What is Phishing? - Seeker's Thoughts


What is Phishing?

In the time of COVID-19, when people started working from home, hackers have launched more phishing attacks.

In common terms, phishing attacks can be defined as attacks in which carefully targeted digital messages are transmitted to fool people into clicking on a link that can then install malware or expose sensitive data; these attacks are becoming more sophisticated.

Since the advent of computers, technology has changed things for both good and bad. The good side is that it has made life easier and longer, while destructive minds, which are also inevitable, use these technologies for their selfish motives and to harm society.

Earlier there were wars between kings, which later shifted to wars between nations; now a new era of war has arrived: cyber attacks.

Why are phishing attacks a cause for concern?
According to the 2019 Phishing Trends and Intelligence Report, PhishLabs found that total phishing volume rose 40.9 percent over the course of 2018.
Recent news also makes it evident that cyber attacks have grown.
These attacks targeted a range of organizations, especially financial service companies, email and online service providers, and cloud/file hosting firms.
The growth of phishing attacks poses a significant threat to all organizations. However, financial firms have been its worst victims.

How to Spot Phishing?
It is important that all individuals and organisations know how to spot the most common phishing scams if they are to protect their corporate information.
An email can appear to come from a recognised sender and still steal information. The categories of phishing are defined below.

1. Deceptive phishing
Deceptive phishing is by far the most common type of phishing scam.
In this type of ploy, fraudsters impersonate a legitimate company to steal people’s personal data or login credentials.
For example, if you receive an email from a recognised brand or company that uses threats and urgency to make you log in, it may be phishing.
A company does not approach you unsolicited when you have no dealings with it. Second, look for grammatical errors and spelling mistakes in messages that carry such links.


2. Spear phishing
In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.
The goal is the same as deceptive phishing, even so: trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data.
Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear phishing is commonplace on social media sites such as LinkedIn, where attackers can use multiple data sources to craft a targeted attack email.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media.
Companies should also invest in solutions that analyse inbound emails for known malicious links and email attachments. Such a solution should be capable of picking up on indicators of both known malware and zero-day threats.
3. CEO fraud or whaling attack
Spear phishers can target anyone in an organization, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an executive and steal their login details.
In the event their attack proves successful, fraudsters can choose to conduct CEO fraud.
As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice.

Attackers can also use that same email account to conduct W-2 phishing, in which they request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.
4. Vishing
Vishing is fraud conducted over a phone call. An attacker can set up a VoIP (Voice over Internet Protocol) server to impersonate various entities in order to steal sensitive data; for example, people may get a call claiming that their ATM or debit card has stopped working, followed by a request for the card details.
A bank never calls to say that a card has stopped working; customers have to approach the bank themselves. The same scam is applied to IDs issued by governments and to other financial institutions.
A few examples of vishing attacks are:
- As noted by Comparitech, an attacker can perpetrate this type of attack by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds.
- In September 2019, for instance, Infosecurity Magazine reported that digital attackers launched a vishing campaign to try to steal the passwords of UK MPs and parliamentary staffers.
- Not long thereafter, The Next Web covered an attack where vishers masqueraded as the boss of a German parent company to scam a UK subsidiary firm out of $243,000.
5. Smishing
The same method of theft continues in the form of SMS and text messages, where it is called smishing, which is also a type of phishing. The SMS may contain links that ask for personal information, threatening users that their ID will be blocked, their ATM card will stop working, or their account will be suspended.
No company sends this kind of message. Nevertheless, the general public is being targeted by smishing.
- Back in February 2019, for instance, Nokia warned its users to be on the lookout for a smishing campaign in which digital attackers posed as the Finnish multinational telecommunications company and sent out text messages informing users that they had won a car or money. The bad actors then asked recipients to send over money as a registration payment for their new car, reported Bleeping Computer.
- Later in the year, WATE covered the story of a Knoxville woman who fell for a smishing attack. The woman had cancer, and the scammers claimed that she could receive a federal grant to assist her in paying for treatment. She just needed to submit a down payment and pay taxes on the grant first, the fraudsters told her.
That is why medical companies must guard against data leaks; there are people everywhere intending to defraud others.
6. Pharming
This is a method in which victims are not approached directly; instead, they are diverted to fake sites.
Pharming is a cyberattack intended to redirect a website's traffic to another, fake site.
Usually, pharming is applied to online banking or other payment systems through which money transactions are performed.
It is rather difficult to be protected from pharming, as the site substitution process goes unnoticed.
Pharming software can work both from the browser cache and directly as a virus on your PC.
Thus, to protect yourself from pharming, you need not only to learn to recognize phishing emails, but also to be careful when installing software.
It is necessary to be extremely cautious when reading emails and when downloading any software from the Internet.

How to prevent phishing attacks?
1. Users should inspect all URLs carefully to see whether they redirect to an unknown or suspicious website.
2. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
3. Organizations should also consider adding multi-factor authentication (MFA) to their financial authorization processes so that no one can authorize payments via email alone.
4. To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone and use a caller ID app.
5. Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the message if they have any doubts.
6. To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites.
7. Companies should also deploy anti-virus software on all corporate devices and update virus databases regularly. Finally, they should stay on top of security upgrades issued by a trusted Internet Service Provider (ISP).
8. Files attached to an unknown message with .exe, .msi, .bat, .pif, .com, .vbs, .reg or .zip extensions can install malicious software; do not open them.
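As an added illustration of the checklist above (example code written for this post, not the blog's own), this Python script checks a parsed email against the indicators the post lists: urgency wording, a generic salutation, links whose visible text and real target disagree, non-HTTPS links and risky attachment extensions. The message structure, word lists and sample emails are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicator lists are my own assumptions, drawn from the post's checklist.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "blocked", "verify", "stop working")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".msi", ".bat", ".pif", ".com", ".vbs", ".reg", ".zip")

def registrable_domain(host):
    """Crude last-two-labels reduction (assumption; not a public-suffix lookup)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_mismatch(text, href):
    """True when the visible link text names a different domain than the href."""
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if not shown:
        return False
    return registrable_domain(shown.group(0)) != registrable_domain(urlparse(href).hostname or "")

def phishing_indicators(message):
    """Return the names of the checklist indicators that fire for one message."""
    found = []
    body = message["body"].lower()
    if any(word in body for word in URGENCY_WORDS):
        found.append("urgency")  # threat and urgency to log in
    if body.startswith(GENERIC_SALUTATIONS):
        found.append("generic_salutation")
    if any(urlparse(href).scheme != "https" for _, href in message["links"]):
        found.append("non_https_link")  # credentials only on HTTPS sites
    if any(link_mismatch(text, href) for text, href in message["links"]):
        found.append("link_mismatch")  # URL redirects somewhere unexpected
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in message["attachments"]):
        found.append("risky_attachment")
    return found

# Constructed sample messages, not real emails.
SUSPICIOUS = {
    "body": "Dear Customer, your account will be suspended. Verify immediately.",
    "links": [("https://mybank.example.com/login", "http://mybank-secure.example.net/login")],
    "attachments": ["statement.pdf.exe"],
}
BENIGN = {
    "body": "Hi Priya, the minutes from today's meeting are attached.",
    "links": [("https://intranet.example.com/minutes", "https://intranet.example.com/minutes")],
    "attachments": ["minutes.pdf"],
}

print(phishing_indicators(SUSPICIOUS), phishing_indicators(BENIGN))
```

The checks are intentionally simple heuristics; a mail gateway would combine them with sender authentication and reputation data rather than rely on keyword lists alone.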

Other Types of Attacks over internet-

Ransomware

In this newer kind of crime, an individual's computer is compromised and the user has to pay a ransom to regain access to it; this kind of malware is called ransomware. WannaCry has been notorious for troubling users.

India was one of the countries worst hit by the WannaCry ransomware, with the malware affecting sectors such as banking, finance and manufacturing last year.

The main dilemma: we don't know who attacks

Attacks are often anonymous and difficult to attribute to specific actors, state or non-state. Advanced Persistent Threats (APTs) carried out by anonymous hackers are often silent and go unnoticed for long periods.

Where does India stand?
The government is stepping up its authority around cybersecurity to check the rising menace of financial fraud.

The Global Conference on Cyberspace was held in India for the first time, with a view to establishing internationally agreed ‘rules of the road’ for behaviour in cyberspace and creating a more focused and inclusive dialogue among all stakeholders on how to implement them.

To combat the cyber threat, the government is setting up more cybersecurity labs.
1. Digital Investigation Training and Analysis Centre (DITAC)
The government earlier launched the Digital Investigation Training and Analysis Centre (DITAC) to tackle these crimes.
DITACs will monitor and police cyber-crimes committed through different platforms such as mobile, email, computers and social media platforms like Twitter and Facebook.
2. National Cyber Coordination Centre
Apart from DITACs, the government also established the National Cyber Coordination Centre, an operational cybersecurity and e-surveillance agency in India.

NCC, set up in 2015 as a part of the National Security Council Secretariat, should be strengthened to bring about much-needed synergy among various institutions and to work out a coordinated approach to cybersecurity, including cyber deterrence.

Has the plan worked?

India emerged as the third most vulnerable country in terms of risk of cyber threats, such as malware, spam and Ransomware, in 2017, moving up one place over the previous year, according to a report by Symantec.

As per the report, India continues to be the second most impacted by spam and bots, third most impacted by network attacks, and fourth most impacted by Ransomware.

India faces the highest number of Cyber Security Threats

India faces the highest number of cyber security threats in the Asia-Pacific region, with over 500,000 alerts daily, according to the Cisco 2018 Asia-Pacific Security Capabilities Benchmark report.

Union ministries and elite security agencies, apart from other government bodies, have been victims of a wide range of cyber-attacks, from website defacement to ransomware.
The Indian Computer Emergency Response Team (CERT-In), the governmental nodal agency for dealing with and handling cybersecurity threats, reported that less than 1% of the incidents reported to it came from security researchers.

With the growing adoption of the Internet and smart-phones, India has emerged as one of the favourite countries among cybercriminals. There is a growing threat from online radicalization. Lack of coordination among different government agencies may increase the risk of cyber-attacks. India is not a signatory to the Budapest convention which is the only multilateral convention on cybersecurity.

A team of Ethical hackers

Need for efficient information security systems: with more and more companies entering the e-commerce ecosystem and adopting new technologies such as cloud computing, the threat of imminent security breaches clearly demands efficient information security systems.

Cybercrimes are becoming more common and attackers more sophisticated, with rogue nation-states and terrorist organisations funding criminals to breach security networks, either to extort hefty ransoms or to compromise national security.

Trained manpower: the rising threat from cyber-attacks has exposed the severe shortage of talent in this sector. As per 2015 figures reported by Nasscom, India needed more than 77,000 white hat hackers, as against a mere 15,000 certified professional ethical hackers in that year.

Who Are Ethical Hackers?

These professionals employ methods similar to those used by malicious hackers, but they are required to be a step or two ahead of their vicious counterparts. Ethical or white hat hackers may be employed by the government, banks, or private firms to prevent cybercrime.

They hack the system with the permission from the client and present a maturity scorecard for the network that highlights their overall risk. Ethical hacking firms with specially trained professionals come to the rescue of businesses while ensuring the effectiveness of service and confidentiality. 

Businesses are faced with the challenge of dealing with complex security requirements that need to be updated as hacking tactics change, and with handling hidden vulnerabilities and evolving technologies.

While many new businesses are better prepared for cyber-attacks, traditional businesses still lack a proactive understanding of the need for ethical hacking. For example, in India, banks, having faced the brunt many times, are hiring professional help to secure their networks. Hotels and other service wings of the industry seem to be lagging behind.

Using the guide above, organizations/governments and individuals will be able to more quickly spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot each and every phish. Phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.

Much More to be done
Coordination among the CERTs of different countries is going to be helpful. Nations must take responsibility to ensure that the digital space does not become a playground for the dark forces of terrorism and radicalization.
