Phishing to date remains a popular method of stealing credentials, committing fraud, and distributing malware. But what appears on the surface to be a juvenile form of cybercrime can be, in practice, a well-orchestrated, multi-faceted, and sustained attack campaign by organized crime groups.
– From finding victims and creating phishing sites to harvesting and fraudulently using victims’ credentials, it can be difficult to build a complete picture of the end-to-end process. Always keen to hook onto emotive topics, cybercriminals were quick to capitalize on the global outbreak of SARS-CoV-2, colloquially known as Coronavirus or COVID-19.

While millions of people struggled to learn the real facts about the pandemic from world leaders, the morally absent cybercriminal community saw their opportunity. Phishing emails began hitting inboxes around mid-March with subject lines such as “Covid-19 in your area?” and “Message from the World Health Organization.”

Three primary objectives for COVID-19­­ related phishing emails became apparent. Fraudsters focused their efforts on- Asking for donations to fake charities, Credential harvesting, or Malware delivery.

For example:
A spoofed email ostensibly from peachuniversity.edu is mass-distributed to as many faculty members as possible.
The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.

– Several things can occur by clicking the link. For example:
The user is redirected to peachuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.

The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.

• Like what you’re reading, click to know more https://www.tikaj.com/blog/phishing/

TYPES OF PHISHING STRATEGIES

1. EMAIL PHISHING
A major chunk of phishing attacks is sent by email. The fraudster will register a fake domain that mimics a genuine organization and sends thousands out thousands of generic requests.

The fake domain often involves character substitution, like using ‘r’s and ‘n’ next to each other to create ‘rn’ instead of ‘m’. There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.

2. SPEAR PHISHING
Spear phishing is a more sophisticated, type of phishing involving email which describes malicious emails sent to a specific person.

Criminals who do this will already have some or all of the following information about the victim:
NAME
OFFICE NAME
DESIGNATION
EMAIL ADDRESS

– And Specific information about their job role.
One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was done with the help of spear phishing.

3. WHALING
Whaling attacks just like spear are more sophisticated, types of phishing involving email but even more targeted, aiming at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.

– Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals as they contain a host of useful information: names, addresses, Social Security numbers, and bank account information.

4. SMISHING AND VISHING
With both smishing and vishing, emails are replaced by telephones as the mode of communication. Smishing involves criminals sending text messages, and vishing involves a telephone conversation where the trickster poses as a fraud investigator telling the victim that their account has been breached.

The criminal will then ask the victim to provide payment card details to verify their identity or transfer money into a ‘secure’ account. They mean the criminal’s account.

5. ANGLER PHISHING
A relatively new attack vector, social media offers several ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.

STEPS TO PROTECT ONESELF FROM PHISHING

1. The computer can be protected by using security software. Set the software to update automatically so it can deal with any new security threats.
2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
3. Prevent coming accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication.
4. Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.