Phishing is a kind of cyber-attack that is growing in popularity among attackers because it is simple to carry out and highly rewarding when it succeeds. Phishing is usually done via email, pop-up ads, or even phone calls, and involves deceiving users into taking some action that ends up compromising them.
The history of phishing attacks begins in 1990, when phishers designed an algorithm to generate random credit card numbers and then scrambled these numbers to match the real card numbers of clients of a financial organization in America. This was the first time phishers combined sophisticated algorithms with social engineering on the Internet through phishing scams. Such incidents, which now include theft of personal information, have shown no sign of abating. In fact, phishers use advanced cryptographic methods and repurpose tools created for legitimate purposes, such as TOR (The Onion Router), military-grade tools such as automated ransomware, and cryptocurrencies, to mask their identity and carry out attacks with impunity.
In the early 2000s, hackers devised advanced techniques for performing phishing attacks through email. This generation's adversaries are very tech-savvy and use modern technology to intrude and steal information. They use commercially available cryptography tools, phishing kits, and advanced methods readily available on the dark web to carry out attacks that end up costing people millions. The rise of phishing has seen phishers choose email as their weapon of choice in this Digital Age's battlefield for data, and enterprises that have not safeguarded themselves with anti-hacking and anti-phishing tools, training, and firewalls have suffered tremendous blows to both their reputations and their finances.
Some psychological and social engineering tricks used earlier by attackers included drafting emails with intentional grammatical errors to draw the attention of employees, who were then fooled into taking actions that weakened organizational security controls. Later, attackers adopted several increasingly sophisticated email techniques, such as domain spoofing. In this scenario, the attackers bought domains (website addresses, for example Google.com or yourWebsite.com) similar to other well-known names in the market, such as banking domains, and pretended to be employees of these enterprises to get access to information such as financial data and passwords. PayPal was the first target of this technique, and many people had the details they had stored on PayPal's servers compromised.
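As an added defender-side illustration of the domain spoofing described above (example code, not from the original article), the following Python checks the domain in an email's From: header against a list of trusted brand domains and flags lookalikes such as paypa1.com or a trusted name buried inside a longer host; the trusted list, the confusable-character table, and the similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Brand domains worth protecting (constructed sample; a real deployment would use
# the organisation's own list of banks, partners and SaaS providers).
TRUSTED_DOMAINS = ["paypal.com", "google.com", "example-bank.com"]

# Substitutions attackers commonly use to build a lookalike domain (assumed table,
# not an exhaustive confusables list).
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))
SINGLE_CHAR = str.maketrans("013578", "olestb")
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off; tune against your own mail flow


def normalize(domain: str) -> str:
    """Fold common character substitutions so paypa1.com compares as paypal.com."""
    d = domain.lower().strip(".")
    for multi, single in MULTI_CHAR:
        d = d.replace(multi, single)
    return d.translate(SINGLE_CHAR)


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumes no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def sender_domain(from_header: str) -> str:
    """Pull the domain part of the address out of a From: header value."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def classify(from_header: str) -> tuple:
    """Return (verdict, matched trusted domain) for a From: header value."""
    host = sender_domain(from_header)
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return ("legitimate", trusted)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried in a longer host, e.g. paypal.com.verify-account.net
        if trusted in host:
            return ("embedded", trusted)
        norm_reg, norm_trusted = normalize(reg), normalize(trusted)
        if norm_reg == norm_trusted:
            return ("lookalike", trusted)
        if SequenceMatcher(None, norm_reg, norm_trusted).ratio() >= SIMILARITY_THRESHOLD:
            return ("lookalike", trusted)
    return ("unrelated", "")
```

A mail gateway would quarantine or tag anything classified as "lookalike" or "embedded" for review rather than block it outright, since the edit-distance check will also catch some legitimate unrelated domains.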
The origin of the word phishing: the "F" in "Fishing" is replaced with "Ph" to give the name "Phishing."
Phishing is in many ways similar to fishing, where bait is used to catch fish. In phishing, instead of worms, adversaries use cleverly designed and deceptive emails and websites as bait to get data.
Types of Phishing: Phishing Is Divided into Five Main Categories
Vishing
The word is formed by combining "Voice" and "Phishing", giving the name Vishing.
Adversaries collect data about a person from social media and contact the person under the name of a friend or family member to gather personal data. Thankfully, people are wising up, and this technique no longer works as well for cybercriminals. Vishing makes use of voice or mobile conversations in which the adversary impersonates tax department authorities, bank employees, a friend, or an acquaintance to first gain the user's trust and eventually steal sensitive data.
SMiShing
SMiShing is a term formed by combining two words: SMS and phishing.
When SMS is used as the tool for the phishing crime, it is referred to as SMiShing. Here, an SMS is sent to a large number of people asking them to click on a given link. The link usually promises lucrative offers, such as free branded shoes in exchange for email addresses or other information, which is exactly what the attackers are after.
SMiShing is also one of the easiest ways to make mobile users fall prey to phishing attacks. Typically, users receive an SMS with a fake delivery order or an order cancellation update and an associated URL, which many people click on without a second thought. These links lead to fraudulent websites specially crafted by the adversaries to extract people's sensitive information.
Search Engine Phishing
This is the easiest way to attack a system and infiltrate it to steal significant personal information. Links to fake and deceptive web pages direct internet traffic towards these sites.
As a searcher lands on such a web page, adversaries gain access to some data on their system and use it to obtain further essential data files. They instantly learn the visitor's IP address and country location when someone lands on their site.
This can happen on websites without HTTPS connections, which encrypt data from a device to its destination. This is why you should avoid visiting sites without HTTPS security certificates (the green lock icon shown beside a website's name in Google Chrome).
Spear Phishing
In spear phishing, one particular high-value person is singled out and targeted with emails crafted using information already known about them. Before the attack, all relevant information about the target is mined from their social media profiles and online activities. Then emails are sent in which the hackers impersonate a person known to the target and try to obtain the information needed to carry out a big heist.
Spear phishing can be very dangerous and has proved extremely efficient at exploiting vulnerabilities in a security system. Users often end up revealing all the necessary information to a fake person (the phisher).
Whaling
In the world of phishing, "whales" are those persons whose titles begin with "C", such as CEOs, COOs, and CTOs.
They are high-level employees who have access to extremely important data about the enterprise. Research is done in advance to gather relevant information about these persons from their profiles, and then they are targeted.
Nowadays, financial organizations such as banks, payment systems, cryptocurrency exchanges, and mobile wallets are at significant risk from phishing attacks. However, e-commerce and technology companies also remain soft targets for adversaries and hackers. Phishing attacks can be stopped only by spreading awareness among employees, using phishing protection services, and updating all security regimes, firewalls, and security controls and configuring them properly.