HOW TO RECOGNIZE AND AVOID PHISHING ATTACKS?

What is a Phishing Attack?

Phishing attacks are fraudulent attempts to obtain sensitive information such as usernames, passwords, and credit card details by posing as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel match those of the legitimate site.

Phishing is an example of social engineering techniques used to deceive users. Users are lured by communications purporting to be from trusted parties such as social networking websites, auction sites, banks, emails/messages from friends or colleagues/executives, online payment systems or IT administrators.

Attempts to deal with phishing incidents include legislation, user training, public awareness, and technical security measures; the last of these matter because phishing attacks frequently exploit weaknesses in current web security.

The word is created as a homophone and a sensational spelling of fishing, influenced by phreaking.

Types

Spear phishing

Phishing attempts directed at specific individuals or companies are known as spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase the probability that the attack succeeds.

The first study of social phishing, a type of spear-phishing attack that leverages friendship information from social networks, yielded a success rate of over 70 percent in experiments.

Within organizations, spear phishing targets employees, typically executives or those who work in financial departments and have access to the organization’s sensitive financial data and services.

Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked to Hillary Clinton’s 2016 presidential campaign. They attacked more than 1,800 Google accounts and used the accounts-google.com domain to threaten targeted users.

Whaling

The term whaling refers to spear-phishing attacks directed specifically at senior executives and other high-profile targets. The content is likely to be crafted around an upper manager and that person’s role in the company – an executive issue such as a subpoena or customer complaint.

Catphishing and catfishing

Catphishing (spelled with a “ph”) is a type of online deception that involves getting to know someone closely in order to gain access to information or resources, usually in the control of the mark, or to otherwise get control over the conduct of the target.

Catfishing (spelled with an “f”), a similar but distinct concept, involves a person creating a social network presence as a sock puppet or fictional person in order to finagle someone into a (usually) romantic relationship. This usually begins online, with the hope or promise of it progressing to real-life romance. This is never the objective of the perpetrator; in general, they are seeking access to the mark’s money or resources, or to receive gifts or other consideration from the victim. Occasionally, it may be a form of self-serving attention-getting.

Clone phishing

Clone phishing is a type of phishing attack in which a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. Typically this requires either the sender or the recipient to have been previously hacked for the malicious third party to obtain the legitimate email.

Auditing firms and accountants are often phishing targets. Phishing is usually delivered through email, so text analysis is a common way to analyse phishing emails.[23]
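The text analysis mentioned above can be made concrete with a few simple checks that a cloned or brand-impersonating email tends to fail: a Reply-To domain that differs from the From domain, a display name that names a trusted brand while the address uses an unrelated domain, and a link whose visible text names one host but whose href points somewhere else. The following Python is an added example written for this article; it is not the article's own code. The brand allowlist (`KNOWN_BRANDS`), the helper names and both sample messages are constructed for illustration.

```python
"""Text analysis of an email for common phishing indicators (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> domains that legitimately send for it.
KNOWN_BRANDS = {"google": {"google.com"}, "examplebank": {"examplebank.com"}}

# Matches link text that looks like a URL or bare hostname, capturing the host.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def domain_of(address):
    """Lower-cased domain of a mailbox string such as 'Name <user@host>'."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def same_org(domain, trusted):
    """True when domain is the trusted domain itself or a subdomain of it."""
    return domain == trusted or domain.endswith("." + trusted)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_email(raw):
    """Return a list of findings for a raw RFC 5322 message (empty = nothing fired)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for brand, domains in KNOWN_BRANDS.items():
        if brand in from_name.lower() and not any(same_org(from_domain, d) for d in domains):
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for text, href in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        match = HOST_IN_TEXT.match(text)
        text_host = match.group(1).lower() if match else ""
        if text_host and href_host and not same_org(href_host, text_host):
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


# Constructed: a cloned "resend" that impersonates a brand and redirects replies.
SUSPECT_EMAIL = """\
From: "Google Accounts Team" <security@accounts-google.example>
Reply-To: helpdesk@mailbox-relay.example
To: employee@corp.example
Subject: Re: Updated invoice (resend)
Content-Type: text/html; charset=utf-8

<p>The attachment in the earlier message was outdated; please sign in again:</p>
<p><a href="https://accounts-google.example/login">https://accounts.google.com/</a></p>
"""

# Constructed: the same layout sent from the brand's own domain with consistent links.
BENIGN_EMAIL = """\
From: "Google Accounts Team" <no-reply@accounts.google.com>
To: employee@corp.example
Subject: Security alert
Content-Type: text/html; charset=utf-8

<p><a href="https://accounts.google.com/">https://accounts.google.com/</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SUSPECT_EMAIL):
        print("suspect:", finding)
    print("benign findings:", analyze_email(BENIGN_EMAIL))
```

Each check is a heuristic, not proof: a legitimate newsletter may set Reply-To to a ticketing domain, so in practice these findings feed a score or a reviewer queue rather than a hard block.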

Voice phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a voice-over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

SMS phishing

SMS phishing or smishing uses cell phone text messages to deliver the bait that induces people to divulge their personal information. Smishing attacks typically invite the user to click a link, call a phone number, or contact an email address provided by the attacker via SMS message. The victim is then invited to provide their private data, often credentials for other websites or services. Furthermore, due to the nature of mobile browsers, URLs may not be fully displayed; this can make it more difficult to identify an illegitimate login page. As the mobile phone market is now saturated with smartphones that all have fast internet connectivity, a malicious link sent via SMS can yield the same result as it would if sent via email. Smishing messages may come from telephone numbers that are in a strange or unexpected format.
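The truncated-URL problem above, and the look-alike domain in the spear phishing section (accounts-google.com), both come down to one rule: a narrow screen shows the leftmost part of a URL, but ownership is decided by the rightmost labels of the host. The following Python is an added example written for this article, not the article's own code; it shows what a 30-character display would reveal next to the host that actually receives the request. The `MULTI_LABEL_SUFFIXES` set and the `TRUSTED` allowlist are short, constructed stand-ins for the real Public Suffix List and a real brand allowlist, and the sample links are constructed.

```python
"""Assess a URL's hostname the way a phishing-aware link filter would (added example)."""
import re
from urllib.parse import urlparse

# Constructed: a few multi-label public suffixes (the real list has thousands).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
# Constructed allowlist: brand keyword -> registrable domains it really uses.
TRUSTED = {"google": {"google.com", "google.co.uk"}, "examplebank": {"examplebank.com"}}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Registrable domain: the public suffix plus the one label before it."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url, display_width=30):
    """Return what a narrow screen shows, the real host, its registrable domain and findings."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    shown = url[:display_width] + ("..." if len(url) > display_width else "")
    findings = []
    if not host:
        return {"shown": shown, "host": "", "registrable": "", "findings": ["no hostname"]}
    reg = registrable_domain(host)
    if parsed.username is not None:
        # Everything before '@' is userinfo, so the request goes to the host after it.
        findings.append(f"userinfo '{parsed.username}' precedes the real host")
    if IPV4.fullmatch(host):
        findings.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        findings.append("internationalised host label; check for look-alike characters")
    for brand, domains in TRUSTED.items():
        # The brand name appears somewhere in the host, but the owner is someone else.
        if brand in host and reg not in domains:
            findings.append(f"'{brand}' appears in the host but the domain is {reg}")
    return {"shown": shown, "host": host, "registrable": reg, "findings": findings}


# Constructed sample links of the kind a smishing message might carry.
SAMPLE_URLS = [
    "https://www.google.co.uk/security",
    "https://accounts.google.com.login-check.example/signin?session=1",
    "https://accounts-google.example/",
    "https://google.com@198.51.100.7/",
]

if __name__ == "__main__":
    for link in SAMPLE_URLS:
        result = assess_url(link)
        print(f"{result['shown']:<36} host={result['host']} domain={result['registrable']}")
        for finding in result["findings"]:
            print("   ->", finding)
```

The second sample is the instructive one: the first 30 characters read `https://accounts.google.com.lo...`, which is exactly what a narrow address bar would show, while the registrable domain is `login-check.example`. A filter that compares the registrable domain against an allowlist is not fooled by anything placed to the left of it.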

In June 2018, the Orange County Social Services Agency (SSA) warned residents of a texting scam that attempts to obtain cardholder information of CalWORKs, CalFresh, and General Relief clients throughout California.


Need any Help – Contact Us

To learn more about phishing attacks, see our Social Engineering Services.