Content:
What phishing is, its history, how it works, statistics, types of phishing, how to identify it, how to take countermeasures, phishing kits, and an example of a phishing attack.
2. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It is a cyber attack that mostly uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need and to click a link or download an attachment.
3. It's one of the oldest types of cyberattacks, dating back to the 1990s, via America Online, or AOL. It's still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.
A group of hackers and pirates that banded together and called themselves the warez community are considered the first “phishers.” In an early scam, they created an algorithm that allowed them to generate random credit card numbers, which they would then attempt to use to make phony AOL accounts.
6. Spear Phishing
Attackers will often gather information about their targets to fill emails with more authentic context. Some attackers even hijack business email communications and create highly customized messages.
Clone Phishing
Attackers are able to view legitimate, previously delivered email messages, make a nearly identical copy—or “clone”—and then change an attachment or link to something malicious.
Whaling
Whaling specifically targets high-profile and/or senior executives in an organization. The content of a whaling attempt will often present as a legal communication or other high-level executive business.
7. Vishing
Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called vishing → voice + phishing = vishing.
Smishing
SMS phishing or SMiShing is one of the easiest types of phishing attacks. The user is targeted by using SMS alerts.
In-Session Phishing
Pop-up messages are the easiest way to run a successful phishing campaign. Through pop-up messages, attackers get a window to steal login credentials by redirecting users to a fake website.
Search engine phishing
The scammers target certain keywords and create web pages they hope show up in the search results. Visitors clicking on the link from Google may not realize it’s a phishing scam until it’s too late.
8. The message is sent from a public email domain
The domain name is misspelled
The email is poorly written
It includes suspicious attachments or links
The message creates a sense of urgency
Legit companies usually call you by your name
9. Use HTTPS
A properly configured Web Browser
Monitoring Phishing Sites
Proper Email Client Configuration
Using SPAM Filters
10. Phishing kits as well as mailing lists are available on the dark web. A couple of sites such as PhishTank and OpenPhish keep crowd-sourced lists of known phishing kits.
11. The story of Austrian aerospace executive Walter Stephan holds the record for being the individual to lose the most money in history from a single scam – around $47 million.
During his tenure as CEO of FACC, which manufactures aircraft components for Boeing and Airbus, cybercriminals faked Stephan’s email and demanded that a lower-level employee transfer the enormous sum to an unknown bank account as part of an “acquisition project”.
FACC’s systems were not hacked. The attacker seems to have simply guessed Stephan’s email address correctly, created a look-alike spoof email address, and then targeted an entry-level accountant. The employee immediately trusted the email and sent the wire. In the aftermath of the loss, Stephan lost his position as CEO, FACC fired its chief financial officer, and the company scrambled to retrieve the money – eventually recouping around one-fifth of the loss.
To avoid the fate of FACC, businesses need to empower employees to verify email communication that appears to come from senior board members.
13. The word “phishing” (a play on the word “fishing”) is an attempt, originally via a message or email, to lure computer users to reveal sensitive personal information such as passwords, birthdates, credit cards, and social security numbers. To perpetrate this type of con, the communication pretends to be from an official representative of a website or another institution a person has likely done business with (e.g., PayPal, Amazon, UPS, Bank of America, etc.).
97% do not spot phishing emails.
As people became more savvy about messenger scams, phishers switched to email communications, which were easy to create, cheap to send out, and made it nearly impossible for them to get caught. And while most of these phishing messages were poorly constructed and full of grammatical errors at first, they quickly began to get more sophisticated.
There are many different methods and subcategories of phishing, but there is one thing they all have in common: they want to fool you into giving up your personal information.
Spear phishing email messages won’t look as random as more general phishing attempts. Whaling is not very different from spear phishing, but the targeted group becomes more specific and confined in this type of phishing attack.
Considering the ease and enormity of data available in social networks, it is no surprise that phishers communicate confidently over a call in the name of friends, relatives or any related brand, without raising any suspicion.
14. According to Verizon’s 2019 Data Breach Investigations Report, 32% of all cyber attacks involved phishing.
The email itself may contain the company’s logo and phone number, and otherwise look completely legitimate; another common tactic is to make it look like a personal email from a friend or relative who wants to share something with you.
No legitimate organization will contact you from an address that ends in ‘@gmail.com’. The problem is that anyone can buy a domain name from a registrar.
Look not for spelling mistakes but for grammar mistakes.
The suspicious element will either be an infected attachment that you’re asked to download or a link to a bogus website that requests login and other sensitive information. The longer you think about something, the more likely you are to notice things that don’t seem right.
Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.”
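The warning signs listed on slides 8 and 14 (public sender domain, look-alike domain, generic salutation, urgency, suspicious link or attachment) can be checked mechanically before a message reaches a reader. The following is an added example written for this page, not code from the slides or from any product: a small indicator scanner built on Python's standard `email` module. The trusted-brand list, the webmail-domain list, the wording patterns, the digit-to-letter homoglyph table and both sample messages are assumptions constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed reference data: webmail domains a company never sends from, brands this
# organisation deals with, and the wording patterns the slides describe.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
TRUSTED_DOMAINS = ("paypal.com", "amazon.com", "acme-bank.example")
GENERIC_SALUTATIONS = ("dear valued member", "dear account holder", "dear customer")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm")
HOMOGLYPHS = str.maketrans("013", "ole")  # digits commonly swapped in for letters
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch a domain a character or two off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain that host imitates, or None if genuine or unrelated."""
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None  # the real domain or one of its own subdomains
    norm = host.translate(HOMOGLYPHS)  # paypa1-secure.com -> paypal-secure.com
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(norm, trusted) <= 2 or brand in re.split(r"[.-]", norm):
            return trusted  # near-miss spelling, or the brand used as a label elsewhere
    return None


def phishing_indicators(raw: bytes) -> list:
    """Parse one raw RFC 5322 message and list the warning signs it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain in PUBLIC_DOMAINS:
        found.append(f"sent from public email domain {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        found.append(f"sender domain {from_domain} imitates {imitated}")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        found.append(f"replies go to a different domain: {reply_addr}")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    if body.lstrip().startswith(GENERIC_SALUTATIONS):
        found.append("generic salutation instead of your name")
    urgency = [p for p in URGENCY_PHRASES if p in body]
    if urgency:
        found.append("urgency wording: " + ", ".join(urgency))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if lookalike_of(host):
            found.append(f"link host {host} imitates a trusted domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment {name}")
    return found


# Constructed sample messages (not real mail): one phish with an attachment, one ordinary note.
SUSPICIOUS = b"""\
From: PayPal Support <support@paypa1-secure.com>
Reply-To: billing.desk@gmail.com
Subject: Action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Dear customer,

Your account will be suspended unless you verify it immediately:
http://paypal.com.login-verify.net/confirm
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

LEGIT = b"""\
From: Alice <alice@acme-bank.example>
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Hi Bob, are you free on Friday? https://www.acme-bank.example/events
"""
```

Calling `phishing_indicators(SUSPICIOUS)` returns six indicators (look-alike sender domain, Reply-To pointing at a webmail address, generic salutation, urgency wording, a link whose host carries the brand name as a label under an unrelated domain, and a zip attachment), while `phishing_indicators(LEGIT)` returns an empty list. The subdomain check in `lookalike_of` matters: `www.paypal.com` is genuine and must not be flagged, whereas `paypal.com.login-verify.net` is registered under `login-verify.net` and is.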
15. Using HTTPS means that the information passed between the browser and the intended server is all encrypted.
Browser settings: warn me when sites try to install add-ons; block reported attack sites; block reported web forgeries.
There are also online tools available that can be used to check a site out before navigating to it. Google Safe Browsing is one of the popular online tools available.
Configure the email client to disable links and to warn you about suspicious domains and email addresses. Along with proper email client configuration, you want to implement the use of spam filters in your email.
Pay attention to the “To” and “From” in the address line of a suspicious email. Ensure the email came from a sender you actually know. Even if it does come from a trusted sender, look in the To line to see if you are the only recipient.
Before opening an email, you can use your mouse to hover over it to see whether the sender that appears in the From line is actually the sender. As you hover, a smaller box will appear with metadata concerning the email.
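The "Monitoring Phishing Sites" countermeasure (slide 9), the crowd-sourced lists kept by sites such as PhishTank (slide 10) and the Google Safe Browsing check mentioned above all come down to the same mechanism: reduce a URL to a canonical form, then look it up against a list of known phishing pages. The following is an added example written for this page, not code from the slides, from PhishTank or from Google: a simplified canonicalisation plus a lookup that also tries parent domains and path prefixes, so one list entry can cover a whole host or directory. The blocklist entries and the URLs are constructed for illustration, and the canonicalisation is a simplified version rather than any vendor's exact specification.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed blocklist entries (not a real feed): "host/path". An entry ending in "/"
# covers every page under that host or directory; one without covers that page.
BLOCKLIST = {
    "login-verify.example.net/paypal/confirm",
    "secure-update.example.org/",
}
IPV4_RE = re.compile(r"\d+(\.\d+){3}")


def canonical(url: str):
    """Reduce a URL to (host, path) so trivial variations cannot dodge the list."""
    url = "".join(url.split())  # drop embedded whitespace, tabs and line breaks
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").strip(".")  # hostname is already lowercased, port removed
    path, prev = parts.path or "/", None
    while path != prev:  # decode repeatedly: %252e -> %2e -> .
        prev, path = path, unquote(path)
    path = posixpath.normpath(path)  # collapse /./ and /../, drop trailing slash
    return host, path  # query string and fragment are intentionally discarded


def lookup_keys(host: str, path: str) -> list:
    """Every blocklist key that could cover this URL: parent domains x path prefixes."""
    labels = host.split(".")
    if IPV4_RE.fullmatch(host):
        hosts = [host]  # an IP address has no meaningful parent domain
    else:  # the exact host plus its parent domains, never the bare top-level label
        hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    segs = [s for s in path.split("/") if s]
    paths = ["/"]
    for i in range(1, len(segs) + 1):
        prefix = "/" + "/".join(segs[:i])
        paths += [prefix, prefix + "/"]  # exact entry and directory entry
    return [h + p for h in hosts[:5] for p in paths]


def is_blocked(url: str):
    """Return the blocklist entry that covers url, or None if it is not listed."""
    host, path = canonical(url)
    for key in lookup_keys(host, path):
        if key in BLOCKLIST:
            return key
    return None


if __name__ == "__main__":
    for u in ("HTTP://LOGIN-verify.example.net./paypal/%2e%2e/paypal/confirm/?s=1#top",
              "https://www.secure-update.example.org/account/login.php",
              "https://www.acme-bank.example/login"):
        print(u, "->", is_blocked(u))
```

The first sample URL is listed even though its letter case, trailing dot, percent-encoded `..` segment, query string and fragment all differ from the entry; the second is caught by the host-wide entry `secure-update.example.org/` although the page itself is not listed; the third is not on the list and returns `None`. Real services such as Google Safe Browsing apply a far more detailed canonicalisation and hash the keys before lookup, but the host-suffix and path-prefix expansion shown here is the part that lets one entry block a whole phishing site.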