Phishing Attacks & Safety Tips | Web Security

Have you ever received WhatsApp messages or emails offering massive discounts on popular e-commerce platforms? Clicking on such links can make you the victim of a phishing attack. But what is phishing, and how can you recognise it to protect yourself?

Last week we talked about social engineering attacks. Phishing is one of the most common social engineering attacks, and in a world of online shopping and online banking it is important to understand it in order to protect ourselves and the people around us.

What is Phishing?

Just as in fishing, where the fisherman places bait in the water to lure and catch fish, an attacker conducting a phishing attack poses as a trusted entity and lures you into clicking a malicious link in an email or text message designed to look genuine.

illustration showing personal data as bait

Clicking the link takes you to a fake website with the same look and feel as the legitimate one. It may ask you to log in, or it may get you to download something malicious, either through another link or without your knowledge. If you enter your credentials to “log in”, they are sent to the attacker instead of the real service, and your account is compromised. Worse, if you enter your credit or debit card details on the malicious site because you think you have found a bargain, you have handed your financial details straight to the attacker.

illustration of a phishing attack
A Phishing Attack

Let’s Review The Types Of Phishing Attacks

  • Spearphishing – Instead of casting bait at random victims, the attacker targets a specific individual or organisation, usually using details about the target (name, employer, colleagues) to make the message convincing.
  • Whaling – A spearphishing attack aimed at the bigger fish in the ocean, such as a senior manager or executive in a company.

Methods used in Phishing Attacks

  • Email Spoofing – Forging the sender address so that an email appears to come from a different, trusted source. The From address you see is just a header the sender chose; on its own it proves nothing. If you ever receive an email asking for personal information, be suspicious.
    • Please note that no legitimate organisation, such as a bank, asks for passwords, PINs, one-time codes or full card details by email or over the phone. Even if a message looks legitimate, check the sender’s address and verify the request with your bank or the organisation concerned through a channel you already know, such as the phone number printed on your card.
    • Do not give away any information, even if the tone of the message sounds urgent. If a suspicious email contains an attachment, do not open it. Attachments are a common way to deliver malware such as a RAT (Remote Access Trojan) or ransomware.
  • Link Manipulation – A spoofed email generally contains a link that takes you to a website designed to look legitimate. If you land on such a site, always check the URL, the web address shown at the top of your browser.
    • It is often misspelt (a swapped or substituted letter), or the real brand name is used as a subdomain of an unrelated domain you do not recognise. What matters is the domain just before the first single slash, not whether the brand name appears somewhere in the address. A padlock icon or https only means the connection is encrypted, not that the site is genuine. Do not fill in any information if the URL does not match the real one.
    • You may also receive such links through instant messaging. These messages generally lure you with offers that are too good to be true on a well-known e-commerce website.
    • You may also receive links to redeem a prize you never entered to win. Remember that such things never happen.
  • Voice Phishing – Also known as Vishing: you may receive suspicious phone calls from someone claiming to be your bank.
    • They typically create a sense of urgency, claiming that your account has been suspended, and ask you for your personal information.
    • Caller ID can be spoofed, so the number shown proves nothing. Never trust such calls; hang up and call your bank back on the number printed on your card or published on its website.
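The two checks described above, comparing the visible sender with what the receiving mail server recorded and inspecting where a link really points, can be automated for a quick triage. The following Python script is an added example written for this article, not code from the original post or from any vendor; the email, the domains (examplebank.com, secure-login.xyz and so on) and the Authentication-Results line are constructed placeholders, and the “last two labels” domain rule is a deliberate simplification noted in the code.

```python
"""Heuristic phishing triage for one raw email.  Added example, not from the
original article; all addresses and domains are constructed placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample: spoofed From, mismatched Return-Path, failed SPF,
# and two lookalike links (brand-as-subdomain and a one-letter misspelling).
SAMPLE = """\
Return-Path: <bounce@mail-examplebank-alerts.xyz>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-examplebank-alerts.xyz; dkim=none
From: Example Bank <alerts@examplebank.com>
To: victim@example.net
Subject: URGENT: your account has been suspended
Content-Type: text/plain; charset="utf-8"

Your account was suspended. Verify within 24 hours:
http://examplebank.com.secure-login.xyz/verify
or https://examp1ebank.com/login
"""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.examplebank.com' -> 'examplebank.com'.
    Simplification: real code should consult the public suffix list so that
    'bank.co.uk' is not cut down to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, expected: str) -> list[str]:
    """Reasons why `url` does not belong to the registered domain `expected`.
    An empty list means the link really is under that domain."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("host is a raw IP address")
    reg = registered_domain(host)
    if reg == expected:
        return findings  # genuine domain; at most the transport warning above
    brand = expected.split(".")[0]
    if brand in host:
        findings.append(f"brand '{brand}' appears only as a subdomain of '{reg}'")
    elif edit_distance(reg.split(".")[0], brand) <= 2:
        findings.append(f"'{reg}' is a near-miss spelling of '{expected}'")
    else:
        findings.append(f"registered domain '{reg}' is not '{expected}'")
    return findings


def check_email(raw: str, expected: str) -> dict:
    """Flag header inconsistencies and suspicious links in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain '{from_dom}' differs from Return-Path domain '{rp_dom}'")
    # Authentication-Results is written by the receiving mail server, so a
    # forged From address usually shows up here as spf/dkim/dmarc not passing.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = {u: check_url(u, expected) for u in URL_RE.findall(text)}
    return {"header": findings, "links": links,
            "suspicious": bool(findings) or any(links.values())}


if __name__ == "__main__":
    report = check_email(SAMPLE, "examplebank.com")
    for finding in report["header"]:
        print("header:", finding)
    for url, reasons in report["links"].items():
        print("link:", url, "->", reasons or "ok")
```

Run against the sample it reports the From/Return-Path mismatch, the failed SPF and missing DKIM/DMARC results, the brand-as-subdomain link and the one-letter misspelling. The expected domain is a parameter because the script cannot know which brand the mail claims to be; in a mailbox filter you would derive it from the From address and compare the links against that.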

For more information, refer to this article by Forcepoint.

How To Stay Safe

If you ever receive a suspicious phone call, email or instant message, do not react immediately. Take your time to think, and try not to give in to the sense of urgency.

If you received such links via email, delete and report them as spam immediately. If you receive said links from a friend or family member on WhatsApp, explain to them why such links are dangerous and how they can identify malicious links.

In case of any doubt, always verify the information with the organisation concerned. If you think you have been compromised or have fallen prey to such an attack, immediately contact the organisation with which you hold the account and change that account’s password (and the password of any other account where you reused it). It is good practice to check your online accounts regularly, not to use the same password everywhere, and to enable two-factor authentication where it is offered.