Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims.
Deceptive phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a seemingly legitimate phishing email than it is to break through a computer's defenses. Learning more about phishing is important to learning how to detect and prevent it.
How phishing works
Phishing attacks typically rely on social networking techniques applied to email or other electronic communication methods, including direct messages sent over social networks and SMS text messages.
Phishers may use social engineering and other public sources of information, including social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and work history, interests and activities. These sources are usually used to uncover names, job titles and email addresses of potential victims, as well as other additional information. This information can then be used to craft a believable email.
Typically, a victim receives a message that appears to have been sent by a known contact or organization. The attack is carried out either through a malicious file attachment that contains phishing software, or through links connecting to malicious websites. In either case, the objective is to install malware on the user's device or direct the victim to a fake website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.
Although many phishing emails are poorly written and clearly fake, cybercriminal groups increasingly use the same techniques professional marketers use to identify the most effective types of messages.
How to recognize a phishing email
Successful phishing messages are difficult to distinguish from real messages. Usually, they are represented as being from a well-known company, even including corporate logos and other identifying data collected from the misrepresented company.
However, there are several clues that can indicate that a message is a phishing attempt. These include:
Types of phishing
Cybercriminals continue to hone their skills in making existing phishing attacks and creating new types of phishing scams. Some common types of phishing attacks include:
Spear phishing attacks are directed at specific individuals or companies, usually employing information specific to the victim that has been gathered to more successfully represent the message as being authentic. Spear phishing emails might include references to co-workers or executives at the victim's organization, as well as the use of the victim's name, location or other personal information.
Whaling attacks are a type of spear phishing attack that specifically targets senior executives within an organization, often with the objective of stealing large sums. Those preparing a spear phishing campaign research their victims in detail to create a more genuine message, as using information relevant or specific to a target increases the chances of the attack being successful.
Because, a typical whaling attack targets an employee with the ability to authorize payments, the phishing message often appears to be a command from an executive to authorize a large payment to a vendor when, in fact, the payment would be made to the attackers.
Pharming is a type of phishing that depends on DNS cache poisoning to redirect users from a legitimate site to a fraudulent one, and tricking users into attempting to log in to the fraudulent site with personal credentials.
Clone phishing attacks use previously delivered but legitimate emails that contain either a link or an attachment. Attackers make a copy -- or clone -- of the legitimate email, replacing any number of links or attached files with malicious links. Victims can often be tricked into clicking the malicious link or opening the malicious attachment.
This technique is often used by attackers who have taken control of another victim's system. In this case, the attackers utilize their control of one system to pivot within an organization using email messages from a trusted sender known to the victims.
Phishers sometimes use the evil twin Wi-Fi attack by standing up a Wi-Fi access point and advertising it with a deceptive name that is similar to a legitimate access point. When victims connect to the evil twin Wi-Fi network, the attackers gain access to all transmissions to or from victim devices, including user IDs and passwords. Attackers can also use this vector to target victim devices with their own fraudulent prompts.
Voice phishing is a form of phishing that occurs over voice communications media, including voice over IP (VoIP) or plain old telephone service (POTS). A typical vishing scam uses speech synthesis software to leave voicemails purporting to notify the victim of suspicious activity in a bank or credit account and solicits the victim to respond to a malicious phone number to verify their identity -- thus compromising the victim's account credentials.
Another mobile device-oriented phishing attack, SMS phishing uses text messaging to convince victims to disclose account credentials or install malware.
Phishing attacks depend on more than simply sending an email to victims and hoping that they click on a malicious link or open a malicious attachment. Attackers use several techniques to entrap their victims:
How to prevent phishing
To help prevent phishing messages from reaching end users, experts recommend layering security controls, including:
In addition, enterprise mail servers should make use of at least one email authentication standard to confirm that inbound email is verified. These can, for example, include the DomainKeys Identified Mail (DKIM) protocol, which enables users to block all messages except for those that have been cryptographically signed; and the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which provides a framework for using protocols to block unsolicited email more effectively.
There are several resources on the internet that provide help in combating phishing. The Anti-Phishing Working Group Inc. and the federal government's OnGuardOnline.gov website both provide advice on how to spot, avoid and report phishing attacks. Interactive security awareness training aids, such as Wombat Security Technologies' PhishMe, can help teach employees how to avoid phishing traps, while sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines that are circulating the internet.
Phishing scams come in all shapes and sizes. Users can stay safe, alert and prepared by knowing about some of the more recent ways that scammers have been phishing. A few examples of more modern phishing attacks include:
Digital payment-based scams
These happen when major payment applications and websites are used as a ruse to gain sensitive information from phishing victims. In this scam, a phisher masquerades as an online payment service (such as PayPal, Venmo or TransferWise).
Generally, these attacks are performed through email, where a fake version of a trusted payment service asks a user to verify their log in details and other identifying information. Usually, they claim that this is necessary in order to resolve an issue with the user's account. Often, these phishing attempts include a link to a fraudulent "spoof" page.
