Phishing means, like a baited hook attackers uses malicious email attachments, fake web links to grab sensitive customer information like passwords, credit card numbers, PINs, etc. Phishing is the oldest & simplest form of cyberattack and the most effective one. In other cases, attackers also use popular topics to infringe companies’ trademarks using Phishing techniques.
How Does Phishing Work
Most internet subscribers are vulnerable to phishing attacks. It’s because often they use (i) Windows operating system, (ii) are persuasive, and (iii) do not have security software or antivirus in their system. Let’s have a look at how a phishing attack executes:
- Depending on the type of victim (individual, organization, a large group of users, etc.) firstly, the attacker first collects basic information about the target.
- Secondly, the attacker distributes emails with malicious attachments or constructs a fake eCommerce/ social engineering/ banking website as a trap.
- Thirdly and most importantly, the victim fails to understand these social engineering tricks and opens the email & attachment or visits the fake web link.
- Finally, the RAT (Remote access trojan) is installed in the target system, it is exploited.
- Additionally, RAT tries to access additional computers in that same network
- In conclusion, sensitive information is leaked by the attacker/ phisher
Types of Phishing attack
What is spear phishing?
Depending on the type of victim, phishing turns to spear phishing which is target based attack, not a regular mass email attack. Typically this message contains the recipient’s name and information related to in-depth professional or personal matters.
How does Spear Phishing work
- Initially, the hacker researches the names of employees of an organization and picks a victim.
- IT manager who has full network access
- Finance/ Marketing Manager who approves payment to the suppliers or vendors
- Moreover, from the organization page, or social media research like LinkedIn, Twitter, Facebook profile, the perpetrator gathers sufficient details about the victim.
- After that, perhaps acting superior or department colleague, the attacker sends out an email with a fake malicious link or attachment (for ex. invoice copy) to the victim, using a proper, standard email template.
- As a result, when the victim uses his credential to open the document or the link, the hacker captures his credential to gain the access to the corporate network.
It is very hard to prevent spear phishing attacks as it is target driven; it already has made enough damages to many businesses and governments.spear phishing
What is Pharming?
Pharming starts with fake web links, forged Play store apps. If you click or download any of these apps, malicious codes are injected into your system to poison your DNS server.
To clarify this, your DNS name is your identity and it contains the private IP to public IP mappings vice versa. So, when you login next time your legitimate online banking link might land you to the hacker’s fake webpage using false entries at your DNS cache.
What is Smishing or SMS phishing
Smishing means using SMS texts, hackers spread phishing (malicious links) attacks. That is to say, there’re many gateways between IP networks and SMS networks. Therefore, an attacker can send SMS links from the Internet using Mobile operator’s forms to distribute SMS Phishing attacks.
- Free Netflix Subscription link
- COVID Donation link
- Free COVID Insurance link & many more
What is Vishing
Like Smishing, Vishing is a voice phishing technique performing the same kind of scam. The attacker over the phone pretends as an income tax officer (IRS), or a bank employee, or a policeman.
Eventually, they scare you with some kind of a problem & ask you to pay the fine immediately or insist to share your account details. The criminals gather details about the victim beforehand so it’s become easier to deceive them.
What is a social engineering attack?
People are the biggest vulnerability of any network. Social engineering is the art of persuading to gain illegal access to a building or to a corporate network. It’s certainly not technical hacking rather exploiting human psychology.
Phishing is a kind of social engineering attack. so let’s explain it better.
Commonly social engineering techniques are performed by these people (i) Customer service (ii) Delivery staff (iii) Phone calls (iv) Tech support
Social engineering is dangerous to personal or corporate data. Once a social engineer is able to gain your trust, he can pose an IT helpdesk guy, to snoop on your corporate password to steal sensitive data. Moreover, acting as a delivery staff who forgets his key, a criminal can enter an office building with the help of a staff.
How to protect against phishing attacks
Avoid Phishing Emails
- You should discard emails from an unknown person, unfamiliar address
- Similarly, you should avoid emails containing untrusted attachments – just delete or report phishing.
- For your info, most of the phishing emails generally contain subjects like Prizes, Lottery, Job offers, freebies, etc.
Tips to avoid phishing scams
Strictly follow Govt. approved webpages, mobile App
- Strictly follow Govt. webpages, approved Apps for Covid-19 news and updates
- Be careful about the site visit- try to avoid ‘HTTP://‘ pages, always visit ‘HTTPS://‘ pages
- Avoid webpages with unfamiliar fonts, color, spelling errors
- Try to use office/ corporate computers for online banking, money transferring as they provide end-point protection against any malware, external threats
- Double-check the UPI Id, validate the bank/ merchant name before payment
- It’s better to avoid untrusted Covid-19 links, forwarded messages, any job offers on WhatsApp or SMS
- Be careful about KYC SMS links, don’t share until you verify the link
Before you Accept/ Click
- Don’t click on online widgets, flash images, pop-ups during browsing a webpage
- Don’t Accept cookies from untrusted webpages, click ‘x’ and close
Home PC, Mobile
- It’s mandatory to install authentic antivirus, security apps & update them regularly
- Use WPA2 encryption for your home WiFi router
Avoid untrusted Sites
- Don’t use pirated software, movie download sites, adult sites, untrusted eCommerce platforms
- Periodically scan all files (incl. the zipped, hidden) in your PC, Tablet, Phone
- Check if any site has your default password – if so change it
- Change password for online banking, eCommerce sites, trading platforms every 2-3 month
Avoid public Wi-Fi
- Try not to avoid free WiFi at Airports, Coffee shops, or Railway platforms like areas; and never log in to your online banking page or make any financial transactions