Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication.
Before we learn the different ways of defending and protecting against phishing, let's look at the types of phishing first.
Some common forms of phishing:
- Spear Phishing: Phishing attempts directed at specific individuals or companies are termed spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Attackers normally include some personal data in these emails, such as the name of the victim, his role in the company or his phone number. The reason for this is to gain his confidence and thereby obtain the information they need to compromise the corporate network and access the confidential data they are looking for.
- Clone / Deceptive Phishing: This is the most common form of phishing. It is a form of phishing attack where a legitimate, previously delivered email, with its exact features, signature, sender's name, links and attachments, is used to create an almost identical or cloned email. In this cloned email, the attachments or links are replaced with malicious versions, and the email is then sent from an address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of it.
- Whaling: Targeting the big ones. The term whaling is used for spear phishing attacks directed specifically at senior executives and other high-profile senior management targets. In these cases, the content is crafted to suit an upper manager and that person's role in the company. The content of a whaling email may concern an executive issue such as a legal subpoena or a customer complaint.
- CEO Fraud: A type of whaling in which the attacker impersonates or spoofs the CEO or higher management and demands a wire transfer or legal information.
- Dropbox / Google Docs / Facebook / LinkedIn Phishing: One of the newer forms of phishing, where attackers mimic social account login screens or the Dropbox login screen to steal your credentials. The best way to identify these attacks is to look at the exact URL: the real login pages will be on dropbox.com / google.com / linkedin.com / facebook.com over https, whereas fake login pages look like the originals but have a very odd URL and are served over http.
- Vishing: Phishing over the phone is called vishing. It is a form of social engineering where the attacker calls the victim pretending to be a bank official or an immigration officer and asks for specific information and credentials.
How to identify a phishing email?
Some common things to look for when deciding whether an email is phishing:
- An unexpected email from a known or unknown entity, or an email address that doesn't seem genuine.
- Spelling mistakes and grammatical errors.
- Unusual signatures and salutations.
- Emails conveying urgency and panic, such as "your account is locked" or "your money has been stolen"; never fall for such emails.
- Emails asking you to confirm your personal information.
- Emails with unexpected or suspicious attachments.
- Emails with suspicious links presented as bank, Google, Dropbox or similar login links.
- Login links in emails that look very odd yet pretend to be social networking login links. Never click on these links; just hover over them to see the complete domain.
Some snapshots showing different forms of phishing:
How to protect against phishing emails?
- Always use 2-factor authentication. This is the best way to beat phishing emails that are after your credentials.
- Prefer installing anti-phishing tools.
- Always be vigilant and aware of ongoing phishing campaigns.
- Keep your browsers and website certificates updated.
- Watch out for shortened links in emails.
- Check whether the links in emails use http or https.
- Never fall for urgent emails that create a panic situation; always contact the organisation directly to confirm the situation and whether the email was really sent by them.
- Never call numbers given in emails that create a sense of urgency and panic.
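The link checks described above (look at the real domain behind a login link, hover to compare the visible text with the actual destination, watch for shortened links and plain http) can be automated for email triage. The following Python is an added example, not code from the original post; the brand-to-domain table and the list of URL shorteners are constructed assumptions for illustration only.

```python
from urllib.parse import urlsplit

# Constructed mapping of the brands named in the post to the domain a
# genuine login page is expected to live on (assumption, not from the post).
EXPECTED_DOMAIN = {
    "dropbox": "dropbox.com",
    "google": "google.com",
    "linkedin": "linkedin.com",
    "facebook": "facebook.com",
}

# Constructed, non-exhaustive list of URL shorteners (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def host_matches(host, expected):
    """True only if host is exactly `expected` or a subdomain of it.
    'dropbox.com.evil.example' does NOT match 'dropbox.com'."""
    host = (host or "").lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def inspect_link(url, brand):
    """Return a list of warnings for a link that claims to be a <brand> login.
    An empty list means no heuristic fired; it is not proof the link is safe."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # 'https://dropbox.com@evil.example/' shows dropbox.com in the text
        # but the browser connects to evil.example (the part after '@').
        warnings.append("userinfo before host hides real domain")
    host = parts.hostname or ""
    if host in SHORTENERS:
        warnings.append("shortened link hides destination")
    elif not host_matches(host, EXPECTED_DOMAIN[brand]):
        warnings.append(f"host {host!r} is not {EXPECTED_DOMAIN[brand]}")
    return warnings


def text_host_mismatch(link_text, href):
    """The hover check: the visible link text names one domain, the
    real href points somewhere else."""
    text = link_text.strip()
    if " " in text or "." not in text:
        return False  # plain words like "Click here" name no domain
    shown = urlsplit(text if "://" in text else "https://" + text).hostname
    return bool(shown) and shown != urlsplit(href).hostname
```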
Say no to phishing !!