Phishing
Our lives are becoming more and more interconnected because of the internet. On one side this connectivity has a lot of benefits, but on the other it exposes us to a number of online threats. In today’s vulnerable world the most common and dangerous threat is phishing. Today I will try to explain what phishing is, how it works, and how you can protect yourself from falling victim to it.
What is Phishing?
Phishing is a type of cyberattack in which attackers deceive people by impersonating a legitimate organization or individual. The main goal of phishing is to obtain sensitive information by tricking the target. The information sought may include usernames, passwords, credit card numbers, and other personal details. Phishing attacks are commonly carried out by email, through social media, or via fraudulent websites.
Imagine that you receive an email which appears to be from your bank. The email warns of suspicious activity in your bank account and urges you to click a link and verify your details. This is a classic phishing attempt. Cybercriminals create urgency and fear of a severe loss so that you act as they wish. Sometimes they promise huge rewards instead. Once you click the link, it may take you to a fake website designed to steal your information, or download malware onto your system.
How Does Phishing Work?
Phishing attacks normally follow a common pattern, which I will elaborate below:
Bait:
According to Wikipedia, bait is any appetizing substance used to attract prey when hunting or fishing, most commonly in the form of trapping or ambushing. In simple words, it is a luring message sent by cybercriminals that appears to be from a known and trusted person, a bank, a social media platform, or another online service. This message normally conveys some sort of urgency and prompts you to take immediate action.
Hook:
Keeping in mind the concept of the fishhook and bait, cybercriminals send the target a message which includes a hidden link or an attachment. The attacker wants you to click on the link or open the attachment. The link then either downloads malware onto your system or leads to a fake website designed to look like a legitimate one.
Catch:
This is the final stage of phishing. Once you are trapped by the bait-and-hook strategy and enter your personal information on the fake website, the cybercriminals capture it. They then use it for malicious purposes, such as identity theft or financial fraud.
Types of Phishing Attacks
Email Phishing:
This is the most common form of phishing, in which attackers send fraudulent emails to the targeted person. The idea is to trick the recipient into revealing his or her personal information.
Spear Phishing:
Spear phishing targets specific people or organizations with personalized messages. Again, the main goal is to steal sensitive information or to infect the system with malware. It is a more sophisticated form of phishing, in which cybercriminals send a personalized message so that it looks more convincing. Before launching this attack, however, the attacker must research the target thoroughly to gather specific details, so that the personalized message is as specific as possible.
Whaling:
When we talk about whales, the image of a huge animal comes to mind. Similarly, targeting high-profile individuals such as heads of state, executives, or celebrities is called whaling.
Smishing and Vishing:
Smishing is a combination of SMS and phishing, so for smishing cybercriminals use SMS messages to target the potential victim. Vishing is a combination of voice call and phishing, and is carried out through voice calls.
Clone Phishing:
One thing must be clear at this stage: phishing is carried out through some type of message, either text or voice. In clone phishing, attackers create an almost identical copy of a message that the victim has previously received from a legitimate source. The only difference between the clone and the original is that the clone contains malicious links or attachments.
How to Protect Yourself from Phishing?
Be Skeptical:
Always be cautious of messages received from unknown sources. Messages seeking personal information or prompting you to click on links require special attention. Therefore, verify the sender before clicking any link received in a message or taking any other action.
Identify Mistakes:
Cybercriminals are often not well educated, so phishing emails normally contain spelling and grammatical mistakes or generic greetings. Legitimate companies never do that. Remember that legitimate organizations never send you messages without scrutiny and do not ask for sensitive information via email.
Check URLs:
It is very common to see a link with legitimate-looking text while the link behind that text takes you to a different page. The easiest way to verify it is to hover over the link to see the actual address, or to copy the link and paste it into the address bar of a browser. Moreover, before clicking the link you should ensure that the address starts with “https://” and has a legitimate domain name.
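The hover-and-verify check above can be automated for links in a saved email body. The following Python script is an added example and is not code from the original post; the trusted domain list, the HTML snippets, and the simple "last two labels" notion of a registrable domain are all constructed assumptions for illustration. It applies the three checks the paragraph describes: the real target is HTTPS, its domain is one you actually use, and the visible link text does not show a different site than the real destination.

```python
"""Added example (not part of the original post): flag suspicious links in an
email body the way a cautious reader would when hovering over them."""
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains the reader really logs in with.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed HTML anchors resembling links found in an email body.
SAMPLE_LINKS = [
    # 1: genuine link, text and target agree
    '<a href="https://example-bank.com/login">https://example-bank.com/login</a>',
    # 2: text shows the bank, target is a look-alike subdomain on another site
    '<a href="http://example-bank.com.verify-account.invalid/login">'
    'https://example-bank.com/login</a>',
    # 3: digit "1" standing in for the letter "l" in the domain
    '<a href="https://examp1e-bank.com/login">Verify your account</a>',
]

# Minimal anchor matcher: captures the href attribute and the visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(hostname):
    """Naive registrable domain: the last two labels of the hostname.
    A production check would consult the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def check_link(href, display_text):
    """Return a list of findings for one link; an empty list means no concern."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    # Check 1: the address should start with https://
    if parsed.scheme != "https":
        findings.append("not https")

    # Check 2: the real destination should be a domain you recognise
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append(f"untrusted domain: {host}")

    # Check 3: if the visible text looks like a URL, it must point to the
    # same site as the real target (the "text says X, link goes to Y" trick)
    shown = urlparse(display_text.strip())
    if (shown.scheme and shown.hostname
            and registrable_domain(shown.hostname) != registrable_domain(host)):
        findings.append("link text shows a different site than the real target")

    return findings


def check_email_links(html):
    """Run check_link over every anchor in an HTML fragment."""
    return [(href, check_link(href, text)) for href, text in ANCHOR_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in check_email_links("\n".join(SAMPLE_LINKS)):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{href}\n    -> {status}")
```

The second sample link is the classic case the paragraph warns about: the visible text reads like the bank's login page, but the real destination is a different site that merely begins with the bank's name. The third shows why "legitimate domain name" needs a careful look rather than a glance.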
Update Software:
I always recommend keeping your operating system, antivirus and anti-malware software up to date. Keeping this software current enables it to detect and block the latest phishing attempts.
Two Factor Authentication (2FA):
2FA is an extra layer of security which requires two steps of verification before granting access to your accounts. It is true that not all services provide 2FA, but wherever possible 2FA should be enabled to prevent a breach of your online account.
Keep Yourself Updated:
To stay safe online you must stay informed about the latest phishing tactics. The information you acquire should not remain confined to yourself; spread it among friends, family, and colleagues.
What to Do If You Fall Victim to Phishing?
If you suspect that you have become a victim of phishing, immediately take the following steps:
Change Password:
The first thing to do, if you still have access to your account, is to change the password of the compromised account and enable 2FA if possible.
Report to Relevant Authority:
In today’s digital world we have many types of online accounts: online banking, credit cards, social media, IoT devices, etc. If you become a victim, immediately report it to the organization concerned, e.g. your bank, credit card company, or Facebook, Google, TikTok, X, WhatsApp, etc.
Monitor Your Account Activities:
Always be vigilant about your online account activity. If you notice anything suspicious in your account, immediately report it to the company concerned to avoid further damage.
Report the Phishing Attempt:
Almost every email provider and messenger app has a reporting mechanism. In particular, you can report scams, block the sender, and flag spoofs. Therefore, if you receive a suspicious message or email, immediately report it to the relevant authorities, such as your email provider or the cybercrime investigation agency of your jurisdiction.
Conclusion
Looting people by luring them is not a new phenomenon; it has been around for ages. Likewise, phishing is a prevalent threat in today’s digital world. The only remedy is to stay vigilant and educated about the latest trends and to follow best practices for online security. This is the key to avoiding the risk of falling victim to an attack. At the risk of repetition, I would say that in my experience the best defense against phishing is awareness and caution.