What is Phishing?

Firms across the globe have come up with action plans to tackle the increasing scenarios of various kinds of Cyber-crimes. Though every threat leads to damaging consequences, Phishing still tops the list as it is the most common and the easiest trap to deceive a user.  Criminals dangle a fake lure like a legitimate looking email or advertisement with a hope that the users will click on the link which then, will take them to a company’s website and ask for their personal information such as credit card numbers, account details, passwords. But the website is a clever fake and the information one provides goes straight to the frauds who misuse them as per their advantages. 

Steps of a Phishing Attack

A Phishing attack consists of mainly five stages:

1. Planning Phase

The phisher decides which business to target and determine how to get email addresses/contact numbers for the customers of that business.

2. Setup Phase

Once they know which business to spoof and who their victims are, phishers create methods for delivering the messages/emails and collecting the data from the victims.

3. Execution Phase

Phishers stage the attack by sending phony messages/ emails that appear to be from a reputable/legitimate source.

4. Recording Phase

The victim’s personal details are recorded when he gives out his information into the webpage or pop-up windows.

5. Identity theft Phase

The phishers use the information they have gathered to commit fraud and sell the personal information 
As digital technologies witness advancement this technique continues to track down new ways to exploit vulnerabilities. 

Some of the most Common Phishing Techniques:

1. Standard Email Phishing

This attack is launched to steal sensitive information via email that appears to be from a reliable source. Cybercriminals conceal their presence in little details like the sender’s URL, and an email attachment link etc.

2. Spear Phishing

Spear phishing is a highly targeted, well researched attack generally focused at public personas, business executives and other lucrative targets. Attackers often research their victims on social media and other sites so that they can customize their communications and appear more authentic

3. Whaling

When attackers go after a “hotshot” like a CEO, it’s called whaling. These attackers regularly invest considerable time profiling the target to find the right moment and means for extracting login credentials. This is concerning because high-level executives have authorized access to a great deal of critical company information.

4. Pharming

Pharming sends users to a false website that seems to be authentic. In these cases, victims do not even have to click a malicious link to be taken to the fraudulent site. Attackers can exploit either the user’s computer or the website’s DNS server and redirect the user to an infected site even if the correct URL is typed in.

5. Malware phishing

This attack encourages targets to click on a link or download an attachment so that some kind of virus/ malicious software can be installed on the device or company network. These attachments look genuine and may even be disguised as funny videos, eBook PDFs, or animated GIFs. It compromises both the information and the device.

6. Smishing

A fraudulent SMS, social media message, voice mail, or other in-app message often disguised as account notices, prize notifications and political messages asks the recipient to update their account details, change their password, or tell if their account has been violated. The message includes a link that steals the victim’s personal information or installs malware on their mobile phones.

How to Avoid Phishing?

To protect against phishing attacks, one needs to raise awareness of how phishing happens. When people experience, how easy it is to be tricked by what looks like a valid email, they are more likely to carefully review email details before clicking on an embedded link or downloading an attachment.
These are the keys to building a cyber secure aware culture:
  1. – Use security awareness training and phishing microlearning to educate, train, and change behavior.
  2. – Monitor employee knowledge using phishing simulation tools.
  3. – Provide ongoing communications and campaigns about phishing emails, social engineering, and cyber security.
  4. – Make cyber security awareness campaigns and trainings, part of your corporate culture
  5. – Implement network security technologies like email and web security, malware protection, user behavior monitoring, and access control.
  6. – Don’t click on the link in an email
  7. – Don’t give your information to an unsecured site
  8. – Rotate passwords regularly
  9. – Don’t ignore the security patches or updates
  10. – Establish a robust cyber security management system. If in the need of assistance, seek external consultation assistance from expert IT management consulting companies.


Spotting the lure:

I will explain the alarming signs of a typical email phishing attack with a practical example so that you be careful about not falling for it.
Suppose you receive an email from Amazon claiming your account has been locked and you check the mail and see:
1.       The email is not addressed to your email address
2.      The header is addressed to “Dear Customer” instead of a personalized identifier that includes your name
3.      A label saying that you exceeded the number of login attempts
4.      A lot of visual errors like capitalized words throughout the text punctuation and the formatting is off
5.    The email asks you to confirm this information using the link they provide. Yet if you hover over the link on the page, another web address appears.
All of these elements are indications that the email must be a scam because:
1. If you were truly being notified by Amazon, that there was an issue with your account, they would know your  name and email already.
2. If you recall correctly, you must know that you have not attempted to sign into your Amazon account lately. Thus, the information declaring that you exceeded the number of attempts allowed is false.
If you suspect this don’t click on the link in the email and go to the web page directly.
According to a recent report released by KPMG, over the last year US companies had experienced an increase in phishing attacks by 59%. Hence cyber crimes and data breaches continue to be a growing problem for organizations across the globe.
Look out for the holes in the security structure of your organization and ensure you don’t become the next victim