Phishing is one of the most common attack methods on the internet. Phishing attacks trick users or organizations into handing over sensitive information. Let's look in detail at what phishing is and how to protect yourself from it.

What is phishing?

Phishing is a social engineering technique that uses deception to steal user data such as login credentials and credit card numbers. The attacker poses as a trusted party and tricks the victim into clicking a link sent by email or text message.

The link may lead to a fake login page that collects the victim's credentials, or to a download that installs malware on the device. Depending on the payload, the attacker can then steal sensitive information, take over accounts, or, in the case of ransomware, lock files on the computer or phone and demand payment.

The consequences can be severe: unauthorized purchases, theft of funds and even identity theft are common outcomes.

Phishing is also used as the first step of a larger attack on a corporate or government network. Once an employee clicks a malicious link or enters credentials on a fake page, the attacker gains a foothold in the network.

This can cause serious problems for an organization: lost market share, reputational damage and loss of customer trust. Because phishing exploits weaknesses in the organization's security, customers' confidence in that security is shaken. There have been many such incidents in the past.

Examples of phishing attacks

Let's look at an example. Students at a university receive emails from an address that appears to belong to the university, saying their passwords have expired. The email adds that if the password is not reset within 24 hours, the account will be locked.

After clicking the password reset link, the student is shown a page that closely mimics the real password reset page. It asks for the current password and a new one; once entered, the current password is captured and used to log into the student's real account. The link can also redirect the browser through a page that runs malicious script, which may steal the user's session cookies.

Similarly, a link claiming to be a Facebook password reset can lead to a page that looks like Facebook; enter your password there and your account is compromised. Displaying fake pages like this is how phishing deceives users into giving up important information.

Phishing techniques

Phishing attacks can take many forms. Let's look at the common techniques an attacker uses to carry out a phishing attack.

Email phishing

Email phishing is essentially a numbers game. The attacker sends large volumes of fraudulent emails, typically threatening the recipients with financial loss or account suspension. Even if only a small fraction of recipients click the link, the attacker still gets victims.

To impersonate a real organization, attackers copy its logo, fonts, email signature and so on, so the message looks legitimate enough to click.

The message usually pressures the user into a quick decision. For example, it claims that the account will expire or be locked unless the password is changed within a specified time.

You need to check carefully whether the link or domain in such an email is genuine. For example, facebook.com is the legitimate domain, but faceb00k.com is a lookalike: the digit zero replaces the letter "o", and at a glance the two look almost identical. Fraudsters use many such tricks, including placing the real brand name as a subdomain of a domain they control. Always check the actual destination of a link (hover over it rather than trusting the displayed text) and make sure the address is exactly correct before clicking.

Spear phishing

Spear phishing targets specific individuals or organizations. It is a refined version of phishing in which information gathered about the target is used to make the message convincing.

An attacker can, for example:

• Research the names of employees in the organization's marketing department and obtain a copy of a recent project invoice

• Impersonate the marketing director, using the same text, style and logo as the company's standard emails

• Send the employees a link to what is described as a password-protected internal document, which is actually a fake version of the stolen invoice

• Require a login to view the document. The entered credentials are stolen and used to infiltrate the organization's network.

How to stay safe from phishing

Whether you are an individual or an organization, there are several important steps to take to avoid falling for a phishing attack. Caution is the key. Fake messages often contain small errors such as misspellings or slightly wrong email addresses. Most phishing attempts can be avoided if the user takes a moment to check a message or email before clicking.

Follow these tips to avoid phishing attacks:

• Two-factor authentication makes a stolen password far less useful: even if an attacker obtains the username and password, they still need the second factor. Use it on every account that offers it, and never share an OTP code by message or email. Be aware that a phishing page can also ask for the OTP and relay it to the real site in real time, so prefer phishing-resistant methods such as security keys or passkeys where available.

• Use security software, and keep it updated so that it can detect new threats.

• Back up your data regularly, to offline media such as an external hard drive or to a separate cloud storage account, so that a ransomware infection cannot destroy the only copy.

• Treat any email that asks for sensitive information as a likely scam; legitimate organizations do not ask for passwords or card numbers by email.

• Check the email for spelling and grammatical errors. They are a common sign of phishing, although a well-written message is not proof that it is genuine.

• Be wary of senders who do not use your name or account details. A generic greeting suggests a message sent to many people at once.

• Verify where an attachment came from before opening it.

• Check the actual sender address, not just the display name; a display name can show anything, and even the address itself can be spoofed.

• Check that the site uses HTTPS, but remember that HTTPS only means the connection is encrypted; phishing sites use it too. The domain name is what you need to verify.

• Always keep your browser, antivirus and operating system updated for the latest protection against viruses and malware.

• You can check whether a link is malicious by copying it (without clicking it) and submitting it to the VirusTotal website.
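As an added example (not code from the original post), here is a small Python script that applies the link checks from this list and from the email phishing section to a URL copied out of a suspicious message: it flags lookalike domains such as faceb00k.com, a brand name hidden in a subdomain, a username before "@" that disguises the real host, a raw IP address, punycode labels and a non-HTTPS scheme. The trusted-domain list and the sample links are constructed for the example, and the registrable-domain extraction is deliberately naive (last two labels, no public suffix list).

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist for the example: the domains this user actually has accounts with.
TRUSTED_DOMAINS = {"facebook.com", "example-university.edu"}

# Digit-for-letter swaps commonly used in lookalike domains (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Fold the usual lookalike tricks so faceb00k.com compares equal to facebook.com."""
    host = unicodedata.normalize("NFKC", host).lower()
    host = host.translate(HOMOGLYPHS)
    # Two-letter pairs that render like one letter in many fonts.
    return host.replace("rn", "m").replace("vv", "w")


def inspect_url(url: str) -> list:
    """Return a list of warnings for the URL; an empty list means no red flags found."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not https")
    host = parts.hostname
    if not host:
        findings.append("no hostname")
        return findings
    if parts.username is not None:
        # https://facebook.com@evil.example/ -> the browser goes to evil.example
        findings.append("credentials before '@' disguise the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (internationalized lookalike)")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted:
            findings.append(f"lookalike of {trusted}")
        elif trusted in host:
            # facebook.com.account-verify.example: brand name used as a subdomain
            findings.append(f"{trusted} appears inside {host} but is not its domain")
    findings.append(f"domain {domain} is not in the trusted list")
    return findings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    for link in [
        "https://www.facebook.com/recover",
        "https://faceb00k.com/recover",
        "http://facebook.com@198.51.100.7/login",
        "https://facebook.com.account-verify.example/",
    ]:
        print(link, "->", inspect_url(link) or ["consistent with trusted list"])
```

An empty result only means none of these particular tricks were found; it is a quick offline sanity check to run before a VirusTotal lookup, not proof that a link is safe.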

I hope this post helps you stay safe online. Share your experiences and ideas in the comments!