What is a phishing attack?
The term "phishing" is well established in the IT context. It refers to a malicious and growing class of cyberattacks on the web. Attackers steal users' essential credentials, such as usernames, passwords, bank account information, credit card details, or any other vital data, and then use the stolen information for monetary gain or sell it on the market.
After reading this article, you will be able to understand:
- Modus Operandi
- Different types of Phishing attacks
- Account Deactivation scam
- Advanced Fee Scam
- Website Forgery scam
- What is Spear phishing?
- What is Clone Phishing?
Hackers use phishing to trick the victim into taking specific actions that benefit the attacker. These attacks range from simple to complex, but they are preventable with proper awareness.
Phishing can also take a more complex form in which attackers do not attack the target directly but instead rely on cross-site scripting or on-path attacks. This type of attack usually arrives via email or SMS and can be broken down into different categories. One need not work in IT to understand these dangers, but every ordinary user of digital platforms and mobile devices benefits from knowing the different phishing attack vectors so that they can be spotted whenever they appear.
Different types of Phishing attacks
Account Deactivation scam
Attackers use this method by creating urgency: they inform the target that an important account will be deactivated, thus tricking the target into handing over crucial credentials. For example, an attacker sends the victim an email from an address that appears to belong to a legitimate and established institution such as a bank. The deceptive mail claims that the user's account will be deactivated if immediate action is not taken. The attacker then requests the username and password of the victim's bank account to prevent deactivation. Once the victim gives up the details, the account is quickly compromised and the damage is done. In a variant of this trick, victims are redirected to a fake website resembling the bank's, where their credentials are captured.
To prevent this type of attack, users should separately and directly go to the bank's own website and check whether there is any similar notification about deactivation. One should always check the URL bar and see whether the website is secure or not. No reputable institution asks for usernames and passwords without securing its website, so one should always avoid unsecured websites.
Advanced Fee Scam
This is a type of scam popularized over the years by the "Nigerian prince", who supposedly held a family will donating millions of dollars to anyone who responded to his email. The catch was that the responder had to pay a small fee upfront.
Unsurprisingly, once somebody paid the fee, the millions of dollars never arrived and the sender could no longer be contacted. Many victims fall for this out of greed and a lack of common sense. Why would anybody send mass emails to give away a large amount of money in today's world?
The best way to mitigate these and similar too-good-to-be-true emails is simply not to respond to the request, whether by email or by message. If one is not sure, one can always search the web for the theme of the request; such searches often turn up information about the scam.
Website Forgery scam
This scam is usually paired with other scams, such as the account deactivation scam. In this case, the attacker creates a fake website that looks legitimate to the victim, for example a bank's website.
When the user visits the web page through a phishing email, a hyperlink, or a search engine, any information the victim enters into the fake website is collected. The attackers then misuse that information for monetary benefit. Nowadays, creating identical-looking websites is an example of craftsmanship in digital web design. One should check the URL in the web browser; with that habit it is fairly easy to spot a fraud.
If a URL looks different from the expected one, one should be alert. If the page is listed as insecure and there is no sign of HTTPS, that is the first red flag and a strong sign that the site is either broken or involved in a phishing attack.
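The URL checks described above (missing HTTPS, a host that is not the expected domain, a trusted name buried inside another domain, or a look-alike spelling) can be codified. This is an added example, not code from the original article; the allow-list of bank domains, the look-alike character table and the two-label "registrable domain" rule are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list of domains the user actually banks with (assumption).
KNOWN_DOMAINS = ("examplebank.com", "example-credit.org")

def normalize(label):
    """Fold common look-alike swaps so 'examp1e' and 'exarnple' compare equal to 'example'."""
    label = label.translate(str.maketrans("01357", "olest"))
    return label.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Edit distance; a small value between two domains suggests a deliberate look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels only; assumption: no public-suffix list available offline."""
    return ".".join(host.split(".")[-2:])

def url_red_flags(url):
    """Return the red flags the article describes, in a fixed order; empty means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("no-https")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if parts.username is not None:          # e.g. https://examplebank.com@evil.example/
        flags.append("userinfo-in-url")
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:                # exact match on the registrable domain: genuine
        return flags
    for known in KNOWN_DOMAINS:
        if known in host:                   # trusted name buried inside another domain
            flags.append("known-name-in-subdomain:" + known)
        elif levenshtein(normalize(reg), normalize(known)) <= 2:
            flags.append("lookalike:" + known)
    return flags
```

The check is deliberately conservative: an exact match on the registrable domain is trusted, and anything else is compared against every known domain.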
What is Spear phishing?
It is currently the most used and most effective type of attack. Here the attacker directs attacks at specific individuals and companies, hence the term spear phishing. The attacker gathers enough details about a particular target, such as browsing or purchase history, and then launches a personalized scam. Ninety percent of the attacks are caused by this method.
What is Clone Phishing?
Clone phishing mimics a previously delivered, genuine email. By modifying its links or attached files, attackers trick the victim into opening a malicious website or file. For example, the attacker takes the legitimate email, attaches a malicious file with the same name as the original attachment, and resends the email to the victim from a spoofed address. The email appears to come from the original sender, and the victim, convinced by the earlier communication, is tricked into taking action.
What is whaling?
Attacks directed at privileged users and senior executives within businesses are called whaling. These attacks are targeted, with content likely to demand the victim's attention, such as organizational issues. A typical example is a scam mail that appears to come from a senior executive of the organization.
For example, an email request appears to come from the CEO to an employee in the finance department, requesting an immediate transfer of money for official purposes. Lower-level employees do not go against the order, out of fear and respect, and in the process are fooled into believing in the importance of the request. Since the request came from the top executive, they do not try to cross-check it by going over the sender's head. By executing the request, large sums of money are transferred to the attacker.
Such requests are innovations by attackers that exploit the victim's psychology. The easiest way to counter such scams is to cross-check, professionally and diplomatically, with the purported sender of the email. If it is a scam, the legitimate person will confirm it.
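The whaling pattern described above (an executive's name on an outside mailbox, replies redirected elsewhere, and pressure to pay immediately) can be screened for in mail headers before anyone acts on the request. This is an added example, not code from the original article; the executive directory, the urgency word list and the sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives whose names attackers like to borrow (assumption).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "transfer")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def whaling_indicators(raw):
    """Header checks a mail gateway or analyst can apply before acting on a 'CEO' request."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    flags = []
    expected = EXECUTIVES.get(" ".join(name.split()).casefold())
    if expected and addr.lower() != expected:          # real exec's name, someone else's mailbox
        flags.append("exec-name-on-external-address")
    if reply and domain_of(reply) != domain_of(addr):  # replies silently leave the company
        flags.append("reply-to-domain-mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(w in (msg.get("Subject", "") + " " + body).lower() for w in URGENCY_WORDS):
        flags.append("payment-urgency-language")
    return flags

# Constructed sample messages (not real mail); the domains are documentation placeholders.
FRAUD = """From: "Jane Doe" <jane.doe@webmail-example.net>
To: payments@example.com
Subject: Urgent wire transfer

Please transfer 48,000 USD immediately; I am in a meeting and cannot talk.
"""
SPOOFED_REPLY_TO = """From: "Jane Doe" <jane.doe@example.com>
Reply-To: <j.doe.office@webmail-example.net>
To: payments@example.com
Subject: Vendor payment

Approve the attached invoice today.
"""
GENUINE = """From: "Jane Doe" <jane.doe@example.com>
To: payments@example.com
Subject: Q3 planning notes

Slides for Thursday are on the shared drive.
"""
```

The second sample shows why the From address alone is not enough: a forged From header can match the executive exactly while the Reply-To quietly points replies elsewhere.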