What is Phishing
Phishing is a type of cyber crime used to steal personal data from unsuspecting people. This personal data is usually very sensitive: in most cases the fraudulent attempt aims to acquire information such as login credentials (usernames and passwords) and credit card details. Phishing occurs when an attacker masquerades as a trusted or legitimate entity and lures unsuspecting victims into opening e-mails, text messages or instant messages and providing personal and sensitive information about themselves. It is a social engineering technique that deceives users by exploiting weaknesses in current web security. The information collected is then used for fraudulent activities like identity theft, financial theft and unauthorized purchases.
Examples of phishing attacks that have made waves over the years include:
- An attack in 2016 that targeted John Podesta, the chair of Hillary Clinton’s campaign. The hackers behind the attack managed to obtain his Gmail password. It is regarded as one of the most consequential phishing attacks.
- Another example is the “fappening” attack, in which a number of celebrities had their intimate photos made public. This was the result of several successful phishing attempts.
- In 2016, employees at the University of Kansas responded to a phishing email and, as a result, handed over access to their paycheck deposit information. The end result was that the employees lost their pay.
Identifying Phishing attempts
90% of data breaches were the result of phishing attacks, and 76% of organizations have been victims of phishing attacks. An attacker will spoof their email address so that it appears to come from another person, for instance by using a domain that resembles a website you trust but contains foreign characters that disguise the real URL. Phishing techniques fall into many different categories, but phishing attacks have two main purposes: one is to trick the victim into downloading malware, the other is to trick them into handing over sensitive information.
Some phishing emails are targeted, while others are not targeted at all. Attackers using untargeted emails send them to millions of potential victims, aiming to trick them into logging on to websites that are fake versions of well-known ones. There is also soft targeting, where a person in a given organization who plays a particular role receives an email even if they are not the main target. Targeted emails require a lot of energy and work in order to reap any benefits, but these cases are usually highly rewarding.
Types of Phishing
Spear phishing: This is phishing where an attacker crafts a message purposely to appeal to a given individual. The attacker identifies their target and uses a spoofed address to send an email that looks like it comes from a co-worker or acquaintance. The analogy is a fisherman aiming for one particular fish instead of dangling a baited hook for any fish that bites.
Whale phishing: This is also known as whaling. It is a form of spear phishing that targets big fish, that is, high-value targets.
Clone phishing: Clone phishing works by tricking the victim into thinking that an exact replica of a legitimate message is the real message. The sender address used resembles the legitimate address as well.
Vishing: This is phishing over the phone, where a victim receives a phone call from a person posing as a representative of a financial institution, who then collects all the personal data they need from the victim.
Snowshoeing: Also known as hit-and-run spam, this is a case where an attacker uses multiple IP addresses and domains to send out messages. This gives filtering technologies so much work in filtering malicious messages that at least one message makes it through to the inbox.
Prevention Tips:
- Countercheck unfamiliar email addresses and, if the sender is not trustworthy, reply through a new email instead of replying to the same mail.
- Do not open links or attachments that you do not recognize.
- Avoid posting personal data on social media.
- Check for spelling and grammatical issues in addresses.
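The lookalike-domain trick described under "Identifying Phishing attempts" (foreign characters disguising the real URL) and the tip to countercheck unfamiliar addresses can be partly automated. The following is an added example, not code from the original article: it folds punycode labels, accents and a hand-picked set of confusable characters into a plain-ASCII "skeleton" and compares that against a constructed trusted-domain list (the list and the confusables table are assumptions for this example).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed trusted-domain list for this example; replace with the organisation's own.
TRUSTED_DOMAINS = {"example.com"}

# Hand-picked confusables: Cyrillic letters and digits that render like Latin letters.
# A production filter would use the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "1": "l", "0": "o",
}


def skeleton(host: str) -> str:
    """Fold punycode, accents and known confusables so lookalikes collapse to ASCII."""
    try:
        host = host.encode("ascii").decode("idna")  # decode any xn-- labels to Unicode
    except UnicodeError:
        pass  # host already holds raw Unicode; nothing to decode
    nfkd = unicodedata.normalize("NFKD", host)
    stripped = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped).lower()


def check_url(url: str) -> dict:
    """Return a verdict ('trusted', 'lookalike' or 'unknown') and the signals behind it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    signals = []
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode label")
    if any(ord(ch) > 127 for ch in host):
        signals.append("non-ASCII host")
    # Exact match or a genuine subdomain of a trusted domain is accepted as-is.
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return {"host": host, "verdict": "trusted", "signals": signals}
    skel = skeleton(host)
    lookalike = False
    for trusted in TRUSTED_DOMAINS:
        if skel == trusted or skel.endswith("." + trusted):
            signals.append(f"homoglyph of {trusted}")  # looks like, but is not, trusted
            lookalike = True
        elif host.startswith(trusted + "."):
            signals.append(f"{trusted} used as a deceptive subdomain")
            lookalike = True
    return {"host": host, "verdict": "lookalike" if lookalike else "unknown",
            "signals": signals}
```

Run against links extracted from an inbound mail, a "lookalike" verdict is a strong signal to quarantine the message or warn the recipient, while "unknown" only means the host is not one the list knows about.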