The rapid transformation of cyberspace and digital technologies in recent years has forced changes in enterprises’ digital architecture. Adversaries now use highly sophisticated techniques and advanced digital platforms to attack enterprises and individuals. One of the techniques most used by cybercriminals is phishing.
Phishing is a type of online fraud that uses deceptive e-mails, websites, or pop-up ads. It relies on social engineering: the attacker throws out a bait to the intended victim (usually an employee of an organization) and lures them into revealing private information or user credentials. That information can then be used to compromise the organization’s financial assets and data.
Historical Examples of Successful Phishing Attacks
Cybercriminals who use phishing to pose as real people with legitimate concerns play their cards carefully. This lets them bypass the sophisticated security controls already in place at the organizational level by exploiting the weaknesses that untrained and unaware employees present.
Phishing is one of the oldest, yet still most successful, forms of cyber-attack faced by enterprises today. Learning to protect your organization or yourself from such attacks also involves understanding the methods used in historical scams.
Here are some well-known examples of phishing attacks from the past:
- Operation Phish Phry – This was the name of the 2009 FBI-led investigation into an international phishing ring that targeted hundreds of customers of banks and other financial institutions. The phishers used fake bank e-mails and websites to harvest account credentials, then used those credentials to move money into accounts they controlled. The scam cost the victims a combined USD 1.5 million, stolen from hundreds of bank accounts.
- In 2016, several University of Kansas employees replied to a phishing e-mail with their login details; the attackers used them to change the employees’ direct-deposit information and divert their paychecks.
- The “Fappening” attack – The cybercriminals behind this attack leaked intimate photos of celebrities across the internet. It was initially thought to be a breach of Apple’s iCloud servers, but it was later established that the leak resulted from phishing e-mails that tricked the victims into handing over their iCloud credentials.
- The Ukrainian power grid attack – The December 2015 attack on Ukrainian power distribution companies began with spear-phishing e-mails carrying malicious attachments. The attackers, attributed to Russia, used the resulting foothold to gather operational data on the grid, then opened breakers remotely and wrote custom malicious firmware to serial-to-Ethernet devices at multiple sites in the same time-frame, making recovery slower. Comprehensive training and e-mail protection could have blocked the initial intrusion.
Types of phishing attacks:
- Vishing: Vishing is a blend of ‘voice’ and ‘phishing.’ It uses a voice or telephone conversation in which the attacker impersonates a family member, friend, or acquaintance (or a bank, supplier, or support desk) to first win the victim’s trust and eventually extract sensitive data.
- SMiShing: Smishing is likewise a blend of ‘SMS’ and ‘phishing.’ It is one of the easiest ways to make people fall prey to phishing. Typically the victim receives an SMS with a fake order-cancellation or delivery update and a link, which most people tap reflexively without a second thought. These links lead to fake websites built by the adversary to harvest credentials.
- Search Engine Phishing: This type requires considerable effort on the attacker’s part. They build a fake webpage, optimize or advertise it for a few chosen keywords, and wait for users to land on it; once there, the page asks the visitor to enter credentials, which go straight to the attacker.
- Spear Phishing: The most common and effective mode of phishing for attackers is spear phishing. It is carried out by sending e-mails from seemingly credible but fake senders and e-mail addresses, targeted at a particular user or organization. The attacker usually does thorough research before sending an e-mail that is relevant and significant to the targeted individual or organization, to remove any scope for doubt and make the e-mail, and the links it carries, look authentic.
- Whaling: This type targets a small number of people believed to be the decision-makers of an organization, the C-suite post holders such as the CEO, CFO, and COO. They are known as ‘whales’ in phishing terminology, hence the term ‘whaling.’
Safeguards To Prevent Various Phishing Attacks:
E-mail Phishing Scams
- To protect yourself from e-mail phishing, neither you nor your employees should click unknown links or download attachments from unidentified senders. Employees should report any suspicious mail to their IT administrators.
- Phishers use real company logos and genuine-looking websites that closely resemble the sites they are maliciously imitating. The recipient of such content should try to establish the authenticity of the sender address. Whether an address or site has been spoofed can often be detected by checking for misspellings or look-alike characters in the e-mail address or website domain (for example, a digit 1 in place of a lowercase l, or the brand name appearing as a subdomain of an unrelated domain).
- One should also check whether they are in the ‘To’ or ‘Cc’ field. If the e-mail is not addressed directly to them and they appear alongside many unknown recipients, they may be dealing with a mass phishing e-mail. Such e-mails and the links in them should not be opened. Note that a spear-phishing e-mail will usually be addressed to the target alone, so this check only catches bulk campaigns.
Vishing Scams
This is the voice version of phishing, and the intent behind the attack is the same.
- Do not provide sensitive information over the phone to any unverified caller from an unknown number. If financial information must be given to a call-center employee or other representative, first cross-check the request against the organization’s official website or the number printed on your card or statement.
- Never call back a suspected scam number; look up the organization’s official number independently instead. Also be vigilant while browsing, because adversaries create many fake websites specifically to exploit unwary users.
Pop-Up Warning Phishing Scams
Pop-ups are small advertisements with graphics and links commonly seen on e-commerce and entertainment websites. Scam pop-ups usually display warnings stating that your system is infected, and at times imitate reputable vendors such as Norton or Avast.
- The first step to avoiding a pop-up scam is to look for spelling mistakes or grammatical errors, which are often the clearest signs of fraud.
- If you are unsure whether a pop-up is genuine, do not interact with it; close the browser tab instead and run a scan with the security software you actually have installed. Genuine Norton alerts appear only in the product’s own dashboard, not in the web browser.
SMiShing Scams
- Links sent via SMS should not be opened. If the message claims to come from a bank or courier, go to that organization’s app or website directly instead.
- Verify the sender’s identity before replying to any SMS; respond only if you know the person.
- Never reply to messages seeking bank details or details of your personal finances.
- Lottery messages such as “Congratulations! You have won $100,000. Please provide your bank details so that we can transfer the winnings to your account.” are phishing attempts and should never be answered.
Follow These Steps If You Find That You Have Been Attacked:
- Changing your passwords should be the priority. Start with the account that was phished, then the primary computer password, antivirus accounts, and any other password-protected applications and websites, especially anywhere the same password was reused. Do this from a device you trust.
- Run a full system scan to detect any malware infection.
- File a complaint with the anti-fraud department or the relevant authorities of your city/state, and notify your bank if financial details were exposed.
- Stay alert while browsing, and open websites and links thoughtfully.
- Watch out for shortened links. Adversaries often use link-shortening tools so that a link to a fake site hides behind an innocuous short URL. Hover the cursor over links received by e-mail and check that the domain of the actual destination matches the domain shown in the link text.
- Make sure you are using sites served over ‘https://’ when browsing for information, and take particular care when making online payments. This reduces the risk of handing your financial and personal data to unreliable parties. Note that HTTPS only proves the connection is encrypted to whoever controls that domain; a phishing site can use HTTPS too, so the domain name still has to be checked.
- Check whether the internet connection you are using is secure. Avoid entering sensitive personal information online, such as net-banking data or credit/debit card details, while on public, unsecured Wi-Fi.
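The two manual checks above, looking for misspelled or look-alike domains in the sender address and comparing the destination of a link with the domain it displays, can be automated for every link in an e-mail body. The following Python script is an added example written for this page, not code from the original article or from any vendor. The list of trusted domains, the list of URL shorteners, the homoglyph map and the sample e-mail body are all constructed assumptions for illustration; it also flags links that are not served over HTTPS, as the later bullet recommends.

```python
"""Flag suspicious links in an HTML e-mail body (added example for this page).

Assumptions: TRUSTED_DOMAINS, SHORTENERS, HOMOGLYPHS and SAMPLE_EMAIL_HTML
are all constructed for the example and are not real data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing e-mail fragment (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Please <a href="http://bit.ly/3xyz">verify your account</a>
or sign in at <a href="https://secure-paypa1.com/login">https://www.paypal.com/login</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.paypal.com/help">our help centre</a>.</p>
"""

# Domains the recipient legitimately deals with (assumption for the example).
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Public URL shorteners: a link through one of these hides its real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Look-alike substitutions attackers use in domain names (small assumed subset).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "8": "b"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Real code should use a public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return None
    # Undo homoglyphs and hyphens so "secure-paypa1.com" compares as "securepaypal.com".
    norm = reg.translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")
    for t in sorted(trusted):
        brand = t.replace("-", "").split(".")[0]
        if (norm == t.replace("-", "")           # paypa1.com
                or host.startswith(t + ".")       # paypal.com.evil.net
                or brand in norm.split(".")[0]):  # secure-paypal.com, paypal-login.com
            return t
    return None


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] per link; an empty reason list means nothing was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if registrable_domain(host) in SHORTENERS:
            reasons.append("URL shortener hides destination")
        imitated = lookalike_of(host, trusted)
        if imitated:
            reasons.append(f"look-alike of {imitated}")
        # When the visible text is itself a URL, its domain must match the real destination.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons) or "ok")
```

On the constructed sample the shortened http link and the look-alike domain are both flagged, while the genuine link to the trusted domain passes clean. The homoglyph map and the two-label domain split are deliberately simple; a production filter would use a public-suffix list and a fuller confusables table.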
Watching for phishing attacks should be part of the security plan of every enterprise and user. Using a password manager, anti-phishing software and anti-phishing services are smart ways to protect critical systems from compromise; a password manager helps in particular because it fills credentials only on the exact domain they were saved for, so it stays silent on a look-alike site.
As technology advances and more people discover the internet, the number of malicious attackers waiting for a chance to harvest the credentials of innocent or uninformed users also rises. According to Verizon’s 2017 Data Breach Investigations Report, 15% of people who have fallen victim to a phishing attack will fall for another one. This speaks volumes about people’s vulnerability to outside threats and the risk it poses to their private information.
Wombat Security’s 2017 User Risk Report states that 30% of working adults do not know what phishing is or the serious consequences of falling victim to it. A direct implication is that a significant portion of internet users still lacks insight into phishing and the online fraud built on it. Apart from securing oneself against attackers, one should also educate at least two other people about it, to raise overall awareness of phishing and cybersecurity in general.