Phishing Attack: A Comprehensive 5 Step Guide

Introduction

Phishing is a cyber-attack performed to steal users’ sensitive information by making fraudulent use of electronic communication like emails, instant messages, or text messages. A phishing attack is executed by deceiving or duping the users to click a malicious link, masquerading as a trusted entity. The goal is to install the malware in the victim’s system, which might freeze the system or reveal sensitive information like credit card details, login ids, passwords, etc.

Table of Contents

  1. What is a phishing attack?
  2. Real-world examples of phishing attacks
  3. What are the different types of phishing attacks?
  4. What are the different phishing techniques? 
  5. How to avoid a phishing attack?

1. What is a phishing attack? 

Phishing can cost victims dearly, leading to devastating losses such as stolen funds, unauthorized purchases, and identity theft. Phishing targets are not just individual users but also government and corporate networks. These are larger cyberattacks that breach the security perimeter of a government's or corporation's closed network by distributing malware inside it to gain privileged access to sensitive data.

2. Phishing Attack Examples from the Real World

  • In 2016, hackers managed to get the Gmail password of Hillary Clinton’s campaign chair, John Podesta.
  • In 2016, University of Kansas employees were targeted through phishing emails and tricked into handing over access to their paycheck deposit information.
  • Another popular phishing attack example is when employees of Sony were targeted. Phishing emails were sent by hackers posing as company colleagues (names and titles picked from LinkedIn accounts). Reportedly, this phishing attack cost Sony around $100 million, and more than 100 terabytes of company data were stolen.
  • Even Google and Facebook fell prey to cybercrime. A hacker who posed as a computer parts vendor sent fake invoices between 2013 and 2015 and tricked the companies into paying more than $100 million.
  • Since the MHA made Aarogya Setu mandatory, phishing scams in India have seen a 700% rise.
  • According to the 2019 Verizon Data Breach Investigations Report, nearly a third of all cyber breaches involved phishing.

3. What are Different Types of Phishing Attacks?

Here are some of the most common types of phishing attacks, through which crooks attempt to target victims:

A) Email phishing attack

An email phishing attack is the most common type. Here, the hacker sends thousands of malicious emails with generic requests from a fake email address that mimics a genuine organization's. The hacker tries to trick recipients by substituting look-alike characters in the domain part, for example replacing the letter ‘m’ with ‘r’ and ‘n’ put together, since ‘rn’ mimics ‘m’.

Another technique hackers use to mimic a domain name is to write the organization’s name in the local part of the address, for instance ICICI@domainregistrar.com, so that in the recipient’s inbox only the word ‘ICICI’ appears and the recipient can be deceived into believing it is a genuine mail from ICICI.

B) Spear phishing

Spear phishing is also a kind of email phishing attack. However, in this category the hacker already has some information about the victim, like their name, employer, or bank. Using that information, he creates a more personalized email for the victim. So it targets users specifically, in the hope of duping them into clicking a malicious link.

C) Whaling

Whaling attacks target senior executives. The goal is the same, but a subtler technique is used. A bogus tax-return form sent through email is one variety of whaling, as it gives criminals access to a host of useful information.

D) Smishing and vishing

In smishing and vishing, the method of communication is telephone text messages and calls (respectively), instead of emails. The content of smishing and vishing is the same as with email phishing, except that it involves a telephonic conversation. Fraudsters posing as investigators, credit card agents, insurance agents, or bank agents increasingly use vishing to target people in the hope of deceiving them into sending money to criminal accounts.

E) Angler phishing

Angler phishing uses social media to reach targets through phishing websites, fake URLs, posts, and tweets, with the same goal of persuading them to download malware or divulge sensitive information.

4. What are the Different Phishing Attack Online Techniques? 

There are numerous phishing techniques; listed below are some of the most popular ones.

A) Deactivation alarms

‘Your Netflix account is about to be deactivated’, ‘Renew your subscription’, ‘Your password is expiring’: these kinds of deactivation scare emails are quite common. Crooks send these fraudulent emails with malicious links from genuine-looking domains. On clicking the link, several things can happen: the victim might be tricked into divulging credit card information under the illusion that he is renewing a subscription, or he might be redirected to a site where he is asked to enter the old password to create a new one, and this way the password may get leaked.

B) Look-alike websites

This is a follow-up to the deactivation scare emails. Clicking on the links often leads the target to fake websites that look like the originals. It is hard to distinguish the fake from the original, but if the domain name is observed closely, one can see the phish points, like replaced letters.

C) Receiving monetary prize or donation

This technique is also very common, and many have fallen for it. The popular Nigerian scam is a real example of this. Here, the targets receive an email with long and detailed text explaining why they have been selected for a monetary prize or a donation. Then, the targets are either given an email address through which they can contact the people concerned, or are asked for bank details so that money can be transferred directly.

D) Tech support scams

Here, the targets receive tech support emails in the name of genuine organizations like Microsoft, featuring a toll-free number. If they call the number, they are connected to a crook posing as tech support. He makes them download remote access software, scans their computer, “finds” numerous viruses, and sells them a program to clean the system. All this is done to get hold of their credit card details.

E) Save a friend

This scam is executed through social media accounts. Crooks hack a social media account and then send messages to others in the friend list, narrating a fake story of some horrible consequence, like a dying friend or relative who can be saved only if the target offers monetary help.

5. How to Avoid a Phishing Attack?

Cybersecurity awareness is the main defense against a phishing attack. At a personal level, users need to become more aware of these kinds of attacks and behave more responsibly. Some of the key prevention measures they must follow are:

  • Before clicking any link in a mail, always check the sender’s email address closely. The domain part of the address should be the organization’s genuine domain. An address that carries the organization’s name only in the local part is a fake email address.
  • On landing on a website from an email link, one must closely check the domain to see whether it is the original or a duplicate website. It is always better to reach a website directly from Google or by typing its URL than by following an email link.
  • No genuine tech support provider will approach a system owner to troubleshoot a technical issue unless the user himself asks for tech support. So, on receiving unsolicited tech support emails, it is better to avoid them.
  • Unexpected money is too good to be true, so such emails are always fake phishing emails.
  • One shouldn’t send money to any friend on the strength of emails or messages from their personal social media account. Rather, call and confirm with them or their family over the phone.
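
The first two checks above (look-alike characters in the domain, and an organization's name sitting only in the local part, as in ICICI@domainregistrar.com) can be automated. The following is an added example, not code from the original article; the trusted-domain list and the confusable-sequence table are constructed assumptions, and a real deployment would use the user's own list of known correspondents.

```python
import re

# Constructed allow-list of domains the user actually deals with (assumption for this example).
TRUSTED_DOMAINS = {"icici.com", "netflix.com", "microsoft.com"}

# Character pairs that visually imitate a single letter, as the article describes
# for 'rn' standing in for 'm'. Illustrative, not exhaustive.
CONFUSABLES = {"rn": "m", "vv": "w"}


def collapse_confusables(domain: str) -> str:
    """Rewrite look-alike sequences so 'rnicrosoft.com' becomes 'microsoft.com'."""
    collapsed = domain.lower()
    for fake, real in CONFUSABLES.items():
        collapsed = collapsed.replace(fake, real)
    return collapsed


def org_name(trusted_domain: str) -> str:
    """The organisation token of a trusted domain, e.g. 'icici' for 'icici.com'."""
    return trusted_domain.split(".")[0]


def check_sender(address: str) -> list[str]:
    """Return phish-point warnings for a sender address; an empty list means none found."""
    match = re.fullmatch(r"([^@\s]+)@([^@\s]+)", address.strip())
    if not match:
        return ["not a well-formed address"]
    local, domain = match.group(1).lower(), match.group(2).lower()

    # A trusted domain, or a subdomain of one, needs no further checks.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []

    warnings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        name = org_name(trusted)
        # Check 1: the domain equals a trusted domain once look-alike characters are undone.
        if collapse_confusables(domain) == trusted:
            warnings.append(f"domain '{domain}' mimics trusted '{trusted}' (look-alike characters)")
        # Check 2: the organisation's name is in the local part but the domain is someone else's,
        # the ICICI@domainregistrar.com pattern from the article.
        elif name in local:
            warnings.append(f"local part '{local}' names '{name}' but domain is '{domain}'")
        # Check 3: the organisation's name is embedded in an unrelated domain (look-alike site).
        elif name in domain:
            warnings.append(f"domain '{domain}' contains '{name}' but is not '{trusted}'")
    return warnings
```

Run `check_sender("ICICI@domainregistrar.com")` to see the local-part warning and `check_sender("support@rnicrosoft.com")` to see the look-alike-character warning; genuine addresses such as `alerts@netflix.com` return an empty list.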

Conclusion

In addition to these preventive measures at a personal level, one can also counter phishing attacks with the aid of web application security solutions. Access management and web application security solutions are a must for government organizations and corporate firms.

Nowadays, government bodies and enterprises have become increasingly serious about their data security. Thus, they look for robust solutions and cybersecurity experts to strengthen the security perimeters of their networks. With this growing demand for offensive cybersecurity technologies, career prospects in this field have also become quite bright. If you are looking forward to building a career as a cyber security expert, you can specialize in relevant technologies and concepts by pursuing our Master Certificate in Cyber Security (Red Team) offered by Jigsaw Academy, in partnership with HackerU. It is the first program in offensive technologies in India that allows learners to practice in a real-time simulated environment.
