Phishing is a type of cyberattack that uses email, SMS, phone, or social media to entice a victim to share personal information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.
Features of a Phishing Email:
Typical characteristics of phishing messages make them easy to recognize. Phishing emails usually have one or more of the following indicators:
Asks for Sensitive Information
Uses a Different Domain
Contains Links that Don’t Match the Domain
Includes Unsolicited Attachments
Is Not Personalized
Uses Poor Spelling and Grammar
Tries to Panic the Recipient
Phishing attack examples:
The following illustrates a common phishing scam attempt:
A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.
Several things can occur by clicking the link. For example:
The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.
Types of Phishing
Spear phishing:
Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.
Smishing:
Smishing is a phishing campaign conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.
Vishing:
Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.
Whaling:
Whaling, also called business email compromise (BEC), is a type of spear-phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.
What happens if you open a phishing email?
Simply reading a phishing message is normally not unsafe. The user must click a link or download a file to activate malicious activity. Be cautious about all communications you receive, and remember that although phishing may most commonly happen through email, it can also occur through cell phone, SMS and social media.
Phishing Prevention:
Use anti-virus software: Anti-malware tools scan devices to prevent, detect and remove malware that enter the system through phishing.
Use an anti-spam filter: Anti-spam filters use pre-defined blacklists created by expert security researchers to automatically move phishing emails to your junk folder, to protect against human error.
Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Companies are constantly patching and updating their solutions to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.
Never reply to spam: Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately.
Top comments (0)