Introduction to phishing attacks, types & protection


Today, phishing is one of the main contributors to cybercrime worldwide, and phishers keep introducing new methods to carry out their attacks.

Many countries are losing millions of dollars to these attacks. In this article we cover what phishing attacks are, their types, the precautions to take, and more.

Let’s dive in.

What are Phishing attacks?

A phishing attack is a cyber attack in which the attacker contacts you, most commonly by email, while pretending to be a trusted source.

The email either asks you to enter your credentials (credit card details, login password, etc.) or manipulates you into clicking a malicious link, which the attacker can then use to gain access to your system.

Social engineering (manipulating people into handing over credentials or any other valuable information the attacker wants) is one of the main ingredients of phishing attacks.

Phishing attack statistics & examples

The statistics on phishing attacks may alarm you. All the figures given here are taken from trusted sources. Some of the relevant numbers are listed below:

  • More than 15 billion phishing emails are circulating on the Internet
  • In 2021, around 2.3 lakh (230,000) unique phishing websites were identified across the web
  • Phishing attacks are growing at a massive rate of roughly 400% year over year
  • According to IBM’s 2021 Cost of a Data Breach report, phishing is the second most expensive attack vector
  • More than 95% of all phishing attacks arrive by email

Real-life phishing attack example

Consider a real-life example of a massive phishing attack that cost Google and Facebook (now Meta) around $100mn.

The attack took place between 2013 and 2015. At that time, both Google and Meta were clients of a company named Quanta. The scammer sent multiple invoices to both companies from email accounts impersonating official Quanta addresses.

Both companies paid the invoices. The scammer was later caught and extradited to the US, and nearly half of the money was recovered from him.

It remains one of the biggest phishing attacks to date.

Consequences of Phishing

As the example above shows, the consequences of phishing can be enormous for an organization. A company that falls victim to a phishing attack primarily suffers two types of losses:

Loss of finances

A phishing attack hits the finances of the affected company hard, because most of the time the attacker’s main motive is to make money.

The data on the top 5 phishing attacks also bears this out:

  • Phishing attack on Crelan Bank (around $75.8 million lost; the attacker impersonated a top-level executive of the bank)
  • Phishing attack on FACC (around $61 million lost; the attacker impersonated the company’s CEO)
  • Upsher-Smith Laboratories (over $39 million lost; the attackers impersonated the company’s CEO and its lawyer)
  • Ubiquiti Networks ($46.7 million lost, of which $15 million was recovered; same method as above)

Loss of data and legal action

Beyond the financial loss, phishing attacks also lead to data breaches: more than 60% of the companies affected by phishing attacks also reported data loss.

A recent example is the cloud storage company Dropbox, which suffered data loss in a phishing attack in which code repositories of around 130 companies were leaked. Such incidents erode customers’ trust in the company.

Every country has its own laws and regulations against phishing. In India, for example, phishing is a criminal offense under IPC section 415 (cheating), section 425 (mischief), section 464 (forgery), and section 107 (abetment of a thing).

Types of phishing techniques

There is no single way to execute a phishing attack; there are many types, and new techniques keep evolving. A few of them, however, account for the majority of phishing attacks.

Email Phishing

This technique alone accounts for the majority of phishing attacks. Attackers pose as a legitimate source to steal credentials or credit card information from the recipient.

Attackers send these phishing emails to thousands of people.

Manipulating links

Manipulated links are links crafted to appear to belong to a legitimate company or organization.

The attacker sends these links by email or places them on websites (typically pirated-content sites), then steals whatever information you enter on the pages these links open.

Smishing

In smishing, the attacker sends a text message to smartphones. The message typically claims that your credit card is expiring, that there were unknown transactions on your account, that you have won a lottery, and so on.

This type of attack relies heavily on social engineering: the attacker works by gaining the recipient’s trust.

For example, the attacker sends you a message about your credit card expiring. You dial the customer care number given in the SMS; the attacker answers, introduces himself as a bank executive, and tries to extract your credit card details. If he gets them, he uses your card to steal your money.

Vishing

In vishing (voice phishing), the attacker uses a phone call.

The attacker calls the target and introduces himself as a customer care executive, bank employee, or similar, then tries to gather sensitive information that he later uses to carry out transactions.

Content injection

This type of attack is carried out through a website. The attackers target websites that do not correctly handle data submitted by users.

The attacker submits his own content to the website, where it is then displayed as part of the site. He then shares a link to that page with users in order to steal the information they submit there.

Angler phishing

This is a relatively new phishing technique. Cybercriminals pose as customer care representatives of a company or organization on search engines or social media platforms.

For example, say you mistakenly sent money to the wrong bank account and search on Google for the bank’s customer care number. Fake numbers are already waiting there for you. If you call one, a cybercriminal answers, impersonates a customer care executive of the bank, gathers your bank details, and uses them to steal your money.

Forgery of websites

In this type of phishing, the attacker builds a new website by cloning the legitimate website of a company or organization.

When a user searches for a company’s official website, he may end up on the scammer’s clone instead. If the visitor submits personal information there, the attacker uses it to scam that person.

Pop-ups

This type of phishing occurs on websites offering illegal or pirated content. These sites show pop-ups to their visitors, and the pop-ups sometimes carry malicious software.

When a user clicks the pop-up, the malicious software starts downloading; it can damage the visitor’s device or steal information.

To get rid of such pop-ups, enable an ad blocker in your web browser or use a browser with built-in ad blocking, such as Brave.

Spear Phishing

Spear phishing targets a specific individual rather than a group of people. The attacker first researches the target on various social media platforms, then launches a phishing attack tailored to that target.

Whaling

Attackers use this technique when going after a high-value target, such as the CXOs of a large company or organization. They spend a lot of time researching the target, since there is no room for mistakes. This type of attack relies heavily on social engineering; the attacker needs to know login credentials or other important details about the target. The honeytrap is a well-known method in these attacks.

Phishing: How can you spot it?

Now that you know the types of phishing techniques in use today, your next question is probably how to spot them. There are several things to check; some of them are the following:

Mismatched and misleading data

If someone emails you demanding money or credentials, there is a chance that the sender is impersonating a trusted source and you are the target of BEC (business email compromise) fraud.

Double-check with the person supposedly requesting the information or money transfer (call or text them).

Threatening or urgent language

If you receive an email or text message saying your credit card has expired or you have won a lottery, don’t panic and stay calm. The sender wants you to call the given number so that he can exploit the situation and take your credentials.

Providing attractive rewards

If someone contacts you (by phone call, email, or text message) offering a reward, there is a very high chance you are being set up as a victim. Don’t fall for this kind of fraud.

Below is an image showing an example of an attractive reward.

[Image: KBC scam]

Confidential information requests

If someone asks you for confidential information (by email or text), call or meet that person first. In this technique the scammer is often impersonating a high-level executive. Don’t send anything immediately; confirm that you are sending the information to the right person.

Unexpected emails

If you receive an email from a sender you don’t recognize, don’t open it. It may contain malicious software.

Suspicious attachments

If you receive an email with a file attached, handle it with the utmost care: the attachment may contain malicious software or code. It is best to ask the sender about it, and if the sender doesn’t answer, not to open it.
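As an added example (not from the original article), the following Python function checks one raw email for the indicators listed above: mismatched sender data (a Reply-To or a display name pointing at a different domain than the sending address), urgent language, reward bait, requests for confidential information, and the manipulated links described earlier, whose visible text names a different domain than the one the link actually opens. The sample message and every domain in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Word lists follow the article's "How can you spot it?" indicators.
URGENT = ("urgent", "immediately", "expired", "suspended", "24 hours")
REWARD = ("lottery", "you have won", "prize")
CONFIDENTIAL = ("password", "credentials", "credit card", "verify your account")
# Captures (href, visible text) of each anchor in a simple HTML body.
LINK = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(s):
    """Last two labels of the host in a URL, mail address or bare hostname."""
    host = s.rsplit("@", 1)[-1]
    host = urlparse(host if "://" in host else "http://" + host).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def indicators(raw):
    """Return the article's spotting indicators present in one raw email."""
    msg, hits = message_from_string(raw), []
    name, sender = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != domain(sender):    # mismatched data
        hits.append("reply-to domain differs from sender")
    if "@" in name and domain(name) != domain(sender):
        hits.append("display name impersonates another address")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    low = body.lower()
    for label, words in (("urgent language", URGENT), ("reward bait", REWARD),
                         ("confidential information request", CONFIDENTIAL)):
        if any(w in low for w in words):
            hits.append(label)
    for href, text in LINK.findall(body):                  # manipulated links
        text = text.strip()
        if "." in text and domain(text) != domain(href):
            hits.append(f"link text {text} points to {domain(href)}")
    return hits

# Constructed sample; every domain here is a placeholder, not a real site.
SAMPLE = """\
From: "ceo@example-corp.com" <alerts@mail-example.net>
Reply-To: accounts@payments-desk.test
Content-Type: text/html

<p>URGENT: verify your account within 24 hours or it is suspended:
<a href="http://example-corp.com.evil-host.test/login">www.example-corp.com/billing</a></p>
"""
```

Running indicators(SAMPLE) flags all five indicators; a mailbox filter would call it on each incoming message and quarantine or tag anything that scores above a chosen threshold.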

How does phishing work?

There is no fixed methodology for how phishing works, but most of the time it works through email. Let’s look at an example.

Let’s say Steve is an attacker and Roger is a target. Roger works at an MNC as head of accounting and manages all of the company’s cash.

He receives an email from the CEO asking him to pay some bills. The email looks legitimate to Roger, so he pays them. Later it turns out that the email was not sent by the CEO but by the scammer, Steve, impersonating him; Roger believed the email without verifying it because it looked legitimate. This is how the company became a victim of a phishing attack.

5 Best Ways to Protect Your Organization from Phishing

  1. Do not open an unknown email.
  2. Cross-verify the sender if you find anything suspicious in it.
  3. Do not click on unknown links.
  4. Don’t share credentials over email.
  5. If you don’t trust the source of an attachment, don’t download it.

Check Point helps prevent phishing

Check Point offers anti-phishing software for Office 365 and G Suite that scans all the emails you receive.

It blocks phishing sites, alerts on credential reuse, and detects compromised passwords.

Conclusion

We covered what phishing is, the various phishing techniques, and how to prevent them.

I hope this article helps you understand phishing better.

Frequently Asked Questions (FAQs)

What is meant by a Phishing attack?

A phishing attack is a form of cybercrime.

What is a simple definition of Phishing?

In phishing, an attacker impersonates a trusted source to steal credentials or money.

What happens when you get phished?

Either your data or your money gets stolen.

How does getting phished affect you?

If you get phished, the consequences can be severe. At the individual level, your personal information is stolen and may be used in future attacks. If you are a company, your customer data is compromised and the attacker may even have deleted it, a huge loss for the organization. Not only can recovery cost a lot of money, but you may also lose customer loyalty and face legal action from those affected.

Is there such a thing as a phishing attack?

Yes, phishing is very real and is one of the fastest-growing contributors to cyberattacks.

Written by Ankur Balwada.