Phishing (a variant of the word fishing) is an attempt by fraudsters with mala fide intentions to use a bait to fish out your personal information. The fraudster (known as a phisher) sends you an email posing as your bank, your credit card company, your internet service provider, the government tax department, or any other organization with which you already have dealings and whose emails you trust. The phisher's email states some matter of urgency so as to create a psychological panic, and calls for immediate action by following a link in the email. The link takes you to a fake website where you are tricked into divulging sensitive personal information, such as your bank login id and password, your credit card number and associated PIN, your email account password, etc. Some emails may simply ask you to reply with such personal information.
A typical phishing email would read: "…Your ICICI bank account has been compromised, due to which your account has been de-activated/suspended. You are advised to click here and verify your information and re-activate your account…". When you click the link in the email, it directs you to a spoofed website which looks exactly the same as the ICICI bank site. The counterfeit website is carefully designed to look real and familiar, making you feel comfortable. You are asked to feed in your bank login id and password to verify your information. The moment you do so, your login id and password are in the hands of the phisher.
At times, such phishing e-mails contain spelling mistakes. Even the links to the counterfeit website may contain a URL with a spelling mistake, to take you to a fake website which looks like that of the genuine organization - for example citibnak.com instead of citibank.com. Some fake e-mails promise a prize or gift certificate in exchange for completing a survey or answering a few questions. In order to collect the alleged prize, you are asked to provide your personal information. Such fake e-mails may also come from companies claiming to offer a job. These are often for work-at-home positions that are actually schemes that victimize the job applicant.
The damage caused by phishing can be significant. On one hand, it may simply mean that you are unable to access your email account because the phisher changed your email password after gaining access to it. On the worse side, it could mean substantial financial loss if your credit card details or bank account details are fished out. It is estimated that the worldwide impact of phishing is as high as $5 billion per year.
Types of Phishing
Phishing scams have been categorized into various types according to their approach, the manner in which they are executed, and their objectives.
A phishing attempt directed at a specific individual based on his role, or at a specific organization, is termed Spear Phishing. These are pin-pointed attacks where the attacker gathers specific personal or organizational information to make the attack seem more believable, thus increasing the attacker's chances of success.
In Clone Phishing the attacker begins by gaining access to a previously delivered legitimate email which contains an attachment or link. Using this email as the basis, the attacker sends a follow-through email which is almost identical to the previously sent genuine one. This is termed a clone email. In this cloned email the attachment or link is replaced with a malicious version. The attacker sends the clone from a spoofed email address, making it appear as if it came from the original sender, and states that the original is being resent in case the recipient missed it. Or it may claim that the first email was a mistake and the second (cloned one) is the correct version to be used.
The clone phisher can gain access to your first genuine email if your computer is infected with spyware that was planted by the attacker earlier to read all your incoming emails.
Whaling is quite similar to Spear Phishing, except that it is targeted toward senior executives and high-profile individuals in businesses, government and other organizations.
7 Tips to protect yourself from Phishing
First of all, any reputed organization, be it your bank, your credit card company, or your email service provider, would never send such panic emails calling for action by clicking a link in the email. So, if you receive such an email, it should immediately ring a bell. Be alarmed, and delete such suspicious emails without opening them. If you do happen to open one in a hurry, do not click any link or attachment it may contain.
Before taking any action, verify that the email indeed came from the email address that it poses to be from. This can be done by looking into the header information of the email, which tells you the actual mail server from which the email originated. That mail server should be in the same domain as the organization the email claims to be from.
Whenever you click a link in an email to access a website, even if the email appears to be from a genuine known source, be sure to check the URL of the website as it appears in your web browser's address field. Phishing emails use some form of technical deception designed to make a link in the email, and the spoofed website it leads to, appear genuine and belonging to the organization that is being spoofed. These methods include:
Mis-spelt URLs or the use of subdomains are common tricks used by phishers. In the example URL http://www.citibank.cardverify2014.com/, it appears as if the URL will take you to the card verification section of the Citibank website. Actually, the URL points to the citibank subdomain of the cardverify2014.com website. Naturally, cardverify2014.com is not Citibank's website.
Another common trick is to make the displayed text for a link (the text between the <a> tags) suggest a reliable destination, whereas the link actually takes you to the phisher's website. For example, the link may display as http://www.citibank.com/cardverify, but when you hover the mouse over the link, your email client shows you the actual URL hidden in the <a> tag's href, which could be http://www.citibank.cardverify2014.com/.
Some smart phishers even go to the extent of spoofing the URL that is displayed in the browser's address field. This has become possible with the advent of internationalized domain names (IDN) and modern browsers supporting them. The phisher can register an internationalized domain name (using the character set of a language other than English) which looks visually identical to the genuine website's domain name. This is known as IDN spoofing or a homograph attack.
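The three link tricks above (subdomain abuse, display text that differs from the real href, and an IDN homograph) can all be caught mechanically before anyone clicks. The following is an added example written for this article, not code from How2Lab: a small checker that pulls every link out of an HTML email body and reports which of the three tricks it finds. The brand domain citibank.com and the sample HTML body are constructed for the example; the last link in the sample uses a Cyrillic "c" (U+0441) in place of the Latin one, which is exactly what a homograph looks like on screen.

```python
# Added example (not from the original article): a small link checker that flags
# the three tricks described above. The brand domain "citibank.com" and the sample
# HTML email body below are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one genuine link followed by the three
# deceptive forms discussed in the text (the last one uses a Cyrillic "c",
# U+0441, in place of the Latin "c" of "citibank").
SAMPLE_HTML = """
<p>Dear customer, please verify your card:</p>
<a href="https://www.citibank.com/cards">https://www.citibank.com/cards</a>
<a href="http://www.citibank.cardverify2014.com/">Verify now</a>
<a href="http://www.citibank.cardverify2014.com/">http://www.citibank.com/cardverify</a>
<a href="http://www.\u0441itibank.com/">http://www.citibank.com/</a>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. cardverify2014.com.

    Assumption: two-label registrable suffixes only (.com, .org); real code
    should consult the Public Suffix List to handle suffixes like .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url: str) -> str:
    """Hostname of a URL, lowercased ('' if the URL has none)."""
    return (urlparse(url.strip()).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return text.strip().lower().startswith(("http://", "https://"))


def is_idn(host: str) -> bool:
    """True if the host carries non-ASCII characters or Punycode (xn--) labels."""
    return (not host.isascii()) or any(l.startswith("xn--") for l in host.split("."))


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str, expected_domain: str) -> list:
    """Findings for one link; an empty list means nothing suspicious was found."""
    findings = []
    host = host_of(href)
    # Subdomain trick: www.citibank.cardverify2014.com is really cardverify2014.com
    if registrable_domain(host) != expected_domain:
        findings.append(f"href leads to {registrable_domain(host)}, not {expected_domain}")
    # Display-text trick: the visible text is a URL whose host differs from the href host
    if looks_like_url(text) and host_of(text) != host:
        findings.append(f"visible URL host {host_of(text)} differs from href host {host}")
    # Homograph trick: an internationalized domain name that looks like the real one
    if is_idn(host):
        findings.append(f"hostname {host} is an internationalized (IDN) name")
    return findings


def scan_html(html: str, expected_domain: str) -> list:
    """Return [{'href', 'text', 'findings'}] for every link in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [{"href": h, "text": t, "findings": check_link(h, t, expected_domain)}
            for h, t in collector.links]


if __name__ == "__main__":
    for link in scan_html(SAMPLE_HTML, "citibank.com"):
        print(link["href"], "->", link["findings"] or "ok")
```

Run as-is, the first link passes, the second is flagged for pointing at cardverify2014.com, the third additionally for showing a citibank.com URL while linking elsewhere, and the fourth for all three reasons. The two-label rule in registrable_domain is the deliberate simplification here; anything deployed for real should use the Public Suffix List so that, for instance, a bank under .co.in is compared correctly.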
So, the best form of defense is to directly type the URL of your bank into your web browser and visit their website to check whether they have actually posted such an attention-seeking notice. You may even call your account manager at the bank and cross-check.
When you reply to a suspected phishing email, observe the email address that you are replying to – is it indeed from the same domain as it pretended to be? For example, is it email@example.com or is it firstname.lastname@example.org? If it is the latter, it definitely is a fraud. An organization like Citibank would never use a gmail address.
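The header check recommended earlier (does the mail server that delivered the message sit under the sender's domain?) and the reply-address check just described are the same kind of comparison, so one piece of code covers both. The following is an added example written for this article, not code from How2Lab: it reads the earliest Received: header to find the originating server, then compares that server, the Return-Path and the Reply-To against the domain in the From: header. Both raw messages, all hostnames, addresses and IP addresses are constructed for the example (RFC 5737 documentation ranges and .example names).

```python
# Added example (not from the original article): check whether the headers of an
# email line up with the sender it claims to be, i.e. the two header checks
# described in the text: does the originating mail server sit under the From:
# domain, and does the address you would reply to? The raw messages, hostnames,
# addresses and IP addresses below are constructed for this example.
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed suspicious message: claims to be icicibank.com but was handed to
# the receiving relay by smtp.cardverify2014.com, and asks for replies elsewhere.
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@cardverify2014.com>
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbound.example.org with ESMTP id 1234abcd
    for <victim@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from smtp.cardverify2014.com (smtp.cardverify2014.com [198.51.100.7])
    by mx.example.net with ESMTP id 5678efgh;
    Mon, 01 Jan 2024 09:59:58 +0000
From: "ICICI Bank" <alerts@icicibank.com>
Reply-To: icici.verify@freemail.example
To: victim@example.org
Subject: Your account has been suspended

Your account has been de-activated. Click here to re-activate it.
"""

# Constructed genuine-looking message for contrast: every domain agrees.
GENUINE_EMAIL = """\
Return-Path: <alerts@icicibank.com>
Received: from mail.icicibank.com (mail.icicibank.com [203.0.113.25])
    by inbound.example.org with ESMTP id 9abc0def
    for <victim@example.org>; Mon, 01 Jan 2024 10:05:00 +0000
From: "ICICI Bank" <alerts@icicibank.com>
To: victim@example.org
Subject: Your monthly statement is ready

Your statement is available in internet banking.
"""

# Each relay prepends "Received: from <previous host> ..." as the mail passes through.
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(]+)", re.IGNORECASE)


def address_domain(header_value) -> str:
    """Domain of the first address in a header value, lowercased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: two-label suffixes only;
    real code should consult the Public Suffix List (e.g. for .co.in)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def originating_server(msg) -> str:
    """Host named in the earliest Received: header, i.e. the last one in the
    message, since relays prepend. Returns '' if no header parses."""
    for hop in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.match(str(hop))
        if m:
            return m.group(1).lower()
    return ""


def analyze(raw: str) -> dict:
    """Compare origin, Return-Path and Reply-To against the From: domain."""
    msg = message_from_string(raw, policy=default)
    claimed = registrable_domain(address_domain(msg.get("From", "")))
    origin = originating_server(msg)
    findings = []
    if origin and registrable_domain(origin) != claimed:
        findings.append(f"originating server {origin} is not under {claimed}")
    for name in ("Return-Path", "Reply-To"):
        dom = address_domain(msg.get(name, ""))
        if dom and registrable_domain(dom) != claimed:
            findings.append(f"{name} domain {dom} is not {claimed}")
    return {"claimed": claimed, "origin": origin, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("genuine", GENUINE_EMAIL)):
        result = analyze(raw)
        print(label, result["origin"], "->", result["findings"] or "headers agree")
```

The first message produces three findings (origin, Return-Path and Reply-To all sit outside icicibank.com); the second produces none. Only the Received: header added by your own receiving server can be trusted, because a phisher controls every header below it, which is why the checker reads hops from the bottom but a production version should stop at the first relay it does not operate itself.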
As soon as you recognize a phishing email, delete it immediately from your Inbox, and then empty it from the Deleted Items folder to avoid accidentally accessing the website it points to.
Beware before revealing personal information at websites, especially social networking sites. Never tell people who you bank with, which company's credit card you use, or any such information.
Install a reputed anti-virus on your personal computer which provides an email scanner. Email scanners scan each email before delivering it to the inbox in your local email client. Such anti-virus software usually includes an anti-phishing filter.
Rajeev Kumar, CEO, Computer Solutions, Jamshedpur, India
Rajeev Kumar is the primary author of How2Lab. He is a B.Tech. from IIT Kanpur with several years of experience in IT education and software development. He has taught a wide spectrum of people, including fresh young talent, students of XLRI, industry professionals, and government officials.
Rajeev has founded Computer Solutions & WebServicesWorldwide.com, and has hands-on experience of building a variety of web applications and portals, including SAAS-based ERP & e-commerce systems, independent B2B, B2C, Matrimonial & Job portals, and many more.