Phishing Attack.
What is a phishing attack?
A phishing attack happens when an attacker, impersonating a trusted entity (a colleague, a senior, a known non-profit, a reputed company, etc.), tricks the victim into opening an email, message or chat, or into clicking a malicious link. By doing so, victims may:
- Divulge sensitive information
- Wire money to the phishers
- Download malicious attachments
- Install malware on their device
- Distribute malware to other devices in the network
- Make unauthorized purchases, and so on.
How Does Phishing Work?
People will not divulge their personal information to anyone and everyone. So, phishers take extra effort to lure victims into accomplishing the phishers' end goals, for instance by spending weeks or months building a fake social media persona or researching the victims extensively. Typically, phishers craft communication (SMS, email, voice-based content, social media accounts, etc.) that creates a sense of urgency or panic, or instils fear, in the recipients.
In the least sophisticated attacks, users are not redirected to another website; only simple actions, such as clicking a link, are sought from victims.
In more sophisticated attacks, readily available phishing kits are used. These kits enable phishers with minimal technical skills to orchestrate phishing attacks easily, from gathering mailing lists to spoofing legitimate brands and setting up fake websites.
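The indicators described above (a spoofed brand in the sender name, a lookalike domain, a mismatched Reply-To, urgency language, links that do not point at the brand's real site) are exactly what a mail filter can score. The following Python is an added example, not code from the original post: it scores three constructed sample messages against a constructed brand list (the domains, addresses and thresholds are assumptions chosen for illustration) and returns a verdict a filter could act on.

```python
import email.utils
import re
from urllib.parse import urlparse

# Brands this organisation cares about, mapped to the domain that legitimately
# sends their mail. Constructed example data, not taken from the post.
TRUSTED_BRANDS = {
    "example bank": "example-bank.com",
    "example corp": "examplecorp.com",
}

# Phrases that create the "urgency/panic" the post describes.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours",
                 "verify now", "act now", "final notice")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages: the header fields and body a filter would see.
SAMPLE_MESSAGES = [
    {   # brand spoof + lookalike domain + urgency + off-brand link
        "from": "Example Bank Support <alerts@examp1e-bank.com>",
        "reply_to": "",
        "body": "Your account will be suspended within 24 hours. Verify now: "
                "http://examp1e-bank.com/verify",
    },
    {   # legitimate statement notice from the real domain
        "from": "Example Bank <noreply@example-bank.com>",
        "reply_to": "",
        "body": "Your monthly statement is available at "
                "https://example-bank.com/statements",
    },
    {   # executive impersonation from a webmail domain (whaling/spear phishing)
        "from": "Example Corp CEO Jane Doe <jane.doe@webmail.example>",
        "reply_to": "",
        "body": "I need you to wire the vendor payment immediately, it is urgent.",
    },
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lowercased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more phishing indicators."""
    score, reasons = 0, []
    display, address = email.utils.parseaddr(msg["from"])
    from_dom = sender_domain(address)
    display_l = display.lower()

    # 1. A brand is named in the display name but mail comes from another domain.
    for brand, real_dom in TRUSTED_BRANDS.items():
        if brand in display_l and from_dom != real_dom:
            score += 3
            reasons.append(f"display name claims '{brand}' but sender domain is {from_dom}")
            # 2. Is that other domain a close imitation of the real one?
            if from_dom and levenshtein(from_dom, real_dom) <= 2:
                score += 2
                reasons.append(f"{from_dom} is a lookalike of {real_dom}")

    # 3. Reply-To pointing somewhere other than the sending domain.
    _, reply_addr = email.utils.parseaddr(msg.get("reply_to", ""))
    reply_dom = sender_domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        score += 1
        reasons.append(f"Reply-To domain {reply_dom} differs from {from_dom}")

    # 4. Urgency language in the body (capped so wording alone cannot dominate).
    body_l = msg["body"].lower()
    hits = [t for t in URGENCY_TERMS if t in body_l]
    if hits:
        score += min(len(hits), 2)
        reasons.append("urgency terms: " + ", ".join(hits))

    # 5. Links whose host is not the claimed brand's real domain or a subdomain of it.
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        for brand, real_dom in TRUSTED_BRANDS.items():
            if brand in display_l and not (host == real_dom or host.endswith("." + real_dom)):
                score += 2
                reasons.append(f"link host {host} is not {real_dom}")
    return score, reasons


def verdict(msg: dict) -> str:
    """Map the score to a filter action; thresholds are illustrative assumptions."""
    score, _ = score_message(msg)
    return "quarantine" if score >= 5 else "flag" if score >= 2 else "deliver"


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        s, why = score_message(m)
        print(f"{verdict(m):10} score={s:2}  {m['from']}")
        for r in why:
            print("    -", r)
```

The scoring deliberately weights the identity mismatch (who the mail claims to be versus where it comes from) above the wording, because urgency phrasing also appears in legitimate notices; a filter that keys only on words is easy to evade and noisy.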
Types of Phishing Attacks
- Email phishing scams: Fraudulent messages sent out in bulk to random users through email.
- Spear phishing: A highly targeted form of phishing, aimed at specific users.
- Whaling: Big fish such as CEOs or other high-level executives are targeted on the basis of in-depth profiling.
- Smishing: Phishing carried out through fraudulent SMS alerts.
- Vishing: Phishing orchestrated through phone calls or other voice-based media.
- Pharming: Victims are redirected to fraudulent websites by means of DNS cache poisoning.
- Social media phishing: Social media platforms are used as the channel for the attack.
How to Prevent Phishing?
1. Extensive and Continuous User Education:- Phishing prevention best practices dictate that all users and stakeholders (employees, customers, end users, partners, etc.) must be continuously and extensively educated through a structured anti-phishing program.
2. Multi-Factor Authentication (MFA):- MFA is a simple technical barrier that adds extra layers of verification over and above the username and password: for instance, entering an OTP sent to a registered mobile number, presenting a physical token, or using biometrics.
3. Effective Password and Access Management Policies:- Apart from MFA, effective password and access management policies must be enforced by every organization: for instance, clearly defined user roles and privileges, frequent changing of passwords, barriers to password reuse, and so on.
4. Security Testing:- Another important phishing prevention measure is to conduct security testing and pen-testing. This shows organizations how aware of phishing their users are and how well equipped they are to handle it.
By Shubham Sharma.
Comments
- Nice article
- Nice
- Very well written
- Nice article 👍👍
- Nice Blog