Understanding the ‘Phishing’ scam
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
What really distinguishes this type of cyber crime is the form the message takes. The criminals disguise themselves as a trusted entity of some kind, often a real company, or even a real person, that the victim does business with or works for. This is one of the oldest types of cyber-attack and dates back to the 1990s. Sadly, it is still one of the most widespread, with phishing messages and techniques becoming increasingly sophisticated and more convincing.
"Phish" is pronounced just like it is spelled, like the word "fish." The analogy is of an angler throwing out a baited hook, in this case a phishing email, and lying in wait, hoping you bite. The term arose in the mid-1990s among hackers who tricked AOL users into giving up their login.
Some well-known instances of phishing are:
One of the most prominent phishing attacks in history happened in 2016, when hackers managed to get Hillary Clinton's campaign chair John Podesta to give up his Gmail password.
The "Fappening" attack, in which private photos of a number of celebrities were made public, was originally thought to be the result of insecurity in Apple's iCloud servers, but was in fact the product of a number of successful phishing attempts.
In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.
A more disturbing trend is that "phishing kits" are now easily available to anyone. These kits make it easy for cyber criminals, even those with minimal technical skills, to launch phishing attacks on unsuspecting victims. A kit bundles the phishing website resources and tools, which need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims. Phishing kits, as well as mailing lists, are sold on the dark web. A couple of sites, PhishTank and OpenPhish, keep crowd-sourced lists of known phishing kits.
There are several kinds of phishing, such as spear phishing, whale phishing, etc., but we won't be getting into the details of those today. What is important to know are the two very common types of attack, which get the victim to do one of these two things:
1) Hand over sensitive information. These messages aim to trick the user into revealing important data, such as a username and password, with which the attacker can breach a system or account. The classic version of the scam involves sending out an email tailored to look like a message from a trustworthy bank. By spamming the message to thousands of people at one go, the attackers ensure that at least some of the recipients will be customers of that bank and take the bait. A victim who clicks the malicious link in the message is taken to a dubious site designed to resemble the bank's web page. When the victim enters their username and password, the attacker gains easy access to the victim's account and can empty it.
2) Download malware. These phishing emails aim to get the victim to infect their own computer with malware. Often the messages are intended to fool the victim into thinking that the mail is from someone they know or a message they might be expecting. For example, they might be sent to an HR manager with an attachment that appears to be a job seeker's resume.
These attachments are often .zip files or MS Office documents with malicious code embedded in them. The most common form of malicious code is ransomware. In 2017, it was estimated that about 93 percent of phishing emails contained ransomware attachments.
How to safeguard yourself from phishing attacks?
Always check the spelling of the URLs in email links before you click or enter sensitive information.
Watch out for URL redirects, where you're subtly sent to a different website with identical design.
If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply.
Don't post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media.
If the email or an SMS contains a link, don't click on it.
Look out for common phishing language in emails like "Verify your account", "Claim your
Beware of emails that try to convey a sense of urgency.
Always type the website address yourself rather than clicking on the link you are prompted with.
Make sure your systems have the latest anti-virus up and running at all times.
Do not download unverified or untrusted applications.
It's always good practice to treat all emails, attachments, SMS messages and websites that contain links with suspicion. Falling prey to a phishing scam can cost you dearly. After all, "an ounce of prevention now can save a pound of cure later."
Indian laws against phishing
Laws: Section 43 read with Section 66-D of the Information Technology Act, 2000, and Sections 379 and 420 of the Indian Penal Code, 1860.
Punishment and category of the crime: if charged under Section 66-D of the Information Technology Act, 2000, the offense is bailable. However, if charged under Sections 379 and 420 of the Indian Penal Code, 1860, it is a non-bailable offense. If the crime is proved, the accused is punishable with 3 years of imprisonment and a fine of 1 lakh rupees.