DEV Community

Cover image for Everything You Need to Know About Phishing Attacks and Their Solutions
2muchcoffee
2muchcoffee

Posted on • Edited on • Originally published at 2muchcoffee.com

Everything You Need to Know About Phishing Attacks and Their Solutions

Phishing is a favorite technique among hackers. This is partly because it is so simple that anyone with basic IT skills can do it. It is also partly because it is highly affected millions of internet users fall victim to phishing attacks every day.

Considering the prevalence of phishing attacks one would expect every internet user to know what phishing is. Unfortunately, most people don’t.

What is Phishing?

Phishing is a hacking technique that hackers use to collect sensitive data such as email addresses, passwords to personal accounts, and more. It is one of the oldest and most efficient phishing techniques. It is also one of the simplest – it is so simple that there are ready-made phishing kits available on the dark web for amateur hackers.

Phishing goes back way before the internet was created. The word phishing is said to have been coined from the term ‘phreaking’. Phreaking was a technique used by hackers to get free airtime from their cellular service providers. The hackers would play unique sound tones into their cellular handsets to unlock free airtime.

Phishing emerged in the mid-90s. Hackers would target AOL users and get them to share their log-in details. Today, phishing is just as simple but the stakes are much higher. Nowadays hackers target more sensitive information such as passwords to bank accounts and online banking platforms. Phishing is also used to collect personal information that can then be sold for profit or used to blackmail victims. There are also more phishing techniques today than ever.

Types of Phishing Attacks Techniques

Hackers are always coming up with new ways of stealing sensitive information from unsuspecting internet users. However, there are three major techniques that are widely used today:

Email Phishing

Email is the most popular phishing platform for hackers. It is preferable because it provides hackers the anonymity they need to dupe their victims. It is also easy to manipulate so as to impersonate any entity.

Email phishing involves deception. Hackers register emails that look and sound just like real emails of real entities. The domain name is registered to closely match the original. The email is also designed to look like the original. The hacker then uses the fake domain to send out fake emails to unsuspecting victims.

Email phishing is used to collect data in a variety of ways. The simplest scenario is that the hacker asks for the recipient’s personal data hoping that he/she will fall for it and reply. Another scenario is that the email comes embedded with malicious malware that infects the device and collects sensitive data – a program such as a keylogger is used to record keystrokes and even take screenshots.

The most complex and common email phishing technique involves sending fake emails with links to fake websites. In this case, the hacker creates replicas of the company’s email as well as its website. The email urges the recipient to click on the link and log in to avert an impending problem. The website then collects the sensitive log-in information which is then used to commit other forms of cybercrime.

How to Dodge Email Phishing

Fake emails are easy to spot if you look closely enough. The domain name and email addresses may look original at a glance, but there is always something different. As such, always be keen when you receive emails from sensitive entities such as online banking platforms and governments.

You should also avoid clicking links in emails. If you have to log in to a website then do so directly via the browser. It also goes without saying that you should never respond to fake emails or share sensitive data with anyone.

Website Phishing

There are thousands of fake and malicious websites on the internet. Many of these websites are purposely designed for phishing. They are designed to look like popular websites dealing with sensitive issues such as private communications and financial transactions.

There are two phishing techniques used with websites. The most common tactic is tricking visitors to log into their accounts, in which case the website collects these log-in details and sends them to the hackers. The second technique involves infecting users’ browsers with malware and spyware programs. These programs then track the user’s online activities and collect a ton of sensitive data.

How to Dodge Website Phishing

You will be surprised by how real phishing websites appear. However, they all have some tell-tale signs. For starters, the URL is usually not secure – it does not contain the HTTP and HTTPS prefixes. Additionally, the website has certain pages that are either inactive or superficial.

The best way to avoid suspicious websites is by employing a decent cyber-security program. Many browsers including Chrome and Firefox automatically block out suspicious websites.

Telephone Phishing

Hackers are still using phones to phish, but they are not doing it for free airtime. Any number whose caller ID is publicly listed is susceptible to spoofing. Hackers spoof targeted numbers and use them to pry information out of unsuspecting targets.

