Phishing scams are a common occurrence on the internet. A lot of us aren’t adequately aware of what these attacks are and how we, as netizens, are vulnerable to such attacks for every minute that we spend online.
Phishing attacks have especially been on the rise ever since the Covid-19 pandemic has locked us in our homes. We’ve been compelled to conduct all our activities online, and a lot of hackers have taken advantage of this situation.
From hacking into Zoom calls to stealing personal/sensitive information, hackers are leaving no stone unturned to take advantage of netizens that are not so vigilant. People are now vulnerable to cybercrimes more than ever. This is why it’s important to know everything you can about types of phishing attacks and how they can be prevented.
Table of Content
What is Phishing?
Phishing attacks are devised to send fraudulent communications that appear to come from a legitimate source.
The attack usually occurs through email. The aim is always to steal sensitive data or personal information like credit/debit card and login information, or to install malware on the victim’s device.
The victim always believes that the message has been received from a trusted source they have interacted with before, mostly on a regular basis- like their bank or company-and the request is usually to click a link or download a file.
Phishing attacks started in 1995. The word ‘Phishing’ is a combination of the words ‘fishing’ and ‘phreaks’. The latter was the title hackers used to refer to themselves.
Types of Phishing Attacks
1. Spear phishing
Spear phishing involves targeting specific individuals rather than large groups. The attackers may research their targets online or on social media and other platforms so that they can stage their attack according to the victim and make it look believable.
Often, Spear phishing is the first step in launching a targeted attack against large organizations and companies.
2. Deceptive phishing
The most common out of all types of phishing attacks is deceptive phishing. It involves sending fake emails or messages, asking the recipient to click on a link or download an attachment.
Pharming also sends the user to a fake website. In this case, victims don’t themselves click a malicious link to be taken to the phony site. Attackers may either infect the targetted victim’s computer or the website’s DNS server and redirect the user to a fake site even when the correct URL is typed in.
When attackers go after high-level executives of an organization (like a CEO), then it is called Whaling. A lot of research is gone into this type of attack as hackers have to be careful and plan the moment of attack strategically.
If a Whaling attack succeeds, it could be devastating for the victims as high-level executives have access to a lot of sensitive information.
5. Evil Twin Phishing
This is when the attacker creates a WiFi hotspot that looks like the real one, using the same SSID as well. When users connect, the attacker spies on the user’s network and steals their passwords, account names, documents they might be viewing, etc.
6. Clone Phishing
The hacker ‘clones’ or creates an exact replica of a message that has already been received by the user before. The links or attachments in the message will be replaced with malicious ones. The attacker usually lures the user in by citing an issue with the previous message and asks them to click on the link or download the attachment again.
How to Prevent Phishing Attacks?
Awareness is the key to protecting yourself against phishing attacks. They shouldn’t be taken lightly as they put you at the risk of incurring huge monetary losses and data breaches. Here is a list of precautions you can take:
1. Don’t click on links you don’t expect
Phishing emails are made to look like legitimate business emails, and most of the time they send over an attachment containing some sort of malware or a link that will take the recipient to a fake website.
The email could be structured as a business offer or a notification/ update from the victim’s own company. It could also be a bank notification trying to lure you in with some abnormal information.
If you’re not sure who the sender is, it’s advisable to not open any attachments or click on any links. If you do know the sender, but the email you received was unexpected and you suspect that something might be fishy, then contact the sender directly. Sometimes attackers hack into other people’s emails and use them for staging an attack.
The most common format of files sent through a phishing email is zip. Sometimes though, Microsoft Office files can contain viruses, which can contain automated tasks that need to be enabled. It is advisable to keep an eye on all kinds of attachments.
2. Ignore money requests
One common phishing email scam is that hackers often use is, misrepresenting themselves as ‘government agents’ and asking for money under some pretense. An example of such phishing emails is an investment scheme, where you’re asked to contribute a small amount of money and promised more in return.
Sometimes the scammers could pretend to be from an NGO and ask you to contribute for a cause. You’d be directed to a fake website, and once you enter sensitive information, the hackers could have the power to empty your bank account.
Hackers can also ask money in the form of blackmail.
Whatever the way is, you should never click on random links asking for a financial contribution of any kind. Staying vigilant in this regard and reporting such emails is the way to go.
3. Check the site you’re visiting
If you click on a phishing link received through an email or message, it will take you to a mock-up of the original website. If you pay close attention, you can pick out the elements that help you identify that it’s not a real website.
The webpage will typically contain a form you’ll have to fill, so as to acquire your login details. Before filling in any data, take a look at the website address in your browser’s address bar.
Though scammers can create a website that closely resembles the design, flow, and style of the real brand, they can’t create a replica of their original domain name. Domain names are paid for by the original website owners, and nobody else can use the exact same URL for their website.
An attacker’s fake website’s URL will usually contain a name similar or resembling that of the brand’s, along with some numbers, symbols, letters, or words.
If these fake websites are trying to replicate a known brand you often visit, then the design and flow will feel a little off. For example, when signing in to Gmail, you fill up your username and password on different pages. A fake website might not be able to copy this flow and you’ll be able to recognize that if you’re vigilant.
4. Pay attention to the sender’s email address
One common Phishing scam is where a big brand sends you an email, informing you that there is some issue with your account and you have to log in to ‘fix it’. These emails will have a link attached to them, which will take you to a fake website of the original brand.
A good way to deal with this is to check the email address the mail has been sent from. Hackers can’t copy the brand’s original domain name in their email. So, if the original email address would be [email protected], the phishing email will be sent from [email protected]
You should also check the URL before clicking. If you’re using a laptop or a computer, hover your mouse over the link provided in the email. You’ll be able to see the entire URL and if it’s not the same as the brand’s, then don’t click on it! If you’re using a smartphone, you can touch and press on the link till the entire URL is revealed.
Now that you’ve read up all on types of Phishing attacks and how you can prevent them, it should be easier for you to identify these attacks and not fall for them. It’s important to be a mindful internet user.
You should always be careful when you’re entering sensitive information on a website. Stop and exit immediately if you feel something is fishy!
If you have any feedback and queries, do mention in the comments below.
Interesting read: Brute Force Attack: All you Need to Know