Phishing Explained | What Is A Phishing Attack? | Phishing Attack |


Jane is relaxing at home when she receives an email from her bank asking her to update her credit card PIN within the next 24 hours as a security measure. Judging by the urgency of the message, Jane follows the link provided in the email. After she enters her current credit card PIN and the supposedly updated one, the website becomes unresponsive, which prompts her to try again later. A couple of hours later, however, she notices a significant purchase from a random website on that same credit card, one she never authorized. Frantically contacting the bank, Jane realizes the original email was a counterfeit: a fake message with a malicious link that led to credit card fraud.

This is a classic example of a phishing attack. Phishing attacks are a type of social engineering in which a fraudulent message is sent to a target on the premise that it comes from a trusted source. Its basic purpose is to trick the victim into revealing sensitive information such as passwords and payment details. The name is based on the word "fishing", which works on the concept of bait.

If the intended victim takes the bait, the attack can go ahead. In our case, Jane is the fish and the phishing email is the bait. Had Jane never opened the malicious link, or been cautious about the email's authenticity, an attack of this nature would have been largely ineffective. But how does the hacker gain access to these credentials?

A phishing attack starts with a fraudulent message, which can be transmitted via email or chat applications. Using SMS conversations to impersonate legitimate sources is known as smishing, a specific category of phishing attack. Irrespective of the manner of transmission, the message targets the victim in a way that coaxes them into opening a malicious link and providing critical information on the website it leads to. More often than not, these websites are designed to look as authentic as possible.

Once the victim submits information through the link, whether a password or credit card details, the data is sent to the hacker who designed the email and the fake website, giving them complete control over the account whose password was just provided. Phishing is often carried out in campaigns, with an identical phishing email sent to thousands of users; the rate of success is relatively low, but never zero.

Between 2013 and 2015, corporate giants Facebook and Google were tricked out of around 100 million dollars by an extensive phishing campaign in which the hackers impersonated a known common business associate of both companies. Apart from stealing credentials, some of these campaigns target the victim's device: clicking the malicious link installs malware, which can later enrol the machine in a botnet or make it the target of a ransomware attack.

There is no single formula, because there are multiple categories of phishing attack. The case of Jane, with the hacker stealing bank credentials, falls under the umbrella of deceptive phishing: a generic email is sent out to thousands of users in the hope that some of them fall prey to the scam.

Spear phishing, on the other hand, is a customized version, where targets are researched before the email is sent. For example, if you have never had a Netflix subscription, sending you an email that appears to come from the Netflix team is pointless; this is a potential drawback of deceptive phishing techniques. A simple screenshot of a Spotify playlist shared on social media, however, indicates a probable point of entry: the hacker can send counterfeit messages to the target user that imply Spotify as the source, tricking them into sharing private information.

Since the hacker already knows the target uses Spotify, the chances of the victim taking the bait increase substantially. For more important targets, such as CEOs and people with a fortune behind them, the research done is tenfold; this is called whaling. The hackers prepare and wait for the right moment to launch their phishing attack, often to steal industry secrets for rival companies or to sell them off at a higher price.

Apart from emails, pharming focuses on fake websites that resemble their original counterparts as closely as possible. The prevalent method is to register domain names like "facebook" with a single o or "youtube" with no e: these are mistakes people make when typing the full URL into the browser, leading them straight to a counterfeit web page that can fool them into submitting private data. (Strictly speaking, this typo-based trick is known as typosquatting; pharming proper redirects the victim by tampering with name resolution, which is what the techniques in the next paragraph do.)

A few more complex methods exist to drive people onto fake websites, such as ARP spoofing and DNS cache poisoning, but they are rarely used because of the time and resources they require. Now that we know how phishing attacks work, let's look at ways to prevent ourselves from becoming victims. While the implications of a phishing attack can be extreme, protecting yourself against one is relatively straightforward.

Jane could have saved herself from credit card fraud had she checked the link in the email for authenticity, confirming that it pointed to her bank's real domain and redirected to a secure website running on HTTPS. Note that HTTPS alone is no guarantee: the padlock only shows that the connection is encrypted, and phishing sites routinely obtain valid certificates, so the domain name matters more than the padlock. Suspicious messages should not be entertained at all. One must also refrain from entering private information on random websites or pop-up windows, irrespective of how legitimate they seem. It is also recommended to use anti-phishing browser extensions, such as Cloudphish, to sift malicious emails from legitimate ones.
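The two checks just described, the lookalike domains from the pharming section ("facebook" with one o, "youtube" without the e) and the link-authenticity check Jane should have done, can be automated. The following is an added example written for this page, not code from the original video or from any product it mentions. The brand allow-list, the two-edit threshold, the punycode check and the sample email are all constructed for illustration; the HTTPS flag is reported but deliberately never counted as evidence that a link is genuine.

```python
"""Heuristic link checker for phishing emails (added example, not from the video)."""
import re
from urllib.parse import urlparse

# Constructed allow-list: registered domain -> brand name.
KNOWN_BRANDS = {
    "facebook.com": "Facebook",
    "youtube.com": "YouTube",
    "spotify.com": "Spotify",
    "netflix.com": "Netflix",
}

# Hostname-like token inside visible link text, e.g. "www.netflix.com".
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
# <a href="...">text</a> pairs in an HTML email body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(hostname: str) -> str:
    """Last two labels of a hostname: "login.facebook.com" -> "facebook.com".
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from a brand is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, anchor_text: str = "") -> dict:
    """Verdict for one link: 'legitimate', 'suspicious' or 'unknown', with reasons."""
    if "://" not in href:
        href = "http://" + href  # a bare "faceboook.com/login" still parses
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registered_domain(host)
    reasons = []

    if domain not in KNOWN_BRANDS:
        # Typosquat check: within two edits of a brand we know.
        for brand_domain, brand in KNOWN_BRANDS.items():
            if edit_distance(domain, brand_domain) <= 2:
                reasons.append(f"lookalike of {brand} ({brand_domain})")
        # Internationalised label: a possible homograph of a Latin-script brand.
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalised (punycode) hostname, possible homograph")

    # Visible text names one site while the href goes somewhere else.
    match = HOST_RE.search(anchor_text.lower())
    if match:
        shown = registered_domain(match.group(0))
        if shown != domain:
            reasons.append(f"text shows {shown}, link goes to {domain}")

    if reasons:
        verdict = "suspicious"
    elif domain in KNOWN_BRANDS:
        verdict = "legitimate"
    else:
        verdict = "unknown"
    # "https" is informational only: a certificate proves encryption, not identity.
    return {"href": href, "domain": domain, "https": parsed.scheme == "https",
            "verdict": verdict, "reasons": reasons}


def scan_email(html: str) -> list:
    """Classify every <a href> in an HTML email body."""
    return [classify_link(href, text) for href, text in ANCHOR_RE.findall(html)]


# Constructed sample email in the style of the message Jane received.
SAMPLE_EMAIL = """
<p>Dear customer, your card PIN must be updated within 24 hours.</p>
<a href="https://faceboook.com/login">Facebook</a>
<a href="https://www.facebook.com/settings">Facebook settings</a>
<a href="http://secure-update.example.net/bank">https://www.netflix.com/account</a>
"""

if __name__ == "__main__":
    for result in scan_email(SAMPLE_EMAIL):
        print(result["verdict"], result["domain"], result["reasons"])
```

Run it and the first link is flagged even though it is served over HTTPS, which is the point of the caveat above. The edit-distance threshold is a heuristic: two edits also separate some unrelated legitimate domains (spotify.com and shopify.com, for instance), so in practice a verdict of "suspicious" should route a message to a human or a reputation service rather than block it outright, and a real deployment would use a public-suffix list instead of the two-label simplification in registered_domain.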

The best way to prevent phishing is to browse the internet with care and be on the alert for malicious attempts at all times. So here is a question for you: if both my friends and I receive the same email instructing us to change our Spotify password before the end of the day, even though one of us has never used Spotify, what bracket does this phishing attack fall under? 1. Whaling 2. Spear phishing 3. Deceptive phishing 4. Pharming.

Think about it and leave your answers below in the comments section; three lucky winners will receive Amazon gift vouchers. Cyber attacks are becoming more prevalent due to the pandemic, where working from home is the norm and people spend possibly more than half their day on a laptop. We cannot stop every attack at the root, so we must be informed and vigilant against phishing attacks, among others, to safeguard our data.