Let’s go Phishing – The Silent Cyber Crime
In the universe of cyber threats, few are as maliciously deceptive as phishing. To the untrained eye, a phishing attack can be nearly indistinguishable from legitimate communication, and therein lies the potency of this silent crime.
Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, which allows the attacker to observe every keystroke the victim makes while navigating the site.
Phishing is a form of social engineering in which cyber-attackers impersonate legitimate companies or individuals to deceive victims into revealing sensitive information, such as login credentials, credit card numbers or other personal data, or into installing ransomware or other malware, typically via emails that direct users to fake websites where they are asked to provide their details.
Phishing’s origins can be traced back to the 1990s, when internet adoption began to increase. The term “phishing” is based on the word “fishing,” which symbolizes the act of “throwing out bait” to “catch” innocent victims. According to research, the first recorded mention of phishing dates back to 1996 in a hacking tool named “AOHell.” As technology evolved over the years, so did phishing tactics, making them more sophisticated and harder to detect; since 2020 phishing has been one of the most common types of crime, according to the FBI’s Internet Crime Complaint Center.
Different Types of Phishing
Email Phishing: This is the most common type, where attackers send fraudulent emails designed to look like they’re from trustworthy sources.
Spear Phishing: Targeted attacks on specific individuals or organizations, often involving personalized information to make the “bait” more convincing.
Vishing (Voice Phishing): Using phone calls to scam victims. For example, the attacker poses as a bank representative and informs you that there is fraudulent activity on your bank account.
Smishing (SMS Phishing): Attackers send deceptive text messages to trick victims into providing sensitive information.
Whaling: A subtype of spear phishing that targets high-profile individuals like CEOs or CFOs.
Pharming: Redirecting users to a malicious website by compromising domain name system (DNS) servers.
How does phishing work?
Phishing is a form of cyber-attack that capitalizes on human psychology, technical trickery and deceitful tactics to extract sensitive information from victims. A typical attack proceeds as follows:
Crafting the Message: The attacker designs an email or message that appears to come from a trusted source, for instance a bank, a popular service (like Showmax), a work colleague, top management or even a government entity. The message often evokes a sense of urgency, fear or curiosity, with common themes such as warnings about account closures, unrecognized transactions or tax refunds.
Deceptive Links and Attachments: Phishing emails often contain links directing victims to fake websites that mirror legitimate ones. Victims are asked to enter sensitive information such as usernames, passwords or credit card numbers.
Fake Websites: These are set up to mimic genuine websites by using similar URLs (with slight misspellings or alterations) and replicating the look and feel of the actual site. Once the victim enters their details on such a fake site, the information flows directly to the attacker.
The first line of defence is being aware and informed about the latest phishing techniques.
Check Email Senders: Hover over the sender’s email to verify its authenticity. Be wary of misspelled domain names.
Avoid Unsolicited Attachments: Never open attachments or links from unknown sources; they may carry malware which, when opened, is installed on the victim’s device.
Secure Browsing: Ensure websites use HTTPS encryption, especially when entering personal data.
Regular Training: Organizations should regularly train employees to recognize phishing attempts.
Use Security Software: Keep your antivirus software updated and use browser add-ons that detect malicious websites.
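A defender-side version of the “check the sender’s domain” advice above, as an added Python example that is not part of the original article: it classifies the domain in a From: header as trusted, a lookalike of a trusted domain, or unknown, catching typo-squats, confusable characters and brand names embedded in unrelated domains. The trusted-domain list and the sample addresses are constructed for illustration.

```python
import re

# Constructed list of domains this organisation treats as trusted (illustrative values).
TRUSTED_DOMAINS = {"mybank.com", "showmax.com", "example-corp.com"}

# Visual substitutions commonly used to make a fake domain resemble the real one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(header_value: str) -> str:
    """Return the lowercased domain from a From: value such as 'Bank <alerts@mybank.com>'."""
    match = re.search(r"<?([^\s<>@]+@([^\s<>]+))>?\s*$", header_value)
    return match.group(2).lower().rstrip(".") if match else ""


def normalise(domain: str) -> str:
    """Undo the substitutions above so 'rnybank.com' compares equal to 'mybank.com'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> str:
    """'trusted' = a trusted domain, 'lookalike' = suspiciously close to one, else 'unknown'."""
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    registered = ".".join(domain.split(".")[-2:])  # 'mybank.com' from 'mail.mybank.com'
    if domain in TRUSTED_DOMAINS or registered in TRUSTED_DOMAINS:
        return "trusted"
    labels = domain.replace("-", ".").split(".")   # 'mybank-secure.com' -> mybank, secure, com
    for trusted in TRUSTED_DOMAINS:
        # Typo-squat or confusable spelling: within two edits after undoing substitutions.
        if edit_distance(normalise(registered), trusted) <= 2:
            return "lookalike"
        # Brand name reused as a label of an unrelated domain, e.g. 'mybank.com.evil.net'.
        if trusted.split(".")[0] in labels:
            return "lookalike"
    return "unknown"
```

The same check applies to the hostnames behind links, since HTTPS only proves the connection is encrypted, not that the site is the one it imitates.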
What must you do when you have fallen victim to a phishing attack?
It is imperative to act promptly and decisively to mitigate potential damage, for instance:
Change your Passwords: Immediately change the password for the compromised account, and if you reuse that password on other accounts (which is not recommended), change those as well.
Notify Financial Institutions: If you have provided bank or credit card information, contact your bank immediately so that it can monitor for suspicious activity, freeze your account or issue new cards if necessary.
Enable Multi-Factor Authentication (MFA): MFA adds an additional layer of security, so even if cybercriminals have unlawfully obtained your password, they will struggle to access your account without the second verification step.
Examples of phishing attacks
Google and Facebook Phishing Attack (2013-2015): Evaldas Rimasauskas tricked Google and Facebook into paying over $100 million in fraudulent invoices.
Twitter VIP Attack (2020): A significant Twitter breach saw high-profile accounts hijacked, with global impact; the attack was traced back to a 17-year-old from Florida.
Phishing remains one of the most prevalent cyber threats, and it is essential to recognize that it is not just a technical challenge but also a psychological one. Attackers understand human behaviour and design their campaigns to exploit common emotions and reactions. However, by being aware of these tactics, maintaining scepticism towards unexpected or suspicious messages and keeping devices up to date, and with vigilance, education and the right tools, both individuals and organizations can effectively reduce their risk of falling victim to phishing.