What is Phishing? Why is it dangerous?


Phishing

If you have not been living under a rock for the past couple of months, you have probably heard of the Equifax breach that resulted in the confidential information of around 200 million consumers being leaked. While attacks like that require knowledge of sophisticated cyber security technologies, there are other kinds of attacks that are far easier to carry out and still carry significant damage potential. I’m talking about a phishing attack, a term you may have heard thrown around every now and then. But have you ever wondered what it is and how dangerous it is if you fall into its trap? This post is my attempt to explain it.

What exactly is phishing?

Phishing is a type of cyber attack in which an attacker tries to fool you into handing over confidential information (credit card details, passwords, etc.) by making you believe that you are sending this information to the intended recipient. This is a form of man-in-the-middle attack that involves sending fake emails and text messages to people and tricking them into divulging their private information to a third party without knowing it.

According to research, the most effective levers for conducting these attacks have been fear, money and urgency. The scammers contact you saying, for example, that your email account has been compromised, and include a link for you to click and reset your password. The victim, in their haste to keep their confidential information safe, blindly clicks on the link. It then leads them to a fake phishing page set up by the attacker, which looks like the login page of their bank but is in fact controlled by the attacker. Once you type in your new password, you have unknowingly given the attacker access to your entire bank account. They then change the password so that you are no longer able to access your own account.

Phishing is not just for the ultra tech-savvy. Anyone can view the source code of a website, make some changes to it and create their own phishing page. They just need to register a domain and host the webpage on it (which takes less than 10 minutes and a minimal fee). Your phishing page is ready!

How to recognize a phishing page

Phishing pages are designed to look exactly like the webpage they are copying, including the branding and the logo. Victims need to be vigilant and should look out for the things that make these illegitimate pages and bogus emails stand out. Some of them are:

1. The emails (and sometimes even the webpages) are riddled with grammatical mistakes. Some of them are easily identifiable, but others need more scrutiny.
2. The fake webpage asks you for information that the legitimate website does not usually ask for.
3. The email may get private details like your address and phone number right but spell your name incorrectly. It may also direct you to a website whose URL is incorrect.

Here is an exercise for you. Find out if you can spot inaccuracies in the screenshot of the webpage given below.

Let’s see how well you did on that image:

While some things will be difficult to notice at first attempt, there are other fairly obvious clues (like the URL) that most phishing websites tend to possess. If you were not careful, you might have entered your login and password. The attacker would then have gained access to your social media account and would have been able to send the malicious messages to even more people in your circle.
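As an added example (not part of the original post), here is a small Python check that applies the URL clue above: it compares the link's real registered domain with the domain you expect and flags the tricks phishing links use to look right. The brand domain examplebank.com and the sample links are constructed for the demo.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed brand domain for the demo; a real checker would use the
# organisation's own list of legitimate domains.
EXPECTED_DOMAIN = "examplebank.com"


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-part
    public suffixes such as co.uk, which a real checker would handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_url_warnings(url: str, expected: str = EXPECTED_DOMAIN) -> list:
    """Return the reasons a link does NOT look like the expected site.
    An empty list means no mismatch was found, not that the link is safe."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # https://examplebank.com@evil.example -> browser goes to evil.example
        warnings.append("credentials before '@' hide the real host")
    if not host:
        warnings.append("no hostname")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain")
        return warnings
    except ValueError:
        pass  # a normal hostname, keep checking
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label, possible homoglyph")
    brand = expected.split(".")[0]
    reg = registered_domain(host)
    if reg != expected:
        if brand in host:
            # brand name used as a subdomain or padded with extra words
            warnings.append(f"brand name '{brand}' appears but registered domain is '{reg}'")
        else:
            warnings.append(f"registered domain '{reg}' is not '{expected}'")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login",
                 "https://examplebank.com.login-verify.example/secure",
                 "http://examp1ebank.com/login"):
        print(link, "->", phishing_url_warnings(link) or "no mismatch found")
```

Only the subdomain check needs the brand name; the rest of the checks apply to any link regardless of which site it claims to be.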

Phishing pages are not always easy to detect. In May 2017, there was an email blast to Gmail users asking them to open a Google Docs form that took them to a legitimate-looking page to enter their security credentials. According to the latest statistics, phishing emails are moving into more malicious territory: since 2016, there has been an increase in the number of emails with attachments that contain malicious content.

Some emails get your personal information (phone number, address, company, etc.) correct. These details are easy to obtain from social media profiles and résumés posted on career websites. This type of phishing, which targets a particular individual, is called “spear phishing”.

The only thing we, as potential victims, can do is be wary of our activity on the Internet. It is safe to assume that you are not going to win a lottery you didn’t even enter. Also, nobody is going to gift you a Mercedes or a Tesla. Always be careful of what links you click and NEVER download attachments from untrusted sources.