deeper.
1. Deceptive phishing: It is the best-known type of phishing. In this attack, a wide group of people is targeted and a malicious link is sent in bulk, asking recipients to enter their login information and credentials, which indirectly sets a trap.
For example, a fake email containing a malicious link is sent to the user, asking them to click the link in order to verify bank details, account balance and statements. Once the user enters a username and password, it is sent to the attacker and the user is redirected to the bank's official website.
2. Spear phishing: In this attack, a specific group of people is targeted. Attackers find their targets mostly on social media sites (Facebook, LinkedIn, Instagram, Twitter, etc.) and try to retrieve their personal information and interests. With the help of spoofed email addresses, they approach the target based on their interests and hobbies. Such an email may also include references to coworkers or executives at the target's organisation. Sometimes attackers also hijack business email communications and create highly customised messages.
For example, an attacker posing as the marketing director sends an email, using the organisation's standard email template, to the departmental project manager (PM) with the subject line "Updated invoice for Q4 campaigns". The mail includes a link to a supposedly password-protected internal document, which is actually a spoofed version of a stolen invoice. To view it, the PM is asked to log in. This lets the attacker steal the PM's credentials and gain full access to sensitive areas of the organisation's network.
3. Clone phishing: In this attack, an identical (cloned) email is created from a legitimate, previously delivered email that contained an attachment or link. The link in the mail is replaced by a malicious link or a malware attachment. Since the email looks like the original, victims are often tricked into clicking the malicious link or opening the malicious attachment.
For example, attackers often take control of a victim's system, then leverage that control to send the victim's own email messages to another victim, exploiting the social trust between the two parties.
4. Whale phishing: In this attack, the "big fish" of an organisation, such as senior executives and other high-profile staff, are targeted because they can access a great deal of company information. Attackers spend enough time gathering information about the victim and wait for the right moment to steal their login credentials, bank account details or other sensitive information.
For example, if a high-profile victim is in discussions to purchase products for a large sum, attackers take advantage of the moment, send an email as a well-known sender and get the victim to respond, thereby trapping them.
5. Pharming: In this attack, the user is sent to a fake website that looks the same as the genuine one, and users do not realise that the site they are entering details into is managed by hackers rather than being the legitimate website. This is also called Domain Name System (DNS) based phishing.
6. Voice phishing: In this attack, the telephone is the channel: the hacker makes a fake call to the victim, pretending to be a supplier, operator, support centre or bank, with the objective of collecting certain personal information.
7. Search results phishing (SEO phishing): Using SEO and SEM techniques, the hacker positions a malicious page above the official one. When the victim searches the internet and clicks on the malicious site, it asks for personal or confidential information. Many people enter the details without suspecting anything and easily fall prey to such attacks.
How to fight Phishing?
- The most effective method for countering phishing attacks is enabling two-factor authentication (2FA).
- Always enforce strict password management policies in an organisation. Ask employees to change their passwords frequently and not to reuse a password across multiple applications.
- Always check the spelling of the URLs in email links before clicking or entering sensitive information.
- Do not send confidential information about your account in an email.
- Always safeguard your devices with a firewall, anti-spyware and anti-virus software, and keep this software regularly updated.
- Ignore emails that include "too good to be true" offers, an unusual sender, poor spelling or grammar, a sense of urgency (e.g. account shutdown) or unexpected attachments.
- If a mail is received from a trusted source but still seems suspicious, always contact the sender in a new email.
- Avoid posting personal information (birthday, vacation plans, or your address or phone number) on social media platforms.
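The advice above about checking the spelling of URLs, together with the earlier remark that attackers use foreign character sets to disguise addresses, can be turned into a simple link checker. The following is an added example written for this article, not code from the original post: it pulls every link out of an HTML email body, decodes punycode host names, flags labels that mix Unicode scripts, folds a small table of Cyrillic/Latin confusables to spot look-alikes of a trusted-domain list, measures edit distance for typosquats, and reports links whose visible text names a different domain than the href. The trusted-domain list, the confusables table (a hand-picked subset), the two-label rule for the registrable domain and the sample email are all assumptions constructed for the example.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organisation treats as legitimate (constructed for the example).
TRUSTED_DOMAINS = ["examplebank.com", "example.com"]
# Assumption: a hand-picked subset of Cyrillic letters that look like Latin ones (UTS #39 has the full table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}

def decode_host(host):
    """Unicode form of a host name, decoding any punycode (xn--) labels."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or undecodable: leave as-is
        return host

def registrable_domain(host):  # crude eTLD+1 = last two labels (assumption: no public-suffix list)
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def scripts_in(label):  # Unicode scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}

def fold_confusables(text):  # map look-alike letters to Latin so homographs compare equal
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_url(url, link_text=""):
    """Findings for one link; an empty list means nothing looked suspicious."""
    findings = []
    host = urlparse(url).hostname or ""
    if not host:
        return ["no host name in URL"]
    unicode_host = decode_host(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode host decodes to {unicode_host!r}")
    for label in unicode_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # Latin + Cyrillic in one label is the classic homograph
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    domain = registrable_domain(unicode_host)
    if domain not in TRUSTED_DOMAINS:
        folded = fold_confusables(domain)
        for trusted in TRUSTED_DOMAINS:
            if folded == trusted:
                findings.append(f"{domain!r} is a confusable look-alike of {trusted}")
            elif edit_distance(folded, trusted) <= 2:
                findings.append(f"{domain!r} is within two edits of {trusted} (typosquat?)")
    # The visible link text may name one domain while the href points somewhere else.
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", link_text.lower())
    if shown and registrable_domain(shown.group(0)) != domain:
        findings.append(f"link text shows {shown.group(0)} but href goes to {domain}")
    return findings

class _LinkExtractor(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def scan_email_html(html):
    """{href: [findings]} for every link in the body that raised at least one finding."""
    parser = _LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        if findings := analyse_url(href, text):
            report[href] = findings
    return report

# Constructed sample body: a typosquat whose link text shows the real domain, a homograph domain
# (Cyrillic "а" for Latin "a", punycode-encoded as a mail client would see it) and one genuine link.
HOMOGRAPH_HOST = "ex\u0430mplebank.com".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""<p>Your account will be shut down in 24 hours. Verify your details now:</p>
<a href="http://examp1ebank.com/verify">https://examplebank.com/verify</a><br>
<a href="https://{HOMOGRAPH_HOST}/login">Log in</a><br>
<a href="https://examplebank.com/help">Help centre</a>"""

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_EMAIL))
```

Running the module prints a dictionary of findings per suspicious link; the genuine examplebank.com link produces none. The two-edit threshold and the tiny confusables table are deliberately simple: a mail gateway would use a full public-suffix list and the complete Unicode confusables data, but the structure of the checks stays the same.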
With increasing corruption and competition among individuals, no one is safe, whether the threat is between two individuals or between organisations. Almost any kind of data can be at risk of being used to commit fraud or to gain access to an organisation's network. All you need is to stay alert and be smart.