Introduction to Phishing

Phishing is a cyberattack where attackers use fake messages or websites to trick victims into giving away sensitive information. It works like “fishing,” using bait to lure targets into clicking harmful links or entering confidential data.

• Goal: steal sensitive info (passwords, credit card details, SSNs, DOB).
• Attackers impersonate trusted brands or services.
• Most phishing happens through emails that look genuine.
• Fake websites often mimic real ones but have suspicious URLs.

Methods Used to Carry Out Phishing

Phishing can occur in several ways. Any of the methods below can lead a user into a phishing attack:

1. Clicking on an Unknown File or Attachment

Attackers send malicious files that trigger malware installation or ask for confidential information when opened.

• Suspicious email attachments often contain malware
• Files may prompt users to enter sensitive data
• Common in spam or fake corporate emails

2. Using an Open or Free Wi-Fi Hotspot

Attackers lure users with free Wi-Fi and secretly monitor or steal their data.

• Hackers can intercept browsing activity
• Login credentials and personal data can be captured
• Fake Wi-Fi hotspots mimic legitimate networks

3. Responding to Social Media Requests

Through social engineering, attackers trick users into accepting fake friend requests or revealing personal details.

• Fake profiles are used to gain trust
• Users may unknowingly share private information
• Attackers gather data for further targeted attacks

4. Clicking on Unauthenticated Links or Ads

These links redirect users to fake websites that mimic real ones to steal confidential information.

• Fake URLs closely resemble legitimate sites
• Users are prompted to enter passwords or financial data
• Often seen in emails, pop-ups or unsafe websites

Types of Phishing Attacks

Below are the different types of phishing attacks:

1. Email Phishing

Attackers send fake emails pretending to be trusted organizations to trick users into sharing sensitive data.

• Sent to large groups
• Aims to steal bank details, credit card numbers or login credentials
• May contain malware-infected attachments or links

2. Spear Phishing

Targets a specific person or organization using personalized information.

• Attackers research the victim beforehand
• Emails appear more convincing and customized
• Often used to steal confidential corporate data

3. Whaling

A specialized spear-phishing attack targeting high-level executives.

• Targets CEOs, CFOs, directors or senior managers
• Uses urgent or high-pressure messages
• Designed to steal sensitive business information or authorize fraudulent payments

4. Smishing

Phishing conducted through SMS messages.

• Contains malicious links or fake warnings
• May ask users to click a link or call a fraudulent number
• Often disguised as bank alerts, delivery updates or OTP messages

5. Vishing

Voice phishing carried out through phone calls.

• Attackers use fake caller IDs or IVR systems
• Pretend to be banks, tech support or government agencies
• Trick victims into sharing OTPs, PINs or personal details

6. Clone Phishing

Attackers duplicate a legitimate email and replace its links or attachments with malicious ones.

• Sent from a spoofed address resembling the original sender
• Appears highly trustworthy as it copies a real email
• May spread through the victim’s contact list once compromised

Signs of Phishing 

Identifying the signs of phishing helps users avoid falling victim:

• Suspicious email addresses: Look for slight misspellings or altered domains.
• Urgent requests for personal information: Phishing emails often pressure victims.
• Poor grammar and spelling: A common indication of a fake message.
• Requests for sensitive information: Legitimate organizations rarely request such data via email.
• Unusual links or attachments: Avoid clicking links from unknown sources.
• Strange URLs: Fake websites often mimic real ones but with slight variations.

Preventive Measures for Phishing

Users can avoid phishing by following these precautions:

• Authorized Sources: Download software only from trusted platforms.
• Confidentiality: Never share private details with unknown links or websites.
• Check URLs: Verify website addresses to avoid fake sites.
• Avoid replying to suspicious emails: Contact the sender through a fresh email if unsure.
• Use phishing detection tools: These help identify malicious websites.
• Avoid free Wi-Fi: Public hotspots may expose sensitive data.
• Keep your system updated: Updates patch vulnerabilities.
• Enable firewalls: Firewalls filter suspicious traffic.

Distinguishing Between a Fake Website and a Real Website

Here are ways to identify legitimate websites:

1. Check the URL of the Website

• A good and legal website always uses a secure medium to protect yourself from online threats.
• So, when you first see a website link, always check the beginning of the website.
• That means if a website is started with https:// then the website is secure because https:// "s" denotes secure, which means the website uses encryption to transfer data, protecting it from hackers.
• If a website uses http:// then the website is not guaranteed to be safe.
• So, it is advised not to visit HTTP websites as they are not secure.

2. Check the Domain Name

• The attackers generally create a website whose address mimics large brands or companies like www.amazon.com/order_id=23.
• If we look closely, we can see that it's a fake website as the spelling of Amazon is wrong, that is amazon is written.
• So it's a phished website.
• So be careful with such types of websites.

3. Analyze the Site Design

• If you open a website from the link, then pay attention to the design of the site.
• Although the attacker tries to imitate the original one as much as possible, they still lack in some places.
• So, if you see something off, then that might be a sign of a fake website.
• For example, www.sugarcube.com/facebook, when we open this URL the page open is cloned to the actual Facebook page but it is a fake website. The original link to Facebook is www.facebook.com.

4. Check Available Web Pages

• A fake website does not contain the entire web pages that are present in the original website.
• So when you encounter fake websites, then open the option(links) present on that website.
• If they only display a login page, then the website is fake.

Anti-Phishing Tools

These tools help detect phishing attacks:

• Anti-Phishing Domain Advisor (APDA): Warns users about phishing websites with real-time alerts.
• PhishTank: A community-driven database of reported phishing sites.
• Webroot Anti-Phishing: Uses machine learning to detect suspicious websites.
• Malwarebytes Anti-Phishing: Blocks malicious websites using real-time detection.
• Kaspersky Anti-Phishing:Provides integrated protection using known phishing database lists.

Note: Anti-phishing tools help add protection but are not a complete solution. Users must remain cautious and practice safe browsing habits to avoid falling victim.