Phishing is a type of cyber attack that targets users through email, text message, or social media. The phisher's goal is to steal sensitive information such as passwords, credit card numbers, bank account details and other personal data from unsuspecting users. The most common form is a fake email, message, or social media post that appears to come from a legitimate source. The objective is to get the user to click a link that leads to a counterfeit login page, or to open an attachment that installs malware on their computer. Any company's digital footprint keeps growing, so a rigorous cybersecurity policy needs to be in place.
Idea Behind
The idea behind these attacks is to deceive the user into clicking a link or opening an attachment that leads to a website which looks authentic. Credentials entered on that page go straight to the attacker, who can then take over the account and harvest more information from it. This can also lead to identity theft and fraud.
Phishing belongs to a broader set of techniques called social engineering. Social engineering works by tricking you into trusting the person or organization contacting you; the attacker's main goal is to get you to hand over your account credentials or otherwise grant them access.
Attack vectors
Phishing is most pervasive over email and text messages. Attackers build a campaign around a message that imitates one you are used to receiving from a site you actually use. Sometimes they also register domains that look very similar to the legitimate ones, in an effort to catch you off guard. Because most users do not check the sender address of an email, they end up falling prey. The attackers send these emails en masse, to thousands or even hundreds of thousands of addresses, usually bought from lists traded on the dark web.
Phishing, like all social engineering techniques, exploits a basic human trait: trust. It is always easier to trust something that looks, feels or sounds familiar. If an email looks like what you are used to seeing, you will almost never investigate it further; you simply do what it says, especially if it is crafted well. This is why phishing is so effective when done well.
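The sender-address check most users skip can be automated. The following is an added example, not code from the original article: it folds a sender domain to the string a human perceives (digits swapped for letters, Cyrillic letters that render like Latin ones, "rn" read as "m"), then compares it against a watchlist of expected domains by exact match, by brand name embedded in an unrelated domain, and by edit distance for typo-squats. The watchlist, the sample From: headers and the distance threshold are all constructed for illustration.

```python
"""Added example (not from the original article): flag look-alike sender domains.

The trusted-domain watchlist, the sample From: headers and the thresholds below
are constructed for illustration.
"""
from email.utils import parseaddr

# Assumed watchlist: domains this organisation expects mail from.
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com", "example-bank.com")

# Single characters attackers swap for look-alikes: digits for letters and
# Cyrillic letters that render identically to their Latin counterparts.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})
# Two-letter sequences that read as one letter in many fonts.
LIGATURES = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Fold a domain to the ASCII string a human reader perceives."""
    d = domain.lower().rstrip(".")
    try:  # expose punycode (xn--) labels as Unicode before folding
        d = d.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid IDNA: fold it as-is
    for seq, letter in LIGATURES:
        d = d.replace(seq, letter)
    return d.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as payapl.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Classify the domain in a raw From: header value against the watchlist."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    if not at or not domain:
        return "malformed"
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if folded == normalize(trusted):
            return f"homoglyph lookalike of {trusted}"
        if brand in folded:  # e.g. paypal.com.account-verify.net, paypal-secure.com
            return f"brand {brand} embedded in unrelated domain"
        if levenshtein(folded, trusted) <= 2:
            return f"typosquat of {trusted}"
    # Domain is unrelated to every brand, but the display name may still claim one.
    shown = display.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in shown:
            return f"display name claims {brand}, domain does not"
    return "unknown sender"


# Constructed sample headers; the "а" in the second one is Cyrillic U+0430.
SAMPLE_HEADERS = [
    "PayPal <service@paypal.com>",
    "PayPal <service@p\u0430ypal.com>",
    "Microsoft Account Team <no-reply@rnicrosoft.com>",
    "Billing <billing@payapl.com>",
    "PayPal <support@paypal.com.account-verify.net>",
    "PayPal Security <alerts@mail-notifier.example>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):45} {header}")
```

The edit-distance threshold of 2 is deliberately tight: looser thresholds flag short legitimate domains against each other. Note that this only inspects the header the sender chose to present; a mail gateway should combine it with SPF, DKIM and DMARC results, which check whether the sending server was actually authorised for that domain.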
Types of phishing
There are several types of phishing techniques. Let's talk about a few of the most common ones.
- Spear phishing – Spear phishing is an email or electronic communications scam targeted at a specific individual, organization or business. As the name implies, it is an attempt to catch one specific fish. A spear phishing email includes information specific to the recipient to convince them to take the action the attacker wants. This starts with the recipient's name and may include details about their job or personal life that the attacker can glean from various sources. Spear phishers frequent social media sites like Facebook and LinkedIn to gather personal information about their target. They can also map out the target's network of personal contacts, which gives them more context for crafting a trustworthy message. More sophisticated attackers may also use machine learning algorithms to scan massive amounts of data and identify the high-level individuals they most want to target.
- Vishing – When your phone rings, it is sometimes hard to know who will be on the other end. It might be someone vishing. Vishing, a combination of 'voice' and 'phishing', is a phone scam. Cyber criminals use threats and persuasive language to make victims feel they have no option but to provide the information being asked for. A second common tactic is to leave threatening voicemails that tell the recipient to call back immediately or risk being arrested, having bank accounts shut down, or worse. A cyber criminal may research an organization, find an employee's contact information online, and then call on behalf of the CEO, asking the victim to transfer funds to pay an outstanding invoice or to email personnel files. Scammers can place hundreds of calls at a time using voice over IP (VoIP) and can spoof the caller ID so the call appears to come from a trusted number.
- Pharming – Pharming, a portmanteau of 'phishing' and 'farming', is a scam similar to phishing in which a website's traffic is redirected and confidential information is stolen. In essence, it is the criminal act of setting up a fake website and then silently redirecting users to it. There are two main forms. In the first, malicious code (for example from an email attachment) modifies the local hosts file on a PC. The hosts file maps hostnames to IP addresses and is consulted before DNS, so a computer with a tampered hosts file will go to the fake site even if the user types the correct web address or clicks a saved bookmark. The second is DNS poisoning (DNS cache poisoning), in which the records held by a DNS server are altered so that someone who thinks they are accessing a legitimate website is directed to a fraudulent one. In this method, individual PC hosts files do not need to be touched; the problem occurs at the DNS server, which handles requests for thousands or millions of users. In both cases the address bar shows the genuine domain name, so a browser certificate warning is often the only visible sign that something is wrong.
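The hosts-file variant of pharming leaves a local artifact that can be audited. The following is an added example, not code from the original article: it parses hosts-file syntax (comments, multiple names per line, IPv4 and IPv6) and reports any line that maps a watched domain, since hosts entries override DNS regardless of the address they point to. The watchlist and the tampered sample file are constructed for illustration; 203.0.113.0/24 is a documentation range.

```python
"""Added example (not from the original article): audit a hosts file for pharming entries.

The watchlist and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress

# Assumed watchlist: domains whose resolution must never be overridden locally.
WATCHLIST = {
    "example-bank.com", "www.example-bank.com", "login.example-bank.com",
    "paypal.com", "www.paypal.com",
}

# Constructed sample of a tampered hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Constructed sample, not copied from a real machine.
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.50    build-server.internal   # legitimate local override
0.0.0.0         ads.tracker.example     # ad-block sinkhole, harmless
203.0.113.77    www.example-bank.com example-bank.com   # pharming entry
203.0.113.77    login.example-bank.com
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active entry, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        yield line_no, parts[0], [name.lower() for name in parts[1:]]


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, kind, detail) findings for the contents of a hosts file.

    The hosts file is consulted before DNS, so any mapping of a watched domain
    is a finding no matter which address it points to.
    """
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "unparseable address", address))
            continue
        for name in names:
            if name in watchlist:
                findings.append((line_no, "watched domain overridden", f"{name} -> {addr}"))
            elif name == "localhost" and not addr.is_loopback:
                findings.append((line_no, "localhost mapped off-box", f"{name} -> {addr}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind}: {detail}")
```

To check a real machine, read /etc/hosts on Unix-like systems or %SystemRoot%\System32\drivers\etc\hosts on Windows and pass its contents to audit_hosts(). The sinkhole entry (0.0.0.0) and the private-network override are left alone on purpose: both are normal administrative uses of the file. This script cannot see the DNS-server variant of pharming; for that, compare the answer from the configured resolver with one from an independent resolver, and treat a certificate warning on a bookmarked site as a signal rather than something to click through.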