From making calls to carrying out online transactions, we use the internet for a variety of purposes. Nowadays, almost everything can be done over the internet with a click. While technology has made our lives simpler, we have also seen a rise in cybercrime, one of the most common forms being phishing.
What is Phishing?
Phishing is a form of fraudulent activity in which the attacker pretends to be an entity or a person we trust. In other words, the attacker uses a reputable entity's name maliciously to steal login credentials or account information from users like us. Attackers can also send malicious links or attachments through email.
How Does Phishing Work?
Phishing works by tricking the user into clicking a malicious link or attachment sent by an attacker. The link could be delivered via email, SMS, or even through the messenger of any social networking site you use. Take a look at the image below.
The attacker disguises themselves as a trusted entity or individual and sends messages requesting the victim's credentials, or sends attachments that could harm the victim's computer.
When the victim clicks on the link, they are redirected to a fake webpage that exactly matches the look and feel of the real application. The victim thus ends up trusting the fake page and enters their sensitive information. This is how a hacker steals the credentials.
Types of Phishing
1. Email Phishing:
This is a type of phishing where the attacker sends a generic email to thousands of users at the same time, hoping that someone will click on the link, download the file or follow the instructions in the mail.
2. Spear Phishing:
A phishing attempt targeted at a specific person or company is referred to as spear phishing. It is done to gain unauthorized access to specific critical information.
3. Whaling:
Whaling refers to spear phishing aimed at senior executives such as managers or CEOs. This is a sophisticated attack in which the attacker spends a lot of time researching the person and crafting a message that targets key people in an organization who may be able to hand over valuable information.
4. Vishing:
Vishing or voice phishing is a similar scam where the attacker impersonates staff from a trusted entity or support personnel and demands the user's credentials over a phone call. The attacker may claim that the victim's debit/credit card is blocked and then ask for an OTP sent by the bank to enable it. Vishing also sometimes uses a fake caller ID and a pre-recorded message to make it seem legitimate.
5. Smishing:
Smishing or SMS phishing is another type of phishing in which the phishers try to lure you into clicking a link by offering attractive reward money, highly discounted products, free products, etc. Clicking that link may take you to a fake website that asks you to enter your credit card details to claim the reward, or to enter your bank details on the promise of a money transfer to your account.
6. Angler Phishing:
This is a relatively new technique: whenever you post a review or complaint about a particular bank or service, the scammers disguise themselves as the bank's support staff and contact you. They may also ask for your information to "verify your identity". In such cases, it is safer to contact your bank directly rather than follow their instructions.
7. CEO Fraud Phishing:
This phishing attack not only targets high-level executives to get information from them, like whaling, but also tries to steal confidential information and money from their colleagues by impersonating the executive. The main targets of this kind of attack are the people responsible for making the organization's bank transfers, people with access to confidential data, or staff from the finance department.
8. Search Engine Phishing:
This phishing attack uses real search engines. The attackers create a fake website offering various discounts, free products, etc., and use search engine optimization (SEO) techniques so that the search engine includes their fake website in the results whenever a user searches for something. Clicking on that website may make you a victim of phishing if you enter confidential details on it.
How to perform a Phishing attack?
The steps involved in performing a phishing attack are:
- Create a fake web application by cloning a well-known site such as Facebook. Clone the login page so that you can get the credentials. Popular site cloning tools include SEtoolkit, Weeman, SocialFish.
- Send the link of the cloned site to the victim and ask them to log in using the link.
- When the victim clicks on the link and enters their credentials, you receive those credentials.
How to avoid phishing scams?
1. Awareness about Phishing:
Awareness does not only mean knowing the names of the types of phishing; it also includes keeping up with the phishing techniques that are emerging and understanding how the messages are crafted.
2. Be Vigilant:
Whenever you receive a mail, message, or phone call, be sure to check whether it is from a legitimate entity. Remember that your bank or any service provider will never ask for your confidential information like OTP.
3. Install Anti-Phishing toolbars:
Anti-phishing toolbars can be installed in your browser to help you check for malicious sites. They alert you whenever you visit a site that contains malicious content.
4. Set up Multi-Factor Authentication:
Multi-factor Authentication helps to provide an extra layer of security in the form of security questions, OTPs, biometrics, etc. apart from the login id and password.
5. Check the website’s security:
Whenever you are directed to any website, verify that the URL of the website starts with "https" and that there is a closed padlock icon beside it. If you get any warning that the site contains malicious content, do not open the site.
6. Do not share confidential information online:
As mentioned earlier, banks and service providers will never ask you to share confidential information. You must never provide any confidential information on social media or through email; doing so puts your information at risk.
7. Always hover on links before clicking them:
When you hover over a link, the browser displays the URL of the page it will direct you to. You can then check whether the website is legitimate or fake.
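As an added example, not code from the original article, the following Python script applies the "hover before you click" advice above and the URL check from tip 5 to an HTML email body: it flags links whose visible text names a different host than the real href, links that are not https, and hosts that merely contain the trusted brand name. The sample email body and its hostnames are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML fragment.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lowercase hostname of a URL ('' if none); a bare "host/path" is accepted too.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_link(href, text, trusted_domain):
    # Returns the reasons a link looks suspicious; an empty list means no finding.
    reasons, href_host = [], host_of(href)
    if urlparse(href).scheme.lower() != "https":
        reasons.append("not https")
    # Visible text that is itself a URL, but whose host differs from the real target.
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and text_host != href_host:
        reasons.append("display text host differs from real host")
    # The brand name appears in the hostname, but the host is not the brand's domain.
    brand = trusted_domain.split(".")[0]
    same_site = href_host == trusted_domain or href_host.endswith("." + trusted_domain)
    if brand in href_host and not same_site:
        reasons.append("lookalike of " + trusted_domain)
    return reasons

def scan_email_html(html, trusted_domain):
    # Maps each suspicious href in the body to its list of reasons.
    parser = LinkCollector()
    parser.feed(html)
    checked = {h: check_link(h, t, trusted_domain) for h, t in parser.links}
    return {h: r for h, r in checked.items() if r}

# Constructed sample email body; the hostnames are invented for this example.
SAMPLE_HTML = ('<p>Please verify your account at '
               '<a href="http://example.com.login-verify.test/x">https://example.com/login</a> '
               'or visit the <a href="https://www.example.com/help">help center</a>.</p>')
```

Running `scan_email_html(SAMPLE_HTML, "example.com")` reports only the first link, with all three reasons; the genuine help-center link produces no finding.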
8. Use antivirus software:
Antivirus software alerts you if a downloaded attachment contains malicious content and prevents damage to your system. Anti-spyware and firewalls should also be used to protect the system from attacks.
9. Keep your system updated:
Security patches and updates are released periodically to fix loopholes present in a system. An updated system is less prone to attacks and better able to deal with new security risks.
10. Educate your parents and elders:
Your parents and elders may not have kept up with these developments. It is our responsibility to educate them about these attacks and to help them so that they do not become victims of phishing.
How to Report Phishing:
- If you receive any such suspicious messages, emails or calls, you can report them at https://us-cert.cisa.gov/report/
- If you come across any duplicate or cloned web pages, you can report them to Google Safe Browsing at https://safebrowsing.google.com/safebrowsing/report_phish/
- If you feel that you might have disclosed any confidential information earlier, you can visit https://www.identitytheft.gov/ and follow the instructions.
Written by: Shruti Iyer
Reviewed By: Sayan Chatterjee