PHISHING

Sanuj Kalgutkar
Published in threatinspector
Apr 29, 2020

Phishing attacks have been around since the Internet started and they won’t go away any time soon. Phishing attacks work by exploiting humans rather than software. In this document we study different aspects of phishing attacks and discuss some possible defences as counter-measures. We first discuss the different categories of phishing attacks and then walk through some examples. We also present current statistics on phishing attacks to show the severity of the issue. In conclusion we list methods for spotting phishing emails and preventing phishing attacks.

What is phishing?

Phishing is a cybercrime in which one or more computer users are contacted by email, telephone or text message by someone posing as a legitimate institution or individual in order to trick them into disclosing sensitive data such as usernames and passwords, banking details and credit card details.

Types of Phishing:

1. Spear phishing: A phishing attack that deliberately targets a specific individual or group inside an organisation.

2. Vishing: A malicious actor makes voice calls to phone users and asks them to provide sensitive personal information.

3. Smishing: The SMS version of phishing. Instead of an email, the victim receives a text message on his/her smartphone.

4. Whaling: A phishing attack that focuses on senior executives in an organisation.

How Phishing is Carried Out?

In the process of phishing, the cyber criminal first sends an e-mail to a user or a group of users. Attackers mostly use mass-mailing techniques.

Once the user receives and opens the phishing e-mail, they find a link in it which, at a glance, makes the email look legitimate and from a trusted organisation.

If the user clicks on the link in the email, it redirects the user to a phishing website where he/she is asked to enter login credentials or confidential information.

This exposes the user’s login credentials or confidential information to the attacker.

The attacker can then use these login credentials or confidential information to log in to the legitimate website and access the user’s personal sensitive information.

Fig 1. ATTACK VECTOR

Phishing Email And Phishing Website Example:

Below are sample phishing e-mails that give a clear idea of what a phishing email looks like.

Here’s an example of an Office 365 phishing email. The email shown in Figure 2 looks like an authentic email from Microsoft Office 365, but it is in fact a phishing email. Clicking the ‘Verify Now’ link redirects you to a phishing website which looks like the genuine Microsoft Office 365 login page (Figure 3).

Fig 2. Microsoft Office 365 Phishing Email
Fig 3. Microsoft Office 365 Phishing Website

The landing page gives you the option to fill in your login credentials. Once you do, your details are exposed to the attacker, who can then use them on the genuine Microsoft Office 365 login page.

Here is another example of phishing: the image below (Figure 4) shows an email purporting to be from Netflix. It contains a clickable button which says ‘Click here to verify your account’ and carries an embedded link that redirects the user to a phishing website resembling the actual Netflix login page (Figure 5).

Fig 4. Netflix Phishing Email
Fig 5. Netflix Phishing Website

Phishing Statistics:

· The email phishing rate is 1 in 1,846 e-mails.

· 71.4% of attacks included spear-phishing e-mails.

· The number of spear phishing campaigns against employees has grown by 55%.

· In 2016, 3 out of 4 organisations were victims of phishing e-mails.

· Just 3% of users report phishing e-mails to their management.

· 90% of data breaches are caused by phishing attacks.

· The average financial cost of a mid-size corporate data breach caused by phishing is £1.3 million.

· 15% of individuals who are successfully phished will be targeted at least once more in the same year.

· Every month more than 1.5 million new phishing websites are launched.

· 76% of businesses confirmed that they were the victim of a successful phishing attack in 2019.

· In 2019, phishing e-mails increased by 65%.

· Targeted users open 30% of phishing e-mails.

Fig 6. Phishing Simulation Statistics

· In 2017, Keepnet Labs performed a phishing simulation campaign across 128 companies.

· A total of 126,000 phishing emails were sent to the employees of those 128 companies. The outcome of that phishing simulation test was awful.

· 48.2% of these phishing emails were opened by the targeted employees.

· 31.5% of employees clicked on the malicious links present in those phishing emails.

· Approximately 8% of employees submitted their sensitive information, i.e. login credentials, on the malicious links present in the simulated phishing emails.

Impacts Of Phishing:

The impacts of phishing range from moderate to severe and include the following:

· Identity Theft — Identity theft is the intentional use of another person’s identity, usually for financial gain, credit or other benefits in that person’s name, and possibly to that person’s detriment. One of the major problems with identity theft is that you can often be held responsible for the crimes committed by the fraudster.

· Theft of Personal Sensitive Information — A phishing attack can lead to theft of personal information, giving the attacker access to the user’s personal details such as bank and credit card details.

· Loss of Usernames and Passwords — During a phishing attack the attacker may obtain your username and password and use them against you.

· Loss of Intellectual Property — Intellectual property is a category of property comprising intangible creations of the human intellect. Existing protections include copyrights for literary and artistic works, patents for inventions, and trademarks to distinguish one entity’s products or services from another’s.

· Reputational Damage — Reputational damage is potential harm to a business’s credibility that affects its financial capital, social capital and/or market share. Reputation-related adverse events typically include ethics breaches, safety issues, security issues, lack of sustainability, poor quality, and lack of (or unethical) innovation.

· Unauthorised Transaction/Credit Card Fraud — During a phishing attack your bank and card details are exposed to the attacker, who can use this confidential data to make unauthorised transactions on any website, causing you financial loss.

· Data Sold to Criminal Third Parties — Once the attacker has your sensitive personal data, they can sell it to third parties, leading to many similar attacks on you.

How to Identify Phishing Email?

1. Always check e-mail headers.

Several header fields can help us spot a phishing email. These fields include:

SPF record: SPF stands for Sender Policy Framework. It is an email-authentication technique used to stop cyber criminals from sending spoofed email on behalf of a particular domain. SPF allows domain owners to specify which IP addresses are allowed to send email from their domain.

DKIM record: DomainKeys Identified Mail confirms the sender’s authenticity by linking the domain name to the email. DKIM uses a signing key and digital signature to verify that an email message was not forged or altered in transit.

Reply-To: When you send an email to a user and they click ‘Reply’, the reply is typically sent to the address in the Reply-To field rather than to the From address, so a Reply-To on a different domain than the From address deserves a closer look.

Return-Path: If an email does not reach its destination, the Return-Path shows where non-delivery receipts (bounces) are sent.

From: This field specifies the sender’s email address as claimed by the sender; it is easily forged.

Message-ID: A unique identifier for a digital message, most commonly a globally unique identifier used in email.

2. Don’t blindly trust the display name.

Most of the time cyber criminals spoof the display name with the brand name or e-mail address of the legitimate organisation.

3. Always check links which are present inside an e-mail.

Carefully check the embedded links in an email: hover your mouse over them to see whether the displayed link and the actual link target are the same. Attackers show legitimate-looking domain links while embedding malicious phishing links behind them; the clickable link does not lead to a trusted domain.

4. There can be unsolicited file attachments in the e-mail.

A legitimate business does not send random attachments by e-mail.

5. The website and email address domain do not appear to be genuine.

Attackers use domain names that look similar to the legitimate domain name to trick users.

6. Check for spelling and grammatical mistakes.

An email that is poorly written, or written in awkward language, is most probably malicious. Legitimate companies pay more attention when writing e-mails to their customers.

7. The e-mail body asks for personal sensitive information.

A bank is not going to ask for your bank details in an e-mail since it already has them. Similarly, no well-known business or government authority will ask you to share personal information by e-mail.

8. The e-mail makes an impractical offer or a severe threat.

The attacker may offer complimentary gifts to trick you into submitting your sensitive information, or threaten that your account will be locked if you don’t submit your confidential information.

9. The email creates a sense of urgency.

A legitimate business will always be polite and respectful with its customers and won’t try to scare them. So, if you find an email with a sense of urgency, analyse it carefully.
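As an added example (not part of the original article), the following Python script applies the checks from item 1 (header fields) and item 3 (displayed link versus real link) to one constructed message: it compares the Reply-To and Return-Path domains against From, reads the SPF and DKIM verdicts the receiving server recorded in its Authentication-Results header, notes a missing Message-ID, and compares the URL shown as link text with the real href target. The message and every domain in it are made up.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample imitating the "Verify Now" lure above; every domain here is made up.
RAW = b"""From: Microsoft Office 365 <notice@o365-alerts.test>
Reply-To: collector@mailbox-drop.test
Return-Path: <bounce@mailbox-drop.test>
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=mailbox-drop.test; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be locked in 24 hours.</p>
<a href="http://login-portal.mailbox-drop.test/o365">https://login.office365-example.test</a>
</body></html>
"""

def domain_of(header_value):  # domain of the address in a From / Reply-To / Return-Path header
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):  # method=result verdicts (spf=..., dkim=...) recorded by the receiving server
    verdicts = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        tokens = clause.strip().split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            verdicts[method] = result
    return verdicts

def triage(raw):  # list of header and link red flags found in one raw message
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):  # replies or bounces routed elsewhere?
        if msg[hdr] and domain_of(msg[hdr]) != from_dom:
            flags.append(f"{hdr} domain differs from From domain")
    auth = auth_results(msg)
    for method in ("spf", "dkim"):  # anything but an explicit pass is suspicious
        if auth.get(method) != "pass":
            flags.append(f"{method}={auth.get(method, 'missing')}")
    if not msg["Message-ID"]:
        flags.append("Message-ID header missing")
    html = msg.get_body(preferencelist=("html",))
    if html:  # compare the URL shown as link text with the real href target
        for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html.get_content(), re.S | re.I):
            shown = urlparse(text.strip()).hostname if "://" in text else None
            if shown and shown != urlparse(href).hostname:
                flags.append(f"link text shows {shown} but points to {urlparse(href).hostname}")
    return flags
```

Running `triage(RAW)` on the sample returns six flags; a message whose SPF and DKIM pass, whose Reply-To and Return-Path match From, and whose links point where they say they do returns an empty list.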

How To Prevent Phishing Attacks?

Phishing attacks are successful enough that cyber criminals make huge profits from them, and they happen almost every day on a large scale. To protect yourself from phishing attacks, follow the basic guidelines below.

· Organisations must conduct phishing awareness training with mock phishing scenarios for their employees.

Train employees to identify phishing attacks so that they avoid clicking on malicious phishing links.

· Check the source of incoming email.

· Always think before you click on any link. Hover your mouse over links that seem suspicious before clicking them.

· Enter your sensitive data such as login credentials on secure websites only.

· Users should only enter login credentials on websites whose address begins with “HTTPS”. Note that HTTPS only means the connection is encrypted; phishing sites can use HTTPS too, so the domain name still has to be checked.

· Two-factor authentication must be enabled; it helps prevent hackers from accessing a compromised user account.

· Browser extensions and add-ons that alert the user as soon as they click on a malicious phishing link must be enabled.

· If you have doubts about a website, don’t take the risk of sharing any information on it. Disclosing your personal sensitive information on a bogus website leads to a successful phishing attack.

· Install an anti-phishing toolbar in your browser; it will help you identify phishing pages.

· Always keep your internet browser up to date.

· Do not open or download random, unsolicited attachments in an email.

· Never go to a bank or government website that asks for your details via links in an email. Good practice is to always reach these websites by typing their address into the web browser.

· Try to understand email headers; this will help you detect email spoofing.

· The best way to prevent phishing is to consistently reject any unsolicited email that asks you to provide confidential information.
