What is a Phishing Attack?
In this digital era, everyone is moving rapidly into the cyber world. In this race to digitise almost everything, people tend to neglect the security side of it and so become highly vulnerable to cyberattacks, especially social engineering ones. Phishing attacks are built and launched with exactly these human errors in mind. People tend to overlook details, treating attention to them as tedious and unproductive work. This is where a cybercriminal comes into play: he builds an attack, such as a phishing attack, around that neglect. In these attacks, cybercriminals play with victims’ minds and manipulate them into producing the desired outcome. Such attacks are categorised as ‘Social Engineering Attacks’.
Phishing is one such social engineering attack. In it, the attacker tricks the victim into clicking a link or downloading a file. The victim does so because the attacker impersonates a trusted source. If the victim enters sensitive details after clicking that link, the attacker receives all of that information. In the case of a download, the file may contain ‘malicious software’ wrapped inside a genuine file; if the victim downloads it, he unknowingly installs that malicious software in the background. Phishing harms not only the victim but also his company or organization.
‘Phishing’ sounds like ‘fishing’ and uses the same technique: it lures people the way a baited hook lures fish. In phishing, the baited hook is an email or message embedded with a link or file. The attacker delivers it to a person or a group of people and waits for them to bite; if he succeeds, he redirects them to himself for his own benefit.
Types of Phishing:
Email Phishing:
In email phishing, the attacker sends a malicious link or document to a person via email. The email appears to originate from a trusted source, such as the IT department or the manager of the organization the person works at. The person is then tricked into opening that malicious link or document because the email is framed as urgent and demanding immediate action.
Suppose a person receives an email from his manager with a PDF attached, the subject line reading URGENT, but with some fishy details. Since it is an URGENT mail that seems to come from the manager, the person ignores the other details of the email and downloads the attached PDF. As soon as he clicks the download button, additional malicious software is downloaded in the background along with the PDF. Through this, the attacker has created a backdoor on his computer and has successfully carried out the email phishing attack. This one person’s negligence can let the attacker attack his company’s network, or take over the person’s system and make it part of a botnet (a robot network, used for many malicious activities).
Again, suppose a person receives an email containing a link, with doubtful details, from the IT department of the company he works at. The subject reads ‘Urgent Password Update’. The body claims that he has not changed his password in line with the company’s ‘Password Update Policy’ and that he must click the link to update it as soon as possible. Instead of accessing his employee account from the company’s website, he uses the link and changes the password there. What has actually happened is that he has unknowingly handed his username and password to the attacker. The attacker can now compromise any portion of the network by logging in as him and escalating his privileges.
According to https://www.knowbe4.com/phishing, more than 90% of successful hacks and data breaches start with phishing scams.
Spear Phishing:
Usually, phishing links are aimed at random people; when they are aimed at a particular group or person, the attack is called Spear Phishing. If the attacker needs information or access that is limited to a group or a person, he goes for a spear phishing attack. In spear phishing, the attacker selects a particular target, sends him the malicious email, tricks him into opening the link or file, and once it is opened, the attacker has what he wanted.
Suppose a system administrator receives an email from his service provider saying that he can get an additional month of service for free if he logs in and completes verification. Instead of ‘yourservice.com/xx’, the sysadmin receives the link as ‘yorservice.com/xx’ in that email. When he clicks the link and logs in with his credentials, the attacker obtains them. Now the attacker can easily get the information or access he wanted.
The only difference between ‘Phishing’ and ‘Spear Phishing’ is that spear phishing is a targeted phishing attack. Just as a person can point the tip of a spear at only one person at a time, spear phishing narrows its target down to a specific person or group.
Smishing or SMS Phishing:
Voice Phishing or Vishing:
In voice phishing, the attacker uses phone calls to trick people, impersonating a reliable source. The attacker will either ask for sensitive information directly or send a message containing a link and direct the person to follow certain steps once the link is clicked. Either way, the attacker is trying to obtain sensitive information about the person.
Suppose a person gets a call from his ‘bank’. The executive tells him that his account has been upgraded to a premium one. He then says that some formalities must be completed if the person wants to claim that premium account, and asks either for confidential bank details along with the OTP or for him to click the link that has been sent to his phone number. The attacker will insist that he click the link and proceed as instructed. In both cases, he is being trapped. This is how a vishing attack is carried out; the attacker can even withdraw all the money from his account.
How to identify a Phishing attack?
There are a few things which, if anyone notices them, will reveal whether a link is malicious or not. Phishing links always have something fishy about them if looked at carefully.
- The person should always check the grammar of the message received, whether by email or by phone. Most phishing messages are translated ones, so grammatical mistakes are inevitable. If the message contains grammatical errors, there is a chance it is malicious.
- In the case of a long URL, the person should always check the different segments of the received link. If it is meant to redirect him to Instagram, it must include Instagram’s domain name. If it doesn’t, it may be malicious. If he considers the link legitimate, he must still check the URL of the page he has been redirected to. A malicious URL usually has some mistake in the domain name or domain extension: instead of ‘www.instagram.com’ he may get ‘www.insta.com’ or ‘www.instagram.co.in’, or the link may not include the name of Instagram at all.
- In the case of shortened URLs, the person should add a ‘+’ sign at the end of the URL to see its long form. This works for URLs on ‘goo.gl’ and ‘bit.ly’; for example, ‘http://bit.ly/2lgPesi+’ reveals that the shortened link is a form of ‘https://safecomputing.umich.edu/’. Once the long URL is known, its genuineness can be checked by the method above.
- The person must check the message details. If it is a malicious mail, the details will contain something suspicious. For example, the sender pretends to be the IT Admin of AOT but his mail id does not look like ‘xyz@aot.edu.in’, or the received mail lacks a proper salutation or a proper subject.
- One thing to keep in mind is that banks never call their customers asking for OTPs, usernames, passwords, etc. So if someone gets such a call, it is malicious for sure.
- If the person is offered a deal that is too good to be true, he must be very careful about opening that link.
- One of the most important signs is that the attacker gives the person a very short deadline, so that he does not get much time to think logically about the legitimacy of the email or message before clicking the link or downloading the file.
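The URL checks above can be mechanised. The following Python snippet is an added example, not code from the original article: it extracts the registered domain of a link, compares it with the domain the message claims to lead to, and builds the ‘+’ preview form for bit.ly and goo.gl links. The lookalike hosts are the article’s own examples plus one constructed case, and the two-label domain extraction is a deliberate simplification (no public-suffix list).

```python
from typing import List, Optional
from urllib.parse import urlparse

# Shorteners where appending '+' shows the long URL instead of redirecting
SHORTENERS = {"bit.ly", "goo.gl"}


def registered_domain(url: str) -> str:
    """Return the last two labels of the hostname, lowercased.
    Deliberately naive (no public-suffix list): 'www.instagram.co.in'
    yields 'co.in', which is exactly why it fails the check below."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matches_expected(url: str, expected: str) -> bool:
    """True only when the link's registered domain equals the expected one.
    'www.instagram.com' passes; 'www.insta.com', 'www.instagram.co.in' and
    'instagram.com.evil.example' (constructed) all fail."""
    return registered_domain(url) == expected.lower()


def preview_url(url: str) -> Optional[str]:
    """For goo.gl / bit.ly links, return the '+' form that shows the long
    URL without following the redirect; None for any other host."""
    host = (urlparse(url).hostname or "").lower()
    return url.rstrip("/") + "+" if host in SHORTENERS else None


def is_plain_http(url: str) -> bool:
    """True when the link is served over plain HTTP rather than HTTPS."""
    return urlparse(url).scheme.lower() == "http"


def assess(url: str, expected: str) -> List[str]:
    """Collect the warnings a careful reader would raise for one link.
    `url` must include its scheme (http:// or https://)."""
    warnings = []
    if is_plain_http(url):
        warnings.append("not https")
    preview = preview_url(url)
    if preview:
        warnings.append(f"shortened link; inspect {preview} first")
    elif not matches_expected(url, expected):
        warnings.append(
            f"domain is {registered_domain(url)!r}, expected {expected!r}")
    return warnings
```

An empty list from `assess` means the link passed these mechanical checks only; the sender and message details still need the manual review described above.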
How to remain safe from Phishing Attacks?
Phishing is a social engineering attack in which the attacker tests a person’s attention to detail and calmness. If the person misses any detail in the process, he becomes the victim of the attack.
So, whenever such a mail or message is received, the person must follow a few steps which can help safeguard him against these attacks:
- The person must think before providing any critical information if the link starts with plain ‘http://’, such as ‘http://www.xyz.com’, which is not a secure website. This applies to long URLs.
- The person should check the link against the website ‘https://www.phishtank.com’ if he suspects it to be malicious. This is a free website, operated by OpenDNS, which will tell him whether the link has been flagged as phishing. To check a suspicious document, one should use ‘https://www.virustotal.com’, a free website from Google.
- If these websites flag the link as malicious, the person is advised not to open it. A Virtual Private Network protects the exchange of information from an attacker who is not directly involved in the communication; when the person clicks the link, he is sending his confidential details to the attacker himself, so a VPN can do nothing about it.
- If these websites flag the document as malicious but the person still wants to download it, he should do so inside a virtual machine. Then, even in the worst case, only the virtual machine is compromised, and there are options to recover it.
- If for any reason the person thinks the mail or message is malicious even though it is not flagged as such, he should verify it by contacting the organization or person who supposedly sent it directly.
- The person should use 2FA (two-factor authentication), so that even if his credentials are stolen he has a second line of defense. 2FA uses two ways to check the genuineness of the person. After entering the username and password, the person must provide the second factor of his authentication. Only if the username and password are correct does the second factor come into play, and the person gets access to his account only if he is authenticated both ways. Normally, people use an authenticator app or an OTP as the second factor. This two-factor authentication will buy him time to reset the password.
- ‘Not opening or downloading the malicious link or file’ is the last line of defense against phishing attacks.
Conclusion:
These were a few kinds of phishing attacks, how to identify them, and the safeguards a person needs to know, so that even after receiving malicious links or documents a person will remain safe from these phishing attacks. Calmness and attentiveness throughout the process will enable everyone to deal with these cyberattacks effectively. Everyone is advised to keep up to date with what is going on in the digital world. With cyber education and safe cyber practices, the world is going to be a safer place.