Phishing is a cybercrime: a type of cyberattack that uses email, phone or text to lure individuals into providing personal or sensitive information to the attacker, ranging from passwords, credit card information and social security numbers to details about a person or organization.
The information could include credit card details, usernames and passwords, bank details, etc. These phishing attacks are carried out through malicious emails, text messages and telephone calls. After obtaining the information, the attacker can commit crimes that cause financial losses and identity theft. The target could be an individual, an organization or a group within an organization. This paper explains phishing attacks to create awareness and presents several countermeasures to overcome them.
Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime. It is characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. The term "phishing" was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine . It is a variation of "fishing" and refers to the use of lures to "fish" for sensitive information. Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures. The importance of phishing awareness has increased in both personal and professional settings, with phishing attacks among businesses rising from 72% to 86% from 2017 to 2020.
Phishing often uses social engineering techniques to trick users into performing actions such as clicking a link or opening an attachment, or revealing sensitive information. It often involves pretending to be a trusted entity and creating a sense of urgency, like threatening to close or seize a victim's bank or insurance account. An alternative technique to impersonation-based phishing is the use of fake news articles to trick victims into clicking on a malicious link.
2. PHISHING
• In computing, phishing is a form of social engineering.
• It is characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message.
3. SOCIAL ENGINEERING
• It is the psychological manipulation of people into performing actions or divulging confidential information.
• It is a type of confidence trick used for information gathering, fraud or system access.
4. TYPES OF PHISHING ATTACKS
• Deceptive phishing or Email phishing
• Clone phishing
• Voice, SMS and calendar phishing
• Spear Phishing
• Whaling
• Pharming
5. DECEPTIVE PHISHING
• Deceptive phishing, also known as email phishing, is the most common type of phishing.
• In this case, an attacker attempts to obtain confidential information from the victims.
• Attackers use the information to steal money or to launch other attacks.
• A fake email from a bank asking you to click a link and verify your account details is an example of deceptive phishing.
6. SPEAR PHISHING
• Spear phishing targets specific individuals instead of a wide group of people.
• Attackers often research their victims on social media and other sites.
• That way, they can customize their communications and appear more authentic.
• Spear phishing is often the first step used to penetrate a company’s defenses and carry out a targeted attack.
7. WHALING
• Whaling is also known as CEO fraud.
• When attackers go after a “big fish” like a CEO, it’s called whaling.
• These attackers often spend considerable time profiling the target to find the opportune moment and means of stealing login credentials.
• Whaling is of particular concern because high-level executives are able to access a great deal of company information.
8. PHARMING
• Pharming, also called page hijacking, is similar to phishing: pharming sends users to a fraudulent website that appears to be legitimate.
• However, in this case, victims do not even have to click a malicious link to be taken to the fake site.
• Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to a fake site even if the correct URL is typed in.
9. CLONE PHISHING
• Clone phishing is a type of attack where a legitimate email with an attachment or link is copied and modified to contain malicious content.
• The modified email is then sent from a fake address made to look like it's from the original sender.
10. VOICE, SMS AND CALENDAR PHISHING
• Voice phishing, or vishing, is a type of attack done through phone calls; the attackers spoof the calling phone number to appear as if it is coming from a legitimate bank or institution.
• Vishing takes advantage of the public's lower awareness of, and higher trust in, voice telephony compared to email phishing.
• SMS phishing, or smishing, is a type of phishing attack that uses text messages from a cell phone or smartphone to deliver a bait message.
• The victim is usually asked to click a link, call a phone number, or contact an email address provided by the attacker.
• Calendar phishing involves sending fake calendar invitations with phishing links.
• These invitations often mimic common event requests and can easily be added to calendars automatically.
11. SIGNS OF PHISHING
• It may contain unfamiliar tones or greetings
• Grammar and spelling mistakes
• Inconsistencies in email addresses, links and domain names
• Threats or a sense of urgency
• Suspicious attachments
• Requests for credentials, payment information or other personal details
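Added example (not part of the original deck): a small Python heuristic that scans a constructed sample message for four of the signs listed above, namely mismatched sender and reply-to domains, link text whose domain differs from the real link target, urgency language, and requests for credentials. The sample message, its domains and the keyword lists are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing several signs from the slide.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank-login.example>
Reply-To: collect@mailbox.example.net
To: customer@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Dear Customer,</p>
<p>Please verify your password immediately or your account will be closed within 24 hours.</p>
<p><a href="http://examp1e-bank-login.example/verify">https://www.example-bank.com/secure</a></p>
"""

# Keyword lists are assumptions for the demo, not a vetted detection ruleset.
URGENCY = ("urgent", "immediately", "suspended", "closed within", "24 hours")
CREDENTIAL = ("password", "verify your account", "credit card", "social security")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(url_or_addr: str) -> str:
    """Return the host of a URL, or the part after '@' of an email address, lowercased."""
    if "@" in url_or_addr and "://" not in url_or_addr:
        return url_or_addr.rsplit("@", 1)[1].lower()
    host = urlparse(url_or_addr if "://" in url_or_addr else "http://" + url_or_addr).hostname
    return (host or "").lower()

def phishing_signs(raw: str) -> list[str]:
    """Return one description per sign found in the raw (single-part) message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = body.lower() + " " + msg.get("Subject", "").lower()
    signs = []
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(sender):
        signs.append("reply-to domain differs from sender domain")
    # Link text that looks like a URL but points somewhere else is the classic mismatch.
    for href, anchor in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        if "." in shown and domain_of(href) != domain_of(shown):
            signs.append(f"link text {shown!r} points to {domain_of(href)!r}")
    if any(w in text for w in URGENCY):
        signs.append("urgency or threat language")
    if any(w in text for w in CREDENTIAL):
        signs.append("requests credentials or payment details")
    return signs
```

Attachment checks are left out; in practice this kind of heuristic is a triage aid for a mail gateway or helpdesk, not a replacement for user awareness.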
12. WAYS TO PREVENT PHISHING ATTACKS
• Proper awareness about phishing
• Don’t click on suspicious attachments and links
• Don’t give information to unsecured sites
• Get a free anti-phishing add-on
• Rotate passwords regularly
• Update your system regularly
• Install firewalls
• Don’t be tempted by site pop-ups
• Have a security platform to spot signs of attack