Phishing is a form of cybercrime that uses email, messaging and telephone
channels to lure victims into revealing personal or sensitive information.
Cybercriminals contact their targets by email, text message (SMS and chat), phone
call, or other means; the targets may be unsuspecting individuals, groups, or large
organizations. A phishing message may not look very damaging at first glance, but it
is only a ruse. Depending on the type of phishing (social engineering) attack, the
cybercriminal can either deploy malware to the target system or network, or extract
information such as personally identifiable information, banking and credit card
details, and passwords, which can then be used for identity theft or financial gain.
With the right security awareness training, business owners and CISOs can greatly
reduce the chance that their staff fall for these attacks.
What Is Phishing and How Can It Be Solved with Security Awareness Training
The word "phishing" is a play on "fishing": bait is placed on a hook to
lure prey, and in the same way a phishing attack lures the target into clicking a
link, opening an attachment, or handing over information.
Phishing activity has risen continuously since 2019, with 71% of
attacks motivated by financial gain. Security researchers have reported that, of all
breaches involving phishing, 29% involved the use of stolen credentials. Similarly,
33% of breaches are reported to involve some form of social engineering. It is tempting
to assume that these attacks have little to gain from individuals and that the money
is not worth the effort, but contrary to that assumption the United States FBI's
Internet Crime Complaint Center has recorded approximately $57 million in losses to
phishing attacks.
Security awareness training helps employees recognize cyberattacks
and stops them from making common but unintentional mistakes.
6 Common Phishing Scams That Can Be Stopped with Security Awareness Training
- Email Phishing: Email is one of the most prominent modes of
    malware delivery; one report suggests that 94% of malware is delivered by
    email. Cybercriminals pose as legitimate organizations (your bank, an
    e-commerce site, an NGO, etc.) and send either malware as an attachment with
    a misleading file name (reward, coupon, invoice, free app, etc.) or a link to
    a malicious site; downloading and running the file installs malware on your
    device. The installed malware may encrypt all your data (ransomware), after
    which the cybercriminals demand a ransom to decrypt it, or it may exfiltrate
    your sensitive data (personal data, financial data, usernames and passwords,
    etc.) for the attackers' financial benefit.
- Spear Phishing: When cybercriminals take the effort to
    personalize their phishing emails through reconnaissance, it is called spear
    phishing. To look less suspicious and raise the odds that you take the bait,
    the attacker gathers information about you from easily accessible sources
    such as social media. Because you are more likely to open an email from a
    source you know, trivial but personal details such as the institutions,
    websites, or newsletters you follow, the company you work for, and the bank
    or financial institutions you invest with help the attacker craft a
    personalized lure. Spear phishing is surging: in 65% of the attack groups
    studied, spear phishing was the primary vector for malware delivery.
- Voice Phishing: This type of phishing uses phone calls (hence
    voice phishing, or vishing). The caller impersonates a legitimate
    organization and primarily aims to extract personal and sensitive
    information such as a bank account number, username, password, OTP
    (one-time password), or PIN. With advanced methods such as AI (artificial
    intelligence), cybercriminals carry out the attack more convincingly. For
    example, by recording and analyzing the voice of someone you know, an
    attacker can synthesize that voice in a call and use it to request or order
    an immediate transfer of a large sum of money.
- SMiShing: SMS phishing, or SMiShing, uses text messages to
    deceive people into divulging sensitive and financially damaging
    information. It is one of the oldest and best-known scams, and it targets
    unsuspecting users.
- Social Media Phishing: This type of attack uses social media
    sites to build trust between the cybercriminal and the target. Some studies
    suggest that social media helps establish a greater degree of trust between
    people. The cybercriminal exploits this in a social engineering attack: a
    fake profile is created, the target is befriended, and personal and
    sensitive information is extracted. The cybercriminal may also spread
    malware as recommended apps or executable files. Creating a fake profile is
    easy, as suggested by the fact that in 2014 Facebook reportedly found 14% of
    the profiles on its platform to be fake.
- Website Forgery: This type of attack is one of the most
    effective against individual users. As the name suggests, cybercriminals
    create fake websites, typically on look-alike domains, or use address-bar
    spoofing tricks so that the page appears to be the original site. In some
    cases attackers exploit existing flaws in a trusted website's scripts to
    inject their own content into that site's pages; these attacks are known as
    cross-site scripting (XSS), and they are especially dangerous because the
    address bar then genuinely shows the trusted site. Through such pages the
    cybercriminal collects the personal and financial information that users
    type into a sign-up form or a payment card or net banking form.
How to Avoid Phishing Scams?
Individual users can prevent most phishing attacks through
awareness, a degree of caution when performing digital activities (such as providing
personal or financial data), and cybersecurity tools. The most effective measures
people can adopt to avoid phishing attacks are:
- Anti-Phishing Tools: Anti-phishing tools and software
    offer features such as spam filtering, attachment scanning, phishing email
    detection, and blocking of suspicious senders, so that many phishing emails
    never reach you.
- Email Handling: Whether or not you have an anti-phishing
    solution installed on your device, every user should analyze an email and
    confirm that it is legitimate. This can be done with the following checks:
    - Check whether the sender is known to you, i.e., whether the mail is
        solicited or unsolicited.
    - Check whether the domain name (@xyz.com) actually belongs to the
        organization it claims to represent.
    - Consider whether the content is plausible: if it is too good to be true,
        it is probably spam.
    - Do not click short links, hyperlinked text, or buttons directly;
        hovering the cursor over the link reveals the actual URL. Check the
        domain name and its spelling in that URL, not in the visible text.
    - Do not open any attachment without scanning it, and never open an
        attachment with an unknown extension or a .exe extension; legitimate
        people and organizations do not send executable files by email.
- Vishing and SMiShing Safety Precautions: There are several
    things to watch for when dealing with suspicious messages and phone calls.
    - Use trusted applications that validate mobile numbers and act as
        spam filters for telecommunications.
    - Do not share any personal information by message or on a call;
        legitimate organizations have proper channels for submitting such
        details.
    - Do not share a username, password, or authentication PIN with anyone
        by call or message, even if the person claims to be from your bank.
        Receiving money never requires you to reveal an authentication code,
        so an OTP is only ever meant to be entered by you, never read out to
        someone else.
    - If you suspect the call is a robocall, ask additional, atypical
        questions.
- Online Phishing: Whether on social media or on a suspicious
    website, there are some things you must not do, or must at least do with
    care. Malicious sites usually contain several hints that they are not
    legitimate.
    - Do not share personal or financial information over social media
        platforms, even with people you know personally; the account on the
        other end may have been taken over, and the platform itself holds
        whatever you send.
    - Operate only on secured websites. The lock symbol in the address bar
        (the site's TLS certificate) shows that the connection between the
        site and your system is encrypted, but it does not prove the site is
        who it claims to be: phishing sites routinely obtain certificates
        too, so you still have to verify the domain name.
    - Similarly, check whether links use HTTP or HTTPS; HTTPS (Hypertext
        Transfer Protocol Secure) links are more secure than plain HTTP, but
        HTTPS alone is not a sign of legitimacy.
The immediate response to a successful phishing attack is to
consult a security expert or the government body that handles cybercrime, alongside
ongoing security training and awareness programs, because knowing about phishing
only in theory may not be enough to tell a benign email from a malicious one when an
actual phishing email arrives. Thus, it is important to have practical experience in
dealing with
The prevention of Phishing for a
non-technical person is improved with anti-phishing education
and awareness provided by many reputable organizations such as