What is phishing?
Posted by Superadmin on March 26 2019 14:08:49
By IP Location Security. Last Modified on 2019-01-28
Phishing attacks are very common these days. While it is evident that they can have serious repercussions, not many people are aware of what exactly gets classified as a phishing attack.
Phishing is a fraudulent attempt by an intruder to obtain sensitive information by disguising as a trustworthy entity. In most cases the user never realizes it is a phishing attack, which makes it easier for the attacker to carry on.
It is a common method used by hackers to deceive users, and it is a cybercrime. The term phishing was first introduced in the mid-1990s.
Many individuals as well as corporations have been victims of phishing, and hackers keep employing newer ways to deploy phishing attacks.
Types of Phishing
- Bulk Phishing: In bulk phishing, the attacker does not gather much personal information about the target individuals. Sometimes it is carried out at random with no knowledge about the targets at all. This is one of the most common forms of phishing.
- Spear Phishing: Here the attacker targets specific individuals or companies and is well prepared with personal details about the target. This increases the probability of success.
- Whaling: This is a kind of spear-phishing attack where the attacker goes after high-profile targets, such as the upper management of an organization.
- Clone Phishing: This is a spoofing technique where the attacker uses a legitimate email address to send an email which appears to come from the original sender. Since most details look like the original email, it is referred to as clone phishing.
- Link Manipulation: This is one of the most common and widely used phishing techniques. Misspelled URLs within an email lead to a spoofed website: the attacker creates a URL which looks almost identical to the original one. Internationalized Domain Names (IDN) can be exploited through homograph attacks, also called IDN spoofing, to create a web address which looks like a legitimate one while pointing somewhere else.
- Filter bypass: Phishing can be reduced using anti-phishing filters, which eliminate phishing emails. To avoid detection, an attacker can use an image instead of text to carry the phishing content. More advanced anti-phishing filters can scan such images using OCR (Optical Character Recognition).
- Website duplication: In certain phishing scams the attacker manipulates JavaScript to alter the website URL a page originally leads to. This is done by closing the original URL and opening a new phished website, or by a similar technique. The attacker exploits a flaw in a legitimate website to achieve this; this is also known as Cross-Site Scripting. In most cases it is difficult to tell that the page is not the legitimate website. To avoid detection by anti-phishing filters, some phishing sites use Flash and hide the actual phishing text inside a multimedia object. This is also referred to as phlashing.
- Social Engineering: With the spread of social networking, social engineering is another popular method employed by hackers. It simply persuades a user to click on a malicious link or attachment.
- Covert Redirect: This is, in a way, a more complex form of phishing attack. In most other attacks the URL is altered in some way and can therefore be detected. In a covert redirect, however, the attacker may use the original URL itself. An attacker can corrupt a legitimate website by adding a small pop-up. If this pop-up asks the victim to authorize an app and the victim does so, the attacker can obtain a lot of sensitive information, including email lists. Using this, an attacker can also redirect the victim to a malicious page, which can be even more damaging.
- Voice Phishing: This is also referred to as vishing. It does not require a spoofed website and can be carried out simply over a voice call. Such calls from scammers prompt the user to enter personal details such as an account number or PIN into a voice-over-IP service owned by the attacker. The user believes it to be a legitimate call and enters personal information, making the attacker's job easy.
- Tabnabbing: This technique makes use of the tabs already open in the user's browser. Without the user's knowledge, it loads a malicious website in one of the existing tabs.
- Overloading request: This technique also takes place on a legitimate website, where the attacker adds a small pop-up asking for sensitive information. For instance, the user is on a bank website and a pop-up suddenly appears asking for username and password. In such cases the information entered is actually captured by the attacker.
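As an added example (not part of the original post), a small Python checker that applies the Link Manipulation and IDN homograph points above to a URL: it decodes punycode hosts, flags labels that mix scripts, and maps a constructed list of confusable Cyrillic letters onto ASCII to spot lookalikes of a constructed list of protected domains. The confusables table and the protected-domain list are assumptions for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains the checker protects (assumption for this example).
PROTECTED_DOMAINS = ["paypal.com", "apple.com"]

# Small constructed confusables map: non-Latin letters that render like ASCII.
# Production code should use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic es, ha, u, i
    "\u04bb": "h", "\u0455": "s", "\u0458": "j", "\u04cf": "l",  # Cyrillic shha, dze, je, palochka
}

def decode_host(host):
    """Turn an IDNA/punycode host (xn--...) into the Unicode form a browser displays."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode

def scripts_in(label):
    """Script names (first word of the Unicode character name) of the letters in label."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Replace confusable characters with the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def analyse_url(url):
    """Return a list of findings; an empty list means no link-manipulation signs found."""
    host = urlsplit(url).hostname or ""
    shown = decode_host(host)
    findings = []
    if shown != host:
        findings.append("punycode")
    if any(len(scripts_in(label)) > 1 for label in shown.split(".")):
        findings.append("mixed-script")
    skel = skeleton(shown)
    for good in PROTECTED_DOMAINS:
        if skel == good and shown != good:
            findings.append("homograph-of:" + good)   # looks like the brand, is not the brand
        elif good in skel and skel != good and not skel.endswith("." + good):
            findings.append("brand-embedded:" + good)  # brand name buried in another domain
    return findings

if __name__ == "__main__":
    print(analyse_url("https://p\u0430ypal.com/login"))  # Cyrillic 'a' in the host
```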
Identifying and avoiding Phishing attacks
There are multiple ways a phishing attack can be carried out. With advances in technology we do have advanced anti-phishing filters; however, this has also led to more complex phishing attacks, as attackers employ more sophisticated techniques to get past them.
So how do you identify a phishing attack?
- Unknown sender: Avoid opening emails from unknown senders. There is a high probability this might be a phishing attempt.
- Lucrative offers: Offers that entice you to click on links. Emails that seem too good to be true are again a reason to be alert.
- Urgency: Many emails use a tone of urgency to capture sensitive information. Mails claiming to be from banks or income tax departments are common bait.
- Hyperlinks: Such emails can come from known as well as unknown senders and contain a hyperlink that needs to be clicked. As a good practice, never click the email link directly: either verify the authenticity of the link or type the actual URL into the address bar. This is not restricted to emails; the same lure can be delivered through social engineering as well.
- Attachments: Attachments sent over emails are again a good way to carry out phishing attacks. Always scan the attachment and do not download the attachment if you are not sure about the content.
- Downloads: Never download software from unknown or unverified links. Use the official website to download software.
- Anti-Phishing: Use a recognized anti-phishing filter. Most well-known antivirus products provide one.
- Update: Always keep your browsers up to date with the latest security patch.
- Pop-ups: While browsing, be wary of random pop-ups. Do not click a pop-up which you didn't expect to appear or which asks for sensitive information.
- Firewalls: Protect your system with a good firewall along with pre-specified firewall rules which are difficult to bypass.
- Personal Information: Most institutions do not ask for personal or sensitive information. Never share personal or confidential information online, even if the website seems legitimate.
- Site Security: Check the site's security by looking at the URL and confirming that it uses https. Check the site's certificate, which can be viewed in most common browsers.
- Regular Checks: Check your email and online accounts regularly. This keeps you up to date on account activity so you can detect fraudulent activity before it is too late.
- Password: Passwords are one of the most important security features. Use a password that follows common security policies: it should be hard to guess and changed periodically. Many online payment systems require users to change their password regularly; however, this is not the case with most email accounts.
- Advanced Security: Adding 2-factor authentication makes phishing attacks harder to carry out. The attacker needs more than the captured password, which increases the chance that the attack fails.
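The Hyperlinks and Site Security advice above can be partly automated. The following is an added example, not from the original post: it parses the links in a constructed HTML email body with Python's standard library and flags links that are not https or whose displayed text shows a different domain than the real href target. The registrable-domain helper is a deliberate simplification (an assumption for this example).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude registrable domain: last two labels (assumption; real code uses the public suffix list).
    return ".".join(host.lower().split(".")[-2:])

def check_links(html):
    # Return (href, text, issues) for every link that fails a check.
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, issues = urlsplit(href), []
        if target.scheme != "https":
            issues.append("not-https")
        if URL_LIKE.match(text):  # displayed text is a URL: compare its host with the real target
            shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != registrable(target.hostname or ""):
                issues.append("text-host-mismatch")
        if issues:
            findings.append((href, text, issues))
    return findings

# Constructed sample message body (not a real email).
SAMPLE_EMAIL = ('<p>Your account is locked. Sign in within 24 hours at '
                '<a href="http://login.mybank-secure.example/verify">https://www.mybank.example/login</a> '
                'or see our <a href="https://www.mybank.example/help">help page</a>.</p>')
```

Running `check_links(SAMPLE_EMAIL)` reports only the first link, with both the missing https and the host mismatch.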