Staying Safe Online

The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: Cybersecurity is much more than an IT topic.
~Stephane Nappo

What is Phishing?
Types of Attacks & Prevention:

Phishing is one of the most common frauds carried out online through electronic communication. Its targets are both individuals and well-known organizations. In a phishing attempt, the attacker tries to steal your personal information, including credit card details and passwords. Attackers mostly use email, social media, phone calls and other electronic channels to carry out these social engineering attacks.

According to the Verizon Data Breach Investigations Report (DBIR), 66% of malware was installed through email attachments, with phishing tactics used to lure the victim into opening them.

Phishing Defined
Phishing is a type of social engineering attack in which the attacker tries to trick the victim into opening an email attachment or entering sensitive details such as login credentials. The attacker masquerades as an organization or individual the victim trusts. Attackers use text messages, emails and social media accounts to carry out these attacks.
Attackers try to tempt you with offers that are too good to be true, or pressure you into performing an action. That action is the trap: it results in a compromised system or a breach of sensitive or personal information.

Types of Phishing Attacks
Phishing is generally divided into two categories: general (bulk) email phishing and targeted spear-phishing. We’ll discuss both with their respective examples.

Email Phishing Attacks
Email is the medium in which most phishing attacks take place. It is so heavily used by attackers that 94% of malware was delivered through email, according to the Verizon Data Breach Investigations Report.

In email phishing scams, the attackers collect the email addresses of many online users, often thousands or hundreds of thousands of them. The attacker uses automated tooling to deliver the same email to all of these people. Such emails usually create a sense of urgency so that the recipient acts immediately, and that action results in the compromise.

The phishing messages might be designed for students of a particular university. The attackers first study and mimic that university’s genuine emails to build their own phishing templates, paying attention to detail to craft the most convincing message. The emails are then sent to all potential targets, and a percentage of recipients fall victim because they do not know what to look for.

Phishing emails usually contain fake links that resemble an organization’s official website or login page.

As an example, consider how an attacker can manipulate the official link to a university renewal page with a fake “edurenewal.com” domain. Here “myuniversity.edu/renewal” is the official page, while “myuniversity.edurenewal.com” is a hostname under the domain edurenewal.com, which the scammer has registered and hosts. It is not a subdomain of myuniversity.edu: the registered domain is read from the right-hand end of the hostname, and the familiar “myuniversity.edu” prefix is only there to fool the eye. The attacker emails university students the fake renewal link and harvests whatever the victim enters after landing on the page, such as a credit card number or login credentials.
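The link check described above, as an added example that is not part of the original article: it extracts the hostname from a link and accepts it only if it is the trusted domain or a subdomain of it on a label boundary. The trusted domain, the sample links and the attacker domains (edurenewal.com, evil.example) are assumptions constructed for the example. It also covers two tricks the paragraph does not mention: a “user@” prefix in the URL (browsers treat everything before the “@” as a username, so the real host is what follows it) and a host that merely ends with the trusted string.

```python
from typing import Optional
from urllib.parse import urlsplit

# The only domain the university controls (constructed for this example).
TRUSTED_DOMAINS = ("myuniversity.edu",)


def hostname_of(url: str) -> Optional[str]:
    """Host part of a link, lower-cased, with userinfo and port removed.

    A scheme-less link such as "myuniversity.edu/renewal" is read as https.
    urlsplit().hostname drops "user@" prefixes, so a link written as
    "https://myuniversity.edu@evil.example/" resolves to evil.example.
    """
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname


def is_under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a label-boundary subdomain of it."""
    host, domain = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def link_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    host = hostname_of(url)
    return bool(host) and any(is_under_domain(host, d) for d in trusted)


# Constructed sample links a student might receive.
SAMPLE_LINKS = [
    "myuniversity.edu/renewal",                        # the real page
    "https://LOGIN.myuniversity.edu:8443/sso",         # real subdomain, odd casing and port
    "https://myuniversity.edurenewal.com/renewal",     # attacker's edurenewal.com
    "https://myuniversity.edu.evil.example/renewal",   # attacker's evil.example
    "https://myuniversity.edu@evil.example/renewal",   # userinfo trick, host is evil.example
    "https://notmyuniversity.edu/renewal",             # a plain endswith() check would pass this
]


def classify(links=SAMPLE_LINKS):
    """Map each link to True (trusted host) or False (suspect)."""
    return {link: link_is_trusted(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify().items():
        print("trusted " if ok else "SUSPECT ", link)
```

Only the first two links are accepted. The check compares the hostname, not the text of the link, which is the same thing a reader should do by hand: find the end of the hostname and read the registered domain from the right.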

Spear-Phishing Attacks
Spear-phishing is a more specialized type of phishing in which attackers target specific people and exploit their particular weak points to extract sensitive data. These individuals can be a CEO, a manager or any employee of a company. Attackers also target wealthy individuals with spear-phishing, studying their personality and interests in order to scam them out of their credit card information.

This type of phishing is more dangerous because the attackers study the specific individuals before designing their phishing strategy. It is a customized attack with little to no obvious clues, and it can trick even people who are aware of phishing scams.

Consider a scenario in which an attacker obtains the latest project invoice information from an organization’s marketing department. The attacker emails the organization’s project manager in the organization’s usual style, sending “updates” to the invoices along with a password-protected link (in reality a spoofed copy of the original document portal). The project manager is likely to enter credentials to view the invoice, and the attacker captures those credentials to access other documents of the organization.

Phishing Attacks Identification & Prevention
Only proper awareness of such attacks can help individuals protect themselves. Phishing emails almost always contain clues to their nature. To identify them, here are some pointers to consider:

  • Organizational emails sent from a public domain like @gmail.com are most probably a scam, because organizations almost never send official mail from public addresses.
  • If the sender’s domain name is misspelled, for example something like “ab*@pa****.com” instead of “paypal.com”, then it is a phishing email. Look for swapped, dropped or look-alike characters in the domain.
  • If an email is poorly written, without a proper layout and with many grammar mistakes, it is most probably part of a phishing scam.
  • If an email contains suspicious links or attachments, do not open them; they may lead to malware or a phishing page.
  • If an email creates a sense of urgency, or tells you that you have won a prize by participating somewhere, do not respond; it is trying to scam you.
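The pointers above can also be turned into detection logic. The following is an added example, not code from the original article: it parses a raw email, then scores it against four of the heuristics (free-mail sender claiming an organization’s branding, look-alike sender domain, urgency or prize language, and links pointing outside trusted domains). The trusted domains, the free-mail list, the urgency phrases, the homoglyph table and the three sample messages are all assumptions constructed for the example; paypa1.com, account-verify.example and the named mailboxes are invented.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Reference data for this example (constructed; load from config in a real deployment).
TRUSTED_DOMAINS = {"paypal.com", "myuniversity.edu"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account suspended",
                   "you have won", "verify your account")
# Characters attackers swap for visually similar ones; undone before comparing domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain):
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to flag one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message; each reason is one heuristic hit."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Organizational branding in the display name, but sent from a free-mail domain.
    claimed = [d.split(".")[0] for d in TRUSTED_DOMAINS if d.split(".")[0] in display.lower()]
    if sender_domain in FREE_MAIL_DOMAINS and claimed:
        reasons.append(f"{claimed[0]} branding but sent from free-mail domain {sender_domain}")

    # 2. Sender domain is a look-alike of a trusted domain (homoglyph or one-off typo).
    for trusted in TRUSTED_DOMAINS:
        if sender_domain != trusted and edit_distance(normalise(sender_domain), trusted) <= 1:
            reasons.append(f"sender domain {sender_domain} looks like {trusted}")

    # 3. Urgency or prize language in the subject or body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    # 4. Links whose hostname is not under any trusted domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlsplit(url).hostname or "").lower()
        if not any(is_under(host, d) for d in TRUSTED_DOMAINS):
            reasons.append(f"link to untrusted host {host}")

    return len(reasons), reasons


# Constructed sample messages.
PHISH = """\
From: "PayPal Support" <security@paypa1.com>
To: victim@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain; charset="utf-8"

Dear customer,
Please verify your account immediately at
https://paypal.com.account-verify.example/login
"""

FREEMAIL = """\
From: "MyUniversity IT Helpdesk" <myuniversity.helpdesk@gmail.com>
To: student@myuniversity.edu
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your mailbox password expires today. Reset it at
https://myuniversity.edu/password
"""

LEGIT = """\
From: "Registrar" <registrar@myuniversity.edu>
To: student@myuniversity.edu
Subject: Spring term registration is open
Content-Type: text/plain; charset="utf-8"

Registration is open until the end of the month at
https://myuniversity.edu/renewal
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("FREEMAIL", FREEMAIL), ("LEGIT", LEGIT)):
        score, reasons = score_message(raw)
        print(name, score, reasons)
```

The first sample trips three heuristics (look-alike domain, urgency language, untrusted link), the second trips only the free-mail check, and the legitimate registrar message scores zero. A score like this is a triage aid for a mail gateway or a SOC analyst, not a verdict: the grammar pointer is deliberately left out because it is not something a regular expression judges well.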

Once you can recognize these phishing attacks, you can take some precautionary measures to keep attackers out of your accounts.

Enable 2 Factor Authentication: The best way to keep attackers out is to enable 2FA. Even if an attacker has your username and password, they cannot sign in without passing the extra layer. It is the most basic yet important security layer for individual accounts. One caveat: a one-time code sent by SMS or generated by an app can itself be phished if the victim types it into a fake login page, so where an account offers a phishing-resistant method such as a hardware security key (FIDO2/WebAuthn), prefer it.

Strict Password Management: Organizations should also enforce strict password rules for their employees. In addition to 2FA, employees should use a unique password for every service, never reuse an old password, and change any password that may have been exposed.

Secure Practices: Educational organizations can set a simple rule for students and teachers: links in emails from outside the organization are not sent internally and are not clicked. If an attacker then attempts to trick them, nobody engages with the email, its links or its attachments.
