Phishing is one of the most destructive and internet's oldest cyberattack in which an attacker steal private sensitive information like username, password, payment details, etc. It uses social engineering as well as spoofing tricks.
Social engineering means collecting personal information about a targeted person or an organization which gives an attacker the complete detailed analysis of the target.
Spoofing means pretending as a legitimate source so that the target believes it's legitimate. That means attackers use social engineering tricks to analyze the targeted person and use spoofing tricks to attract the targeted person in entering a phishing website or downloading malware.
The most popular form of phishing is Emails and it looks like as it comes from a legitimate (trusted) source. So, the targeted person believes it's trustworthy and attacker tricks the targeted person in entering a phishing website or downloading malware. Most destructive malware like Wannacry, Doomsday, Emotet, etc was also spread through phishing emails.
Phishing emails contain a malicious link and it takes the targeted person to the phishing website, some little unnoticeable changes are done by the attacker but it looks exactly like a legitimate website. It usually contains login related fields like username and password. So, this way attackers steal the login credential details of the targeted person or an organization.
That's why phishing attacks are the most destructive and dangerous. If someone has less knowledge about cybersecurity then its easy to compromise all security measures because attackers bypass a network with one phishing email. So, It is important that everyone has knowledge about phishing.
Three Components of Phishing Attack:-
1. The phishing attack is carried out via digital communication includes email, SMS, phone call, etc.
2. The attacker act as an individual or organization you can believe.
3. The goal id to collect personal sensitive information such as username, password, payment details, etc.
How Does Phishing Works?
Phishing emails are always sent with a subject that will make the target panic like some sense of urgency, account suspended, limited period offer, won a big cash prize, loan approved, etc. So, because of this target open the link or attachments as soon as the target sees.
For a normal person, it wouldn't easy to recognize a spoofed email. So, as soon as the target clicks and executed attachments or enter credentials in the phishing website, phishing would have been successfully executed.
Common Features of Phishing Emails
1. Too Good To Be True — Attractive offers or attention seeking sentences are designed to attract a person's attention instantly like you won a big cash prize, an iPhone, or a lottery.
2. Sense of Urgency — A key method amongst attackers is to create a sense of urgency by telling you that one of your account suspended or one of your account was hacked so update your login details immediately. Due to this, most people will not think twice before clicking on the link. So, just ignore these types of emails and also remember that legitimate or reputable organizations never ask your personal sensitive information over the internet.
3. Attachments — If you see strange and unusual attachments in your email then don't download and open it. Because, These attachments may contain malicious threats like ransomware and malware.
4. Hyperlinks — The email contains links that may not be true it appears to be. So, make a habit of hovering over the link before clicking upon it because it keeps you well informed about where it leads.
5. Unusual Sender — Be suspicious if emails come from unusual sender. However, also be suspicious even if emails come from the known sender (to whom you don't regularly communicate with over email).
6. Bad Look — If there are grammar mistakes, no logo, or different font types throughout the email body then be suspicious because these are the signs of a phishing email.
Types of Phishing:-
1. Deceptive phishing
It is a very ordinary type of phishing. In Deceptive phishing, the attacker attempts to gain private sensitive information from the targeted person or an organization and uses that information for financial gain.
2. Spear phishing
Spear phishing is targeted one in nature means attacker personalize their attack and send emails to only a certain person or certain organization. In spear phishing, an attacker firstly does research about a specific person or specific organization like through LinkedIn which is a professional social network, an attacker can easily find your employment information in one place and with all this information, an attacker tries to pretend trustworthy. That's why spear phishing is a critical and destructive threat to businesses because it could lead to a data breach.
It is a special kind of spear phishing attack because Whaling phishing attack targets high-value individuals like CEO (Chief Executive Officers), CFO (Chief Financial Officer), or other high ranking executives in an organization. Here, an attacker does more research about targets. Whaling phishing attacks are also very dangerous and destructive because high-value individuals access most private sensitive corporate data.
4. Clone phishing
In clone phishing, attacker clone a legitimate email that targeted person recently received and then sends that clone email to the targeted person by doing some minor changes like replacing attachment with malicious one or replacing the link with a malicious one. Here, an attacker also spoofs the sender's email address. That's why clone emails are most difficult to detect.
5. Smishing and Vishing
Nowadays, mobile-based phishing attacks are increasing day by day. In mobile-based phishing attacks, smishing and vishing are very effective.
Smishing is phishing via SMS. Here, You'll receive an SMS over mobile which contains a link and asking you to click on a link. But when you click on a link you'll be tricked into downloading malware that can compromise your mobile and sends you private sensitive information remotely to the hacker.
Vishing is phishing via mobile call. Here, an attacker will try to convince the target over the mobile to disclose private sensitive information.
So, These are the types of phishing.
If you have any questions related to phishing attack and also want to share your views on this then please mention in the comments box and I will get back to you.