Detecting and guarding against phishing attempts

Jeff Hurmuses, Area Vice President and Managing Director, APAC, Malwarebytes | Oct. 30, 2017
Here are some ways to better detect and prevent oneself from being a victim of phishing attacks.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

[Image: detecting phishing attempts. Credit: Storyblocks]

Long gone are the days where phishing attacks were blatantly obvious fakes pretending to be from Nigerian princes. Modern-day phishing campaigns are decidedly more sophisticated, incorporating stealthy techniques that trick their targets into believing that phishing emails are wholly legitimate.  

Phishing attacks aim to collect personal data, including login credentials, credit card numbers, social security numbers and bank account numbers, for fraudulent purposes. In Singapore, there have been recent phishing scams purporting to be from enterprises such as Singapore Post and Singapore Airlines. But while phishing attacks are most commonly delivered as an email that spoofs a known enterprise, they can also appear to come from individuals, including bosses and acquaintances.

These emails always contain a link that sends users to a convincing impersonation of a valid website, where credentials are collected and sent to the attacker instead of the supposedly trusted source. From there, the attacker can use the credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.
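The mismatch between where a link appears to go and where it actually goes is something a mail gateway or a help desk can check mechanically. The script below is an added illustration, not code from the article or from Malwarebytes: it parses a constructed HTML email, pairs every anchor's visible text with its href, and flags links whose displayed domain differs from the destination's registrable domain. The registrable-domain helper is a deliberate simplification (last two labels, no public-suffix list), and every hostname in the sample is invented.

```python
"""Flag links in an HTML email whose visible text names one domain but whose
href leads to another.  Added example; the sample email below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one mismatched link, one honest link with plain text,
# one link whose visible text imitates a courier's site.
SAMPLE_EMAIL = """
<p>Dear customer, please visit <a href="https://login.example-bank.com.evil.test/verify">
https://login.example-bank.com</a> to confirm your account.</p>
<p>Or read <a href="https://www.example-bank.com/help">our help centre</a>.</p>
<p>Track your parcel at <a href="http://parcel-status.test/track">www.example-post.test</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text_or_url):
    """Return the hostname of a URL, or of bare 'www.example.test' style text.
    Returns None when the text is not URL-like (no dot in the host part)."""
    candidate = text_or_url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def registrable_domain(host):
    """Simplified registrable domain: the last two labels.  A production check
    would consult the public-suffix list (assumption noted in the lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(html):
    """Return (reason, displayed_host, actual_host) for each mismatched link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        text_host = host_of(text)
        if href_host is None or text_host is None:
            continue  # plain-text anchors cannot mislead by domain
        if registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(("displayed/actual domain mismatch", text_host, href_host))
    return findings


if __name__ == "__main__":
    for reason, shown, actual in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shows {shown!r} but goes to {actual!r}")
```

Only anchors whose visible text looks like an address are compared; a link labelled "our help centre" carries no domain claim to contradict, so the second sample link is not reported while the other two are.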

While the phishing email is the most basic and common phishing attack, there are other attack forms that are directed towards a more targeted group. For instance, spear phishing involves crafting a believable email to extort information (or money) from a specific person or organisation. Whaling, a specific form of spear phishing, is directed towards executives or other high-profile targets within a government or business such as a CEO, senator, or someone who has access to financial assets. Meanwhile, smishing or SMS phishing involves SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.

There truly are a lot of "phish" in the sea. Phishers today are also known to create malicious websites with attractive offers, which are indexed by search engines. Known as search engine phishing, this form of phishing attack extorts the personal information of those who have stumbled across malicious sites through their online searches.

On the other hand, content-injection phishing, a form of content spoofing, involves inserting malicious code or misleading content into legitimate websites that instruct users to enter their credentials or personal information.

Some common phishing attacks can easily escape users' notice, too. Phishers sometimes position themselves between people and websites, such as social networking sites or online banks, to extract information as it is being entered by the users. Man-in-the-middle phishing, as this attack is more commonly known, is more difficult to detect because attackers continue to pass on users' information (after collecting it) to avoid disrupting transactions. Users should also guard against pharming, or DNS-based phishing, which involves modifying or tampering with a system's hosts file or DNS resolution so that requests for legitimate URLs are redirected to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.
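Because pharming through the hosts file leaves a local artefact, an endpoint check can catch it. The script below is an added example, not code from the article: it parses a constructed hosts-file snapshot, skips ordinary loopback pins, and reports any non-loopback entry that overrides a domain on a constructed watch list (the domains a user or help desk would never expect to see pinned locally). The watch list and the addresses are invented; on a real machine you would point it at /etc/hosts or, on Windows, C:\Windows\System32\drivers\etc\hosts.

```python
"""Audit a hosts-file snapshot for entries that override watched domains.
Added example; the watch list and hosts content below are constructed."""
import ipaddress
import sys

# Constructed watch list of domains that should only ever resolve through DNS.
WATCHED_DOMAINS = {"example-bank.com", "mail.example.org"}

# Constructed hosts snapshot: normal loopback lines, one internal pin that is
# not on the watch list, and one pharming-style override of a watched domain.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Added by "system update"
203.0.113.45   login.example-bank.com example-bank.com
10.0.0.5       intranet.corp.local
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter auditor could report it
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def is_watched(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) for every non-loopback pin of a watched domain."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            continue  # pinning a name to localhost is a common, benign practice
        if is_watched(name, watched):
            findings.append((str(ip), name))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]; defaults to the sample.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name in find_pharming_entries(content):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

The loopback exemption keeps the noise down for developers who pin test names to 127.0.0.1; anything else that redirects a watched domain is worth a ticket, since DNS-based pharming works precisely by making such a redirect invisible to the user.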
