Cyber Security Tutorial

Cyber Security Overview Cyber Security Introduction Cyber Crime Cyber Space Cyber Criminals Cyber Law Cyber Attackers Types of Hackers Functions of Cyber Security Method to Improve Data Security Cyber security frameworks Importance of Cyber Security Types of Cyber Security Cyber Security Fundamentals Applications of cyber security Cyber security in education sector Cyber security in health care industry Cyber security tools Cyber security policies Types of security policies Characteristics of cyber security policies Digital signature Cyber Security Standards NIST- National Institute of Standard and technology Information Technology Act ISO - International Standard for Organization ISO certification PCI DSS Standard FINRA Difference between Information Security and Cyber Security Cyber Security Vulnerability Elements of vulnerability management Social Engineering Vulnerability Assessment Vulnerability management Types of cyber security vulnerabilities Identification of security vulnerability Types of social engineering attacks Penetration Testing Penetration Testing Tools Types of penetration testing Process of Penetration Testing What is Phishing Elements of cyber security Difference between Spoofing and Phishing Difference between Network Security and Cyber Security Difference between Ethical Hacking & Cyber Security Role of artificial engineering in cyber security Cyber Forensics Definition Cyber Security job qualifications Cyber Security Prerequisites Cyber Security Identity and Access Management What is Cyber Forensics Different Types of Cybercrime Different types of cybercrime Tunneling Techniques in Cyber Security

What is Phishing?
2022-08-08 18:48:14

What is Phishing?

Introduction

Cyber security always tries to protect organizations or individuals from cyber-attacks by improving itself according to the latest trend and technologies. Still, some easiest and cheapest ways are used by cyber criminals to fetch sensitive or confidential information.

Phishing is one-way users can compromise their personal and financial information, including their login credentials like usernames & passwords and credit card details.

“Phishing is a type of cyber-attack comes under the category of social engineering attack through which victim is trapped or tricked to share or hand over their personal information via malicious emails or installing malware.”

A recent report has been initiated that more than 22% of the security breach attacks are in the form of phishing. This is increasing globally. In 2020, Google reported a 350% surge in phishing websites after the pandemic lockdowns. The main aim of phishing is to financial gain and harm the organization; therefore, criminals mainly target specific industries such as IT companies, banks and other financial institutes, social media, online stores (eCommerce), telecommunication companies, payment systems (merchant card processors) and delivery companies.

In the phishing attack, attackers try to trick as many people as possible by using well-known brands because these brands will incite trust in recipients, increasing the chance of a successful attack. Some of the common brands used in phishing attacks are FedEx, Microsoft, Well Fargo, Google, Amazon, Bank of America, Apple, Chase, DHL, and LinkedIn.

History of phishing

It started in the mid-1990s when attackers or hackers thought of using fraudulent emails to fetch information from unsuspected users. This was called "fish for" the data where hackers are referred to as "phreaks," which is further known as "phishing".

In 2000 hackers targeted users to get their bank account details, and phishing emails were sent to them in the bank's name or consisted of fraudulent links.

Links will lead to a malicious website similar to the official bank website, but the domain was slightly different from the original or official domain name, for example, www.sbionlinee.com instead of www.sbionline.com.

They also attack other accounts like Google and eBay to hijack the credentials, which are further used to commit fraud, steal money, or spam other users.            

Example of a phishing attack

These are some of the examples of phishing emails or scams examples: 

  • Message from HR scam –It's designed to breach employees' trust in the HR team because we receive highly important emails related to personal updates and company-wide from the HR team. Mail is received to the user consisting of a malicious attachment or link; if this link is clicked, it directly installs malicious software on the device or system.
What is Phishing
  • Paypal scam – It is a worldwide transaction tool with 200 million users and proved to be a lucrative tool for cybercriminals. This scam enforces panic mode into its victim with the message “ there is some problem in your account. Please click the link to fix it."  To convince users of this mail, include the PayPal logo and chunk of fine print at the bottom of the email. Beware of such fraudsters who are before your bank account and credit card.
What is Phishing
  • Google Docs scam is a high-profile phishing technique in which the victim receives an email from someone known. The user clicks on its link to view a document that takes it to the identical version of Gmail's login page. Once the user uses their credential, the attacker traps him.
  • Advance-free scam- In this scam, a foreigner is seeking help regarding transferring the money from your bank account as the user is stuck in a bad situation. It offers a large sum of money in exchange for your bank account. If you make a kind gesture, you will observe a chunk of your money move in the opposite direction.
What is Phishing
  • Email account upgrade scam – This email upgrade account scam sends an email of upgrading the user's email account from trusted email providers like Google and Microsoft or the user's Company IT department. This mail holds a message that the user account has expired unless immediate action is taken. They also provide a link of updation, which takes the user to the affected login page, where the user login his credentials and is trapped by a hacker.
    As you can see, it seems like a professional email with no elaborate requests or grammatical errors, and the "link" appears to direct a safe "https" web page to an unsuspected user.
  • The fake invoice scam- This scam works on urgency and fear of the user where the end-user is pressured to submit a payment for goods & services which have never been received or ordered by the user. This all happens because financial departments are obvious targets of these attacks.
What is Phishing
  • Some other scams are – The unusual activity scam, The council tax scam, and the Dropbox scam.

