Phishing in Ethical Hacking
Go through the “Spam” section of your email. What do you see? You might have won a brand new Audi or a mind-boggling amount in a lottery you never bought a ticket for, with a request for your credit card details. Or your bank might be urgently asking you to verify your account details via email. Do you see things similar to the above cases in your spam section? This is where phishing comes into the picture.
Phishing is a type of social engineering attack that aims to obtain sensitive information such as bank account numbers, usernames, passwords, and credit card details. It is mostly done by sending fake emails that appear to come from a legitimate source, though it can also take the form of vishing. The recipient is usually manipulated into clicking a malicious link that can install malware or expose sensitive information. It can also simply be a case of typosquatting, where a look-alike address redirects the recipient to a malicious website in order to obtain login credentials.
Common Features of Phishing Emails:
- It will have an eye-catching subject such as “Congratulations! You’ve won an iPhone”.
- It will convey a sense of urgency so that the recipient has no time to think twice and makes a mistake in a hurry, which later benefits the attackers.
- It will have attachments that make no sense with respect to that email.
Types of Phishing attacks:
Attackers use several different types of phishing attack:
- Spear Phishing attack: This attack targets a specific organization or specific people. It is not an attack that any random hacker can launch; it is initiated by someone who needs particular information, which can be related to financial gain. A spear phishing attack is otherwise almost the same as a normal phishing attack: both appear to come from a trusted source. It is considered one of the most successful attacks.
- Clone Phishing: This attack works by copying an email message that came from a reputable or trusted source. Hackers alter the information in the original email and add a link or attachment. This link or attachment is malicious and takes the user to a fake website. The altered email is sent to a large number of people, and the hacker waits for someone to make the first move by clicking the malicious link. When the link or attachment is clicked, the email is sent on to the user's contacts.
- Cat Phishing: This is a socially engineered attack. It plays with the victim's emotions and exploits them so that the attacker can benefit financially or obtain the victim's information.
- Voice Phishing: This attack does not require the attacker to lure the user to a fake website. It is sometimes called vishing. Someone carrying out vishing knows how to appear as a trusted source so that the victim can be convinced. They also use IVR, which makes it difficult for legal authorities to trace, block, or monitor the calls. As it is a type of phishing attack, it is also used to obtain credit card details and other confidential information from the victim.
- SMS phishing: This attack also makes the user reveal credit card details or other sensitive information. Just like other phishing attacks, it appears to the victim to come from a trusted source. Android phones and other smartphones are used by almost every user, which gives the attacker the opportunity to perform this attack. It spares the attacker the trouble of breaking through firewalls to steal information.
Threats of Phishing:
Almost all kinds of Internet theft are possible through Phishing. It can be very dangerous if the received malicious link is clicked. It can:
- Redirect to a website used for malicious purposes.
- Install malware or ransomware on the PC.
- Steal confidential data of the Internet users such as credit card information.
- Steal the identity of the users for the purpose of Identity theft.
The first and foremost recommendation is to read the email thoroughly. Attackers make tiny mistakes that are often skipped over while reading. Re-check the spelling, the source, and the subject before taking any further steps.
- Keep computer security tools up to date.
- Never open suspicious email attachments.
- Never click on suspicious email links.
- Don’t provide confidential information via email, over the phone, or text messages.
- Don’t post your personal data, like your vacation plans, or your address or phone number, publicly on social media.
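The manual checks recommended above (re-read the subject, the source and the links) can be partly automated. The following Python sketch is an added example, not part of the original article; the trusted domain `examplebank.com`, the keyword list, the distance threshold and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"examplebank.com"}  # assumption: domains your organisation really uses
URGENT = re.compile(r"\b(urgent|immediately|verify|congratulations|won)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    """Return the trusted domain that `host` imitates (typosquatting), or None."""
    # Simplification: the last two labels are treated as the registered domain.
    base = ".".join(host.lower().split(".")[-2:])
    if base in TRUSTED:
        return None
    return next((t for t in TRUSTED if edit_distance(base, t) <= 2), None)

def review(raw):
    """List the warning signs found in one plain-text email."""
    msg = message_from_string(raw)
    findings = []
    if URGENT.search(msg.get("Subject", "")):
        findings.append("subject uses urgency or prize wording")
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if lookalike(sender):
        findings.append(f"sender domain {sender} imitates {lookalike(sender)}")
    for host in re.findall(r"https?://([^/\s:]+)", msg.get_payload()):
        if lookalike(host):
            findings.append(f"link host {host} imitates {lookalike(host)}")
    return findings

# Constructed sample message, not a real email.
SAMPLE = """From: Example Bank <alerts@examp1ebank.com>
Subject: URGENT: verify your account
To: user@example.org

Your account is locked. Sign in at http://www.exampelbank.com/login now.
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("WARNING:", finding)
```

A score like this only supports the reader's own judgement: it handles single-part text messages and will miss look-alike domains that differ by more than two characters.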
We are surrounded by threats. To keep ourselves safe, all we can do is spread awareness of the threats alongside the preventive measures. Spread awareness among the people you know. Stay safe.