What is a phishing attack? What are the different phishing types, and how do we protect ourselves from this attack?
Phishing is a form of social engineering attack focused on stealing credentials or identity information from a potential target. It can also involve installing malware on user systems and combining it with crafted social engineering techniques to gain access to critical infrastructure and sensitive data.
In essence, social engineering is the practice of human manipulation: an attacker pretends to be someone else in an effort to obtain sensitive data.
Phishing is the most common form of social engineering, and email-based phishing is considered the most pervasive technique for deceiving users.
According to some research, phishing routinely sits at the top of the most common security concerns today, because it can evade many of the most sophisticated security tools and controls and compromise an organization's weakest link, its people, and through them compromise highly critical infrastructure and our privacy.
Sophisticated phishing attacks have been conducted in which fake websites are set up for users to log into with their credentials; laypeople, high-profile individuals, and companies of all sizes have already been victims of frequent phishing attacks.
Common phishing types include, but are not limited to:
- Spear phishing is a more targeted form of phishing where the message is crafted and directed specifically at a group of individuals.
- Whaling is a form of spear phishing that targets specific high-value individuals (by title, by industry, from media coverage, and so forth), such as the CEO or other C-level executives, administrators, or high-net-worth clients.
- Short Message Service (SMS) phishing, or smishing (spam over instant messaging [SPIM]), is a social engineering attack that occurs over or through standard text messaging services.
- Vishing (i.e., voice-based phishing) or SPIT (spam over Internet telephony) is phishing done over any telephony or voice communication system.
- Spam is any type of email that is undesired and/or unsolicited. But spam is not just unwanted advertisements; it can also include malicious content and attack vectors. Spam is often used as the carrier of social engineering attacks.
Phishing attacks mainly succeed in three common ways: when victims reply to an unsolicited email, fill out a web form linked from an email, or click on a website link of unknown origin.
Some mechanisms to protect against phishing attacks:
- Multi-factor authentication should be used to defeat phishing attacks.
- User awareness, training, and education programs on the harmfulness of these attacks are very effective at teaching users to spot phishing and at protecting users and systems from it. We can employ simulated phishing campaigns to test the effectiveness of these programs on users as well.
- We should never click on links that originate from unknown senders or destinations, and we should double-check messages from known senders before clicking on them as well.
- We can employ anti-spam and anti-phishing techniques to minimize phishing attacks, and so forth.