Phishing is a type of cybersecurity attack during which malicious actors send messages pretending to be a trusted person or entity. Phishing messages manipulate a user, causing them to perform actions like installing a malicious file, clicking a malicious link, or divulging sensitive information such as access credentials. Phishing is the most common type of social engineering, which is a general term describing attempts to manipulate or trick computer users. Social engineering is an increasingly common threat vector used in almost all security incidents. Social engineering attacks, like phishing, are often combined with other threats, such as malware, code injection, and network attacks.
Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication. Attackers will commonly use phishing emails to distribute malicious links or attachments that can perform a variety of functions. Some will extract login credentials or account information from victims.
Phishing attacks typically rely on social networking techniques applied to email or other electronic communication methods. Some methods include direct messages sent over social networks and SMS text messages.
Phishers can use public sources of information to gather background information about the victim's personal and work history, interests and activities. Typically through social networks like LinkedIn, Facebook and Twitter. These sources are normally used to uncover information such as names, job titles and email addresses of potential victims. This information can then be used to craft a believable email.
-
- Most phishing attacks are sent via email. Attackers typically register fake domain names that mimic real organizations and send thousands of common requests to victims. For fake domains, attackers may add or replace characters (e.g.
my-bank.com
instead ofmybank.com
), use subdomains (e.g.mybank.host.com
) or use the trusted organization’s name as the email username (e.g.[email protected]
). Many phishing emails use a sense of urgency, or a threat, to cause a user to comply quickly without checking the source or authenticity of the email.
- Most phishing attacks are sent via email. Attackers typically register fake domain names that mimic real organizations and send thousands of common requests to victims. For fake domains, attackers may add or replace characters (e.g.
-
- Whaling attacks target senior management and other highly privileged roles. The ultimate goal of whaling is the same as other types of phishing attacks, but the technique is often very subtle. Senior employees commonly have a lot of information in the public domain, and attackers can use this information to craft highly effective attacks.
-
- This is a phishing attack that uses a phone instead of written communication. Smishing involves sending fraudulent SMS messages, while vishing involves phone conversations.
- In a typical voice phishing scam, an attacker pretends to be a scam investigator for a credit card company or bank, informing victims that their account has been breached. Criminals then ask the victim to provide payment card information, supposedly to verify their identity or transfer money to a secure account (which is really the attacker’s).
- Vishing scams may also involve automated phone calls pretending to be from a trusted entity, asking the victim to type personal details using their phone keypad.
-
- These attacks use fake social media accounts belonging to well known organizations. The attacker uses an account handle that mimics a legitimate organization (e.g.
@instagramsupport
) and uses the same profile picture as the real company account. - Attackers take advantage of consumers’ tendency to make complaints and request assistance from brands using social media channels. However, instead of contacting the real brand, the consumer contacts the attacker’s fake social account.
- When attackers receive such a request, they might ask the customer to provide personal information so that they can identify the problem and respond appropriately. In other cases, the attacker provides a link to a fake customer support page, which is actually a malicious website.
- These attacks use fake social media accounts belonging to well known organizations. The attacker uses an account handle that mimics a legitimate organization (e.g.
- Threats or a Sense of Urgency
- Message Style
- Unusual Requests
- Linguistic Errors
- Inconsistencies in Web Addresses
To help prevent phishing messages from reaching end users, experts recommend layering security controls, including:
- Employee Awareness Training
- Both desktop and network firewalls
- Deploy Email Security Solutions
- Antiphishing toolbar (installed in web browsers)
- Gateway email filter
- Web security gateway
- Conduct Phishing Attack Tests
- Limit User Access to High-Value Systems and Data
Want to know more in detail ? Click Here
This tool is for educational purposes only, the author do not endorse or promote any illegal activity and are not responsible for any damage done henceforth.
This program is free software; you can redistribute it and/or modify it under the terms of the MIT License (MIT). See LICENSE for more details.