
What is Phishing

Phishing is fraud in which the attacker tries to obtain confidential information, such as a login and password or credit card details, by masquerading as a reputable organisation in email, on social media, in text messages or through other communication channels.

Phone phishing (sometimes called vishing) is where someone phones the victim to try to obtain their confidential information. However, phishing is more commonly carried out electronically. Typically a victim receives a message that appears to have been sent by a known contact or organisation. There may be a link in the message or an attached file. Clicking the link or opening the file can lead to a virus or other malware being installed on the computer, which then steals whatever it can find: the victim's identity information, credit card details and so on.

Phishing is very prevalent and rising rapidly as scammers know it’s an easy way to gain access to the information needed to defraud people.

Phishing attacks can be based on recent events, or simply on picking a popular bank or other trusted organisation to impersonate.

Some scammers use marketing techniques to identify the most effective types of messages: the "hooks" that get the highest open or click-through rate, and the Facebook posts that generate the most likes. Phishing campaigns are sometimes timed around major events, holidays and anniversaries, or take advantage of news stories.

The scammers can sometimes go to a lot of trouble to make their messages appear genuine, e.g. by copying real text from the trusted organisation's website or by 'spoofing' the sender address so that the email looks as though it came from the trusted organisation. At other times, the scammers deliberately put mistakes in their message so that only the most gullible reply, which saves them time on people who would have noticed the fraud later anyway.

In 2005, between 12,000 and 17,000 phishing attacks a month were recorded.

By 2010, that had risen to between 21,000 and 30,000 per month.

And by 2015 it had risen to between 50,000 and 195,000 per month.

Phishing Techniques

The basic form of phishing is to offer an inducement to the victim to either reply by email with their confidential information or to click a link.

The inducement can be anything from the promise of riches to having your bank account unblocked or your Netflix account registered, etc. The link is typically to a website owned by the scammer, with a landing page that closely resembles a trusted organisation's, e.g. your bank, Amazon, Marks and Spencer or BT.

Sometimes the link is to a website with almost the same name as the trusted organisation, e.g. www.marksadspencer.com (note the missing 'n'), but this will be a scam website. Registering a misspelt name like this is cheap and the difference is easy to miss in an address bar.

Scammers also use what are called subdomains, e.g. www.natwestbank.orgsone.com is not a NatWest bank website. The part of a web address that was actually registered is the part just before the top-level domain (here orgsone.com); whoever owns that domain can put any name they like in front of it, including a bank's. So read a web address from the right-hand end, not the left.
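The two tricks above (a misspelt domain and a brand name hidden in a subdomain) can be checked mechanically. The following is an added example, not code from the original page: it pulls the registered domain out of a URL, flags hosts that merely contain a trusted brand name, and measures how close a domain is to a trusted one. The trusted-domain list and the tiny public-suffix table are assumptions for the example; a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Hypothetical trusted list for this example (not from the original page).
TRUSTED_DOMAINS = {"marksandspencer.com", "natwest.com", "amazon.co.uk", "bt.com"}

# Stand-in for the Public Suffix List: an assumption for this example only.
# Real code should use the full list (e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk"}


def host_of(url: str) -> str:
    """Hostname as the browser sees it; userinfo like 'bank.com@evil.com' is dropped."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Return the part of the host that was actually registered (eTLD+1).

    For 'www.natwestbank.orgsone.com' this is 'orgsone.com'; the 'natwestbank'
    label is a subdomain the owner of orgsone.com can create at will.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walking from the left finds the longest public suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:]) if i == 0 else ".".join(labels[i - 1:])
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain) for a link found in a message."""
    host = host_of(url)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    # Subdomain trick: the brand name appears in the host, but the registered
    # domain is someone else's. Very short brands are skipped because two- or
    # three-letter strings occur inside ordinary hostnames by chance.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if len(brand) >= 4 and brand in host:
            return ("brand-in-subdomain", reg)
    # Typosquat: the registered domain is within a couple of edits of a trusted one.
    # The threshold of 2 is a rough choice; short domains need a stricter one.
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(reg, trusted) <= 2:
            return ("lookalike", reg)
    return ("unknown", reg)


if __name__ == "__main__":
    for link in ("https://www.marksandspencer.com/login",
                 "http://www.marksadspencer.com/",
                 "https://www.natwestbank.orgsone.com/secure",
                 "https://www.natwest.com@orgsone.com/login"):
        print(link, "->", classify_url(link))
```

The last sample link shows why the host is taken with `urlsplit().hostname` rather than by eye: everything before the `@` is login information that the browser ignores, so the site actually visited is orgsone.com.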

Spear phishing is where the scammer uses information from other sources e.g. social media, to make the messages more believable such as by using the victim’s name.

Clone phishing is where the scammer takes a legitimate email the victim has already received and re-sends a near-identical copy of it, with the original link or attachment swapped for a malicious one, so the message looks genuine but isn't.

Whaling is where the phishing is aimed at company executives and may take the form of a legal document or company document. The name refers to a large, important target. The scammer may put a lot more effort into these attacks as the payoff is potentially higher.

How to Prevent Phishing

Most users are familiar with the padlock symbol which appears in the browser window when the connection to the website is encrypted (using https). Never enter a login and password if the padlock is missing. However, the padlock is not proof that the site is genuine: it only means the traffic is encrypted to whichever site is named in the address bar, and scammers can obtain certificates for their own domains free of charge, so a scam site can show a padlock too. Check the domain name in the address bar as well as the padlock.

Anti-virus and email scanners can sometimes pick out phishing emails and warn of their content. To get around this, some phishing emails consist of a picture with the text inside the image, so there is no text for the scanner to read. These are much harder for content scanners to identify as phishing, although an email whose whole "body" is a single clickable image is itself a warning sign.
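That warning sign can be turned into a simple check. The following is an added example, not code from the original page or from any scanning product: it parses an email, counts the readable words, inline images and links, and flags messages that carry a link but almost no text outside an image. Both sample messages are constructed here for the example; the image bytes are a placeholder, not a real picture, and the sender domain reuses the subdomain example from earlier in the article.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HREF_RE = re.compile(r"""href=["']([^"']+)""", re.I)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed placeholder standing in for a real PNG; only the MIME type matters here.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def image_only_sample() -> bytes:
    """Constructed phish: the visible 'text' is entirely inside a clickable image."""
    msg = EmailMessage()
    msg["From"] = "alerts@natwestbank.orgsone.com"   # subdomain trick from the article
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your account has been limited"
    html = ('<html><body><a href="http://www.natwestbank.orgsone.com/">'
            '<img src="cid:body"></a></body></html>')
    msg.set_content(html, subtype="html")
    # Attach the picture inline; this converts the message to multipart/related.
    msg.add_related(FAKE_PNG, maintype="image", subtype="png", cid="<body>")
    return msg.as_bytes()


def plain_text_sample() -> bytes:
    """Constructed ordinary message with readable text and no image."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.net"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Minutes from Tuesday"
    msg.set_content("Hi, the minutes from Tuesday's meeting are below. "
                    "Let me know if I have missed anything.\n\nThanks")
    return msg.as_bytes()


def analyse_email(raw: bytes) -> dict:
    """Count words, inline images and links, and flag image-only link bait."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    words, images, urls = 0, 0, set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text = part.get_content()
            words += len(text.split())
            urls.update(URL_RE.findall(text))
        elif ctype == "text/html":
            html = part.get_content()
            urls.update(HREF_RE.findall(html))
            # Words the recipient can actually read, i.e. text outside the tags.
            words += len(TAG_RE.sub(" ", html).split())
        elif part.get_content_maintype() == "image":
            images += 1
    return {
        "words": words,
        "images": images,
        "urls": sorted(urls),
        # Heuristic: at least one image, a link to click, and (almost) no text
        # for a scanner to read. The word threshold is a choice for this example.
        "image_only": images > 0 and bool(urls) and words < 5,
    }


if __name__ == "__main__":
    print("phish   :", analyse_email(image_only_sample()))
    print("ordinary:", analyse_email(plain_text_sample()))
```

A filter built on this would treat an "image_only" hit as a reason to quarantine or at least to run the linked domain through a reputation check, rather than as proof of fraud on its own, since some newsletters are also sent as one large image.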

Browsers and Anti-Phishing Software

Recent versions of the main browsers (Chrome, Edge, etc.) have built-in phishing detection and can warn of some fraudulent websites. This works by the browser makers maintaining lists of hacked and known phishing websites (Google Safe Browsing in Chrome, Microsoft SmartScreen in Edge) and checking the address you visit against them. A brand-new scam site will not be on the lists yet, so the absence of a warning is not a guarantee.

There is also specialist software available that can detect phishing emails. This is aimed at businesses rather than the public.

Beware of any electronic communication that asks for confidential information.
