Phishing is a cyber attack used to steal personal information, data or passwords by sending emails with malicious links or attachments.
This attack generally uses disguised emails, often pretending to come from a known or trusted person or from the company you work for, and tricks you into clicking a link, opening an attachment or filling in a form that asks for your personal details. As soon as you follow the instructions, the details are extracted and used to access your personal accounts, resulting in identity theft and financial loss.
How to catch a Phish?
There are certain methods by which you can identify phishing attacks:
- These emails generally seem too good to be true. The message may look like an important government guideline or a notification that you have won a lottery or a prize.
- If an email urges you to act fast, treat it as suspicious.
- A spelling error or an altered name in a hyperlink is a good indication of malicious activity.
- Attachments that make no sense in context are a clear sign of a phishing attack.
Phishing and its kinds
- Spear phishing – Drafting an email that targets a particular person is called spear phishing. Attackers identify their targets and send emails addressing an important issue. For example, a phisher can pretend to be a co-worker from another department requesting personal information or a bank transfer.
- Whaling – Whaling is a kind of phishing attack that targets CEOs or people in top management, such as company board members. This attack generally aims to collect high-value, confidential information that only a member of senior management can provide. Extensive research on the victim is required when carrying out this attack.
- Business Email Compromise (BEC) – Attackers target employees in finance and accounting departments via the Business Email Compromise (BEC) scam. Such attacks are carried out using spoofed email addresses of CEOs or other members of top management, asking for money transfers into unauthorized accounts.
- Clone phishing – Clone phishing is a type of attack where a legitimate message is replicated so that the victim accepts it as real. The attacker replaces the link or the attachment that was in the original message. Since the message appears to be resent, the attacker always supplies the victim with a reason why the mail has been sent again.
- Vishing – Vishing refers to voice calls or messages in which the instructions appear to come from a bank or a finance company, asking for personal information such as account details or a PIN "for security reasons".
- Snowshoeing – Snowshoeing refers to spreading spam emails across many IP addresses to weaken spam filters. The more IP addresses are used, the less effective the filters become.
As per the RSA Quarterly Fraud Report, phishing accounted for 48% of the total cyber security attacks recorded for the period from January 1, 2018 to March 31, 2018. It also states that Canada, the United States, India and Brazil are the countries most targeted by phishing.
Averting phishing attacks
- Check any URL sent in an email thoroughly before clicking on it. If it looks suspicious, never click on it.
- Check whether a URL redirects you to a look-alike website that imitates the genuine one.
- To protect your system from malicious or spam emails, spam filters must be used. Spam filters separate fraudulent emails from legitimate ones and drop them into a different folder so that you can tell them apart.
- If you feel that an email has come from an untrusted source, do not reply to that email; instead, start a new email to the sender and verify whether the email you received is genuine.
- It is important to follow safe browsing practices. This helps you recognise malware and malicious links or attachments, and so prevents you from becoming a victim.
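The two link checks recommended above (spotting an altered name in a hyperlink, and checking where a URL really points before clicking) can be automated for defenders who triage reported emails. The script below is an added example written for this article, not code from the original page or from any product it mentions. It parses the HTML body of an email, flags anchors whose visible text looks like a URL but whose real destination host is different, and flags destination domains that are a one- or two-character edit away from a trusted domain. The trusted-domain list and the sample email body are constructed for illustration.

```python
"""Flag suspicious hyperlinks in an HTML email body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of domains the organisation considers legitimate (constructed).
TRUSTED_DOMAINS = ["example-bank.com", "example.com"]

# Visible link text that itself looks like a URL or bare domain.
_URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Lower-cased hostname of a URL; a scheme-less string is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Naive registrable domain: the last two labels (enough for this illustration)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one hyperlink (empty if clean)."""
    findings = []
    href_host = host_of(href)
    # Check 1: the visible text looks like a URL but the real target host differs.
    if _URL_LIKE.fullmatch(text):
        text_host = host_of(text)
        if text_host and text_host != href_host:
            findings.append(f"display text '{text}' but link goes to {href_host}")
    # Check 2: the target domain is a near-miss (typo-squat) of a trusted domain.
    dom = registered_domain(href_host)
    for t in trusted:
        if dom != t and levenshtein(dom, t) <= 2:
            findings.append(f"{href_host} looks like trusted domain {t}")
    return findings


def scan_email_html(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, findings)] for every anchor that raised at least one finding."""
    collector = _AnchorCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        findings = check_link(href, text, trusted)
        if findings:
            results.append((href, text, findings))
    return results


# Constructed sample email body: one typo-squatted lure, one genuine support link.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be locked in 24 hours.</p>
<a href="http://example-bamk.com/login">https://example-bank.com/login</a>
<a href="https://example.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        print(href, "<-", text)
        for f in findings:
            print("   *", f)
```

Running the script flags only the first anchor, with both findings: the visible text names example-bank.com while the link goes to example-bamk.com, and that host is one edit away from the trusted domain. The edit-distance threshold and the two-label "registrable domain" shortcut are deliberately simple; a production filter would use the public suffix list and a tuned threshold to keep false positives down.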
Phishing is a major concern for individuals as well as organisations. Cyber security courses catering to Phishing and Whaling are in high demand and provide lucrative job offers. These courses can also be pursued to protect personal systems or information. Among others, CISSP and CEH certification courses are the best that one can opt for.