PHISHING: A SOCIAL ENGINEERING TECHNIQUE AND WAYS TO DEAL WITH IT
In this era, where the world cannot be imagined without technology in every facet of banking, the biggest challenge that needs to be addressed is the range of social engineering techniques used with mala fide intent, which cost people their hard-earned money. Social engineering techniques are used to cheat people in various ways, such as phishing, baiting and spoofing.
PHISHING
As the word phishing sounds like fishing, its meaning can be derived from that. In fishing one attempts to catch fish by luring them with some curious item; similarly, in phishing a scamster tries to lure the prospective victim over e-mail, phone call, etc. Phishing is one of the various social engineering techniques used by cyber criminals to trick and deceive people. The term phishing dates back at least 25 years to the days when AOL was a big internet service provider. Some users would pretend to be AOL staff in chat rooms and trick other users into sharing passwords and credit card numbers. This was sometimes referred to as fishing for information (i.e. phishing). The first use of the term phishing seems to be from a hacker called Koceilah Rekouche, who developed an automated tool for tricking users in 1995. As a nod to the existing term phreaking, which related to people who played with, reverse engineered and hacked the telephone network, he called this automated fishing, or phishing.
Phishing is a cybercrime in which a target or multiple targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, passwords or the PIN of a card. The information is then used to access important accounts and can result in identity theft and financial loss.
Some common features of phishing mails are:
- Catchy subject lines: Phishing campaigns typically aim to instill a sense of urgency using intense language and scare tactics, starting with the email’s subject line. Common themes among phishing emails are that something sensitive, such as a credit card number or an account, has been compromised. This is done to induce the recipient into responding quickly, without recognizing the signs of a scam.
- The message might use sub-domains, misspelled URLs (also known as typosquatting) or otherwise suspicious URLs.
- The message might come from a public email address rather than a corporate email address.
- The message might be written to invoke fear or a sense of urgency, so that the receiver makes a mistake without verifying the authenticity of the source.
- The message includes a request to share and verify personal information, such as financial details or a password.
- The message is poorly drafted, with improperly framed sentences and spelling and grammatical errors.
WAYS OF PHISHING ATTACKS
Scams based on payments through digital channels
If a user is unsure of how to spot a fraudulent online-payment phishing email, there are a few details to look out for. Generally, a phishing email of this kind is known to include:
Dodgy greetings that do not include the victim’s name. Official emails from a company will always address users by their actual name or business title. Phishing attempts in this sector tend to begin with “Dear user,” or use an email address instead.
In the case of some online payment services, some of these scams “alert” their potential victims that their account will soon be suspended. Others claim that users were accidentally “overpaid” and now need to send money back to a fake account.
Downloadable attachments are not something that companies send to their users. If a person receives an email from a company or a similar service that includes an attachment, they should not download it.
If a person receives one of these emails, they should open their payment page in a separate browser tab or window and check whether their account has any alerts. If a user has been overpaid or is facing suspension, it will say so there. Additionally, payment wallets and companies urge users to report any suspicious activity to them, so they can continue to monitor these attempts and prevent their users from getting scammed.
Attacks based on financing
These are common forms of phishing, operating on the assumption that victims will panic into giving their personal information to the scamster. Usually, in these cases, the scammer poses as a bank or other financial institution. In an email or phone call, the scammer informs the potential victim that their security has been compromised. Often, scammers use the threat of identity theft to do just that.
Suspicious emails about money transfers are used to confuse the victim. In these phishing attempts, the potential victim receives an email that contains a receipt or rejection notice regarding a debit transaction. Often, the victim who sees this email will instantly assume fraudulent charges have been made on their account and click a mala fide link in the message. This leaves their personal data vulnerable to being mined.
Direct deposit scams are often used on new employees of a company or business. In these scams, the victims receive a mail saying that their login information is not working. Anxious about not getting paid, the victims click a “phishing” link in the email. This leads the victim to a spoof website that installs malware on their system. From there, their banking information is vulnerable to harvesting, leading to fraudulent charges.
Work-related phishing
This type of scam can be very personalized and hard to spot. In these cases, an attacker purporting to be the recipient’s boss, CEO or CFO contacts the victim and requests a wire transfer or a fake purchase.
One work-related scam that has been popping up around businesses in the last couple of years is a ploy to harvest passwords. This scam often targets executive-level employees, since they are unlikely to consider that an email from their boss could be a scam. The fraudulent email often works because, instead of being alarmist, it simply talks about regular workplace subjects. Usually, it informs the victim that a scheduled meeting needs to be changed.
From there, the employees are asked, via a link, to fill out a poll about a good time to reschedule. That link then brings the victim to a spoof login page resembling the likes of Office 365 or Microsoft Outlook. Once they have entered their login information, the scammers steal their password.
TYPES OF PHISHING
EMAIL PHISHING
Malicious actors send emails to users impersonating a known brand, leveraging social engineering tactics to create a heightened sense of urgency, and then lead people to click on a link or download an asset.
The links traditionally go to malicious websites that either steal credentials or install malicious code, known as malware, on a user’s device. The downloads or links sent by email have malicious content embedded in them that installs the malware once the user opens the document.
For example, suppose you get an email message from your bank warning you that your savings and checking accounts have been locked because of suspicious withdrawals. That email might ask you to click on a link embedded in the message to verify your identity and keep your account open.
Don’t fall for this trick. The odds are that the email is an example of phishing: an attempt by scammers to trick you into providing personal or financial information that they can then use to steal money from your bank accounts or make fraudulent purchases with your credit cards. If you do click on a link in a phishing email, you’ll usually be taken to a new web page that looks like it belongs to your bank or credit card company. That page will ask you for your personal and financial information, maybe your account numbers or login credentials, like your username and password. Once the scammer behind this bogus page gets that sensitive personal information of yours, they can easily access your financial accounts.
Phishing is a form of social engineering: phishers pose as a trusted organization to trick you into providing information. Remember, your bank or credit card provider will never ask you to provide account information online. When an email seeks this sort of information, it is a clear sign of a scam.
VISHING
Voice phishing, or “vishing,” happens when a cybercriminal calls a phone number and creates a heightened sense of urgency that makes a person take an action against their best interests. These calls normally occur around stressful times. For example, many people receive fake phone calls from people purporting to be a banker or from the bank’s call centre, saying that they want to renew the person’s credit or debit card, which is about to expire, and need the card number, PIN and the OTP sent to the mobile. Because the call creates a sense of panic and urgency, the recipient can be tricked into giving away personal information.
SMISHING
The word is derived from SMS + phishing, which indicates that it is phishing done using SMS as the mode of deception. Smishing is a type of phishing where someone tries to trick you into giving them your private information via a text or SMS message.
Smishing is a social engineering technique where a fraudster asks you to share your personal information. This tactic leverages your trust in order to obtain your information. The information a smisher is looking for can be anything from an online password to your Social Security Number to your credit card information. Once the smisher has that, they can often start applying for new credit in your name. That’s where you’re really going to start running into problems. Smishing is basically sending texts that request that a person take an action. Most often, the text will include a link that, when clicked, installs malware on the user’s device.
For example, most common smishing attacks use brand names with links purporting to be to the brand’s site. Usually, an attacker will tell the user that they’ve won money, or provide a malicious link purporting to be for tracking packages. The link typically points to a site hosting malware or prompts the user to log in to their account. The authentication page is not on the official site, but it is more difficult to see the full URL in a smartphone browser, and many users won’t bother checking. Smishing attackers use a message that a user might be expecting. Others lure victims with promises of prize money if they enter private information.
SPEAR PHISHING
Spear phishing is a campaign purposefully built by a threat actor with the goal of penetrating one organization, for which they will thoroughly research names and roles within the company. Some targeted campaigns involve documents containing malware or links to credential-stealing sites, to steal sensitive information or valuable intellectual property, or simply to compromise payment systems.
The effectiveness of spear phishing comes down to a combination of both technical and psychological reasons. Spear phishing emails are quite hard to detect because they are so targeted. They look like normal business emails with normal business chitchat, so it is really hard for spam detection systems to realize it’s not a genuine email. Spear phishers exploit this because you don’t want your spam protection blocking genuine emails, as end users get frustrated and business processes start to break down. One of the most common spear-phishing traits involves exploiting a sense of urgency.
Combining the data gained from an organization’s team page, a LinkedIn profile, a Twitter profile and a Facebook profile, a criminal can usually build quite a detailed picture of their victim. They might use your name, information about where you work, who you bank with, a recent payment you’ve made, information about your family and friends, and any other private information they can find.
For example, suppose the data of employees of company XYZ is hacked and a mail about gift vouchers, presented as a performance bonus from higher management, is sent to a particular category of employees. Since the target group is fixed, this comes under the category of spear phishing.
WHALING
A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at that organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. Also known as CEO fraud, whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money.
Whereas phishing scams target non-specific individuals and spear-phishing targets particular individuals, whaling doubles down on the latter by not only targeting those key individuals, but doing so in a way that the fraudulent communications they are sent appear to have come from someone specifically senior or influential at their organization. Think of them as “big phish” or “whales” at the company, such as the CEO or finance manager. This adds an extra element of social engineering into the mix, with staff reluctant to refuse a request from someone they deem to be important.
The sender’s email address typically looks like it’s from a believable source and may even contain corporate logos or links to a fraudulent website that has also been designed to look legitimate. Because a whale’s level of trust and access within their organization tends to be high, it is worth the cybercriminal’s while to put extra effort into making the endeavor seem believable.
CLONE PHISHING
A clone phishing attack uses a legitimate or previously sent email that contains attachments or links. The clone is a near copy of the original in which the attachments or links are replaced with malware or a virus. The email is typically spoofed to appear as if sent by the original sender and will claim to be a simple re-send. What’s worse, the email is sent out to a large number of recipients and the attacker just waits for the victims who click it. When a victim succumbs to the cloned email, the attacker forwards the same forged email to the contacts in the victim’s inbox. This type of attack is considered the most harmful because it is hard for victims to suspect a spoofed email.
Examples of clone phishing can be mails like:
- An email sent from a spoofed email address intended to trick the recipient into thinking it is from a legitimate sender.
- An email containing a link or attachment that has been replaced with a malicious link or attachment.
- An email or message that claims to be a re-send of an email from a legitimate sender but is updated in some way.
WAYS TO AVOID PHISHING
Training and Awareness Campaign
Staff of companies should be trained and made aware of phishing techniques at regular intervals. To create awareness among customers and the general public, various awareness campaigns should be run about the phishing techniques used by scamsters and how to stay alert to avoid deception by social engineers.
Use email filters
It is suggested that sensitive files be sent in PDF format rather than as Word documents, as PDF files generally cannot carry executable virus code, whereas document files might. Although normally associated with “spam filters,” email filters can also scan for additional risks indicating an attempted phishing attack. For example, cybercriminals often hide malicious code in a PDF’s active content, the coding that enables things like readability and the file’s editable nature. Finding the right email filtering solution can help reduce the number of risky phishing emails that make it through to users.
Install website alerts in browsers
Protecting against malicious websites is more important than ever. Recognizing that organizations are filtering emails more purposefully, cybercriminals now target website code. Make sure that end-users’ browsers alert them to potentially risky websites.
Limit access to the internet
Using access control lists (ACLs) is another way to mitigate the risks arising from malicious websites. You can create access controls for your networks that “deny all” access to certain websites and web-based applications.
Require multi-factor authentication
Since malicious actors often look to steal user credentials, requiring multi-factor authentication can mitigate this risk. You should require users to provide two or more of the following every time they log in to your networks, systems and applications:
- Something they know: a password or passphrase
- Something they possess: a device or token (an authentication application on a device, a keycard, or a code texted to a smartphone)
- Something they are: a biometric (a fingerprint or facial ID)
Monitor and take down fake websites
Organizations in highly targeted industries, like financial services and healthcare, often use companies that monitor for and take down spoofed versions of their websites. This protects employees and customers who click on a malicious link from giving cybercriminals their login credentials.
Install security patch updates regularly
Many phishing attacks exploit common vulnerabilities and exposures (CVEs), or known security weaknesses. To prevent this, make sure to regularly install security updates that respond to these known risks.
Set regular data backup
Often, phishing attacks leave behind malware, which can also include ransomware. To mitigate the impact that ransomware can have on your organization’s productivity, create a robust data backup program that follows the 3-2-1 method: 3 copies of data, on 2 different media, with 1 being offsite.
CONCLUSION
There are multiple steps an organization or department can take to protect against phishing. They must keep a pulse on the current phishing strategies and confirm their security policies and solutions can eliminate threats as they evolve. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Informed employees and properly secured systems are key elements in protecting your organization from phishing attacks.
Companies fall prey to phishing attacks because of careless and naive internet browsing. Instituting a policy that prevents certain sites from being accessed greatly reduces a business’s chance of having its security compromised.
It’s also important to educate your employees about the tactics of phishers. Employees should be trained on security awareness as part of their orientation. Inform them to be wary of e-mails with attachments from people they don’t know. Let them know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they utilize. Read all URLs from right to left. The last address is the true domain. Secure URLs that don’t employ https are fraudulent, as are sites that begin with IP addresses.
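Added example (not code from the original article): a Python check that applies the URL rules above, reading the host right to left to find the true domain, flagging bare IP hosts and links without https, and comparing the result against an allowlist of legitimate domains to catch the brand-as-sub-domain and typosquatting tricks described earlier. The allowlist and the public-suffix table are constructed sample values, not the article's; it goes slightly beyond the article's rule by handling two-label suffixes such as co.in.

```python
# Added example, not from the original article. Reads a URL's host from the
# right, as the article advises, so the registered domain is the label just
# before the public suffix. TRUSTED_DOMAINS and PUBLIC_SUFFIXES are
# constructed sample values; a real deployment would use the full Public
# Suffix List and the organisation's own list of legitimate domains.
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of legitimate registered domains (example values).
TRUSTED_DOMAINS = {"examplebank.com", "examplepay.in"}
# Constructed subset of public suffixes; the real list is far longer.
PUBLIC_SUFFIXES = {"com", "in", "net", "org", "co.in", "co.uk"}


def registered_domain(host: str) -> str:
    """Return the registrable domain by reading labels from the right."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longer public suffix first (e.g. "co.in" before "in").
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(url: str) -> list[str]:
    """Return the article's URL warning signs that apply to the given URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no https")
    try:
        ipaddress.ip_address(host)          # a bare IP address as the host
        findings.append("host is a bare IP address")
        return findings
    except ValueError:
        pass
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host.split("."):        # e.g. examplebank.com.evil.net
            findings.append(f"brand '{brand}' used as a sub-domain of {domain}")
        elif edit_distance(domain.split(".")[0], brand) <= 2:
            findings.append(f"{domain} looks like a typosquat of {trusted}")
    return findings
```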
Thus, sound and robust IT security policies and employee training are indispensable tools against phishing.