What is Phishing and How to Deal with It?
What is phishing?
Phishing is the practice of sending fraudulent emails, making phone calls or setting up websites that trick unsuspecting users into believing they come from a reputable company or a legitimate organization. It is like fishing for information in a sea of vulnerable users. Attackers craft the emails and sites to entice users to click on links, either by offering grand prizes or by threatening them. Those links may deliver a malicious virus, install hazardous software or steal personal information from your device, such as usernames and passwords. Cybercriminals also use social engineering to lure you into downloading harmful content from a website. Their tactics rely on threats and on pressuring the target into doing what they want, which gives them access to the target's personal data.
The first known phishing attack occurred back in 1995, and AOL was the first actual major victim. The attack was known as "AOHell." In this instance, credit card numbers were randomly hijacked and used to create fraudulent AOL accounts.
How to identify a phishing scam?
There are several ways of identifying a phishing scam:
- Spelling and grammar mistakes – When skimming through your email, watch for spelling and grammar errors. These errors are indicative of spam. Most reputable businesses check their emails for copy mistakes.
- Links – Be aware of links and pay careful attention to them. If you are suspicious of an email, do not click on the link. Instead, to make sure it is not a scam, rest your mouse pointer on the link (again, do not click it at first sight) and see whether the address that appears in the yellow box matches the link shown in the message. In a scam, the two differ entirely.
- Spoofing – It has become common practice to spoof popular websites, even those of reputable companies. Attackers who are skilled in graphics and the technical details find it easy to alter emails so that they appear to come from the legitimate organization, when they actually lead to a phony scam site. A web address that resembles the real organization's may be a scam site set up by cybercriminals.
- Threats – People often receive emails about their accounts that contain threats, take them seriously and unknowingly give up their private information. The mail sent by cybercriminals pressures the user to respond and provide information such as a credit card number, address or password, warning that the account will be blocked or deleted if the instructions are not followed. This is a scam, because reputable organizations rarely send such messages.
- Cold calls – Cybercriminals may call you, offering to fix any problem your computer might be suffering from. They pretend to be from a reputable company and try to convince their victim to buy a software license from them. However, such organizations do not make unsolicited calls to charge you for software and computer security fixes. Usually, the attacker tries to gain the user's trust and then asks for passwords or usernames, or asks the user to install software or visit an unsafe website for further guidance. They might also ask you to give them access to your computer to fix it. This can put your private information in danger.
Types of phishing
- Deceptive phishing – This is one of the most common phishing scams. The attackers send fake messages to the user, impersonating authentic companies and trying to steal essential credentials. The emails usually contain threats or a sense of urgency to scare the victim into giving up personal information. It is so common and successful because the scams closely resemble a legitimate company's correspondence.
- Spear Phishing – Spear phishing is a more personalized and upgraded version of deceptive phishing, though the objectives remain the same. The attackers try to connect with the user by adding the user's name, occupation, workplace, phone number, position and other details. This mostly happens on social media such as LinkedIn, where a lot of information about the target is openly displayed, helping the attacker craft a more convincing mail.
- Malware-based Phishing – This scam involves harmful software that is downloaded and runs on the PC. The source can be an unknown email with an attachment, an unintended download from a website or a visit to an unsafe site.
- Keyloggers and Screen loggers – This malware keeps track of your keyboard input and sends the information the attacker wants to the attacker over the internet. It is embedded in the browser as a small program that runs by itself when the browser is started and monitors what is shown on screen.
- Pharming – Nowadays people are more familiar with technology and have become savvier about these scams. As a result, some fraudsters are abandoning the idea of baiting their victims and taking a more direct method, which is pharming. The attacker directs the user to a bogus website that resembles the authentic one and so gets hold of the victim's login credentials, account number, etc. This can be done through a DNS cache poisoning attack.
Some other types of phishing scam:
- CEO fraud
- Session Hijacking
- Dropbox Phishing
- Web Trojans
- DNS-based Phishing
- Search Engine Phishing
- Google Docs Phishing
Solutions
Phishnotify plugin:
Prepare your last line of defense against phishers and protect your employees with anti-phishing and security awareness training from SecurityIQ, a computer-based enterprise training platform. SecurityIQ keeps you away from the threats and guides you to the best solution. It consists of several training modules, satisfying membership options and free sign-up.
How to report in different countries:
Each country has its own site that helps you report phishing scams and act against them.
- For the United States, report on the FTC complaint assistant - https://www.ftccomplaintassistant.gov or https://www.us-cert.gov/report-phishing.
- For countries like India, and for reports in French, German, Japanese, Korean, Polish, Spanish and Turkish, use econsumer - https://www.econsumer.gov/. It accepts reports in the above languages.
- For Canada, the Canadian Anti-fraud Centre - http://www.antifraudcentre-centreantifraude.ca/ can help with the reporting process.
- For the United Kingdom, report fraud and calls on http://www.actionfraud.police.uk/ or http://www.tpsonline.org.uk/tps/index.html.
- For an international reporting site, go to APWG - http://www.antiphishing.org/ which is a site for responding to all cybercrimes.
How to report on different sites (Gmail, yMail, Outlook, etc.):
- Gmail - Open the message, click the Down arrow and click Report Phishing.
- IRS – forward the mail to phishing@irs.gov.
- Yahoo – Move it to spam and click Report a phishing scam.
- Outlook – Click on the checkbox beside the message, move it to junk and point to Phishing scam.
- LinkedIn – Email phishing@linkedin.com
Other:
- Do you want to know which mail can be a phishing scam? Are you suspicious that it might be from the bad guys? Here's the Phish alert button: "http://www.phishing.org/phish-alert-button". It gives users the most straightforward way to get rid of the scam and forward it to the security team for analysis with just one click.
- You can also report any phishing sites that you are doubtful of on "Report phishing page" - https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en