IT’S NOT FISHING; IT’S PHISHING!

There was a time when fishing was the trend, but in the new digital world of new India the trending hashtag nowadays is not fishing; it is phishing. Yes, you read it right: these homophones are entirely different things in reality. The only similarity between the two is the act of capturing, a fish in the former case and a customer for fraud in the latter.

WHAT IS PHISHING?

Phishing is a new type of cyber-attack, often called a social engineering attack, commonly used to steal users' data such as login credentials and credit card numbers. It occurs when an attacker, masquerading as an entity the customer trusts, dupes the victim into opening an email, instant message, or text message that looks authentic but is in reality fraudulent. Once the recipient is tricked into clicking a malicious link, the consequences follow: installation of malware, freezing of the system as part of a ransomware attack, the revealing of sensitive information, and more.

TECHNIQUES OF PHISHING

1) SPEAR PHISHING
This type of phishing targets a specific person or enterprise, or some high-level individual within a company, instead of random application users. It is a more in-depth version of phishing, as it requires specialised knowledge about that particular organisation, including its power structure and confidential matters.
An attack might play out as follows:

2) EMAIL PHISHING
This kind of phishing is a numbers game. An attacker sends out thousands of fraudulent messages in order to net significant information and sums of money, even if only a small percentage of recipients fall for the scam.

Just as in spear phishing, the attackers create spoofed emails or texts to conduct their fraudulent activities. In addition, attackers will usually try to push users into action by creating a sense of urgency while winning the victim's confidence in the message's genuineness.

The unfortunate part is that the links inside these messages resemble their legitimate counterparts, but typically have a misspelt domain name or extra subdomains, for example

https://www.bajajfinservmarkets.in/ and

http://www.bajajfinservemarket.in/.

The similarity between the two addresses gives the impression of a secure link, making the recipient less aware that an attack is taking place, and with the next click it happens.
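The domain comparison described above can be automated on the defender's side. The following is an added example, not code from the original article: it pulls the URLs out of a message body, reduces each host to its registrable domain, and flags hosts that are a small edit distance from a known-good domain or that smuggle the genuine brand name in as a subdomain. The allow-list and the sample message are constructed for illustration, and the registrable-domain helper assumes single-label TLDs such as ".in".

```python
import re
from urllib.parse import urlparse

# Constructed allow-list (assumption): the domains the organisation really uses.
KNOWN_GOOD = {"bajajfinservmarkets.in"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """'www.example.in' -> 'example.in' (assumes a single-label TLD)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: counts insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return "known-good"          # any subdomain of a genuine domain is fine
    for good in KNOWN_GOOD:
        d = levenshtein(reg, good)
        if 0 < d <= 2:               # misspelt lookalike, e.g. an added or dropped letter
            return f"lookalike of {good} (edit distance {d})"
        # Genuine brand label placed left of an unrelated registrable domain.
        if good.split(".")[0] in host.lower().split(".")[:-2]:
            return f"lookalike of {good} (brand used as subdomain)"
    return "unknown"

def scan_message(text: str) -> list:
    """Return (url, verdict) for every http(s) URL found in a message body."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]

# Constructed sample message in the style of the article's urgency lure.
SAMPLE = """Dear customer, your account will be blocked today.
Verify now at http://www.bajajfinservemarket.in/verify or
visit the official site https://www.bajajfinservmarkets.in/ for help."""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:55} {url}")
```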

HOW TO PROTECT YOURSELF FROM THIS SOCIAL ENGINEERING ATTACK?

Protection against phishing attacks requires steps taken by both users and enterprises to stay clear of such mishaps.
For users, vigilance and awareness are the key. A spoofed message often contains mistakes that expose its true identity, and these are easy to catch; all you need is to read it patiently and with awareness. These mistakes can include spelling errors or changes to domain names, as seen in the earlier URL example under email phishing. For enterprises, several steps can be taken to mitigate both phishing and spear-phishing attacks:
(a) Two-factor authentication (2FA) is the most effective method for protecting against phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a user name and password, and something they have, such as their smartphone holding their confidential information.