The mechanism in a phishing email

To create a phishing email, generally, cyber- criminal or attacker uses three primary mechanisms to steal information, and that is:

  1. Malicious weblink
  2. Malicious attachments &
  3. Fraudulent data entry forms

Working of phishing

Phishing is initiated with the communication and fraudulent email designed to lure a victim. The violated message is created to look as if it is sent from a trusted partner. Users visit the scam website and log in with their credentials to get fake benefits. Phishing fools the victims to provide a financial advantage to the hacker. With fraud, email, malware, or infected software can be downloaded onto the target's computer.

Effect of phishing mail in different aspects

There are various consequences of falling for a phishing attack, or some problems arise at home or work. It arises such problems in personal life like money stolen from a bank account, return tax filled in a person's name, fraud charges applied on credit cards, mortgages and loans opened in a person's name, on a person's account some fake social media posts are posted, and user can lose access to videos, photos, files, and other important documents.

Consequences at work are reduced investor confidence, damage to the reputation of employees, interruption of revenue-impacting productivity, attacked files become inaccessible and locked, reduced company value, financial fines from compliance violations, exposure of customers and co-workers' personal information due to which outsider can access confidential files, communication and systems.

Types of phishing attacks

What is Phishing
  • Spear phishing
    In this attack, the specific individual is targeted instead of a wide group of people. The victim is searched on social media and other sides, and after finalizing the target, the attacker customizes their communication and appears more authentic to them.
    These attacks have a high success rate because attackers spend much time crafting information specific to the recipient. For example: target the high-value victim and organizations and connect with them with some work or business-related topic instead of getting information or credentials from thousands of victims.
    An attacker may send them malicious attachments where the filename references a topic related to the recipient's interest.
    A state or nation cyber-criminal may target or attack the government working employee or agency to steal nation or state secrets.
    In 2017 a phishing mail was sent to target cyber security professionals with the name (Group 74 (a.k.a. Sofact, APT28, Fancy Bear) pretending to be related to the Cyber Conflict U.S. conference, an event organized by the United States Military Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy, and the NATO Cooperative Cyber Defence Centre of Excellence. Rather CyCon was a real conference, but the email consisted of an attachment with a document containing a malicious Visual Basic for Applications (VBA) macro that would download and execute reconnaissance malware called Seduploader.
  • Deceptive phishing
    It is the most common phishing type where attackers try to obtain confidential information from the victim to launch another attack or steal money. For example, A fake mail from the bank was sent with a link to the victim to verify the account details.
  • Whaling
    A whaling attack is designed to trap a “big fish” in which the attacker target an enterprise's top executives like the CEO, Board of Directors, M.D, etc. because they are high-value persons, and the information stolen from them are more valuable than the what a regular employee may offer.
    Attackers spend a lot of time profiling the target and finding opportunities to steal login credentials.
    Attackers use social engineering platforms before crafting the phishing message to collect all the information about the Company and the victim used in the whaling attack. For example, information about a problem in the executive suite, legal issues, some customer complaints or issues, etc. 
  • Smishing
    It is one of the common phishing attacks deployed via SMS messages. The message is the medium of communication between businesses and customers regarding notification and other resourceful information. More people like to read a text messages than email, and half of them even respond to the messages.
    With the rising popularity of SMS messaging, attackers use misleading test messages as a weapon to deceive victims. Smishing is widely increasingly as it makes attackers reachable to everyone in a responsive form. Attackers make users believe that message has arrived from a trusted person or organization, like from known brands, websites, banks, etc. they convince them to take action and their valuable information.
    In past years it has been most commonly used by bank attackers who ask for ATM PIN and OTP (bank login credentials) from the victim on behalf of the bank. Once they provide information, they wipe out all the money.   
  • Snowshoeing
    Snowshoeing is a phishing attack in which spam is propagated over several domains and IP addresses to weaken the reputation metrics and avoid the filter. It is also called "hit-and-run" spam, in which attackers push out messages via multiple domains and IP addresses.
    These low-volume messages are sent by each IP address that couldn't recognize or block malicious messages by reputation- or volume-based spam filtering technologies. Before these messages are recognized, and filters learn to block them, they make themselves to the email inboxes, which seem to resemble the legitimate sender and body of the message that looks the same as the previous one. Specialized spam trapping organizations via conventional spam filters find hard-pressed to trap and identify snowshoe spamming.   
  • Clone phishing
    A clone meaning is the exact copy of something. Here clone phishing refers to an attack where the attacker creates a near replica of a legitimate message as a real one to trick the victim.
    The victim received a message or email probably sent from an address resembling the legitimate sender, and the structure of the message looks like the previous message. The minute difference created by the attacker is that the link or attachment in the message has been swapped out with a malicious one. The attacker also adds an explanation/ reason behind sending the "same" message again. For example, they send an updated version for promotional reasons, etc.
    This is clone phishing, where the attacker creates a fake or dummy website of an original one with a spoofed domain to trick the victim.
    Once the attacker successfully attacks, it again uses this technique against another person who has already received the cloned message. In most cases, victims fall for the attack because they have previously seen the legitimate message but can't able to point out the change.    
  • Vishing
    Vishing is a phishing attack carried out via phone call, also known as “voice phishing”. The victim got a fake call from the attacker, usually with a pre-recorded message or a script. For example: Recently, a group of hackers tried to breach twitter security by convincing twitter employees that they were "IT staff" over the call. All through the conversation, they ask them to hand over their credentials.
  • Session hijacking
    In session hijacking phishing, some of the sophisticated techniques are used by criminals to violate a web server and starling information stored on the server.
  • Pharming
    This is slightly different from phishing as this victim doesn't have to click a malicious link that leads them to a bogus website. Criminals directly infect the website's DNS server or the user's computer because it straightly takes the user to a fake site even if the correct URL is typed in.

