“Congratulations! You have won n million dollars. Send us your bank details.” If you are on the Internet, you have probably seen such e-mails in your inbox or spam folder. These emails are called phishing: a cybercrime in which criminals use computer technology to steal data from victims, who may be individuals or businesses. This phishing checklist is an attempt to give you as much knowledge as possible about this cybercrime so that you do not become a victim of it. We also discuss the types of phishing.
What is phishing?
Phishing is a cybercrime in which criminals lure victims with fake emails and text messages, with the intention of stealing the victims’ data. Primarily, this is done through mass email campaigns. The criminals use temporary email identifiers and temporary servers, so it becomes difficult for authorities to catch them. They have a general template that is sent to hundreds of thousands of recipients so that at least a few can be deceived. Learn how to identify phishing attacks.
Why is it called phishing?
You know fishing. In real fishing, the fisherman places a bait on the hook of the fishing rod so that a fish can be caught when it bites. On the Internet, too, criminals use bait, in the form of a message that is convincing and appears authentic. Since criminals use bait, this is called phishing: it is fishing for passwords, now spelled phishing.
The bait could be a promise of money or of some commodity that tempts the end user to click on it. Sometimes the bait is different (for example, a threat or an emergency) and calls for action, such as clicking on links that say you need to re-authorize your account on Amazon, Apple or PayPal.
How to pronounce phishing?
It is pronounced like “fishing”: the “ph” is sounded as an “f”.
How common is phishing?
Phishing attacks are more common than malware. This means that more cybercriminals are involved in phishing than in spreading malware through email, fake websites, or fake advertisements on real websites.
Nowadays, phishing kits are sold online, so almost anyone who knows their way around the Internet can buy them and use them for illegal tasks. These phishing kits provide everything from cloning a website to composing a compelling email or text.
Types of phishing
There are many types of phishing. Some of the most popular are:
- Regular, general emails asking for your personal information, the most used form of phishing
- Spear phishing
- Whale scams
- Smishing (SMS phishing) and Vishing
- QRishing scams
- Tabnabbing
1] General phishing
In its simplest form, phishing consists of emails and text messages warning you of something while asking you to click on a link. In some cases, they ask you to open the attachment in the email they sent you.
In the subject line of the email, cybercriminals trick you into opening the email or text. Often the pretext is that one of your online accounts needs to be updated, and it seems urgent.
In the body of the email or text, there is compelling information that is false but credible, and it ends with a call to action: asking you to click on the link provided in the email or phishing text. Text messages are more dangerous because they use shortened URLs, whose destination or full link cannot be checked without clicking on them when you read them on the phone. There may be an application somewhere that can help verify the full URL, but I don’t know of any at this time.
2] Spear phishing
Spear phishing refers to targeted phishing in which the targets are employees of business houses. Cybercriminals obtain their work email addresses and send bogus phishing emails to these addresses. The email appears to come from someone high up on the corporate ladder, creating enough urgency that the employee responds to it … helping the cybercriminals break into the corporate network. To learn all about spear phishing, click here. The link also contains some examples of spear phishing.
3] Whaling
Whaling is similar to spear phishing. The only difference between the two is that spear phishing can target any employee, while whaling targets certain privileged employees. The method is the same. Cybercriminals obtain the victims’ official email identifiers and phone numbers and send them a convincing email or text with a call to action that could open a back door into the corporate intranet. Learn more about whaling phishing attacks.
4] Smishing and Vishing
When cybercriminals use the short messaging service (SMS) to obtain victims’ personal information, it is called smishing, or SMS phishing. Vishing is the same trick carried out over voice calls. Read the details of Smishing and Vishing.
5] QRishing scams
QR codes are not new. When information needs to be kept short and compact, QR codes are a convenient format. You may have seen QR codes on different payment gateways, in bank ads or simply on WhatsApp Web. These codes encode information as a square pattern of black and white modules. Since we cannot tell what information a QR code carries just by looking at it, it is always best to stay away from codes from unknown sources. This means that if you receive a QR code in an email or text from an entity you do not know, do not scan it. Learn more about QRishing scams on smartphones.
6] Tabnabbing
Tabnabbing changes a legitimate page you are visiting into a fraudulent page while you are away in another tab. Let’s say:
- You are accessing a real website.
- You open another tab and browse another site.
- After a while, you return to the first tab.
- You are greeted with a fresh login prompt, perhaps for your Gmail account.
- You log in again, not suspecting that the page, including the favicon, has actually changed behind your back!
This is Tabnabbing, also called Tabjacking.
There are other types of phishing that are not widely used these days; I did not name them in this post. The methods used for phishing keep adding new techniques to the crime. Know the different types of cybercrime if you are interested.
Identification of phishing emails and text messages
While cybercriminals take every measure to trick you into clicking on their illegal links so that they can steal your data, there are a few pointers that indicate that an email is fake.
In most cases, phishers use a name that is familiar to you. It can be the name of an established bank or of a company like Amazon, Apple, eBay, etc. Look at the email ID.
Phishing criminals do not use persistent email providers like Hotmail, Outlook, Gmail, etc. They use temporary mail servers, so anything from an unknown source is suspect. In some cases, cybercriminals try to spoof email identifiers using a business name: the email ID contains the name of Amazon, but if you take a closer look, it does not come from Amazon’s servers but from a fakeemail.com server.
So, if a mail claiming to be from http://axisbank.com arrives from an email identifier on some other domain, you must exercise caution. Also check for spelling errors. In the Axis Bank example, if the email ID is from axsbank.com, it is a phishing email.
PhishTank can help you check or report phishing websites.
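As an added example (not part of the original article), here is a small Python check that applies the two tests above to a From: header: is the sending domain the brand’s real domain, and if not, is it a one-letter lookalike such as axsbank.com? The brand-to-domain table and the sample addresses are constructed for illustration.

```python
"""Check an e-mail From: header against the domain a message claims to be from.

Added example, not from the original article. The brand table and the
sample sender addresses below are constructed for illustration.
"""
from email.utils import parseaddr

# Brand -> domain the brand really sends from (constructed sample table).
KNOWN_BRAND_DOMAINS = {
    "amazon": "amazon.com",
    "axis bank": "axisbank.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo domains like axsbank.com vs axisbank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain after '@' in lower case, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, brand: str) -> str:
    """Classify a From: header for a message that claims to come from `brand`.

    Returns 'ok' (real domain), 'lookalike' (typo-squatted domain within two
    edits of the real one) or 'mismatch' (unrelated domain, e.g. fakeemail.com).
    """
    expected = KNOWN_BRAND_DOMAINS[brand.lower()]
    domain = sender_domain(from_header)
    if domain == expected:
        return "ok"
    # A near-miss domain is a stronger phishing signal than a random one,
    # because it was chosen to look right at a glance.
    if domain and edit_distance(domain, expected) <= 2:
        return "lookalike"
    return "mismatch"
```

This is a heuristic over the visible From: line only; a forged header can defeat it, so it complements rather than replaces the advice to open the site yourself.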
Phishing precautions
The section above talked about identifying phishing emails and text messages. The basis of all precautions is to verify the origin of the email instead of simply clicking on the links in it. Do not give passwords or security-question answers to anyone. Look at the email ID from which the email was sent.
If the text appears to come from a friend, you might want to confirm that they really sent it. You can call them and ask whether they sent a message with a link.
Never click on links in emails from sources you don’t know. Even for emails that seem authentic, say from Amazon, do not click on the link. Instead, open a browser and enter the Amazon URL yourself. From there you can check whether you really need to send any details to the entity.
Some links say that you need to verify your registration. Check whether you recently signed up for a service. If you don’t remember doing so, ignore the email link.
What if I click on a phishing link?
Close the browser immediately. If you cannot close the browser, as with the default browser on some smartphones, do not touch or enter any information; manually close each of its tabs instead. Remember not to log into any of your applications until you run a scan using BitDefender or Malwarebytes. There are also paid apps you can use.
The same goes for computers. If you click on a link, the browser launches and some sort of duplicate website appears. Do not click or touch anywhere in the browser. Just click the browser’s Close button or use Windows Task Manager to close it. Run a malware scan before using other applications on the computer.
Read: Where to report online scams, spam and phishing websites?
Please comment and let us know if I left anything out in this phishing cheat sheet.