Phishing is the attempt to obtain sensitive information from a third party, such as usernames, passwords, and credit/debit card details
(and, indirectly, money), often for malicious reasons, by disguising as
a trustworthy organization in an electronic communication (in most cases via email).
Phishing is usually done via email spoofing or instant messaging, and it often
directs users to enter personal information at a FAKE website that looks and feels like the real site.
These messages supposedly come from social websites, auction sites, banks,
online payment processors etc., and they may contain links to websites that are
infected with malware.
According to Wikipedia, here are the 10 types of phishing fraud you should look out
for:
1. SPEAR PHISHING: This type of phishing is directed at specific individuals
or companies; the attack is designed to gather personal information about
its target to increase the probability of success, for instance
your Internet banking login details, your email password, credit/debit
card details or PIN. This technique is by far the most successful on the
internet today, accounting for 91% of attacks.
2. CLONE PHISHING: This is the type of phishing whereby the "phisher" uses a
legitimate and previously delivered email with an attachment or link to create
an identical or cloned email. The attachment or link within the email is
replaced with a malicious version and then sent from an email address spoofed
to appear to come from the original sender. It may claim to be a resend of the
original or an updated version of the original. In most cases the recipient
doesn't take the time to check properly, having in mind that they have received
the same mail from the sender before.
3. WHALING PHISHING: This type of attack is directed specifically at
senior executives and other high-profile targets within businesses. The content of a
whaling email is often written as a legal subpoena, customer complaint, or
executive issue. Whaling phishers have also forged official-looking FBI subpoena
emails, claiming that the manager needs to click a link and install special
software to view the subpoena.
4. LINK MANIPULATION: This method of phishing uses some form of technical
deception designed to make a link in an email (and the spoofed website it
leads to) appear to belong to the spoofed organization. Misspelled URLs
or the use of subdomains are common tricks used by phishers. In the
example URL http://www.gtbank.internetbanking.com/, it appears as though the URL
will take you to the internet banking section of the GTBank website; actually
the domain that owns this URL is internetbanking.com, and "gtbank" is just a subdomain
name chosen by the phisher. Another common trick is to make the displayed text for a link
suggest a reliable destination when the link actually goes to the phisher's
site. Many desktop email clients and web browsers will show a link's target URL in
the status bar while you hover the mouse over it. This type of link is usually
sent to customers and non-customers of a bank, asking them to click on the
link to re-activate, update or unblock their supposedly blocked card.
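The two tricks above (a brand name hidden as a subdomain of another domain, and link text that shows a different address from the real target) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post; the bank domain gtbank.com and the sample mail body are assumed for illustration, and the regex-based anchor extraction is a stand-in for a proper HTML parser.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "unblock your card" mail described above, with one manipulated
# link and one genuine one (gtbank.com is assumed here to be the bank's real domain).
TRUSTED_DOMAINS = {"gtbank.com"}
SAMPLE_MAIL = ('<p>Your card has been blocked. Visit '
               '<a href="http://www.gtbank.internetbanking.com/">https://www.gtbank.com/</a> '
               'to unblock it, or see the <a href="https://www.gtbank.com/help">help page</a>.</p>')

# Minimal anchor extractor for the sample; a real scanner should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    # Last two labels only; production code should consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text, trusted):
    # Returns the reasons a link looks manipulated; an empty list means no finding.
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    target = registrable_domain(host)
    if target not in trusted:
        findings.append(f"target domain {target!r} is not a trusted domain")
    # Subdomain trick: a trusted brand name used as a label of some other domain.
    for dom in trusted:
        brand = dom.split(".")[0]
        if target != dom and brand in host.split(".")[:-2]:
            findings.append(f"brand {brand!r} is only a subdomain of {target!r}")
    # Display trick: the visible text is itself a URL that points somewhere else.
    text = text.strip()
    if "://" in text or text.startswith("www."):
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != target:
            findings.append(f"text shows {shown!r} but the link goes to {host!r}")
    return findings

def scan_mail(html, trusted=TRUSTED_DOMAINS):
    # Map every link in the mail body to its findings.
    return {href: check_link(href, text, trusted) for href, text in ANCHOR_RE.findall(html)}
```

Running scan_mail(SAMPLE_MAIL) flags the first link three times (untrusted domain, brand used as a subdomain, mismatched display text) and reports nothing for the genuine help link.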
5. FILTER EVASION: This type of phishing mail comes as an image instead of
text, to make it harder for anti-phishing filters to detect text commonly used in
phishing emails. However, this has led to the evolution of more
sophisticated anti-phishing filters that are able to recover hidden text in
images. So scan carefully before downloading or saving any unknown or unusual
image that is sent to your email.
6. WEBSITE FORGERY: Here the victim is lured to a forged phishing website that looks
like the real site. Some phishing scams use JavaScript commands to alter the
address bar. This is done either by placing a picture of a legitimate URL
over the address bar, or by closing the original bar and opening a new one
with the legitimate URL. An attacker can even use flaws in a trusted website's
own scripts against the victim. These types of attacks
(known as cross-site scripting) are particularly problematic, because they
direct the user to sign in at their bank's or service's own web page, where
everything from the web address to the security certificate appears correct.
In reality, the link to the website is crafted to carry out the attack, making
it very difficult to spot without specialist knowledge. Such a flaw was
used in 2006 against PayPal.
7. COVERT REDIRECT: This type of phishing usually comes as a log-in popup
that appears legitimately on a genuine website but actually redirects the victim
to an attacker's website. It often makes use of open redirect and XSS
vulnerabilities in third-party application websites. For example, suppose
a victim clicks a malicious phishing link beginning with a Facebook address. A popup
window from Facebook will ask whether the victim would like to authorize the
app. If the victim chooses to authorize the app, a "token" will be sent to
the attacker and the victim's personal sensitive information could be exposed.
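The open redirect that covert redirect relies on exists because a site forwards users to whatever address a request parameter names. The check below is an added example (not code from the original post or from Facebook) of how a site can validate such a parameter against an allow-list before redirecting; the host app.example.com is assumed for illustration.

```python
from urllib.parse import urlsplit

def safe_redirect_target(raw, allowed_hosts, default="/"):
    # Returns `raw` only if it is a local absolute path or an https/http URL whose
    # host is on the allow-list; anything else falls back to `default`.
    if not isinstance(raw, str) or not raw:
        return default
    # Some browsers treat backslashes as slashes, so "/\evil" would become "//evil".
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, and similar schemes
    if parts.netloc:
        # hostname ignores "user@" prefixes, so "allowed@evil" resolves to "evil".
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else default
    # No host part: accept only a plain local path, never a protocol-relative "//host".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate

# Constructed allow-list for the example; the host is hypothetical.
ALLOWED_HOSTS = {"app.example.com"}
```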
8. SOCIAL ENGINEERING: Users are made to click on a link in the name of
getting an incentive, reward or token, or are led to various kinds of unexpected
content for a variety of technical and social reasons. For example, a malicious
attachment might be masked as a benign linked Google Doc. Alternatively,
users might be outraged by a fake news story, click a link and become infected.
9. PHONE PHISHING: This comes in two forms, call and SMS phishing.
Call phishing, also known as vishing, uses messages that claim
to be from a bank, telling users to dial a phone number regarding problems
with their bank accounts. Once the phone number (owned by the phisher, and
provided by a voice over IP service) is dialed, prompts tell users to enter
their Internet banking user ID and password. Vishers sometimes use fake caller-ID data
to give the appearance that calls come from a trusted organisation
(banks most especially); in some cases they ask the victim to call out their
PIN or token code.
SMS phishing uses cell phone text messages to induce people to divulge their
personal information.
Most times they make victims think that their account has been restricted for
transactions and will not be rectified until the victims call their number.
So before calling any strange number for confirmation, first dial your bank's
customer care line; you can google the number if you don't have it, or better still
check the bank's website or the back of your debit card to get the real number.
10. EVIL TWIN: This is a phishing technique that is hard to detect. A phisher
creates a fake wireless network that looks similar to a legitimate public
network of the kind found in public places such as airports, hotels or coffee
shops. Whenever someone logs on to the bogus network, fraudsters try to
capture their passwords and/or credit/debit card information.
In conclusion: I will always suggest that people make sure they have
their bank's customer care number in case of phishing, so they can always call
to clarify. And they should stop panicking when they get a mail or call saying that
their account or card is restricted and they won't be able to initiate transactions.
Before you think of clicking on any link or even calling them back, first of all
call your bank, and you may well be shocked to find that your account is fine.
Nice one!
Great job, God bless your hustle.