What is Phishing and How to Prevent Phishing Attacks

What is Phishing?

Phishing is a cyber crime in which an attacker makes a fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising themselves as a trusted entity over email, telephone or text message. Once the victim hands over the information, it is used to access accounts and can result in identity theft and financial loss.

Nowadays phishing attacks are increasing steadily, in part due to the Covid-19 pandemic.
The first phishing case was filed in 2004 against a Californian teenager who created a fake “America Online” website. With this fake website, he was able to obtain a great deal of sensitive information from users and use their credit card details to withdraw money from their accounts. Today, besides email and website phishing, there are also 'vishing' (voice phishing), 'smishing' (SMS phishing) and several other phishing techniques in use.

Phishing scams and schemes are becoming more creative every day as businesses and individuals find themselves the targets of new tactics.

Some recently reported phishing statistics: the impact of phishing on businesses and organisations is among the largest of all cyber criminal attacks, and every day someone is trapped by phishing.

a).  $1.7+ Billion in Losses Resulted from BEC/EAC Crimes in 2019 :- The FBI’s IC3 reported that more than $1.7 billion in losses, more than half of the $3.5 billion reported lost across 23,775 internet and cyber crime complaints in 2019, resulted from business email compromise complaints.

b).  88% of Organizations Reported Experiencing Spear Phishing Attacks in 2019.

c).  $1.2B Lost to Business Email Compromise and Email Account Compromise.

d).  57% of Organizations Report Experiencing Mobile Phishing Attacks.

e).  $3.5 Million Was the Average Cost of Human Error Data Breaches in 2019.

Phishing Techniques and How They Work :-

Spear Phishing :- While traditional phishing uses a 'spray and pray' approach, meaning mass emails are sent to as many people as possible, spear phishing is a much more targeted attack in which the hacker knows which specific individual or organization they are after. They do research on the target in order to make the attack more personalized and increase the likelihood of the target falling into their trap.

Social Engineering :- Social engineering is the cyber criminal's technique of persuading users to click on various kinds of unexpected content, using a variety of technical and social pretexts. For example, a malicious attachment might masquerade as a benign linked Google Doc.

Email/Spam :- Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.

Web Based Delivery :- Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the attacker is located between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to enter information, it is gathered by the phisher without the user knowing.

Link Manipulation :- Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.

Keyloggers :- Keyloggers are malware that records input from the keyboard. The captured information is sent to the attackers, who extract passwords and other data from it. To prevent keyloggers from capturing personal information, secure websites provide the option to make entries with mouse clicks on a virtual keyboard.

Trojan Horse :- A Trojan Horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.

Malvertising :- Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.

Session Hijacking :- In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hijacking technique known as session sniffing, the phisher uses a sniffer to intercept relevant information so that they can access the web server illegally.

Content Injection :- Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.

Search Engines :- Some phishing scams involve search engines, where the user is directed to sites that offer products or services at a lower cost. When the user tries to buy the product by entering credit card details, they are collected by the phishing site. There are many fake bank websites offering credit cards or loans at low rates that are actually phishing sites.

Vishing (Voice Phishing) :- In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information such as bank account details through the phone. Phone phishing is mostly done with a fake caller ID.

Smishing (SMS Phishing) :- Smishing is phishing carried out over the Short Message Service (SMS), the mobile text messaging service. A smishing text, for example, attempts to lure the victim into disclosing personal information via a link that leads to a phishing website.

Malware :- Phishing scams involving malware require it to be run on the user’s computing device. The malware is usually attached to the email sent to the user by the phishers; once the user clicks the link or opens the attachment, the malware starts running. Sometimes the malware may also be attached to downloadable files.

Ransomware :- Ransomware encrypts important files or blocks access to a device until a ransom has been paid. Ransomware for PCs is malware that gets installed on a user’s computing device through a social engineering attack in which the user is tricked into clicking a link, opening an attachment, or clicking on malvertising.

How to Prevent Phishing?

Nowadays there are many different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.

Phone, website and email phishing can now be reported to the authorities, and should be as soon as possible. People can learn about and be trained to recognise phishing attempts through cybersecurity awareness programmes.

Google posted a video demonstrating how to identify and protect yourself from phishing scams. People should also learn from daily news reports about those who have become victims.

The Anti-Phishing Working Group (APWG) produces regular reports on trends in phishing attacks.

Some prevention techniques :- A wide range of technical approaches is available to identify and prevent phishing attacks.

• Multi-factor authentication.

• Transaction verification.

• Filtering out phishing mail.

• Browsers alerting users to fraudulent websites.

• Augmenting password logins.

• Monitoring and takedown.

• Email content redaction.
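
"Filtering out phishing mail" in the list above usually means scoring each message against a set of heuristics before delivery. The following is an added example, not code from the original post or from any particular filtering product: it parses a raw message with Python's standard `email` module and awards one point for each of four constructed heuristics (a display name that embeds an address from another domain, a Reply-To that differs from the sender's domain, SPF/DKIM/DMARC failures recorded in the receiving server's `Authentication-Results` header, and urgency language of the kind the Email/Spam section describes). The phrase list, the two sample messages and their domains (`bank.example`, `corp.example`, `.invalid` names) are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases that pressure the reader to act immediately (constructed list; extend as needed).
URGENCY_PHRASES = (
    "urgent", "verify your account", "suspended", "within 24 hours", "confirm your password",
)


def _domain(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw):
    """Apply simple phishing heuristics to a raw RFC 822 message.

    Returns (score, reasons): one point per heuristic that fires. The checks
    read only headers and text; they never follow links or open attachments.
    """
    msg = message_from_string(raw)
    reasons = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name that embeds an address from a different domain than the real sender.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if embedded and embedded.group(1).lower() != from_domain:
        reasons.append(f"display name claims {embedded.group(1)} but sender is {from_domain}")

    # 2. Reply-To pointing somewhere other than the sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from {from_domain}")

    # 3. Authentication failures recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            reasons.append(f"{mech} failed")

    # 4. Urgency language in the subject or body.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    return len(reasons), reasons


# Constructed sample messages (headers as a receiving server might record them).
PHISH_SAMPLE = """From: "support@bank.example" <alerts@mail-bank-verify.invalid>
Reply-To: verify@bank-secure-login.invalid
To: customer@corp.example
Subject: URGENT: your account will be suspended
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-bank-verify.invalid; dkim=none; dmarc=fail header.from=bank.example
Content-Type: text/plain; charset=utf-8

Please verify your account within 24 hours to avoid suspension.
"""

LEGIT_SAMPLE = """From: IT Helpdesk <helpdesk@corp.example>
To: staff@corp.example
Subject: Monthly maintenance window
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

The file server will be offline on Saturday from 02:00 to 04:00.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_message(sample)
        print(f"{label}: score {score}")
        for r in reasons:
            print("  -", r)
```

The phishing sample scores 5 (all four heuristics fire, with SPF and DMARC counted separately) and the legitimate sample scores 0. In practice a filter would quarantine above a threshold and add a visible banner below it, and the `Authentication-Results` check only has value if the receiving server actually performs SPF, DKIM and DMARC evaluation and strips any such header supplied by the sender.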
