Nexix Security Labs
What Is a Phishing Attack? How It Works and Types
Phishing is the practice of obtaining a target's sensitive information, such as a username, password, email ID, mobile number, bank details, or credit and debit card details, by posing as a trustworthy entity.
It works as follows: the attacker first creates a fake website and sends a link to it to the victim. The victim enters their credentials, trusting the site, and the attacker thereby obtains them. PayPal, Netflix, Microsoft, Facebook, eBay, Amazon, DHL, Roblox, LinkedIn, etc. are among the brands most commonly impersonated by attackers.
How does Phishing work?
Phishing begins with a fake email or other form of contact intended to lure a target. The message is designed to appear as though it came from a known sender. If the victim is duped, he or she is persuaded to provide sensitive information, usually on a fake website. Sometimes malware is also downloaded onto the target's computer.
Analysis of the last 6-7 years shows that criminals' phishing skills have become steadily more polished. Examples such as John Podesta being successfully tricked into giving up his Gmail password, or employees at the University of Kansas responding to a phishing email back in 2016, bear this out. One reason behind the success of phishing attacks is the availability of numerous phishing kits on the dark web. Sites such as PhishTank and OpenPhish maintain lists of known kits. A kit is used as described below:
The legitimate website is cloned.
Its login page is then modified to include a credential-stealing script.
The modified files are packed into a zip file, which is the phishing kit.
The phishing kit is uploaded to a hacked site and unzipped there.
Finally, emails are sent containing links that point to the spoofed website.
Types of Phishing Attacks
There are 5 basic types of phishing attack:
Email Phishing: This involves registering a fake domain that resembles a legitimate firm's and sending large numbers of generic requests from it. Common tricks include substituting look-alike characters, such as replacing 'm' with 'rn', and putting the firm's name in the local part of the email address so that only the firm's name appears as the sender's name.
Spear Phishing: In this type, malicious emails are sent only to specific people. Information such as the name, workplace, and work email of these people is already in the attacker's hands beforehand.
Whaling: This focuses on impersonating senior staff. Here, tax return forms are a major medium for stealing information, as they contain a significant amount of useful detail.
Smishing and Vishing: Using text messages to extract details is smishing, while using telephone calls for the same purpose is vishing. Criminals posing as fraud investigators are a common vishing scam.
Angler Phishing: Pretending to be a customer service account on social media in order to tempt victims into sharing their personal information is known as angler phishing.
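The look-alike sender domains described under email phishing above (such as 'rn' standing in for 'm') can be screened automatically at the mail gateway. The following is an added example written for this article, not code from Nexix Security Labs; the protected-domain list, the confusable table and the sample headers are assumptions and would be tuned per organisation.

```python
import re
from typing import List

# Hypothetical list of brand domains this organisation wants to protect.
PROTECTED_DOMAINS = ("paypal.com", "microsoft.com", "netflix.com")

# Small, illustrative set of visually confusable substitutions; extend for your environment.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Loosely parses 'Display Name <local@domain>' or a bare 'local@domain'.
FROM_RE = re.compile(r'\s*(?:"?([^"<]*)"?\s*)?<?([^<>@\s]+)@([^<>\s]+)>?\s*$')


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'rnicrosoft.com' compares as 'microsoft.com'."""
    folded = domain.lower().strip()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as 'paypall.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(header: str) -> List[str]:
    """Return the reasons a From: header looks like brand impersonation (empty list = clean)."""
    match = FROM_RE.match(header)
    if not match:
        return ["unparseable From header"]
    display = (match.group(1) or "").strip().lower()
    local, domain = match.group(2).lower(), match.group(3).lower()
    if domain in PROTECTED_DOMAINS:
        return []  # genuine protected domain: nothing to flag at this layer
    folded, reasons = normalize(domain), []
    for real in PROTECTED_DOMAINS:
        brand = real.split(".")[0]
        if folded == real:
            reasons.append(f"domain {domain} folds to protected {real}")
        elif levenshtein(folded, real) <= 1:
            reasons.append(f"domain {domain} is one edit from {real}")
        if brand in display or brand in local:  # brand name shown, but domain is not the brand's
            reasons.append(f"brand '{brand}' in display/local part but domain is {domain}")
    return reasons
```

A message that trips any of these checks is a candidate for quarantine or a warning banner rather than outright rejection, since legitimate partner domains can also sit one edit away from a protected one.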
How to prevent Phishing?
Both individuals and businesses must take steps to protect themselves from phishing attacks.
For individuals, vigilance is key. A spoofed message frequently contains minor errors that reveal its true origin, such as spelling mistakes or altered domain names visible in the URL. Users should also ask themselves why they are receiving such an email.
For Enterprises, a number of steps can be taken to mitigate phishing attacks:
Two-factor authentication (2FA), which provides an extra layer of verification when logging in to important apps, is the most effective approach for preventing phishing scams.
Organizations should implement strong password practices in addition to deploying 2FA.
To conclude, phishing can largely be prevented by studying past examples. Additionally, always check the spelling of URLs in email links before clicking; if an email comes from a suspicious source, try to contact that source through another channel; and use non-dictionary passwords and password managers such as LastPass, 1Password, etc. Also, avoid posting personal details on social media. Within a firm, sandboxing inbound emails, penetration testing to find weak areas, etc. can be implemented for prevention. Though not completely, these attacks can thereby be reduced to a major extent.
For more information visit us on: www.nexixsecuritylabs.com
To schedule an audit you can contact us on: firstname.lastname@example.org
Your Security | Our Concern