Cybersecurity 101: Everything you Need to Know About Phishing

over 5 years ago


Phishing is a method of cyber-attack in which the attacker, or “phisher”, poses as a trusted company, such as a bank or a government organization, to obtain confidential and personal information from an individual.

Almost all phishing is carried out for fraud, so it is necessary to detect these attacks and take remedial action. Endpoint security software helps take care of most modern phishing attacks.

Let’s look at some of the phishing techniques and how to prevent them.

Types of Phishing Attacks

We generally assume that the websites we interact with are safe to visit, yet hackers trick people with different phishing methods, such as cloned websites and impersonated domains. With the help of social engineering, scammers study the victim’s online behavioural patterns and preferences, and by studying the victim’s history they are able to execute a well-planned attack. Here are a few ways in which scammers extract vital information:

Email Spoofing: Name Impersonation

Email spoofing is one of the most common types of phishing techniques to steal data from users without their knowledge.

It can be done in a number of ways:

  • By sending emails using a familiar name,

  • By sending emails impersonating colleagues or business associates, asking for crucial/confidential information, 

  • By pretending to be an organization and asking its employees to share critical or confidential information.

The email’s call-to-action is designed so that the victim clicks the link provided and, at times, logs in to view a document. The email is also designed to create a sense of urgency and panic so that the victim clicks the link without stopping to think.

Unlike other phishing techniques, email spoofing follows an elaborate format and a defined strategy:

  • Targeting the victim(s)

  • Personalizing content according to the victim(s)

  • Creating a compelling call-to-action for a better chance of conversion.

How to prevent email phishing?

The best way to detect an attempt and prevent critical data from being stolen is to read and verify the sender’s email address. If something seems ‘phishy’, such as the characters in the email address not matching the sender you expect, copy and paste the address into a plain text editor such as Notepad to check whether any numeric or special characters have been used.

Mass Target – Brand Impersonation

Phishing attacks target large groups in order to cover more ground, scamming people who share a common interest, brand preference or demographic.

In this case, scammers pose as a familiar brand offering discounts or sending documents such as receipts, payment reminders or gift cards.

People fall for this because of their transactional history with a specific brand. 

How to prevent it?

It is always advisable not to open these emails without confirming their source. In the case of receipts, first check your own purchases and the exact amount. In the case of gift cards or loyalty points, call the helpline number listed on the brand’s official website rather than the number provided in the email.

URL Phishing

In URL phishing, attackers use a page’s URL to lure or infect the target. This is one of the most prevalent forms of phishing because it can target anyone, from any URL on an untrusted site or source. Attackers mostly target:

  • People who click on links sent by untrusted sources,

  • People who accept friend requests and read direct messages (DMs) containing links from untrusted sources, and

  • People who share their contact details and email addresses with untrusted sources.

Here are a few ways in which attackers use URLs to target their victims:

Hidden link

A simple way to hook a victim is by using a hidden URL. We have all, at some point, received emails with message boxes such as: “DOWNLOAD NOW”, “CLICK HERE” or “SUBSCRIBE.”

These are examples of call-to-action buttons through which attackers launch phishing attacks: the button text is all the victim sees, and the real destination is hidden behind it.

Misspelt URL

Hackers often use misspelt URLs to fool their targets. They purchase domains that look like popular websites; then, when a person mistypes the address due to a typographical error, the fake site asks them to log in by submitting personal information.

For example, at times people mistype “www.citiibank.com…” instead of www.citibank.com… And that is when they land in the lair of the scammer.

Homograph attack

Homograph attacks are more creative and exploit the victim’s lack of attention. This type of attack uses similar-looking words, including character combinations that are easily overlooked and misread.

For instance, victims receive a coupon or gift card in their mail and click on the link, but instead of the website ‘amazon.com’ they are redirected to ‘arnazon.com’.

Once they land on the fraudulent website, the page prompts them to enter their personal credentials, login information or financial data like credit or debit card information.

How to prevent URL phishing? 

Hovering the cursor over a link shows the address of the page it actually leads to. It is important to check that address thoroughly before opening the link.
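The checks above (read the sender address, hover over a link and compare what is shown with where it really goes, watch for misspelt or look-alike domains) can be automated for mail triage. The following Python is an added example written for this page, not code from the article or from any vendor: `TRUSTED_DOMAINS`, the small `CONFUSABLES` table and `SAMPLE_EMAIL_HTML` are constructed for the demonstration, the “registrable” part of a host is approximated as its second-to-last label (no public suffix list), and anchors are pulled out with a regular expression rather than a full HTML parser. It covers the sender-address check from the email spoofing section as well as the hidden-link, misspelt-URL and homograph cases described here.

```python
import email.utils
import re
from urllib.parse import urlsplit

# Constructed for this example: domains the reader expects legitimate mail from.
TRUSTED_DOMAINS = {"amazon.com", "citibank.com"}
# Sequences that read as another character at a glance ("arnazon" -> "amazon"); constructed, short.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def canonical(label):
    # Lower-case a host label and collapse visually confusable sequences.
    label = label.lower()
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label

def edit_distance(a, b):
    # Levenshtein distance: catches one-typo squats such as citiibank vs citibank.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host):
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)

def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower().rstrip(".")
    if is_trusted(host):
        return None
    try:  # punycode ("xn--") hosts are decoded so homograph labels compare as displayed
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = host
    labels = decoded.split(".")
    name = labels[-2] if len(labels) > 1 else labels[0]  # simplification: no public suffix list
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if decoded.startswith(trusted + "."):  # e.g. amazon.com.evil-login.net
            return trusted
        if canonical(name) == brand or edit_distance(name, brand) <= 1:
            return trusted
    return None

def check_sender(from_header):
    """Flags for a From: header, following the article's advice to read the sender address."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if not addr.isascii() or re.search(r"\d", domain):
        flags.append(f"non-ASCII or numeric characters in sender address {addr}")
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"domain {domain} looks like {imitated}")
    for brand in (d.split(".")[0] for d in TRUSTED_DOMAINS):
        if brand in display.lower() and not is_trusted(domain):
            flags.append(f"display name mentions {brand} but domain is {domain}")
    return flags

ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def host_of(text):
    # Hostname from a URL or from bare domain text such as "www.citibank.com"; "" if none.
    text = text.strip()
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()

def check_links(html):
    """What hovering over each link would reveal: shown text versus real target, plus lookalikes."""
    findings = []
    for href, inner in ANCHOR.findall(html):  # simplification: regex instead of a full HTML parser
        text = re.sub(r"<[^>]+>", "", inner).strip()
        real = host_of(href)
        shown = host_of(text) if URL_TEXT.fullmatch(text) else ""
        if shown and shown != real:
            findings.append(f"hidden link: text shows {shown} but goes to {real}")
        imitated = lookalike_of(real) if real else None
        if imitated:
            findings.append(f"lookalike: {real} imitates {imitated}")
        elif not shown and real and not is_trusted(real):
            findings.append(f"button '{text}' hides destination {real}")
    return findings

# Constructed sample body of the kind the article describes.
SAMPLE_EMAIL_HTML = """<p>Statement ready: <a href="https://www.citiibank.com/login">www.citibank.com</a></p>
<p><a href="http://arnazon.com/gift">CLICK HERE</a> to claim your gift card.</p>
<p><a href="https://www.amazon.com/orders">View your orders</a></p>"""
```

Run on `SAMPLE_EMAIL_HTML`, `check_links` reports the first link because its visible text and real target differ, reports that target as a one-letter typosquat of citibank.com, and reports the “CLICK HERE” button’s arnazon.com destination as a confusable of amazon.com; the genuine amazon.com link produces nothing. Punycode (`xn--`) hosts are decoded before comparison, so a homograph built from a Cyrillic letter is caught by the one-character edit distance even though it is not in the confusables table.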

In-Session Phishing

Pop-up messages are another convenient way to scam people. Through pop-ups, scammers steal login credentials by redirecting the victim to a website that appears important. This technique is called in-session phishing. Messages like “CONGRATULATIONS! YOU’VE WON $1,000,000! CLAIM IT NOW!” are among the most common pop-ups used to make people click the buttons.

How to prevent in-session phishing?

The best prevention for in-session phishing is a pop-up blocker, which can be downloaded from the browser’s list of extensions or from the app stores.

Website Spoofing

Website spoofing is similar to email spoofing, but it requires the scammer to put in more effort.

Scammers publish a website that replicates the user interface (UI) of a legitimate one. Some also use URL shortening to create links that resemble the real site’s. People easily fall for the counterfeit website, and their data is stolen by the scammers.

How to prevent website spoofing?

It is always best to type the entire address yourself rather than copying and pasting it or clicking a link from a source such as an email.

Image Phishing

Are you a dog or cat lover? Have you received emails with pictures of your favourite animal, sports team or something else that interests you? If yes, then beware: it could be a well-orchestrated phishing attack. Attackers use images and other media formats to deliver batch files and viruses, which can infect your system in multiple ways.

How to prevent image phishing? 

Do not download images from unknown emails and sources. Opening images in an incognito window is also risky. Using anti-malware or trusted antivirus software with your email service is advisable. It is also good practice to use a backup solution to protect against loss of data.
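One concrete check behind the advice above, as an added example that is not from the article: an attachment that claims to be an image should begin with that image format’s header bytes and should not carry a second, executable extension. The magic-number table, the executable-extension list and the sample byte strings are constructed for this example and cover only a few formats.

```python
# Constructed for this example: the leading bytes ("magic numbers") of common image formats.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Extensions Windows runs as programs; "cat.jpg.bat" ends in one of these, not in .jpg.
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1", ".hta"}

def check_attachment(filename, data):
    """Return reasons to quarantine an attachment presented as an image; [] means it is consistent."""
    exts = ["." + part for part in filename.lower().split(".")[1:]]
    final = exts[-1] if exts else ""
    reasons = []
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {final}")
        if len(exts) > 1 and exts[-2] in IMAGE_MAGIC:
            reasons.append(f"image extension {exts[-2]} used to disguise {final}")
    elif final in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[final]):
            reasons.append(f"content does not start with a {final} header")
        if data[:2] == b"MZ":
            reasons.append("Windows executable (MZ) header inside an 'image'")
        elif data.lstrip()[:5].lower() == b"@echo":
            reasons.append("batch-file text inside an 'image'")
    return reasons

# Constructed samples: a genuine PNG header, and program content wearing an image name.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 16
BATCH_AS_GIF = b"@echo off\r\nrem placeholder\r\n"
```

The double-extension case is decided by name alone, since the operating system will run the file regardless of what its bytes look like; the header comparison catches the opposite trick, where the name is innocent but the content is a program.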

With the changing times, we also need to implement next-generation threat prevention so that new ways of phishing can be detected and remedied. 

Author Bio

Anurag Vats is an in-house writer at Techjockey who is fond of exploring the latest avenues in the field of technology and gadgets. An avid reader of fiction and poetry, he also likes to dabble with brushes and loves to cook in borrowed kitchens.

Facebook: https://www.facebook.com/anurag.vats

Instagram: https://www.instagram.com/anuraagvats

Twitter: https://twitter.com/Derit_Erised