What you need to know about Phishing

Phishing is a social engineering attack often used to steal user data, such as login credentials and credit card numbers. It occurs when an attacker masquerades as a trusted entity and dupes a victim into opening an email, instant message, or text message.

The aim, in this case, is to trick the email recipient into believing that the message is something they are obliged to open, such as a request from the bank or a note from someone in the company asking them to click on a link or download an attachment.

Phishers use public sources to gather background information about the victim, such as work history, interests, and activities. This can be done through social networks such as LinkedIn, Facebook, and Twitter, which provide information such as names, job titles, and email addresses of potential victims.

Typically, a victim receives a message or email which appears to have been sent by a known contact or organization. The attack is then carried out either through a malicious file attachment or through links connecting to malicious websites. In either scenario, the objective is to install malware on the user's device or direct the victim to a fake website. Fake websites are set up to trick victims into divulging personal and financial information, such as passwords, account IDs, or credit card details.

  1. Most phishing emails are poorly written and clearly fake.
  2. Most cybercriminal groups use the same techniques adopted by professional marketers to identify the most effective types of messages.

Types of phishing

Spear phishing

The attacker crafts a message or an email that appeals to a specific individual. The attacker identifies the target using information from social network sites and uses spoofed addresses to send a message or an email that looks like it is coming from a co-worker.
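
A defender-side check for the spoofed co-worker message described above, as an added example that is not part of the original article: it inspects a received message's headers for a colleague's display name on an outside address, a diverging Reply-To, and failed SPF/DKIM/DMARC verdicts. The organisation domain, staff names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation values, assumed for this example.
ORG_DOMAIN = "example.com"
STAFF_NAMES = {"dana smith", "lee wong"}

def domain_of(address):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    return address.rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """Return header findings that suggest a spoofed co-worker message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # A colleague's display name on an address outside the organisation.
    if name.strip().lower() in STAFF_NAMES and domain_of(addr) != ORG_DOMAIN:
        findings.append("staff display name on external address")
    # Replies routed to a different domain than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")
    # Authentication verdicts recorded by the receiving mail server.
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()):
            if result not in ("pass", "none"):
                findings.append(f"{mech} result: {result}")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Dana Smith" <dana.smith@example.net>
Reply-To: payments@example.org
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none

Please open the attached invoice.
"""
LEGIT = """\
From: "Dana Smith" <dana.smith@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass

See you at noon.
"""

for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
    print(label, spoof_indicators(raw))
```

A message with no findings is not proven safe; the check only surfaces the header mismatches that spoofed co-worker mail tends to leave behind.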

Whaling

Whale phishing is a form of phishing aimed at the very big fish — CEOs or other high-value targets. Many of these scams target company board members, who are considered particularly vulnerable: they have a great deal of authority within a company, but since they aren't full-time employees, they often use personal email addresses for business-related correspondence, which don't have the protections offered by corporate email.

How to avoid becoming a victim

  • Think before downloading anything
  • Think before clicking any link
  • Make sure to use antivirus software with anti-phishing capabilities when accessing the internet
  • Always verify a site’s security
  • Be wary of pop-ups and keep your browser up to date