“Congratulations, you’ve won a Macbook, click here & fill in your details”
“Your payment is on hold, please enter this code & sign in to your Netflix account”
“Please click on this link to claim your reward of 10,000rs, just enter your bank details”.
Are you familiar with these types of emails or WhatsApp messages? Surely, many of us can relate to them. Did you know that, according to the Hindustan Times, India is ranked 3rd globally and 1st in the Asia-Pacific region among countries affected by cyberattacks?
In recent years, cybercrime has crept into every industry, particularly the financial sector. The motive of these hackers is to access your finances, whether through emails, WhatsApp messages, or even phone calls. An excellent web series, Jamtara, covers real-life incidents and explains how hackers get your card details from a service perspective and then use the OTP to access your financial information.
There are many ways cybercrimes take place. Today, in this blog we’ll be covering one cybercrime, Phishing. We will also talk about how to secure emails from these online attacks!
History of Phishing:
Some say the term phishing got influenced by the word fishing. Similar to fishing, phishing is also a technique to “fish” for usernames, passwords, and other sensitive information, from a “sea” of users.
In the early days of computers, crimes related to computers were only physical attacks on computers and physical destruction of them. As far as cybercrime is concerned, there was none. During the 1870s, teenagers were known for telephone phreaking, which was the first instance of cybercrime.
In the early 1990s, the internet was perceived as a unique medium that offered the fastest speeds in human history and a greater reliance on technology. The first cyber crime occurred in 1992, when the first polymorphic virus was released. Yahoo v. Akash Arora led to the first cybercrime case in India.
The incident occurred in 1999. It was alleged in this case that the defendant Akash Arora had unlawfully used the domain name yahooindia.com. A permanent injunction was sought against the defendant.
Mobile apps have also become a vehicle for cybercrime. Cybercriminals create apps to harm users and their devices. Malicious apps are designed to look like legitimate apps but carry out malicious activities instead. They can monitor you, install malware, show annoying ads, or steal your personal information.
Various methods can be used to distribute fake apps. It is possible for them to be hosted on fake app stores or third-party app stores. It is possible for cybercriminals to distribute fake apps even through official app stores, despite the security measures in place.
Online fraud has recently hit the ICC (International Cricket Council). Fraudsters tricked ICC officials at its Dubai headquarters office out of over $2.5 million using deception and forgery. As reported by Cricbuzz, the ICC was victimized by a phishing attack in which a scammer created a fake email id, pretending to be an ICC consultant.
What is Phishing?
In the age of technology, humans are increasingly dependent on the internet for all of their needs. Having access to everything via the internet while sitting in one place has made our lives much more convenient. Through the internet, one can do anything imaginable, including social networking, online shopping, data storage, gaming, online schooling, and online jobs.
In parallel with the emergence of the internet and its associated advantages, cybercrime grew as well. Phishing is one of the crimes that became especially widespread.
A phishing attack is designed to collect usernames, passwords, and other personal information from users. Usually, it takes the form of an email or message with a link or attachment, pretending to be a trustworthy entity such as a bank or a company. Approximately 32% of all breaches and 78% of all cyber-attacks are the results of phishing, according to an Akamai report.
Phishing attacks come in different forms. What are they?
- Spear phishing
You may receive a lot of emails from your bosses or employees, but always verify the email ID each one comes from. A spear-phishing attack targets a specific group of people, such as a company’s system administrator. Below is an example of a spear phishing email. Observe the attention paid to the industry in which the recipient works, the download link the victim is asked to click, and the immediate response required.
- Whale phishing
Whale phishing is an even more targeted form of phishing that goes after whales, which are larger than fish. CEOs, CFOs, and other CXOs within an industry or specific business are usually targeted in these attacks. In a whaling attack, you may receive an email stating that the company is facing legal consequences and that you need to click on the link for more information.
It directs you to a page where you are asked to enter critical information about the company, such as its tax ID and bank account number.
- Smishing
In smishing, text messages or short message services (SMS) are used to execute the attack. Smishing involves delivering a message to a mobile phone that contains a clickable link or a phone number that can be called back.
An SMS message that appears to come from your bank is an example of a smishing attack. The message informs you that your account has been compromised and that you must respond immediately. The attacker asks you to verify your bank account number, Aadhaar number, PAN number, etc. You lose control of your bank account once the attacker receives the information.
- Vishing
In essence, vishing is similar to other types of phishing attacks. As always, attackers are trying to get their hands on sensitive personal or corporate data. Voice calls are used to carry out this attack. Hence the “v” rather than the “ph” in the name.
It is common for someone to claim to be a representative from Microsoft to perpetrate a vishing attack. Someone informs you that your computer has a virus. Afterward, the attacker asks for your credit card information in order to install anti-virus software on your computer. Your card information is now in the hands of the attacker, and your computer may have been infected with malware.
Depending on the malware, it can include anything from a banking Trojan to a bot (short for robot). Banking Trojans monitor your online activity to steal more details, including your passwords and bank account information.
In computing, a bot is a piece of software that is designed to do whatever the hacker wants it to do. It is controlled through command and control (C&C) and can be used for mining bitcoins, sending spam, and launching distributed denial of service (DDoS) attacks.
- Email phishing
The most common type of phishing is email phishing, which has been around since the 1990s. Hackers send these emails to any email address they can obtain. In most cases, the email informs you that your account has been compromised and that you must click a link provided immediately to resolve the issue. The language in the email often contains grammatical and/or spelling errors, so these attacks are usually easy to detect.
Emails that are more carefully crafted can be harder to recognize as phishing attacks. You can determine if the source is legitimate by looking at the sender’s email address and the link it directs you to.
How to protect yourself from phishing attacks?
- Don’t click on any link you receive
Clicking on a link in an email or instant message is generally not a good idea, even if you know the sender. At the very least, you should hover your cursor over the link to ensure that the destination is correct. The destination URL of some phishing attacks can look like a carbon copy of the genuine site, set up to capture keystrokes or steal login/credit card information. Instead of clicking on the link, you should go directly to the website through your search engine.
- Don’t give your information to an unsecured site
Do not enter sensitive information on a website that does not start with “https” or does not have a closed padlock icon next to the URL. You should avoid websites without security certificates, even if they are not intended to be used as phishing scam websites.
- Rotate passwords regularly
To prevent an attacker from gaining unlimited access to your online accounts, you should regularly rotate your passwords. Password rotation can prevent ongoing attacks and lock out potential attackers if your accounts have already been compromised without you knowing.
- Install firewalls
Your computer’s firewall acts as a shield between an attacker and your computer, preventing external attacks. By combining desktop firewalls and network firewalls, you can improve your security and reduce the chances of hackers infiltrating your network.
- Don’t be tempted by those pop-ups
Pop-ups aren’t just annoying, they are often associated with malware during phishing scams. You can now download and install free ad-blocker software that automatically blocks most malicious pop-ups on most browsers. When one manages to evade the ad blocker, don’t click! In some cases, pop-ups will deceive you with the “Close” button, so always look for an “x” in the corner.
- Don’t give out important information unless you must
Don’t willingly give out your card information unless you trust the site 100%. Be sure to verify the website’s authenticity, the company’s legitimacy, and the site’s security before providing any personal information.