Phishing is a fraudulent attempt to acquire sensitive information such as personally identifiable information, banking and credit card details, usernames and passwords, by disguising as a legitimate and trustworthy enterprise. The information is then used to access accounts and can result in identity theft and financial loss.
Phishing is an example of the social engineering techniques used to deceive users, induce panic and exploit weaknesses in current web security. This cybercrime is carried out by email spoofing, SMS, text and instant messaging. These scams attempt to trick recipients into responding, or take them to a fake copy-cat website whose look and feel are identical to the legitimate site, in order to collect personal information.
Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executives, officers and other high-profile targets within a business, government, or other organization. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue.
Clone phishing is a type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link is used to create an almost identical, cloned email. The attachment or link within the email is replaced with malware or a virus, and the message is then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original.
Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed enterprise. Misspelled URLs and the use of sub-domains are common tricks used by phishers.
Voice phishing / Vishing
Not all phishing attacks require a fake website. By impersonating a trustworthy entity over a call (telephone/mobile/IVR), the fraudster attempts to acquire sensitive personal information.
SMS phishing / Smishing
Cell phone SMS / text messages are used to induce people to divulge their personal information.
Prevent Phishing Scams
Companies don't ask for your password
They don’t need your password to look up your account. The same goes for banks, the IRS, government agencies, Google, Facebook, and other organizations.
Use a reputable VPN service. A VPN hides your real location and also makes a man-in-the-middle (MITM) attack more difficult. Watch out! Some free VPN providers are known to install malware, steal bandwidth and hijack your computer. If something is free, you are the product!
Don't share personal information
Social engineering attacks can occur over the phone, text, instant messaging, email or the Internet. Watch out for lucrative, too-good-to-be-true offers like a free iPhone, winning a lottery or inheriting money from strangers. If you have reason to believe that a financial institution actually does need personal information from you, pick up the phone and call the company yourself using the number listed on their website.
Think before you click
A link may not be all it appears to be. Hovering over a link shows you the actual URL you will be directed to upon clicking it. It could be completely different, or it could be a popular website with a misspelling, for instance bankofamnerica.com – there is an extra ‘n’, so look carefully. Do your own typing rather than merely clicking on the link provided in the email.
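The two link tricks described above (a visible link text that differs from the real href, and a misspelled or sub-domain look-alike of a real brand domain) can be checked mechanically by a mail client or gateway before anyone clicks. The following is an added example written for this article, not code from any product; the brand allow-list, the sample email and the hypothetical thresholds are constructed for illustration, and the registrable-domain helper is a crude approximation rather than a Public Suffix List lookup.

```python
"""Link checks a mail client or gateway could run on an email before a user clicks.

Flags: a visible link text that names one domain while the href points to another,
a registrable domain within two edits of (or containing) a trusted brand name,
and a brand name used as a sub-domain label in front of an unrelated domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of legitimate brand domains (hypothetical configuration).
TRUSTED_DOMAINS = {"bankofamerica.com", "google.com", "facebook.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (approximation; a real system would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'subdomain-trick', 'lookalike' or 'unknown' for the link target."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    brand_labels = {brand.split(".")[0] for brand in TRUSTED_DOMAINS}
    # Sub-domain trick: brand name appears left of the real registrable domain,
    # e.g. bankofamerica.com.evil-example.net
    if brand_labels & set(host.lower().split(".")[:-2]):
        return "subdomain-trick"
    # Look-alike: misspelling within 2 edits, or brand name embedded in the domain.
    for brand in TRUSTED_DOMAINS:
        if levenshtein(reg, brand) <= 2 or brand.split(".")[0] in reg:
            return "lookalike"
    return "unknown"


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_anchor(href: str, text: str) -> list:
    """Findings for one link; an empty list means nothing suspicious was seen."""
    findings = []
    verdict = classify_url(href)
    if verdict != "trusted":
        findings.append(verdict)
    # Visible text that itself looks like a URL or domain but names a different registrable domain.
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(urlparse(href).hostname or ""):
        findings.append("text-href-mismatch")
    return findings


def scan_html(html: str) -> dict:
    """Map each href in the message to its list of findings."""
    parser = AnchorCollector()
    parser.feed(html)
    return {href: check_anchor(href, text) for href, text in parser.anchors}


# Constructed sample message: one honest link, one misspelled domain shown under a
# legitimate-looking text, one sub-domain trick, and one unrelated trusted link.
SAMPLE_EMAIL = """
<p>Please verify your account:</p>
<a href="https://www.bankofamerica.com/login">https://www.bankofamerica.com/login</a>
<a href="http://bankofamnerica.com/login">https://www.bankofamerica.com/login</a>
<a href="http://bankofamerica.com.evil-example.net/verify">Secure login</a>
<a href="https://www.google.com/">Google</a>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_EMAIL).items():
        print(f"{href}: {findings or 'ok'}")
```

The edit-distance threshold of 2 and the two-label domain approximation are deliberately simple; in practice the allow-list would be the organisation's own brands and partners, and anything flagged would be rewritten or quarantined at the gateway rather than left for the user to spot by hovering.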
Think twice before opening an attachment or file
Be careful even if it comes from someone you know. Attachments often carry payloads like malware, ransomware or viruses that could wreak havoc.
Beef up your security
Use antivirus software and a firewall. They guard against known attack techniques and loopholes. Make sure you keep the virus definitions and the software itself up to date.
What to do if you are a Phishing Victim?
Always act quickly when you come face to face with a potential fraud, especially if you’ve lost money or believe your identity has been stolen. Notify the company or bank right away and also file a complaint with law enforcement. In the USA, you can file a complaint with the FBI for phishing emails, the FTC for identity theft and the SEC for securities or investment-related scams.