What is Phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

 

The information is then used to access important accounts and can result in identity theft and financial loss.

 

Phishing Methods

Phishing attempts most often begin with an email attempting to obtain sensitive information through some user interaction, such as clicking on a malicious link or downloading an infected attachment.

 

• Through link manipulation, an email may present with links that spoof legitimate URLs; manipulated links may feature subtle misspellings or use of a subdomain.
• Phishing scams may use website forgery, which employs JavaScript commands to make a website URL look legitimate.
• Using covert redirection, attackers can corrupt legitimate websites with malicious pop-up dialogue boxes that redirect users to a phishing website.
• Infected attachments, such as .exe files, Microsoft Office files, and PDF documents can install ransomware or other malware.

Phishing scams can also employ phone calls, text messages, and social media tools to trick victims into providing sensitive information.

 

Types of Phishing Attacks

Some specific types of phishing scams use more targeted methods to attack certain individuals or organizations. 

 

1. Spear Fishing

Spear phishing email messages won’t look as random as more general phishing attempts. Attackers will often gather information about their targets to fill emails with more authentic context. Some attackers even hijack business email communications and create highly customized messages.

 

2. Clone Phishing

Attackers are able to view legitimate, previously delivered email messages, make a nearly identical copy of it—or “clone”—and then change an attachment or link to something malicious.

 

3. Whaling

Whaling specifically targets high profile and/or senior executives in an organization. The content of a whaling attempt will often present as a legal communication or other high-level executive business.

 

 

Prevent Phishing Attacks:

Though hackers are constantly coming up with new techniques, there are some things that  you can do to protect yourself and your organization:

 

To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the message, the software used to send the message, and the appearance of the message to determine if it’s spam. Occasionally, spam filters may even block emails from legitimate sources, so it isn’t always 100% accurate.

The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep a list of fake websites and when you try to access the website, the address is blocked or an alert message is shown. The settings of the browser should only allow reliable websites to open up.

Many websites require users to enter login information while the user image is displayed. This type of system may be open to security attacks. One way to ensure security is to change passwords on a regular basis, and never use the same password for multiple accounts. It’s also a good idea for websites to use a CAPTCHA system for added security.

Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report phishing to industry groups where legal actions can be taken against these fraudulent websites. Organizations should provide security awareness training to employees to recognize the risks.

Changes in browsing habits are required to prevent phishing. If verification is required, always contact the company personally before entering any details online.

If there is a link in an email, hover over the URL first. Secure websites with a valid Secure Socket Layer (SSL) certificate begin with “https”. Eventually, all sites will be required to have a valid SSL.