What is phishing?

In a phishing attack, the attacker pretends to be a legitimate person or company, claiming to be someone they are not.

The goal is to get you to click a link in a message that redirects you to a spoofed website, so that the attacker can gather some type of information from you.

A phishing email may pretend to come from your email provider in order to fool you. If you click the link in a phishing email or message, it takes you to a page that looks exactly like the page you would normally visit, but it is not the same page: it is a fake, malicious website built to collect your information.

You may trust these messages because they often impersonate large organisations that you probably know. This is one of the reasons people get tricked by malicious actors.

Phishing attacks do not only use emails and messages. Malicious actors also use phone calls and other types of communication tools.

This kind of cyber attack is the most common type of social engineering attack. Social engineering is used in many cyber attacks, phishing among them, and it is usually combined with other cyber threats such as malware, code injection and network attacks.

How phishing works

Phishing is a type of social engineering and cybersecurity attack. Attackers pretend to be a legitimate user or company and send an email to a victim.

Attackers often gather information about victims from social media such as LinkedIn, Facebook, Twitter (X) and Instagram, which can disclose personal details such as job title, address and work history.

Attackers can then send fake emails to victims that appear to already know the victim's personal details, which makes the emails more likely to be trusted.

Victims often believe the emails are legitimate because they appear to come from known organisations.

The attack is carried out when victims click the malicious links or attachments, which redirect them to a malicious website that tricks them into handing over sensitive personal information or the company's confidential data.

Although many phishing emails or messages are poorly written and easy to recognise, attackers now use AI (artificial intelligence) to write emails and messages that are hard to recognise. Phishing is getting more sophisticated and more convincing.

As mentioned above, phishing is a type of social engineering, and attackers also use phone calls as an attack vector. So there are many attack vectors for sending malicious emails and messages to trick people.

Types of phishing attacks

Spear Phishing

Spear phishing attacks target specific users or organisations. For instance, if an attacker wants an employee's personal information or a company's credentials, the attacker first gathers details about the target, then uses the information collected, such as name, job title and location, to make the message convincing.

Whaling

Whaling is a type of spear phishing attack that only targets executives who hold high-ranking, important positions in organisations. This sort of attack aims to obtain large amounts of sensitive credentials. Executives who authorise payments are frequent targets because they make large payments, and attackers want to capture the money that was supposed to be sent to a legitimate organisation.

Pharming

Pharming is a type of phishing attack that redirects victims from a legitimate website to a malicious one. This kind of cybercrime attempts to fool users into logging in to a fake web page in order to obtain their login credentials.

Vishing and Smishing

Vishing attacks use the phone as an attack vector instead of an email or SMS message. They involve phone conversations that trick a victim into giving up sensitive information. Smishing, by contrast, involves sending fraudulent messages such as SMS.

In a voice phishing attack, an attacker pretends to be someone from a bank or a credit card company. They ask for your account information, card number or PIN, supposedly to verify your identity or to transfer money.

Vishing often involves automated phone calls that ask victims to type their credentials using the phone keypad.

How to prevent phishing attacks

Phishing is a type of cyber threat, and you need to protect your site or organisation from it.

Here are some tips to protect your organisation from these scams.

Employee phishing awareness training

It is important to train employees to understand how phishing attacks occur and what sort of strategies attackers use. An organisation that trains its employees is less likely to be tricked by phishing attacks. Without knowledge of phishing, the chance of getting hacked is high, the impact on the organisation is large, and the recovery process is time consuming.

Enable Two Factor Authentication (2FA)

Enabling two-factor authentication is another way to protect yourself from phishing attacks. Two-factor authentication combines two of the three authentication factors: something you have, something you know and something you are.

First, something you have is a physical item in your possession, such as a smartphone.

Next, something you know is a secret you remember, such as a password or the answer to a question about yourself, for instance your pet's name, which can be used as a secret question.

Finally, something you are uses a biometric characteristic, for instance a fingerprint, your voice or facial recognition.

Combining these factors makes your login process stronger: even if an adversary guesses your password correctly, logging in is not easy because two-factor authentication requires one more factor. For that reason, two-factor authentication is highly recommended.

Use anti-malware programs

Anti-malware programs protect you from malware (malicious software).

Malware can infect your device when you click a malicious link or attachment in an email. Once you are infected it is hard to remove, and recovering your phone or laptop takes a long time. Hence, using anti-malware software is important and highly recommended.

Use firewalls

A firewall is a network security device that monitors incoming and outgoing network traffic. You can configure which kinds of traffic are allowed and which are blocked, based on the security rules you set.

Firewalls have long been the first line of defence in network security. They decide whether traffic is trusted and protect the inside of the network from the internet.

A firewall can be hardware, software, software as a service (SaaS), or a virtual appliance in a public or private cloud.

Be suspicious of email attachments from known and unknown sources

It is important to notice when something about a message feels suspicious. If you can recognise a suspicious email or a scam from a sender pretending to be a big, well-known company, you are much less likely to get into trouble.

So again, having proper knowledge helps you significantly.

Even when you get an email from a well-known company, it is better to be a little suspicious and check the address the message actually came from. You may think this is overthinking, but always checking the address really is important.
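As an added example (not code from the original post), here is the "check the address" advice turned into a small defensive check over an email's From header: it separates the display name from the real address and flags a display name or address that mentions a known brand while the sending domain is not one the brand really uses, including look-alike spellings. The brand allow-list and the sample headers are constructed for this example; a real deployment would use the organisation's own list and the Public Suffix List for domain boundaries.

```python
from email.utils import parseaddr

# Constructed allow-list for this example: brand keyword -> domains it genuinely sends from.
KNOWN_SENDERS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

# Common look-alike substitutions, so "paypa1.com" or "rnicrosoft.com" map back to the brand.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]

def normalise(text: str) -> str:
    text = text.lower()
    for lookalike, real in _CONFUSABLES:
        text = text.replace(lookalike, real)
    return text

def check_from_header(from_header: str) -> list[str]:
    """Return warning strings for one From: header; an empty list means nothing odd."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable address in From header"]
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    # Approximate the organisational domain as the last two labels (fine for .com brands;
    # use the Public Suffix List for anything serious).
    org_domain = ".".join(domain.split(".")[-2:])
    warnings = []
    # Trick 1: an address shown in the display name that differs from the real address.
    if "@" in display_name:
        shown = display_name.rsplit("@", 1)[1].strip('"<> ').lower()
        if shown != domain:
            warnings.append(f"display name shows @{shown} but real address is @{domain}")
    # Trick 2: brand named in display name or address, but sent from an unrelated domain.
    for brand, good_domains in KNOWN_SENDERS.items():
        mentioned = brand in display_name.lower() or brand in normalise(address)
        if mentioned and org_domain not in good_domains:
            warnings.append(f"claims to be {brand} but sends from {domain}")
    return warnings

if __name__ == "__main__":
    # Constructed sample headers, not real senders.
    for header in ["Alice <alice@example.org>", "PayPal <security@paypa1-verify.com>",
                   "Support <help@rnicrosoft.com>", '"ceo@bank.com" <evil@attacker.net>']:
        print(header, "->", check_from_header(header) or "ok")
```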