Have you ever received WhatsApp messages or emails offering massive discounts on popular e-commerce platforms? If so, clicking on them could make you a victim of phishing. But what is it? How can you identify it and protect yourself?

Last week we talked about social engineering attacks. One of the most common social engineering attacks is phishing, and in a world of online shopping and online banking it is important to know about the subject in order to protect ourselves and the people around us.

What is Phishing?

Just like in “fishing”, where the fisherman places bait in the water to lure and catch fish, an attacker conducting a phishing attack, disguised as a trusted entity, lures you into clicking malicious links in an email or text message designed to look genuine.

Clicking the link takes you to a fake website with the same look and feel as the legitimate one. It may ask you to log in, or make you download something malicious, either by clicking another link or without your knowledge. If you enter your credentials to “log in” to that website, they are sent to the perpetrator instead of the real system, compromising your account. Worse, if you end up using your credit or debit card on the malicious website thinking you got lucky, you end up handing your financial details to the attacker.

A Phishing Attack

Let’s Review The Types Of A Phishing Attack

  • Spearphishing – A phishing attack where the attacker does not cast bait at random victims but targets a specific individual or enterprise.
  • Whaling – A spearphishing attack directed at the bigger fish in the ocean, that is, someone high-profile such as an upper manager in a company.

Methods Of Phishing

  • Email Spoofing – Forging the sender address so that an email appears to come from a source other than its real origin. If you ever receive an email asking for personal information, be suspicious. No legitimate organization, such as a bank, asks for your personal information, especially via email or a phone call. Even if it looks legitimate, always check the sender's email address and verify it with your bank or the organization concerned. Do not give away any information, even if the tone of the message sounds urgent.

If such a suspicious email contains an attachment, do not download it. Attachments like these often carry malware such as RATs (Remote Access Trojans) and ransomware.
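The two checks the post recommends for a suspicious email, comparing the sender's real address with the name it displays and noticing pressure language, can be turned into a small script. The following is an added example, not code from the original post; the two sample messages, the brand list and the `.example` domains are all constructed for illustration, and the checks are heuristics that complement, not replace, the SPF/DKIM checks a mail server performs.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed sample messages (not real mail). The first imitates a bank in
# its display name but is sent from, and replies to, unrelated domains.
SAMPLE_SPOOFED = """\
From: "Example Bank Security" <alerts@mail-examplebank-support.example>
Reply-To: recovery@unrelated-mailbox.example
To: customer@example.org
Subject: Urgent: your account has been suspended

Please log in within 24 hours to restore access.
"""

SAMPLE_GENUINE = """\
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

# Assumption for this example: the brand names a reader cares about and the
# domains that legitimately send mail for them. A real deployment would keep
# this list per organisation.
BRAND_DOMAINS = {
    "example bank": {"examplebank.example"},
}

# Phrases that apply the pressure the post warns about.
URGENCY_WORDS = ("urgent", "suspended", "immediately", "within 24 hours")


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return the reasons a message looks spoofed; an empty list means no check fired.

    These are heuristics: an empty list does not prove the mail is genuine.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators: List[str] = []

    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_dom = sender_domain(from_header)

    # 1. The display name claims a brand the address domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_dom not in domains:
            indicators.append(
                f"display name mentions '{brand}' but address domain is {from_dom!r}"
            )

    # 2. Replies are steered to a different domain than the visible sender.
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        indicators.append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}"
        )

    # 3. Pressure language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    text = (msg.get("Subject", "") + " " + body_text).lower()
    found = [w for w in URGENCY_WORDS if w in text]
    if found:
        indicators.append("pressure language: " + ", ".join(found))

    return indicators


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        print(label, spoofing_indicators(sample) or "no indicators")
```

Run against the two constructed samples, the spoofed message trips all three checks (brand/domain mismatch, a Reply-To pointing elsewhere, and urgency wording) while the genuine statement notice trips none. The brand-to-domain mapping is the part that has to be maintained: the script can only call out a mismatch for brands it has been told about.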

  • Link Manipulation – A spoofed email generally contains a link, which redirects you to a website that may look legitimate. If you reach such a website, always check the URL, the web address at the top of your browser. Chances are it will be subtly misspelled. Do not fill in any information if the URL does not look like the real one.

You may also receive such links through instant messaging, which typically lures you with a too-good-to-be-true offer on a well-known e-commerce website, or a link to redeem a prize you never won. Remember that such things never happen.
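“Check the URL” is easier said than done, because the tricks go beyond a simple misspelling: the brand name can sit in a subdomain of someone else's domain, a `user@` prefix can hide the real host, or the host can be a raw IP address. The script below is an added example, not code from the original post, that applies those checks to a URL; the trusted domains and brand words are constructed for illustration, and `registrable_domain` simply takes the last two labels, a simplification that a real tool would replace with a Public Suffix List lookup.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumption for this example: the registrable domains the reader trusts and
# the brand words impostors are likely to reuse. Both are constructed.
TRUSTED_DOMAINS = {"examplebank.example", "shop-example.example"}
BRAND_WORDS = ("examplebank", "shop-example")


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'login.examplebank.example' -> 'examplebank.example'.

    Simplification: real code would consult the Public Suffix List so that
    multi-label suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_warnings(url: str) -> List[str]:
    """Return the reasons a URL looks like a look-alike of a trusted site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname found"]
    warnings: List[str] = []

    # 'https://examplebank.example@evil.example' really goes to evil.example.
    if parts.username is not None:
        warnings.append("URL has a user@ prefix that hides the real host")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass

    # Punycode or non-ASCII labels can hide look-alike characters.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised host name; check the characters carefully")

    if parts.scheme != "https":
        warnings.append("not HTTPS")

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return warnings  # the real site; the remaining checks target impostors

    # Brand name used inside a host that belongs to someone else.
    for brand in BRAND_WORDS:
        if brand in host:
            warnings.append(f"host mentions '{brand}' but the registrable domain is {reg!r}")
            break

    # One or two characters away from a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(reg, trusted) <= 2:
            warnings.append(f"{reg!r} is a near-miss for {trusted!r}")

    return warnings


if __name__ == "__main__":
    for u in (
        "https://login.examplebank.example/account",
        "https://exampelbank.example/login",
        "https://examplebank.example.evil-site.example/",
        "http://examplebank.example@evil.example/login",
    ):
        print(u, "->", url_warnings(u) or "no warnings")
```

The genuine login URL produces no warnings, the transposed-letter domain is reported as a near-miss, the brand-in-subdomain URL is reported with its real registrable domain, and the `user@` URL is flagged for hiding its host. The point of the example is the order of the checks: decide what the registrable domain is first, because everything in front of it is under the attacker's control.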

  • Voice Phishing – Also known as vishing: you may receive suspicious phone calls claiming to be from your bank. They often convey a sense of urgency, such as claiming your account has been suspended, and ask for your personal information. They may use fake caller-ID data. Never trust such phone calls.

How To Stay Safe

If you ever receive a suspicious phone call, email or instant message, do not react immediately. Take your time to think, and try not to give in to the sense of urgency.

If you received such links via email, delete them and report them as spam immediately. If you receive such links from a friend or family member on WhatsApp, explain to them why the links are dangerous and how they can identify malicious links.

If you have any doubt, always verify the information with the authority concerned. If you feel you have been compromised or have fallen prey to such an attack, immediately contact the organization with which you have the account. It is good practice to check your online accounts regularly and not to use the same password everywhere.