Phishing is a cybercrime in which the target is contacted by email, telephone or text message by someone claiming to be a legitimate institution, in order to tempt people into giving out sensitive and personal data such as personally identifiable information, banking and credit card details, and passwords. Phishing is an increasingly sophisticated form of cyber-attack. ‘Phish’ is pronounced exactly the way it is spelled, i.e., ‘fish’; the analogy is that of an angler throwing a baited hook and hoping the recipient will bite.
The main purpose of a phishing attack is to trick a recipient into believing that the message is important or useful to them. The attackers disguise themselves as a trusted body of some kind, and the victim falls prey to that disguise. These attackers usually use ‘phishing kits’, which make their work easier. The anatomy of a phishing kit is as follows:
- The legitimate website is cloned.
- The login page is changed to point to a credential-stealing script.
- The modified files are bundled into a zip file to make a phishing kit.
- The phishing kit is uploaded to the hacked website, where the files are unzipped.
- Messages are sent with links pointing to the new spoofed website.
Following are a few real-world examples of how you can recognise that a phishing attempt is under way and protect yourself from fraud:
- Your account has been hacked: Attackers send out fake messages telling you that your account has been hacked. This is most probably a scam, so one needs to check whether the message really comes from the sender it claims to.
- Password reset: A message asking you to reset your password, out of the blue, could be a phishing message. So it is necessary to check whether the message was sent by a genuine sender before clicking on the link provided.
- Payment requests: Messages informing you about pending payments could be deceptive. These messages generally ask you to enter your card details, which are later misused.
- Charity donations: Messages telling you that a person is in genuine need of money and requesting you to donate could be fraudulent. So it is necessary to check whether the sender of the message is genuine. Opening such messages or clicking on the links provided can help the attacker install a Trojan on your system, giving them complete access to all your important personal details.
HOW TO AVOID IT?
A number of steps can be taken, and habits adopted, that will keep you from becoming a phishing statistic.
- Always check the spelling of the URL in a link before you click on it or enter sensitive information.
- Keep track of URL redirects, where you are silently sent to a different website with an identical layout.
- If you receive an email from a source you know but it seems slightly suspicious, contact that source in a new email rather than replying to the suspicious one.
- Do not post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media, and do not enter your card details on untrustworthy sites.
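The first two points above (check the spelling of the domain, watch for redirects) can be turned into a small defensive check that a help desk or a cautious user can run over a suspicious link before clicking it. The following Python script is an added example, not code from the original article; the list of trusted brand domains, the two-label approximation of the registrable domain, the sample URLs and the IP address 198.51.100.7 (a reserved documentation address) are all constructed for illustration.

```python
"""Heuristic inspection of a URL for common phishing indicators (added example)."""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Constructed allowlist of domains the reader actually uses; adjust to your own.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "examplebank.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Assumption for this example: two labels suffice. Production code should
    consult the Public Suffix List so that hosts like 'x.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as 'paypa1.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def embedded_redirects(url: str) -> list:
    """Return absolute URLs carried in query parameters (open-redirect style links)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def inspect_url(url: str, trusted=TRUSTED_DOMAINS, depth: int = 0) -> list:
    """Return a list of human-readable warnings; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        findings.append("not https")

    # A bare IP address instead of a name is unusual for a legitimate login page.
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP address")
    except ValueError:
        pass

    # Internationalised domain names are encoded as xn--...; they can hide look-alike letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host; may hide look-alike characters")

    reg = registrable_domain(host)
    if reg not in trusted:
        for t in trusted:
            brand = t.split(".")[0]
            if brand in host:
                # e.g. paypal.com.secure-login.example: the brand is only a subdomain label.
                findings.append(f"brand name '{brand}' inside untrusted host {host}")
            elif edit_distance(reg, t) <= 2:
                findings.append(f"{reg} looks like a typosquat of {t}")

    # Follow any redirect target carried in the query string, a bounded number of times.
    if depth < 2:
        for target in embedded_redirects(url):
            nested = inspect_url(target, trusted, depth + 1)
            findings.append(f"redirects via query parameter to {target}: {nested}")

    return findings


if __name__ == "__main__":
    # Constructed sample links, from harmless to clearly suspicious.
    for sample in (
        "https://paypal.com/signin",
        "http://paypa1.com/verify",
        "https://paypal.com.secure-login.example/",
        "https://examplebank.com/login?next=http://198.51.100.7/x",
    ):
        print(sample, "->", inspect_url(sample) or "no findings")
```

The checks are deliberately coarse: an empty result does not prove a link is safe (it only means none of these heuristics fired), and a genuine site may well use a query-string redirect internally. The value of the script is that it makes the two manual habits repeatable, and that the redirect check surfaces where a link actually lands before anyone clicks it.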
One can report phishing at the nearest local police station by filing an FIR (First Information Report), which is then forwarded to the cybercrime department.