What is Phishing?

 


As time passes, everything changes gradually, and cyberspace is not left out. New techniques for accessing people's data remotely without their knowledge keep being discovered.

No matter how careful one tries to be, there is still a big chance of letting your guard down. It is therefore necessary to keep educating oneself on the techniques born every day. There are hundreds of ways in which these bad guys steal meaningful information from unsuspecting people around the globe, and today I'll tell you all there is to know about one of the commonest: "Phishing".

What is Phishing?

Phishing is an attack in which the threat actor (hacker) poses as a trusted person or organization to trick potential victims into sharing sensitive information such as a One Time Password (OTP), bank or social login details, and any other information which, if found by the bad guys, can cause harm to the owner. Just like real fishing, there are lots of ways to trick a potential victim:

Some common types are Email phishing, Smishing, and Vishing. Some attackers take a targeted approach such as Spear phishing or Whale phishing (will be discussed later).


How Does Phishing Work?

A phishing attack is usually a 3-point communication approach. This includes: The Sender, The Message and The Destination.

  • The Sender (Actor)
In a phishing attack, the sender imitates or spoofs someone known to the victim. It could be an individual, like a family member, friend or colleague, the CEO of the company they work for, or even a superstar. This is the person who generates the malicious links and messages, hoping that unsuspecting individuals fall for them.

  • The Message (Bait)
The attacker pretends to be a trusted person and asks the recipient to click a link, download an attachment, or participate in a money doubling scheme. When the victim opens the message, they find a jaw-dropping offer or even a scary message meant to overcome their better judgement by filling them with excitement or fear. The message may demand that the victim go to a website and take immediate action.

  • The Destination (Victim)
If an unsuspecting or gullible user takes the bait and clicks the link, they're sent to a fake version of a legitimate website, e.g. Facebook or a bank website. From here, they're asked to log in with their username and password. If they comply, the sign-in information goes to the sender (actor), who then takes over the real account and does terrible things like using the available balance for online shopping, loan applications, or transfers to a crypto wallet. For social accounts like Facebook, the hacker can start texting your friends, pretending to be you and requesting money to settle an emergency.


Types of Phishing 

There is a wide variety of phishing attacks, but today we'll discuss the very common ones.

  • Email Phishing 
This is one of the most common types of phishing. It has been widespread since the early days of e-mail. The attacker sends an email pretending to be someone trustworthy and familiar (online retailer, bank, social media company, etc.), and asks you to click a link to take an important action, or perhaps download an attachment.

    Examples of this type of phishing are:
  • Business email compromise (BEC): targets someone in the finance department of an organization, often the CFO, and attempts to deceive them into sending large sums of money. Attackers often use social engineering tactics to convince the recipient that sending the money is urgent and necessary.
  • Clone phishing: In this attack, criminals make a copy or clone of previously legitimate emails that contain either a link or an attachment. Then, the phisher replaces the links or attached files with malicious substitutions disguised as the real thing. Unsuspecting users either click the link or open the attachment, which often allows their systems to be commandeered. Then the phisher can counterfeit the victim's identity in order to masquerade as a trusted sender to other victims in the same organization.

  • Vishing (Voice Call Phishing)
In voice phishing, or vishing, the phisher calls claiming to be a staff member of your local bank or a customer care representative from an organization. Next, they scare you with some sort of problem and insist you clear it up immediately by sharing your account information such as BVN, OTP and even date of birth. Before they call, they're already logged in to a shopping site, and while on the phone with the victim, they enter the information the victim provides directly and authenticate the transaction even before the victim hangs up.

  • Smishing (SMS or text message phishing)
SMS phishing, or Smishing, is almost the same as vishing, and the two are sometimes referred to as "evil twins": smishing carries out the same kind of scam (sometimes with an embedded malicious link to click) by means of SMS texting.


  • Catphishing (Catfish)
Catphishing (catfishing) is a kind of online deception where a person creates a social profile impersonating another individual, either a superstar or a wealthy person, for the purpose of luring someone into a relationship, usually a romantic one, in order to get money, gifts, or attention. Thousands of accounts across Facebook, Twitter, Instagram, etc. are actually catfish accounts.


  • Spear Phishing
Unlike other types, Spear Phishing is aimed at one person or one group. The actor attacks a specific person or organization, often with content that is designed solely for the victim or victims. It requires pre-attack reconnaissance to gather info such as names, job titles, email addresses, etc. The hacker tries to get nearly accurate details about the target's colleagues, along with the names and professional relationships of key employees in their organization. With this, the phisher crafts an email that looks real.

For example, a fraudster might spear phish an employee whose responsibility is to authorize payments. The email appears to be from an executive in the organization, instructing the employee to send a certain amount of money (usually a huge one) either to the executive or to a company, while the victim is unaware that the attacker is the one at the receiving end.


  • Whale Phishing
As the name implies, Whale Phishing is one that targets high-profile victims. This can include celebrities, politicians, top military officers and business people. Typically, the attacker is trying to trick these well-known targets into giving out their personal information or business credentials. Whaling attacks usually involve social engineering efforts to trick the victim into believing the deception.


How to identify a phishing attack

Identifying phishing attacks can be quite difficult, but if one is attentive enough, traces of phishing can be glaring. One needs to be vigilant, as most phishing attacks tend to instill fear or over-excitement in potential victims.

Below are some tips to get started with identifying phishing attacks:

  • Watch out for shortened URLs. Phishing links are often shortened in an attempt to hide the fake link from the victim.
  • The message contains unexpected or unusual attachments. These attachments may contain malware, ransomware, or another online threat.
  • The email makes an offer that sounds too good to be true. An example is the popular money doubling investment, which is very common in Nigeria.
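The three signs above can be checked automatically. The following is an added example, not part of the original post: it scans a raw email for shortened links, risky attachment names and bait wording. The shortener list, extension list, bait phrases and the sample message are all assumptions constructed for illustration and are far from exhaustive.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed, non-exhaustive indicator lists chosen for this example.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".docm", ".xlsm")
BAIT = re.compile(
    r"double your (money|investment)|act now|urgent|verify your account", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def phishing_signs(raw_email):
    """Return a list of (sign, evidence) tuples found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    findings, texts = [], [msg.get("Subject", "")]
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # attachment: judge it by the extension the user would see last
            if name.lower().endswith(RISKY_EXT):
                findings.append(("risky_attachment", name))
        elif part.get_content_type().startswith("text/"):
            body = part.get_payload(decode=True) or b""
            texts.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(texts)
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host in SHORTENERS:  # the real destination is hidden behind a redirect
            findings.append(("shortened_url", url))
    findings += [("bait_phrase", m.group(0).lower()) for m in BAIT.finditer(text)]
    return findings

def build_sample():
    """Constructed sample message (not a real email) showing all three signs."""
    m = EmailMessage()
    m["From"] = "Support <support@bank.example>"
    m["Subject"] = "URGENT: verify your account"
    m.set_content("Double your money in 24 hours! Act now: https://bit.ly/xyz123\n"
                  "Our site: https://www.bank.example/login\n")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()

if __name__ == "__main__":
    for sign, evidence in phishing_signs(build_sample()):
        print(f"{sign}: {evidence}")
```

A hit is a reason to look closer, not a verdict: legitimate mail also uses shorteners, and a message with none of these signs can still be phishing.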


How do I protect myself against phishing?

Your judgement is the first step to safety against phishing. Train yourself to recognize the signs of phishing and practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.

Some other useful tips are listed below:


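  • As in the image above, always check that every site you visit shows this little padlock beside its address. It is an indication that your connection to the website is secure (HTTPS). A fake version of a legitimate website can show a padlock too, so also confirm that the address is the one you expect.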



  • Be careful with messages in the spam folder of your mailbox. Most mail providers help filter messages from untrusted senders. Mail in this folder might just be bait from a hacker, and a single click can be detrimental.

Conclusion
If one is not careful, a single phishing attack could result in numerous problems, ranging from loss of valuables, trust and fame to a whole lot more.
Be safe out there, don't be a victim.








