A Phishing Attack is a hacking technique that makes use of social engineering tactics that compel a person to perform an action that goes against their personal and best interests. Phishing attacks are one of the earliest forms of hacking used worldwide since the advent of the Internet. The first phishing attacks were carried out by cybercriminals in the mid-1990s where they stole credit card information and passwords using the AOL service.
There are many types of phishing attacks, from which we will be discussing some of the most common ones in this blog. With each attack type, we will also share tips on how to identify it.
Email Phishing
This is the most common type of phishing attack where cybercriminals use emails to mimic a recognized and genuine organization or brand by creating a fake domain with an almost identical name. Then generic requests are sent to customers using that domain. These requests can ask the receiver to either download a malicious file or click on a link that has been designed to capture their personal and financial information.
To identify email phishing attacks, look for the following signs:
- Shortened URLs
- Little text content in the email body
- Website URL with suspicious characters (for example, 0 in place of o)
Spear Phishing
Spear phishing also makes use of email but has a more targeted approach. Open-source intelligence (OSINT) is leveraged by cybercriminals to get access to information already available on public or published sources like company websites or social media platforms. Using this information, cybercriminals can target individuals within an organization by using real information such as names, job roles, or work contact numbers. This makes the recipient believe that the communication received is from one of their colleagues and they end up performing the action requested in the email.
The following signs signal towards a spear-phishing attack:
- Abnormal requests that don’t seem ordinary from the perspective of the job role
- URLs to shared folders on cloud storage
- Password-protected documents might be a way to get access to your login information
Whaling
Whaling is another phishing attack type that makes use of OSINT and is targeted towards trapping the C-level executives (CEO, CMO, CFO, COO, CTO) of a company. Whaling emails are oriented towards making the C-level executive believe that the company is in trouble and some details pertaining to taxation or banking are required. Both tax and banking details are highly valued in the cybercriminal world.
Ways to identify a whaling attack:
- Check for email addresses that are outside of your work domain
- Abnormal request for divulgence of information
Vishing
Also known as voice phishing, this technique employs the use of phone calls where a cybercriminal acts as a governmental or an organizational representative and subtly coerces the recipient into believing that they are in trouble. Once the recipient is convinced, they are mostly willing to pay or share important information to resolve the issue. This technique is highly favored by call centers working in a scam process.
Vishing attacks can be identified by the following signs:
- Caller number
- Timing of the call coinciding with stressful situations
- Caller requesting for personal information or payment outside normal
Angler Phishing
In this mode, the cybercriminal uses a social media application to send a direct message or a notification to another user and shares some information that entices the recipient into taking an action against their best interest. Angler phishing is a relatively new mode of phishing.
Angler phishing can be identified by:
- Suspicious notifications where you are added to a post or a community or you get unidentified URLs to visit
- Direct messages from users who are not active on the platform
- Links to websites in direct messages
Conclusion
With numerous phishing techniques available to cybercriminals, it has become a necessity to be ever vigilant while using tools that connect to the internet or mobile devices. With some preventive measures, you can safeguard your personal and financial information from possible phishing attacks.