Are you a Phishing Prevention Expert?


9 Questions

What is phishing?

A type of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware.

What is the most common type of cybercrime as of 2020?

Phishing

What are some measures to prevent or reduce the impact of phishing attacks?

Legislation, user education, public awareness, and technical security measures.

Which type of phishing involves sending fraudulent emails or messages that appear to be from a trusted source?

Email phishing

What is spear phishing?

A targeted phishing attack that uses personalized emails to trick a specific individual or organization into believing they are legitimate.

What is clone phishing?

A type of attack where a legitimate email is copied and modified to contain malicious content.

What is voice phishing or vishing?

Using automated phone calls to claim fraudulent activity on accounts and prompt victims to enter sensitive information.

What is page hijacking?

Involves redirecting users to malicious websites or exploit kits through the compromise of legitimate web pages.

What is an effective anti-phishing strategy?

User training, legislation, and technology created specifically to protect against phishing.

Study Notes

Phishing: Attempting to Trick a Person into Revealing Information

  • Phishing is a type of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware.

  • Phishing attacks have become increasingly sophisticated and often mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site.

  • As of 2020, phishing is the most common type of cybercrime with the FBI's Internet Crime Complaint Centre reporting more incidents of phishing than any other type of computer crime.

  • Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures.

  • Types of phishing include email phishing, spear phishing, whaling and CEO fraud, clone phishing, voice phishing, SMS phishing, page hijacking, and calendar phishing.

  • Email phishing often targets financial institutions, email and cloud productivity providers, and streaming services. It may involve sending fraudulent emails or messages that appear to be from a trusted source.

  • Spear phishing is a targeted phishing attack that uses personalized emails to trick a specific individual or organization into believing they are legitimate.

  • Whaling and CEO fraud involve targeting senior executives and other high-profile individuals with customized content, often related to a subpoena or customer complaint.

  • Clone phishing is a type of attack where a legitimate email is copied and modified to contain malicious content.

  • Voice phishing or vishing uses automated phone calls to claim fraudulent activity on accounts and prompt victims to enter sensitive information.

  • SMS phishing or smishing uses text messages to deliver a bait message and ask for private information.

  • Page hijacking involves redirecting users to malicious websites or exploit kits through the compromise of legitimate web pages.

  • Effective anti-phishing strategies include user training, legislation, and technology created specifically to protect against phishing.

Approaches to Preventing Phishing Attacks

  • Simulated phishing campaigns are commonly used to assess employees' training in recognizing phishing attempts.

  • People can modify their browsing habits and be cautious of emails claiming to be from a company asking to "verify" an account.

  • Legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers.

  • Specialized spam filters can reduce the number of phishing emails that reach their addressees' inboxes.

  • Web browsers contain anti-phishing measures such as maintaining a list of known phishing sites and checking websites against the list.

  • Solutions have emerged using the mobile phone as a second channel for verification and authorization of banking transactions.

  • Organizations can implement two-factor or multi-factor authentication, which requires a user to use at least 2 factors when logging in.

  • Organizations that prioritize security over convenience can require users of their computers to use an email client that redacts URLs from email messages.

  • Legal responses include imposing fines and prison sentences on criminals who use fake websites and emails to defraud consumers and prohibiting the development or possession of phishing kits with the intention of committing fraud.

  • Companies have joined the effort to crack down on phishing by filing lawsuits against criminals who obtain passwords and confidential information or by reinforcing their efforts against phishing.

  • A Brazilian phishing kingpin was arrested for leading one of the largest phishing crime rings, which in two years stole between US$18 million and US$37 million.

  • In 2006, Japanese police arrested eight people for creating fake Yahoo Japan websites, netting themselves ¥100 million (US$870,000).

Test your knowledge on phishing and learn how to protect yourself from cybercriminals with our quiz on "Phishing: Attempting to Trick a Person into Revealing Information." From email phishing to voice phishing, this quiz covers the different types of phishing attacks and the best strategies to prevent them. Challenge yourself and become a phishing prevention expert by taking our quiz now!
