COMPTIA Security+ Tutorial: Module 03,Part 02 – PHISHING


Phishing is an attack in which the attacker tries to obtain private credentials or other sensitive information by masquerading as a reputable entity or person in email, instant messaging, or other communication channels.

A phishing attempt starts with the victim receiving a message that appears to come from a known contact or organization. Attachments or links included with the email may install malware on the user's device, or the message may trick the user into divulging personal and financial information such as passwords or credit card details.

For cyber criminals it is easy to trick someone into clicking a malicious link and breaking through the computer's security. The use of subdomains and misspelled URLs is a common trick: the URLs are built from look-alike characters so that they read exactly like the trusted domain.

Phishing techniques commonly used by attackers:

  • Embedding a link in the mail that redirects the user to an insecure website.
  • Installing a Trojan via a malicious email attachment.
  • Spoofing the sender address of an email so that it appears to come from a reputable source.
  • Attempting to obtain company information by impersonating a known vendor or the IT department.

Internet users need to protect their computers and data from such phishing scams. Here are some ways to spot phishing emails.

  • The email has improper spelling or grammar: This is the most common sign of a phishing attack, so look at it closely. Such emails come from illegitimate sources.
  • The hyperlinked URL differs from the one shown: A phishing email tries to force you to click a link by claiming that your account has been put on hold. To be safe, don't click the link in the email; instead, log on to the website directly and check your account status.
  • The email says you have won a contest you never entered: Another very common phishing scam is an email informing the recipient that they have won a lottery. It comes with a link, and clicking it asks you to provide your personal details.
  • The email pressures you to enter personal information: Fake identities or malicious users pretending to be a legitimate source ask for personal information such as a bank account number.
  • The email asks you to make a donation: Scam artists find it easy to invite people to contribute to donations.
  • The email contains suspicious attachments: It is unusual for a legitimate organization to send you an attachment unless you have requested it.
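The two URL tricks described above (a trusted name hidden inside another domain, or a look-alike spelling, and link text that does not match the real link target) and the spoofed or mismatched sender address are all things a mail gateway or a help-desk triage script can check mechanically. The following Python script is an added example, not part of the tutorial: it parses one raw message, compares the From and Reply-To domains, extracts every link from the HTML body, compares the hostname shown in the link text with the hostname the link actually points to, and flags hosts that imitate a trusted domain. The trusted-domain list, the sample message and the confusable-character table are constructed for this example.

```python
"""Phishing e-mail triage helper (added example; the trusted domains and the
sample message below are constructed for illustration)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the organization treats as legitimate.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Digits and symbols commonly substituted for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})

# Hostname-looking token inside visible link text (e.g. "https://example-bank.com/verify").
HOST_RE = re.compile(r"(?:[\w-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host):
    """Last two labels of a hostname; good enough for .com/.net style names."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if it is genuine."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return None  # the trusted site itself, or a real subdomain of it
    for t in trusted:
        if t in host:                         # trusted name used as a subdomain
            return t
        if edit_distance(reg, t) <= 1:        # one-character misspelling
            return t
        if reg.translate(CONFUSABLES) == t:   # digit-for-letter substitution
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def header_domain(value):
    """Domain part of an address header such as From or Reply-To."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else None


def triage(raw_message):
    """Return a list of warnings for one raw RFC 822 message (empty if nothing found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    from_dom, reply_dom = header_domain(msg["From"]), header_domain(msg["Reply-To"])
    if from_dom and reply_dom and registrable_domain(from_dom) != registrable_domain(reply_dom):
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return warnings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(href_host):
            warnings.append(f"link text shows {shown.group(0).lower()} but points to {href_host}")
        imitated = lookalike_of(href_host)
        if imitated:
            warnings.append(f"{href_host} looks like {imitated}")
    return warnings


# Constructed sample message exhibiting the tricks discussed in the tutorial.
SAMPLE = """From: Example Bank Security <alerts@example-bank.com>
Reply-To: support@mail-examplebank.net
To: user@example.com
Subject: Your account has been put on hold
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is on hold. Verify now:</p>
<a href="http://example-bank.com.secure-login.net/verify">https://example-bank.com/verify</a><br>
<a href="http://examp1e-bank.com/login">Log in</a><br>
<a href="https://example-bank.com/help">Help centre</a>
</body></html>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("WARNING:", line)
```

Running the script prints four warnings for the sample: the Reply-To mismatch, the link whose text shows `example-bank.com` but points at `secure-login.net`, that same host flagged for carrying the trusted name as a subdomain, and `examp1e-bank.com` flagged as a misspelling. The genuine `example-bank.com/help` link produces nothing. The checks are deliberately simple (a two-label registrable-domain rule and a small confusables table); a production gateway would use the public suffix list and a fuller Unicode confusables table.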

Here are a few steps that you or your company can take to protect against phishing.

  • Companies should arrange employee training and conduct sessions with mock phishing scenarios.
  • The company or its users should deploy a spam filter that detects viruses, blank senders, etc.
  • Systems should have antivirus installed with scheduled signature updates, and the antivirus status should be monitored on all equipment.
  • Keep all systems current with the latest security software and updates.
  • Develop a security policy that is not limited to password expiry or complexity.
  • Use a web filter to block malicious websites.
  • Encrypt all sensitive information.
  • Convert HTML email into text-only messages, or disable HTML email.
  • Require encryption for employees who are telecommuting.

Phishing attacks directed at specific individuals or companies are called spear phishing attacks, while those that target senior executives within an organization are termed whaling attacks.

Phishers nowadays use social networking sites and other sources to gather authentic information such as a target's background, history, interests, and activities. Targeted attacks, or Advanced Persistent Threats, start with a spear phishing email that contains malicious links or attachments.