they often use a misspelled URL that looks very similar to the URL of the actual website (What is typosquatting, and how do attackers use it for phishing?). Sometimes, they even use subdomains in a deceptive way. For example, www.some.example.com may appear to belong to the website www.some.com, but the part of the name that decides who serves the page is the registrable domain, example.com. Here "some" is just a subdomain of the fraudulent website www.example.com, so the page comes from the attacker.
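The following is an added example, not code from the original article, showing how a URL checker can catch both tricks above: it reduces a host name to its registrable domain (so www.some.example.com is recognised as belonging to example.com, not some.com) and flags one-character typosquats and homoglyph swaps such as s0me.com. The brand names, host names and the tiny suffix list are constructed for the example; a real check would load the full Public Suffix List.

```python
"""Flag URLs whose host name impersonates a protected brand.

Added example, not code from the original article. It checks two of the
tricks described above: a misspelled or homoglyph domain (s0me.com for
some.com) and a brand name used as a subdomain of an attacker-owned
registrable domain (www.some.example.com is served by whoever controls
example.com, not by some.com). Brand names, hosts and the suffix list are
constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real check would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Registrable domains of the brands we want to protect (constructed).
PROTECTED_DOMAINS = {"some.com", "example-bank.com"}

# Characters attackers commonly swap for look-alikes.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of host, or host itself if no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest matching public suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_label(label: str) -> str:
    """Fold common homoglyph substitutions back to the letters they imitate."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'brand-as-subdomain', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "legitimate"
    brands = {d.split(".")[0] for d in PROTECTED_DOMAINS}
    # Labels to the left of the registrable domain are chosen by the domain's owner,
    # so a brand name appearing there is a red flag (www.some.example.com).
    host_labels = host.split(".")
    left_labels = host_labels[: len(host_labels) - len(domain.split("."))]
    if any(normalise_label(lbl) in brands for lbl in left_labels):
        return "brand-as-subdomain"
    # Typosquatting: the registrable name is within one edit of a brand after homoglyph folding.
    name = normalise_label(domain.split(".")[0])
    if any(edit_distance(name, brand) <= 1 for brand in brands):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.some.com/login", "https://www.some.example.com/login",
              "https://s0me.com/", "https://sorne.com/", "https://wikipedia.org/"):
        print(f"{u:45} {classify_url(u)}")
```

An edit distance of one is noisy for short brand names (home.com would be flagged as a look-alike of some.com), so in practice the threshold is tuned per brand and the candidates are reviewed rather than blocked outright.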
Attackers sometimes use images containing text instead of plain text in emails, so that filters looking for suspicious words in the message body find nothing. Today, however, many anti-phishing filters use OCR (Optical Character Recognition) to extract the text inside images and filter on it as well.
Sometimes, the attackers use JavaScript to alter the address bar, or place an image of the legitimate URL over it, so that once the victim clicks the fraudulent link it is very difficult to notice the deception. Modern browsers no longer let page scripts rewrite the real address bar, so today this trick usually takes the form of a fake browser window, complete with a fake address bar, drawn inside the page itself.
Sometimes, attackers compromise a legitimate website. When a user visits it, a fraudulent pop-up appears that asks for sensitive information such as the account name and password.
A user may click on a link that appears to come from an official social networking website. The link opens a page that asks whether the user wants to authorize an application. If the user clicks "yes", the authorization token (which grants access to sensitive information such as the email address and friend list) is passed on to the attackers through an open redirect on the legitimate site. This sort of phishing is called Covert Redirect, and it is much harder to detect, because the domain the victim sees when authorizing really is the legitimate one.
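As an added example (not code from the original article, and not how any particular identity provider is implemented), the model below shows why covert redirect works and how the provider side closes it: a weak redirect_uri check that accepts any URL on the registered client's host lets the token travel through the client's open redirector to the attacker, while a strict byte-for-byte match against the registered value refuses the request. All host names are constructed.

```python
"""Weak versus strict redirect_uri validation at an OAuth authorization server.

Added example, not code from the original article or from any real identity
provider. It models the covert redirect described above: the provider accepts
any URL on the registered client's host, the client site has an open
redirector, and the token appended to the redirect ends up on the attacker's
host. All host names are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# The redirect URI the client registered with the provider (constructed).
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}


def weak_redirect_ok(requested: str) -> bool:
    """Vulnerable check: any https URL on a registered host is accepted."""
    req = urlsplit(requested)
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    return req.scheme == "https" and req.hostname in registered_hosts


def strict_redirect_ok(requested: str) -> bool:
    """Hardened check: the redirect_uri must match a registered value exactly."""
    return requested in REGISTERED_REDIRECT_URIS


def client_lands_on(url: str) -> str:
    """Model the client site: /redirect?url=... forwards the browser unchecked (an open redirector)."""
    parts = urlsplit(url)
    if parts.hostname == "client.example" and parts.path == "/redirect":
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return url


def token_recipient(redirect_uri: str, validator):
    """Return the host that finally sees the access token, or None if the provider refuses.

    After the user clicks "yes", the provider sends the browser to
    redirect_uri#access_token=... (implicit grant). Browsers re-attach the
    fragment to the Location of a 3xx redirect that carries no fragment of its
    own, so whatever host the client's open redirector forwards to can read the
    token from the URL.
    """
    if not validator(redirect_uri):
        return None
    landing = client_lands_on(redirect_uri)
    return urlsplit(landing).hostname


if __name__ == "__main__":
    evil = "https://client.example/redirect?url=https://attacker.example/collect"
    print("weak check  ->", token_recipient(evil, weak_redirect_ok))
    print("strict check->", token_recipient(evil, strict_redirect_ok))
```

The client can also help by removing the open redirector (or only redirecting to an allow-list), but the provider-side exact match is the control that does not depend on every client getting that right.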
In phone phishing (What is vishing and how to prevent it?), the attackers call the victim and convince them to key in a bank account number, PIN, etc., over the phone. Sometimes the victims do not see through the deception and fall into the trap. Attackers can also phish by sending SMS messages to mobile phones; this is called smishing (What is smishing and how to prevent it?).
In tabnabbing (What is tabnabbing and how to prevent it?), the attackers get the victim to open a page of their fraudulent website in one browser tab. While the victim is busy in other tabs, the unattended tab silently rewrites itself into a similar-looking fraudulent login page (e.g., a fake social networking website). When the victim returns to the tab and "logs in again", the credentials go to the attackers.
Sometimes, attackers set up a Wi-Fi network whose name looks identical to an official public one. This is called an evil twin (How to protect oneself from evil twin?). Some users cannot tell the difference and start using the fraudulent network, and anything they send over it without end-to-end encryption (plain HTTP traffic, for example) can be read or altered by the attacker.
How to prevent phishing?
We can educate ourselves to be aware of the most common phishing techniques so that we do not fall into the trap.
- If an email asks you to verify or confirm your account, a legitimate sender will normally address you by name or username. An email that contains no personal information at all, especially not your username, should be treated as a likely phishing email. The reverse does not hold: a targeted email may well know your name. Either way, contact the organisation directly through its published contact details instead of clicking any link in the email.
- If a bank contacts you, it will normally quote at least a few digits of your account number and mask the rest. So, if you get an email asking for account verification that does not contain any digits of your account number, it is most likely a phishing email. Instead of clicking any link in that email, contact the bank directly using the number on your card or statement, not a number taken from the email, and verify whether it is genuine.
- Use security software from trusted sources and keep it updated.
- Keep all the software on your computer up to date with the latest security patches. Attackers often exploit known vulnerabilities in commonly used software to deliver their attacks.
- Do not click on a link unless you are sure of its trustworthiness. Hover over it (or long-press on a touchscreen) to preview the real destination first, and if in doubt type the address yourself.
- If you get fraudulent phone calls, note down the caller's details and report them to the local authorities.
- If spam emails reach your inbox, select them and mark them as spam. Spam filters typically use machine learning trained on messages that users have labelled, so every message you mark improves the filter's ability to catch similar messages in the future. (How does a spam filter work, and what is a spam trap?)
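To make the last point concrete, here is an added example (not code from the original article, and not how any particular mail provider's filter is built) of a small Bayesian spam filter. It starts from a constructed corpus of ordinary and spam messages, misses a phishing lure it has never seen words for, and starts catching a similar lure once the user marks the first one as spam. The messages and the tokeniser are constructed; real filters use far richer features, but the feedback loop is the same.

```python
"""A tiny Bayesian spam filter that learns from the user's "mark as spam" clicks.

Added example, not code from the original article and not how any particular
mail provider's filter works. The training messages, the phishing lures and
the tokeniser are constructed for the example.
"""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9]+")

# Constructed starting corpus: four ordinary messages and four obvious spam messages.
HAM = [
    "lunch meeting moved to noon, see you there",
    "can you review my pull request today",
    "the quarterly report is attached, please confirm receipt",
    "reminder: your dentist appointment is on tuesday",
]
SPAM = [
    "you won a free prize, claim now",
    "cheap meds, buy now with free shipping",
    "act now, limited time offer, free gift",
    "congratulations winner, claim your free vacation",
]
# Two constructed phishing lures; the user will mark the first one as spam.
PHISH_1 = "security notice: please verify your account password today to avoid suspension"
PHISH_2 = "please verify your account password today, your account will be suspended"


def tokens(text: str) -> set:
    """Binary word features: each word counts once per message."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}                    # messages seen per class
        self.words = {"spam": Counter(), "ham": Counter()}  # messages per class containing a word

    def train(self, text: str, label: str) -> None:
        self.docs[label] += 1
        self.words[label].update(tokens(text))

    def _log_score(self, text: str, label: str) -> float:
        """log P(label) + sum over the message's words of log P(word | label), add-one smoothed."""
        total = self.docs["spam"] + self.docs["ham"]
        score = math.log((self.docs[label] + 1) / (total + 2))
        for w in tokens(text):
            score += math.log((self.words[label][w] + 1) / (self.docs[label] + 2))
        return score

    def spam_probability(self, text: str) -> float:
        diff = self._log_score(text, "ham") - self._log_score(text, "spam")
        diff = max(-700.0, min(700.0, diff))                 # keep exp() in range
        return 1.0 / (1.0 + math.exp(diff))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) > threshold


def build_filter() -> BayesFilter:
    """Train a filter on the constructed starting corpus."""
    f = BayesFilter()
    for m in HAM:
        f.train(m, "ham")
    for m in SPAM:
        f.train(m, "spam")
    return f


if __name__ == "__main__":
    f = build_filter()
    print("before feedback:", round(f.spam_probability(PHISH_2), 3))
    f.train(PHISH_1, "spam")   # the user clicks "mark as spam" on the first lure
    print("after feedback: ", round(f.spam_probability(PHISH_2), 3))
```

Before the feedback the second lure shares only everyday words ("please", "today") with the corpus, all of them from legitimate mail, so it scores as ham; one labelled example teaches the filter that "verify", "account" and "password" together are suspicious, and the same message then crosses the spam threshold.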
Purpose of phishing
Why do attackers commit phishing?
Sometimes, attackers collect financial data from victims to steal money from the victims’ bank accounts. And sometimes, the collected personal …