Protection against phishing attacks

1. By implementing technical measures

To keep the system free from cyber-attack, the user must implement appropriate technical measures that prevent phishing attempts. Users must prepare a defense system; if an attack becomes successful, they won't get much detail further.
It ensures that in the organization, all the network tools, applications, internal software, and operating system must be secure and up to date. For protection purposes, malware and anti-spam software must be installed.

2. Training of the staff

Employees or staff are trained by educating them using phishing simulation tools to identify phishing risks.       
It keeps organizations cyber secure by using proven security awareness training and creating internal cyber security heroes. High-level executives are the major target; therefore, it is important to educate & trained them to recognize phishing emails and what to do when they receive them.         

3. Building a positive security culture

Social engineering is a common type of cyber-attack as it is very successful because its perpetrators are good at manipulation. Therefore, staff shouldn’t be punished for being a victim.
Instead, they should be encouraged to report the incident to alert everyone and take preventive measures. In an organization with a culture of blame, no employee will admit to what is perceived as a mistake, which puts the organization at great risk. To create a positive cyber security culture, cyber security awareness campaigns, education, training, and support are utilized in the corporate culture.

4. Learn the psychological triggers

Cybercriminals trigger and exploit human psychology to attack victims and to get past victims' natural wariness, as:

  • Creating false alarm of urgency and heightened emotion to make their victim confused
  • Hackers create a sense of indebtedness which help in exploiting the human propensity for reciprocation

5. Test the result or effects of training

Time-to-time training should be tested by using simulated phishing attacks. These attacks help analyze the effectiveness of the staff awareness training and its loopholes. It also makes aware which employees need further training.

6. Establishing network access rule

Organizations must make network access rules that limit sharing information outside and using personal devices on the corporate network.

7. Deploy email security solutions

To protect against email phishing, some modern email filtering solutions detect the affected email consisting of malicious links, spam content, attachment, and language that could suggest a phishing attack. It protects email messages against malicious payloads and malware present in them.

Phishing simulation

The method of raising awareness about phishing risks and identifying the employees at risk of phishing. This phishing simulation allows the incorporation of cyber security awareness into the organization in an informative and interactive method.  

Real-time simulations are an effective and fast way to educate people and increase their alertness to phishing attacks. While working, people see first-hand how fake websites, malware, CEO fraud, emails, and spear phishing are used to steal corporate and personal information.

Benefits of phishing simulations

  • Segmented phishing simulation
  • Reduce the cyber threat risk level
  • Users can alter the phishing risk
  • It could measure the degree of vulnerability of employees and corporate.
  • It can deploy targeted anti-phishing solutions
  • Improvise cyber security culture
  • It helps in creating cyber security heroes
  • Useful in protecting valuable personal and corporate data
  • Phishing simulation meets the industry compliance obligations
  • Impact of cyber security awareness training is accessed