Have you experienced phishing before? Well, you probably have.
Almost everybody will experience phishing and most already have. Even if you have not been sent the common virus-infected email or CFO Fraud mail, you would have gotten a call or text from someone pretending to be your Banking officer and/or a message from your telecoms network claiming you won a promo. These are all different forms of phishing.
According to phishing.org, Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
It essentially involves tricking unsuspecting victims into releasing information which could be used for several attacks.
There are several types of phishing. Some of these include:
Email Phishing: This is the common type of phishing which tries to con individuals by sending them disguised malicious emails. These emails may require that the victim sends sensitive information, clicks on malicious links and/or download malicious attachments.
Spear Phishing: Unlike traditional phishing, which sends emails to several addresses, spear phishing involves tailoring a phishing mail to a particular person (who must have been researched). The phishing email is tailored to the individual and is, mostly, highly effective.
SMS Phishing: This involves sending text messages to potential phishing victims. Individuals may receive an alert stating that they won a promo and inviting them to follow the included link to claim a prize.
Vishing: This is phishing performed over phone calls. For example, an attacker may pretend to be calling as your Bank account officer and would try to obtain as much information from you to enable him to steal your money.
Search Engine Phishing / Phishing Websites: This type of phishing involves the creation of fake websites which would trick the individual into releasing private information. For example, an attacker could lure his victim to click on a fake online banking website and obtain the victim's online banking login credentials from the fake website.
Phishing is one of the most common forms of cyber-attacks and is still generally successful. Attackers try to craft their emails, conversations, texts or phishing websites carefully to ensure that the victims do not suspect. Keywords like, "Your Invoice", "Payment Details", "Salary Breakdown" are often used in tricking unsuspecting or curious victims.
If phishing is successful, the attacker may carry out any or all of the following activities:
- Infect user system with malware which can spread to the network
- Steal user credentials for accessing other network resources
- Steal sensitive and important information
- Gain access to other segments of the network (which may be more sensitive than the initial victim's)
- Request for financial transactions (This is called "CFO Fraud" when the attacker impersonates a company CFO)
It is important to understand how phishing works and take appropriate preventive measures.
Read about Preventing Phishing here.