Phishing is an attempt to fraudulently acquire sensitive
information, such as usernames, passwords and credit
card details, by masquerading as a trustworthy entity in
an electronic communication.
Phishing is typically carried out by email
spoofing or instant messaging, and it often directs users
to enter details at a fake website whose look and
feel are almost identical to the legitimate one.
Types of phishing
1. Disguised hyperlinks and sender address-
• Appear similar as the genuine institution site.
• Sender address of the email also appears as originated
from the targeted company.
2. Email consists of a clickable image :
• Scam emails arrive as a clickable image
file containing fraud request for
• Clicking anywhere within the email will
cause the bogus website to open.
3. Content appears genuine
Scam email include logos, styling, contact and copyright
information. identical to those used by the targeted institution.
4. Unsolicited requests for sensitive
• Emails asks to click a link and provide sensitive
personal information .
• It is highly unlikely that a legitimate institution would
request sensitive information in such a way.
5. Generic Greetings
• Scam mails are sent in bulk to many recipients and
use generic greetings such as "Dear account
holder" or "Dear [targeted institution] customer".
• Sending mails that look trustworthy to user
• Send the same email to millions of users, requesting
them to fill in personal details
• Messages have an urgent note
• Click on a link which is embedded in your email.
“Man in the Middle” - attack
• Attackers situate
between the customer
and the real web-based
• The attacker's server then
proxies all communications
between the customer and
the real web-based
By manipulating the links for example
Misspelled URLs or sub domains are common tricks
used by Attacker
Key loggers are designed to monitor all the
Inserting malicious content into legitimate site.
Three primary types of content-injection phishing:
Hackers can compromise a server through a security
vulnerability and replace or augment the legitimate content
with malicious content.
Malicious content can be inserted into a site through a
cross-site scripting vulnerability.
Malicious actions can be performed on
a site through a SQL injection vulnerability.
• In this method, phishers used malicious software to attack on
the user machine.
• This phishing attack spreads due to social engineering or
• In social engineering, the user is convinced to open an
attachment that attracts the user regarding some important
information and download it containing malwares.
• Exploiting the security vulnerabilities by injecting worms and
viruses is another form of malware based phishing.
• Trojan is a program that gives complete access of host
computer to phishers after being installed at the host computer.
• Phishers will make the user to install the trojan software
which helps in email propagating and hosting
• Mobile Phishing is a social engineering technique where the attack is
invited via mobile texting rather than email.
• An attacker targets mobile phone users with a phishing attack for the
purpose of soliciting account passwords or sensitive information from
• The user is enticed to provide information or go to a compromised
web site via text message.
Prevention Against Phishing Attack
• Never respond to emails that request
personal financial information
• Visit bank’s websites by typing the URL into
the address bar
• Keep a regular check on your accounts
• Be cautious with emails and personal data
• Keep your computer secure
• Use anti-spam software
• Use anti-spyware software
• Use the Microsoft Baseline
Security Analyser (MBSA)
• Use Firewall
• Protect against DNS pharming attacks
• Check the website you are visiting is
• Use backup system images
• Get educated about phishing prevention
• Always report suspicious activity
It is better to be safer now than feel