Good morning dears 🙂
Most of you have heard the word “Phishing” recently and many of you know what it is. For those who do not know what it is, let me tell you about it.
Phishing is a new-age crime carried out over the internet. It is happening in increasing numbers recently due to the wide use of the internet (BIG THANKS TO OUR GOVERNMENT AND MINISTERS AND INTERNET PROVIDERS FOR MAKING FREE WiFi AVAILABLE IN PUBLIC PLACES AND REMOTE AREAS), the cheap price of making a website, unawareness about SAFE and MINDFUL use of the internet, paperless payments (BIG THANKS TO OUR PM FOR DEMONETIZATION) and EDUCATED CRIMINALS.
Phishing is a form of identity theft in which a cyber criminal attempts to obtain our sensitive information like usernames, passwords, bank account and credit card details. Some of these criminals send us emails, mobile text messages etc. telling us we have won millions in prize money or an iPhone, or that they need help transferring money from their account to ours for some reason, etc., and ask us to provide our bank account details, full address, etc.
More recently, these criminals are getting our mobile contacts through different media (SOME PEOPLE ARE MAKING MONEY BY SELLING PEOPLE’S CONTACT DETAILS – THEY COLLECT THE MOBILE NUMBER/EMAIL/HOUSE/OFFICE ADDRESS WE GIVE FOR PRIZE DRAWS AT EXHIBITIONS, FESTIVALS, DONATION CAMPS, etc.) and call us asking for a donation to an NGO for children, or for someone’s heart operation, etc. They plan the crime very well, so if we ask them for more details they give us websites to look at and tell us they will guide us through each link, what details to fill in, and then how to make the payment. If we have a soft heart for children and poor people but do not know how to distinguish genuine people from fraudsters, we fall into their trap.
If we go through the website they mention while on the call, our focus is on the call and on the website; we follow their instructions and, just like that, our bank account/credit card details, including username, password, mobile number and OTP, are in their hands.
When we look at a phishing website, it may look like a genuine one. Earlier, we could distinguish a safe website from an unsafe one by looking for https:// before the www. and the website name followed by .com, .org, .in, .co.uk, etc. But now these fraudsters have understood that, and they too make websites with https:// and .com, .in, .org, etc. to cheat people. Check the entire URL and not just the domain part. Check for tags like <script> etc. Phishing websites use a domain name which looks exactly like the real one with one or two characters different, e.g. Gooogle.com instead of Google.com.
Sometimes phishing happens through ads, videos, etc. seen on a website. If we click on these, they may lead us to a phishing site (mostly game sites, film sites, porn sites etc.).
Some cyber criminals create approximately 1.4 million phishing websites every month, with fake pages designed to mimic an NGO, a job portal, etc., and replace them within hours to ensure they are not detected. By creating phishing websites with such a short life span, cyber criminals make it hard for police authorities to find the fake web page, especially if there are no links to other sites.
HOW TO PREVENT PHISHING?
1. Be aware that not all people are genuine.
2. Use a good antivirus on your computer, Android phone and tablet (for me, Kaspersky detected many phishing sites and malware – thanks Kaspersky).
3. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
4. Do a Google search for the website whose genuineness you doubt instead of visiting it in a jiffy. If you are lucky, your good antivirus will show you whether it is a phishing or a genuine site (Kaspersky shows red for a phishing site and green for a genuine site), and Google will also show you whether it is a blacklisted site, along with reviews and complaints from other people who have used that website earlier, etc.
5. Stay aware, alert and relaxed. Most of the time, the cyber criminals call us during busy working hours.
6. Use a call recorder on your mobile.
7. Whenever you face such fraudulent phone calls followed by text messages, immediately send the details to the nearest cyber cell along with the call recordings and the text messages sent to you by the fraudster.
NOTE: If you have other ideas to prevent phishing, please do share…sharing is caring.
Thanks for reading. Let us live and let live 🙂
Awesome information shared with me by Arjun V, Threat Hunter & VAPT at Amrita Center for Cyber Security Systems and Networks:
- We usually label a website as a phishing website if and only if it’s masquerading as a famous website. The difference would be in the domain name or the URL alone. And by that nomenclature, the other types of websites you mentioned will be labeled as fake websites.
- Common methods used in phishing are: using a domain name which looks exactly like the real one, but with one or two characters different (say Gooogle.com instead of Google.com); a domain name that looks authentic, say www.google-site.com; and Punycode domains: https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
- Sometimes phishing is done by exploiting a real website’s vulnerabilities, a quite common attack vector being Cross Site Scripting attacks. In these attacks the domain name would be the real one, making it extremely hard to detect as malicious. But the URL itself will contain the payload (i.e. it will contain tags like <script> etc.).
- Quite a lot of phishing attacks also make use of shortened URLs using Google’s URL shortener, which makes them look authentic. Tell the users to make use of online services which will expand the shortened URL to the long URL before visiting it: http://urlex.org/
- Punycode attacks are being increasingly used these days, and not enough blogs on phishing mention that. Even the Wikipedia page doesn’t mention it, when I checked it last time.
- Do not click URLs sent from suspicious email IDs (which are also spoofed and look like real and authentic ones).
- Do not get tempted by all those offer and discount links people send you on WhatsApp and other messaging platforms, as they are almost exclusively phishing attacks.
- Do not put your banking information into links followed from emails. Just Google search and reach the site directly instead. For example, a lot of mails about Aadhaar cards or some government project for free LPG, etc., usually redirect to fraud websites.
- Do not put your work email address into any website. For that, you can create a secondary Google account, or even use free temporary email services available online for one-time account creation (say for downloading a PDF and the like). A secondary Google account for that purpose won’t hurt either, since Google allows you to create and connect any number of email accounts.
Thank you Arjun V for sharing this awesome information.
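As an added example (not part of the original post or of Arjun's notes), here is a small Python checker that turns the URL checks described above into code: a domain one or two characters off a known brand, a brand name embedded in an unrelated domain like google-site.com, a Punycode (xn--) label, a <script> payload anywhere in the full URL, and a shortener domain that should be expanded first. The brand list, shortener list and sample URLs are constructed assumptions for illustration; the domain split is deliberately naive and a real tool would use the public-suffix list.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed allowlist of brand domains a defender cares about (assumption, not from the post)
KNOWN_DOMAINS = ["google.com", "paypal.com", "amazon.in"]
# Constructed list of URL-shortener domains; goo.gl was Google's shortener mentioned in the text
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    # Naive split: keep the last two labels (fine for .com/.in, wrong for .co.uk)
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def check_url(url):
    """Return a list of red-flag descriptions for url; an empty list means none were found."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    # 1. Punycode label: the displayed name may be built from look-alike Unicode characters
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode domain label")
    # 2. Look-alike of a known brand: one or two characters different, or brand name embedded
    for known in KNOWN_DOMAINS:
        if domain == known:
            break  # genuine domain (or a real subdomain of it); nothing to flag
        brand = known.split(".")[0]
        if 1 <= edit_distance(domain, known) <= 2:
            warnings.append(f"look-alike of {known}")
        elif brand in host:
            warnings.append(f"brand '{brand}' used outside its real domain {known}")
    # 3. Script payload in the full URL, even if the domain is genuine (reflected XSS case);
    #    decode %-encoding first so %3Cscript%3E is caught too
    if re.search(r"<\s*script|javascript:", unquote(url), re.IGNORECASE):
        warnings.append("script payload in URL")
    # 4. Shortened URL: expand it before visiting
    if domain in SHORTENERS:
        warnings.append("shortened URL, expand before visiting")
    return warnings
```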