Phishing is a common type of social engineering attack in which fraudulent messages from unscrupulous sources are sent to potential victims. These messages appear to come from a reliable source. They are usually delivered by email and aim to steal sensitive information such as login credentials or credit card details, or to install malware.
Phishing – and how it works:
An email is sent to potential victims offering something they might need or want, for example a note from their company head or a request from a bank or university.
The spoofed message looks like a genuine email from a trusted source. The attackers use the same logos, signatures, phrasing, and typefaces to make the email look real.
If the recipient believes that the email is from a trusted source, they might click a link or download an attachment in the email. This can result in their giving away sensitive information.
The link in the email points to a URL that differs only slightly from the legitimate one, so it looks genuine. The recipient is unlikely to notice the change, believes the link is safe, and is unaware of when the attack takes place.
The attackers also try to create a sense of urgency in the emails to push the recipients to take action.
In short, a phishing attack plays out as follows:
- The potential victim receives an email from the attacker.
- When the victim clicks the link in the email, it takes them to the fraudulent website.
- The attacker collects the victim's credentials.
- The attacker uses the victim's credentials to access the legitimate website.
As with any other kind of attack, the effects include:
Monetary loss: There can be a direct loss of money due to a breach. Apart from that, phishing attacks on employees may also result in fines for violating the requirements of regulatory bodies.
Theft of intellectual property: Theft of intellectual property such as trade secrets, customer lists, or the latest developments can cause tremendous damage to the organization.
Loss of reputation: Any internal breach with public exposure can severely damage the standing of the organization. A reputation built on trust is undermined, and employees, partners, and customers come to perceive the brand as untrustworthy.
Disruption of business activities: Phishing campaigns not only disrupt the activities of a business but can also lead to huge economic losses and social disruption when core infrastructure of the economy such as transportation, energy, water, or health is under attack.
Loss of investor confidence: Investors in a company have a moral responsibility to ensure a cybersecurity culture. Any breach due to an attack will affect the investors' confidence in the company. It will also impact customer confidence in the company.
Types of Phishing:
The most common types of Phishing are:
Email phishing: In this method, attackers masquerade as legitimate organizations or identities. They send mass emails to as many addresses as they have obtained.
Spear Phishing: In this method, an employee is made a target within an organization. Personalized emails are sent to this individual to extract the required information.
Whaling: This is similar to Spear Phishing, but the target is senior executives of an organization with access to sensitive data.
Smishing and vishing: Text messages are sent (smishing) or phone calls are made (vishing) to the victim to extract information.
Angler Phishing: Social media is used as a medium to obtain sensitive information or to download malware through posts, tweets, cloned websites, etc.
Phishing attacks – Prevention
The best ways to prevent phishing attacks are:
- Employee awareness: All employees should be shown examples of phishing attacks in action. It is necessary to train employees to spot the warning signs of phishing attacks, such as:
  - Emails asking for confirmation of personal information.
  - Misspelt words or poor grammar.
  - High-pressure messages that demand immediate action.
  - Suspicious links or attachments.
  - Offers that seem too good to be true.
- Reliable antivirus measures: Equip systems with reliable antivirus software.
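As an added example (not part of the original article), the warning signs above and the slightly altered URLs described earlier can be turned into a simple screening check for incoming mail. The trusted domains, phrase lists and sample messages are constructed for illustration and are assumptions, not data from the article.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the domains the organization legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com", "example-university.edu"}
# Character substitutions commonly seen in look-alike domains (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed phrase lists matching the warning signs: urgency and requests for personal data.
URGENCY = ("immediately", "within 24 hours", "will be suspended", "urgent", "act now")
CREDENTIALS = ("password", "login credentials", "card number", "confirm your personal information")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def normalize(host: str) -> str:
    """Fold a hostname so a look-alike compares equal to the domain it imitates."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("-", "").replace(".", "")

def check_link(url: str) -> list[str]:
    """Return warnings for one URL; an empty list means it points to a trusted domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return []
    warnings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if normalize(host) == normalize(trusted):
            warnings.append(f"look-alike domain {host} imitates {trusted}")
        elif brand in host:  # trusted name buried inside a domain the sender controls
            warnings.append(f"{host} contains the trusted name '{brand}' but is not {trusted}")
    if parsed.scheme != "https":
        warnings.append(f"link {url} is not HTTPS")
    return warnings or [f"link to unrecognized domain {host}"]

def score_email(subject: str, body: str) -> list[str]:
    """Apply the warning signs from the text to one message and return the findings."""
    text = f"{subject}\n{body}".lower()
    findings = []
    if any(p in text for p in CREDENTIALS):
        findings.append("asks for personal information or credentials")
    if any(p in text for p in URGENCY):
        findings.append("uses high-pressure or urgency language")
    for url in URL_RE.findall(body):
        findings.extend(check_link(url))
    return findings

if __name__ == "__main__":
    # Constructed sample message in the style the article describes.
    print(score_email("Verify your account immediately", "Please confirm your personal information at http://examp1ebank.com/login"))
```

A message that triggers none of these checks is not necessarily safe; the check is a first filter that surfaces the signs employees are trained to look for, not a replacement for a mail security gateway.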