Beware!! Phishing attacks are carried out by cybercriminals to grab sensitive information (banking details, credit card numbers, customer data and passwords) and misuse it.
How does phishing work?
Hackers cast a wide phishing net to catch different kinds of phish. Whether they land a small fish or a big whale, they always come out ahead.
Phishing attacks are carried out by cybercriminals who hide behind a trusted identity and lure the victim into opening deceptive emails in order to steal sensitive information. These attacks succeed because security awareness among the general public is low. In short, a phishing attack is a disguised attack delivered in a very sophisticated way.
By contrast, phishing scams are campaigns in which thousands of users are targeted at once. For example, a fake Gmail login page is created and emails are sent out telling people to check their accounts. Huge scams lead to huge losses: according to Microsoft, surveys show phishing has increased by roughly 250 per cent.
There are many types of phishing attacks and phishing scams carried out by hackers. A few of them are:
Email phishing:
Many business owners are unaware of fraudulent links and emails. For example, the victim receives an email from the attacker asking them to check some unknown transactions in their business bank account, with a link to a fake site that looks almost identical to the real one. Without a second thought, the victim opens the link and enters their account details and password. That's it. You have been attacked.
Spear phishing:
Spear phishing is an email attack by a foe pretending to be a friend. To make the attack convincing, these fraudsters invest a lot of time gathering specific information about their victims: the victim's name, position in the company, contact information and so on.
They then customise their emails with the gathered information, tricking the victim into believing the email comes from a trustworthy source.
Fake URLs and email links are embedded in the message asking for private information. Spear phishing emails target individuals as well as companies, stealing sensitive information worth millions.
Domain spoofing:
Here the attacker forges the company's own domain in the sender address in order to impersonate the company. Because the email appears to come from the company's domain, the victim assumes it is from a trusted source and is taken in. The displayed From: address is only text: unless the receiving mail server verifies it with SPF, DKIM and DMARC, anyone can put any domain there.
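The check a receiving mail server (or a triage script) performs against domain spoofing, as an added example that is not from the original article or from ClickSSL: parse the message headers, compare the From: domain with the envelope sender, and read the SPF/DKIM/DMARC verdicts that our own MX stamped into Authentication-Results. The two messages, the domains and the authserv-id "mx.example.com" are constructed assumptions for this example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). Domains, addresses and the
# authserv-id "mx.example.com" are assumptions for this example.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=mail-relay.example.net;
 dkim=none header.d=none;
 dmarc=fail (p=quarantine) header.from=example.com
From: "Finance Dept" <cfo@example.com>
To: accounts@example.com
Subject: Urgent: unknown transactions on the business account
Content-Type: text/plain; charset=utf-8

Please review the flagged transactions via the link in this message.
"""

LEGIT_MESSAGE = b"""\
Return-Path: <bounces@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Finance Dept" <cfo@example.com>
To: accounts@example.com
Subject: Monthly statement
Content-Type: text/plain; charset=utf-8

The statement is attached to the internal ticket as usual.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].strip().lower()


def parse_auth_results(header_value: str, authserv_id: str) -> dict:
    """Return {method: result} for spf/dkim/dmarc from Authentication-Results.

    Only a header stamped by our own MX (authserv-id) is trusted: a sender can
    forge this header as well, so anything else is treated as 'no results'.
    """
    flat = re.sub(r"\s+", " ", header_value or "").strip()
    if not flat.startswith(authserv_id):
        return {}
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat, re.I)}


def check_domain_spoofing(raw: bytes, our_domain: str, authserv_id: str) -> dict:
    """Flag a message whose From: claims our domain without authenticating as it."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = domain_of(from_addr)
    mailfrom_domain = domain_of(return_path)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")), authserv_id)

    # Relaxed DMARC-style alignment: the envelope sender domain must be the From
    # domain or a sub/parent domain of it (no public-suffix list is used here).
    aligned = bool(from_domain) and (
        from_domain == mailfrom_domain
        or mailfrom_domain.endswith("." + from_domain)
        or from_domain.endswith("." + mailfrom_domain)
    )

    findings = []
    if from_domain == our_domain.lower():
        if auth.get("dmarc") != "pass":
            findings.append("From claims %s but DMARC did not pass (%s)"
                            % (our_domain, auth.get("dmarc", "absent")))
        if not aligned:
            findings.append("envelope sender %s is not aligned with From domain %s"
                            % (mailfrom_domain or "(empty)", from_domain))
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            findings.append("neither SPF nor DKIM passed for this message")
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "auth": auth,
        "aligned": aligned,
        "findings": findings,
        "spoofed": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = check_domain_spoofing(raw, "example.com", "mx.example.com")
        print(label, "->", "SPOOFED" if result["spoofed"] else "ok", result["findings"])
```

The important design point is in parse_auth_results: an Authentication-Results header is itself just text, so only the copy added by your own mail gateway (identified by its authserv-id) may be trusted; gateways normally strip any such header that arrives from outside. The alignment test is an approximation of DMARC relaxed alignment without a public suffix list, which is enough to catch the example above but would mis-handle names such as example.co.uk.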
A few years ago there were only two types of phishing attack: email phishing and domain spoofing. Either the sender name was forged or the domain name was forged to attack victims. As time goes on, cybercriminals keep coming up with new variants, which are described below:
Whaling phishing attack (CEO fraud):
A whaling attack, or CEO fraud, is, as the name suggests, aimed at high-profile individuals such as the CEO, CFO, COO or other senior executives of a company. The attack is almost the same as spear phishing; the only difference is that the targets are the whales in the sea rather than the small fish, hence the name "whaling".
Fraudsters take months to research these VIPs, their contacts and their trusted sources before sending fake emails to obtain sensitive information, and then steal important data and cash, disrupting the business. Because senior management is targeted, the business losses can be huge, which makes whaling attacks especially dangerous.
VoIP (Voice) + Phishing = Vishing.
So far we have covered phishing attacks delivered by email. When the attack is carried out over the telephone, it is called vishing or voice phishing.
In a vishing attack, the fraudster calls the victim's phone and asks for personal information while posing as a trustworthy party. For example, they may pretend to be a bank employee and extract bank account numbers, ATM PINs or passwords; once you have handed that information over, you have effectively given the thieves access to your accounts and finances.
SMS + Phishing = SmiShing.
Just like vishing, smishing is delivered to mobiles. Here the attacker sends the target an SMS containing a link or a fake alert. Following the link may take the victim to a fake login page that captures credentials, or may trigger the download of malicious software onto the phone. With malware on the device, the attacker can read the information stored on it, including whatever is needed to steal your money.
Clone phishing:
Clone means duplicate or identical. Living up to the name, clone phishing is when the fraudster takes a legitimate email the employee has already received and creates a near-identical copy of it, swapping the original links or attachments for malicious ones, to trap employees.
Because it is an almost perfect replica of a genuine message, fraudsters take advantage of its legitimate look and succeed in their malicious intentions.
Search engine phishing:
This is a newer type of phishing in which the fraudster builds a website offering attractive but fake products, schemes or offers to draw in customers. They may even present bogus bank partnerships with fake high-interest schemes. They get the website indexed by search engines and then wait for their prey.
Once a customer visits the page and enters personal information to purchase a product, or for any other purpose, that information lands in the fraudsters' hands, and they can cause the customer serious damage.
Watering hole phishing:
In this type of phishing, the attacker keeps a close watch on their targets. They observe the sites the targets usually visit and infect those sites with malware. It is a wait-and-watch situation: the attacker waits for the target to revisit the compromised site. Once the targeted person opens the site again, malware infects their computer and harvests the required personal details or customer information, leading to a data breach.
Although the cybercriminals behind phishing attacks on individuals and companies are skilled, there are precautionary measures that can stop them from succeeding. Let's have a look.
Precautions & Preventions of Phishing Attacks:
- Re-check the URL before clicking an unknown or suspicious link: read the actual domain name, not just the link text
- Do not open suspicious emails, and avoid shortened links whose destination you cannot see
- Use a unique password for every account (a password manager helps), and change a password immediately if you suspect it was entered on a phishing page
- Educate and train your employees to identify and report phishing attempts
- Check for HTTPS sites, but remember that the padlock only means the connection is encrypted; phishing sites use HTTPS too, so verify the domain as well
- Install and keep updated anti-virus software, anti-phishing software and anti-phishing toolbars
- Don't install anything from unknown sources
- Always opt for 2-factor authentication, preferably an authenticator app or hardware security key (FIDO2/WebAuthn); SMS codes can be captured by a phishing page that relays them in real time
- Trust your instincts
- Keep your systems patched and up to date
- Deploy email filtering (including SPF, DKIM and DMARC checks) and web-filtering tools to block malicious messages and links
- Use SSL/TLS certificates on your own sites so that encrypted connections are the norm
- Report phishing attacks and scams to APWG (Anti-Phishing Working Group)
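What "re-check the URL" means in practice, and the tricks behind the near-perfect fake links described in the email phishing section above, as an added example that is not from the original article or from ClickSSL: a small URL inspector that flags the common deceptions (a bare IP address, a username@ prefix that hides the real host, a brand name used as a subdomain of some other domain, look-alike spellings such as examp1e or exarnple, non-ASCII or punycode hosts, link shorteners, and plain HTTP). The trusted domain example.com, the shortener list and the test URLs are constructed assumptions for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed trusted domain(s) for the organisation; everything else is suspect.
TRUSTED_DOMAINS = {"example.com"}
# A few well-known link shorteners: the real destination is hidden behind them.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Character swaps attackers use to forge look-alike names (examp1e, exarnple).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a label one edit away from a brand name is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(label: str) -> str:
    """Replace common look-alike character sequences with what they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable(host: str) -> str:
    """Approximate registrable domain: the last two labels (a public-suffix
    list would be needed to handle names such as example.co.uk correctly)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return a list of warning codes for the URL. An empty list means no
    red flags were found; it does NOT prove the link is safe."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme != "https":
        warnings.append("no-https")
    if parts.username is not None:            # https://example.com@evil.net/
        warnings.append("userinfo")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-host")            # bare IP address instead of a name
    except ValueError:
        pass
    if not host.isascii():
        warnings.append("non-ascii")          # possible homograph (e.g. Cyrillic 'a')
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode")           # IDN that browsers may show as Unicode

    reg = registrable(host)
    if reg in SHORTENERS:
        warnings.append("shortener")
    if reg in trusted_domains:
        return warnings

    warnings.append("unknown-domain")
    sld = reg.split(".")[0]                   # second-level label, e.g. "examp1e"
    brand_names = {t.split(".")[0] for t in trusted_domains}
    # Brand name used as a subdomain or prefix of some other domain:
    # example.com.account-verify.net, example-secure.net
    if any(brand in host and brand != sld for brand in brand_names):
        warnings.append("brand-in-other-domain")
    # Look-alike second-level label: confusable characters, or one edit away.
    if any(normalize_confusables(sld) == brand or levenshtein(sld, brand) == 1
           for brand in brand_names):
        warnings.append("lookalike")
    return warnings


if __name__ == "__main__":
    for u in ("https://mail.example.com/login",
              "https://example.com@evil.net/login",
              "http://203.0.113.7/verify",
              "https://example.com.account-verify.net/",
              "https://examp1e.com/",
              "https://bit.ly/3abc"):
        print(u, "->", analyze_url(u) or ["ok"])
```

Two caveats worth keeping in mind when using something like this: the registrable-domain guess is deliberately naive (a public suffix list fixes it), and a clean result only says that none of the listed tricks were spotted, which is why the advice in the list above still ends with "trust your instincts".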
In a nutshell:
The main aim of phishing emails is to trick users into opening messages or clicking links and so cause them monetary loss. Ongoing cybersecurity training for all employees, from top to bottom, keeps them alert to such attacks and protects your business from financial damage.
Riya Sander, Digital Strategist, ClickSSL.net