Sunday, December 20, 2015

How to prevent Phishing ?

What is Phishing ?

Phishing is a technique used by attackers to acquire sensitive information such as usernames, passwords, credit card numbers etc. of victims, in order to use that information for malicious purposes. Generally, the attackers masquerade as a trustworthy entity and communicate with the victims through an electronic channel, convincing them to provide sensitive information.

The term Phishing is a homophone of fishing, as the attackers use fake bait to trap victims.

The first example of Phishing dates back to 1995. Attackers used to pose as AOL company representatives and contact AOL users asking them “to verify account” or “confirm billing information”. Some users would get trapped and provide sensitive information like account number, password, credit card etc. Lots of AOL users were victims. Eventually, AOL's policy was enforced against Phishing and many steps were taken, which almost stopped the illegal activities. But since then, attackers have kept applying many new fraudulent techniques, and they still trap many victims today.

Different Types of Phishing 

There are mainly four different types of Phishing.

Sometimes, the attackers do not target any individual victim as such. Instead, they masquerade as a trustworthy authority and send fraudulent emails to thousands of recipients at once. Some of them fall into the trap and end up providing sensitive information.

But sometimes individuals or a company are targeted separately. This is called Spear Phishing. This is reported to be the most widely used Phishing technique.

In one Phishing technique, attackers copy a legitimate email sent by the actual authority and replace its links with links to the fraudulent website. They also change the sender email id to look like that of the trustworthy entity and claim the email to be an updated version of the original. Lots of victims cannot detect this fraudulent technique and fall into the trap, ending up providing sensitive information after visiting the fraudulent links provided by the attackers. This is called Clone Phishing.

In another Phishing technique, attackers target senior executives. They send emails claiming to be a customer complaint, an executive issue or even a legal subpoena. The emails contain fraudulent links which look real, but actually collect sensitive information. Sometimes, the emails also ask the victim to install some software from the link in order to view the email, and thus trap the victims. This is called Whaling.

Different Techniques Used in Phishing 

The attackers use various techniques for Phishing. Some of the most used techniques are mentioned below.

Attackers sometimes manipulate links to look like they come from a trustworthy entity. For that purpose, they often use misspelled URLs of the actual website. Sometimes, they even use the trickery of subdomains. For example, may appear to come from the “example” section of the website, but actually it may be the “some” section of a fraudulent website. (What is Typosquatting and how is it used in phishing ?)
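As an added example (not code from the original post), here is a small Python checker for the two link tricks just described: a misspelled registered domain, and a brand name tucked into a subdomain of an attacker-controlled domain. The public-suffix table is a deliberately tiny stand-in for the real Public Suffix List, and the sample domain names are constructed.

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption for this example);
# a real checker should load the full list so eTLD+1 is computed correctly.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def registered_domain(host):
    """Return the registrable part of a hostname (eTLD+1):
    'login.example.com' -> 'example.com', 'a.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; a value of 1 or 2 suggests a deliberate misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, expected_domain):
    """Classify a link against the domain the email claims to come from.

    Returns 'ok', 'subdomain-trick' (brand name placed left of a different
    registered domain), 'lookalike' (misspelt or TLD-swapped registered
    domain) or 'unrelated'."""
    if "//" not in url:            # bare 'www.example.com/x' has no scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unrelated"
    expected_domain = expected_domain.lower()
    reg = registered_domain(host)
    if reg == expected_domain:
        return "ok"
    brand = expected_domain.split(".")[0]
    # Every label left of the real registered domain is attacker-controlled
    left = host.split(".")[:-len(reg.split("."))]
    if brand in left:
        return "subdomain-trick"
    if edit_distance(reg.split(".")[0], brand) <= 2:
        return "lookalike"
    return "unrelated"
```

Run it over the links extracted from a suspicious message, e.g. `classify_link("http://example.com.some-fraud.net/example", "example.com")` returns `subdomain-trick`.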

Attackers sometimes use images containing text instead of plain text in emails. As a result, it becomes much harder for anti-phishing software to detect the Phishing. But today, many anti-phishing filters use OCR (Optical Character Recognition) to detect text inside images and filter them.

Sometimes, the attackers use JavaScript to change the address bar, placing a legitimate-looking image of the actual URL over the address bar. As a result, once the victims click on the fraudulent links, it becomes very difficult for them to understand the deception.

Sometimes the attackers corrupt the actual official website, and once a user visits the website, a fraudulent pop-up appears asking them to provide sensitive information like account name, password etc. To give a more specific example, a user might click on a link appearing to come from an official networking website, and on clicking it, it might ask whether the user wants to authorize the application. If the user clicks on “yes”, it may send a token to the attackers containing sensitive information like mail-id, friend list etc. This sort of Phishing is called Covert Redirect and it is much harder to detect.

In Phone Phishing, the attackers call a victim by phone and use trickery to convince him to type his bank account number, PIN etc. over the phone. The victims cannot understand the deception and fall into the trap. (What is Vishing and how to prevent it ?) And Smishing is a technique of phishing using SMS (What is Smishing and how to prevent it ?).

In Tabnabbing, the attackers load a webpage of their fraudulent website in one of the victim's open tabs and silently redirect him to the fraudulent website to steal sensitive information.

Attackers can also use Pharming to redirect legitimate traffic to a malicious website covertly and use it for phishing (What is Pharming ?).

And some attackers are even more evil. They create a Wi-Fi network that looks identical to an official public Wi-Fi network. Some users cannot detect the difference and start using the fraudulent network, and whatever unencrypted information gets transferred through that network gets stolen. (How to deal with Evil Twin ?)

You can find more information on the various techniques used in phishing here : What is social engineering and what all are the various techniques used in social engineering ?


How to prevent Phishing ?

We can educate ourselves to be aware of the most common Phishing techniques, so that we do not fall into the trap. Here, I am writing down a few steps that can easily be taken by anyone :

  • If a user is contacted to verify or confirm his account, the message contains at least the username. So, if you get such an email which does not contain any personal information, especially your username, it is most likely a Phishing email. If you are still doubtful, contact the authority directly, instead of clicking on any link in the email.
  • If a bank contacts you, it will use at least a few digits of your account number, masking the other digits. So, if you get an email asking for account verification etc. and it does not contain any digits of your account number, it is most likely a Phishing email. Instead of clicking on any link in that email, contact the bank directly and verify its authenticity.
  • Use trusted security software and update it regularly.
  • Update the software you use on your computer with recent security patches. Attackers often use security holes in common software to perform these attacks.
  • Do not click on any link if you are not very sure of its trustworthiness. It may cost you heavily.
  • If you get fake phone calls, take down the caller's information and report it to the local authority.
  • If you get spam emails in your inbox, select the email and mark it as spam. Normally, machine learning is used to detect spam in the inbox. So, the more you help the software in detecting spam, the more the software will help you in future to detect it. (How are spamtraps used to detect spam emails automatically ?)
  • Verify the green padlock in the address bar before making any sensitive transaction (What is EV Certificate and how does it help to prevent phishing ?).
  • And last but not least, configure a proper firewall on your system. You can close unused ports and prevent unnecessary applications from using the Internet when it is not needed (What is firewall and how can it protect us ?). You can also use an Intrusion Detection System to protect your system (What is an Intrusion Detection System ?).

Purpose of Phishing

The attackers use so much deception to collect personal information, but what do they do with it ?

Sometimes the attackers do collect bank information etc. to steal money. But mostly, this personal information is sold to other attackers for money. We hear about various attacks so often, but have we ever wondered how the attackers pick their victims ?

So, follow the simple rules stated above and never, ever reply to any fraud email. Sometimes these emails are sent in bulk, and if you send a reply, it would at least confirm to the attackers that your email id is a valid one. So you may end up getting even more fraudulent emails later, if nothing else. And stay safe, stay protected.

Read More

What is Social Engineering ?

What is Vishing ?

What is Smishing ?

What is Pharming ?

How do attackers use Typosquatting for phishing and spreading malware ?

How to safeguard oneself from Evil Twin ?

What are EV Certificates ?

Infographic : How to prevent malware ? 

What is 2 Factor Authentication and why should we always enable it if possible ?



  1. Here is another step that can be taken.
    Ask your bank, your insurance company etc. to deploy DMARC (
    Companies like PayPal, Twitter, Facebook, Netflix, UPS, DHL, LinkedIn and many others have been using DMARC for years to protect their customers from phishing.