Telephone phishing is all about smooth-talking. For instance, a hacker may spoof numbers linked to a bank and use them to contact the bank’s clients. The oldest play in the book usually involves alerting the clients to problems with their accounts and requesting their account numbers and other sensitive information so as to “fix” the alleged problem. Unsuspecting victims end up sharing their information.

How to Dodge Telephone Phishing

The best way to avoid becoming a victim of a telephone phishing attack is to never share your sensitive information with anyone over the phone. If you are concerned about anything then always hang up and call back using the number you know and believe to be true. You should also always verify the identity of anyone calling you.

Phishing and Social Engineering

Phishing is going past the internet and smart gadgets and into the physical world. Hackers have become brazen in their attacks and are now confident enough to make closer contact with their victims.

There is not much difference between phishing and social engineering. In both cases, hackers try to pry sensitive information out of their victims. However, social engineering is more complex and convincing.

Social engineering attacks are usually targeted. The hacker spends time studying their targets before coming up with an elaborate plan to defraud them. Most targets are small companies, but individuals, major corporations, and even government institutions qualify. Once the hacker learns everything relevant about the target he/she goes on to learn about their contacts and acquaintances and impersonates one.

Social engineering attacks usually take place over the phone. They are similar to telephone phishing except for the fact that the attacks are more elaborate. Usually, the hacker will impersonate one of the victim’s contacts and then call asking for information or money. The most common tactic is to impersonate a company’s client currently doing some work for the company and asking for an advance in payments using a different account number. Hackers also call asking for sensitive information that they then use to defraud the companies.

In some cases, hackers are brazen enough to walk into a company and carry out these social engineering attacks in person. For instance, a hacker may impersonate an IT contractor and play the role to the minutest detail including getting a uniform, badge, toolbox, and everything you would expect from an IT guy. In many cases the hackers create an excuse for why you would need their services – for instance, they may instigate a cyber attack that will sabotage your computer services. Once they come to “fix” the problem they also install spyware and can then collect as much information as they want.

Social engineering attacks are bold and versatile. In fact, any attempt to coerce sensitive information off someone using pretentious means can be described as a social engineering attack. These attacks are on the rise owing to their success as they exploit human vulnerability, which is easier to get past compared to cybersecurity programs.

It Can Happen to Anyone

Millions of people around the world fall victim to phishing attacks every day. This includes elites, major organizations, and even governments. Here is a look at three of the most outstanding phishing attacks to-date:

Operation Phish Phry

Operation Phish Phry is the largest recorded case of phishing in history. It involved a highly organized network of hundreds of individuals. The attack targeted hundreds of bank and credit card users. The attackers sent out emails that looked real and directed their victims to fake bank and credit card sites. The people who fell for the scam proceeded to log into their accounts and ended up falling victim to the attack.

It is reported that Operation Phish Phry defrauded its victims of over $1.5 million. However, the attackers did not get away as the FBI launched a massive investigation that netted hundreds of them.

Scam against Walter Stephan

Walter Stephan goes down in history as the individual to lose the most money from a single phishing attack. Walter Stephan is a former CEO of FACC, an Austrian aerospace company that makes aircraft components for Airbus and Boeing.

During his tenor as CEO, a hacker successfully guessed Stephan’s email address and created a look-alike spoof. The hacker then sent an email to one of the low-level accounting staffers authorizing the transfer of $47 million to a foreign bank account. The amount would allegedly pay for a scheduled acquisition project. The staffer took the bait and transferred the money.

Unfortunately, Stephan and several other high-level officials were fired following this attack. What’s more, the company recovered only a fraction of the stolen money and the hacker was never caught.

The Target Scam

The phishing attack against Target was one of the most publicized cyber-attack stories in 2013. The massive attack affected over 110 million users and compromised details related to over 41 million retail card accounts. However, the authorities did not provide much detail about how much the attackers stole or even if they were ever caught.

Conclusion

The Ultimate Solution to Spoofing Attacks: Keep Your Sensitive Information to Yourself.

Spoofing relies on people’s vulnerability as compared to other cyberattacks that exploit weaknesses in cybersecurity programs. As such, now that you know what is phishing you can stop any attack in its tracks by keeping your sensitive information private. Additionally, be sure to follow the highlighted tips for each type of phishing attack.

Liked that? We’ve done our best! Go to our blog to find more useful articles.

Top comments (0)