Understanding Phishing and its Techniques
– Shreya Deb –
Did you watch the famous Netflix series ‘Jamtara’ and wonder what phishing is? Or did you come across a bogus call stating that your bank account has been selected for a gift voucher, and either fall into the trap or pause to think about it? Here is a clear explanation of the most common type of cybercrime – phishing:
Phishing is a form of social engineering attack in which individuals are contacted by telephone, text message or e-mail by an attacker posing as someone from a trusted entity. The attacker fakes their identity in order to trick individuals into providing confidential information such as banking and credit card details, passwords, personally identifiable information and login credentials. Once such data is obtained by the attackers, it can lead to devastating outcomes such as unauthorized purchases, identity theft or stolen funds.
Phishing can be classified into two categories:
Gathering confidential information:
This is the case where an individual is targeted by a cybercriminal who gathers sensitive data using deceptive websites, e-mails or phone calls, and then uses that data for personal or monetary benefit.
Installing malware:
This is the case where an individual is duped into clicking a malicious link, mostly sent through e-mail or text message, which can lead to the installation of malware that infects the individual’s computer or can even result in confidential data being revealed.
Techniques used in Phishing:
Phishing is all about baiting the hook and hoping that you bite. An attacker makes thousands of phone calls and sends numerous fraudulent e-mails and text messages, hoping that at least a small percentage of those thousands of recipients fall into the trap. These are the most common techniques attackers use to increase their rate of success:
Lucrative offers –
A cybercriminal, masquerading as a person from a legitimate institution, makes lucrative offers to grab people’s attention immediately. You might receive calls or e-mails claiming that your phone number or bank account has been selected for a lottery, a car or some other luxurious gift.
Create a sense of urgency –
Attackers usually push users to act fast, stating that the offer lasts for a limited period only. For instance, you might come across e-mails stating that you have limited time to update your personal details or your bank account will expire.
This tactic is used to put pressure on individuals so that they are less careful and more prone to fall into the trap.
Impersonation of links –
A link may not be all that it appears to be. An attacker goes to the length of designing website links that impersonate the actual link of an institution, but they typically contain a misspelled domain name or an additional subdomain. For instance, the actual link of ‘xyz university’ is ‘universityofxyz.edu.in’ whereas the impersonated link is ‘universityofxyz.eduin.com’.
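As an added illustration (not part of the original post), here is a small Python check that does what the ‘hover over the link and read the URL’ advice asks a reader to do by eye: it extracts the registered domain from a link and compares it with the institution’s real domain, flagging both the misspelled-domain and additional-subdomain tricks described above. The public-suffix list is a constructed, deliberately tiny stand-in, and the hostnames other than the post’s own ‘universityofxyz’ examples are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix list for this example; a real
# checker would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "in", "co.in", "edu.in", "ac.in"}

def registrable_domain(host: str) -> str:
    """Return the part of a hostname that was actually registered, e.g.
    'universityofxyz.edu.in' for 'mail.universityofxyz.edu.in'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest suffix candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: last two labels

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a likely misspelled lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str, expected_domain: str) -> str:
    """Classify a link against the institution's real domain.
    Returns 'genuine', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    actual, expected = registrable_domain(host), registrable_domain(expected_domain)
    if actual == expected:
        return "genuine"                  # the real name, or a real subdomain of it
    # Additional-subdomain trick: the real name is shown, but only as a prefix
    # or a re-spelling on top of a domain the attacker registered themselves.
    if host.startswith(expected) or expected.replace(".", "") in host.replace(".", ""):
        return "lookalike"
    # Misspelling trick: the registered name differs in just a character or two.
    if edit_distance(actual, expected) <= 2:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for link in ("https://universityofxyz.edu.in/login",
                 "https://universityofxyz.eduin.com/login"):
        print(link, "->", check_link(link, "universityofxyz.edu.in"))
```

The post’s own pair of links comes out as ‘genuine’ and ‘lookalike’ respectively, because the second one is registered under ‘eduin.com’, not ‘edu.in’.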
How to prevent Phishing?
Phishing attackers are constantly coming up with new tactics to bait their hook for internet users. Vigilance is the key to preventing phishing. It is therefore important for us to stay alert and take the necessary steps –
Before entering any personal information on the Internet, always watch out for subtle mistakes in the URL; it could be a minor spelling mistake or a change in the domain name. Further, if you receive a link through e-mail, hover over it to see the real URL before opening it.
If you receive calls or e-mails claiming that you have won some mind-boggling prize, and it sounds too good to be true, then it probably is. Do not provide any confidential information in the hope of such rewards. It’s always better to be safe than sorry.
Avoid the tendency to click on anything in a suspicious e-mail. It is advisable to use spam filters to keep spam out of your inbox. They filter mail by assessing the origin and appearance of the message and the software used to send it.
If you sense urgency in any phone call or e-mail asking for your personal information, it’s best to avoid it. Keep in mind that most credible institutions give enough time and notice before terminating an account. If you are in doubt, it’s better to visit or contact the institution directly rather than share personal details over the Internet.
Do not share your OTP with any third person, even if they offer to make the payment on your behalf, because you never know what is going on at the other end.
If you receive an e-mail with an attachment that does not make sense, double-check and verify the sender’s address before opening it, since attackers often send attachments containing malware or other viruses. This could freeze your device or reveal the data stored on it.
Educational institutions and workplaces should provide students and employees with cyber security awareness programmes to help them identify and prevent these risks.
A small change in our browsing habits is all it takes to avoid becoming the next victim of phishing.