PayPal is aware of these threats and have released informational materials for their customers to reference in order to stay prepared against phishing attacks. They recommend that anyone who receives a suspicious email from an account claiming to be PayPal should not click any links, but instead, use the hovering technique outlined above to see if the link address matches PayPal's actual domain. It is also advised to then separately log in to their account to make sure everything looks like it should.
If a user is unsure of how to spot a fraudulent online-payment phishing email, there are a few examples of how these phishing scams often look. Generally, a phishing email from PayPal has been known to include:
If a person receives one of these emails, they should open their payment page on a separate browser tab or window and see if their account has any alerts. If a user has been overpaid or are facing suspension, it will say so there. Additionally, PayPal urges users to report any suspicious activity to them, so they can continue to monitor these attempts and prevent their users from getting scammed.
Finance-based phishing attacks
These are a common form of scamming, and they operate on the assumption that victims will panic into giving them personal information. Usually, in these cases, the attacker poses as a bank or other financial institution. In an email or phone call, the attacker informs their potential victim that their security has been compromised. Often, the scammer actually uses the threat of identity theft to successfully do just that.
A few examples of this scam include:
Work-related phishing scams
These are especially alarming, as this type of scam can be very personalized and hard to spot. In these cases, an attacker purporting to be the recipient's boss, CEO or CFO contacts the victim, and requests a wire transfer or other fraudulent purchase.
One work-related scam that has been popping up around businesses in the last couple of years is a ploy to harvest passwords. This scam often targets executive-level employees, who likely are not considering that an email from their boss could be a scam. The fraudulent email often works because, instead of being alarmist, it simply talks about regular workplace subjects. Usually, it informs the victim that a scheduled meeting needs to be changed.
From there, the employee is asked to fill out a poll about when a good time to reschedule would be via a link. That link will then bring the victim to a spoof login page for Office 365 or Microsoft Outlook. Once they have entered your login information, the scammers steal their password.
History of phishing
The history of the term phishing is not entirely clear.
One common explanation for the term is that phishing is a homophone of fishing and is named so because phishing scams use lures to catch unsuspecting victims, or fish.
An explanation for the origin of phishing comes from a string -- <>< -- which is often found in AOL chat logs because those characters were a common HTML tag found in chat transcripts. Because it occurred so frequently in those logs, AOL admins could not productively search for it as a marker of potentially improper activity. Black hat hackers would then replace any reference to illegal activity -- including credit card or account credentials theft -- with the string, which eventually gave the activity its name because the characters appear to be a simple rendering of a fish.
In the early 1990s, a group of individuals called the Warez Group created an algorithm that would generate credit card numbers at random in the attempt to create fake AOL accounts. The faked account would then spam other AOL accounts. Some individuals would try to change their AOL screen names to appear as AOL administrators. Using these screen names, they would then "phish" people via AOL Messenger for their information.
In the early 2000s, phishing saw more changes in implementation. The "love bug of 2000" is an example of this, where potential victims were sent an email with a message saying "ILOVEYOU," pointing to an attachment letter. That attachment held a worm that would overwrite files on the victims computer and copy itself to the user's contact list.
Also, in the early 2000s, different phishers began to register phishing websites. A phishing website is a domain that is similar in name and appearance to an official website in order to fool someone into believing it is legitimate.
Today, phishing schemes have gotten more varied, and are potentially more dangerous than before. With the integration of social media and log in methods such as "log in with Facebook," an attacker could potentially commit several data breaches on an individual using one phished password, making them vulnerable to ransomware attacks in the process. More modern technologies are also being utilized now. As an example, the CEO of an energy firm in the U.K. had thought they were speaking on the phone with their boss -- being told to send funds to a specific supplier -- when it was really a phishing scheme that utilized AI to mimic the voice of the CEO's chief executive from their parent company. It is unclear whether the attackers used bots to react to the victim's questions. If the phisher used a bot to automate the attack, it would have been more difficult for law enforcement to investigate.
15 Jun, 2020  0  Comments
Written by Dan Rafter for NortonLifeLock
How serious of a problem is cybercrime? A study by Cybersecurity Ventures predicts these crimes will cost the world $6 trillion a year by... ...Read More
14 Jun, 2020  0  Comments
Online merchants around the world are struggling to maintain services in the face of lockdowns – and dark web vendors are no different from the rest.
Some are warning... ...Read More
13 Jun, 2020  0  Comments
October is National Cyber Security Awareness Month. With schools now back in session, students may be re-establishing in-person friendships and making new ones, with social media being... ...Read More
10 Jun, 2020  0  Comments
Fraudsters have found yet another way to take advantage of the pandemic.
THE COVID-19 PANDEMIC has created prime conditions for scams. From phishing... ...Read More
Sign up to receive our free newsletters!
We do not spam. We value your privacy!
© 2020 Just40days.com. All Rights Reserved. Developed by HariOm Technologies