Photo caption: The availability of data on the dark web makes it easy for cyber criminals to launch phishing campaigns. (Photo: From the web)
Hacking the human mind is much easier than hacking a computer or business. Attackers prey on human weaknesses like fear, greed, trust, desire, ego, sympathy, ignorance, carelessness and haste.
Fraudsters scam people using (1) phone calls, referred to as vishing, (2) SMS, referred to as smishing, and (3) email, referred to as phishing.
Phishing is a method of gathering personal or sensitive information through deceptive phone calls, SMS, emails, blogs and websites, and then stealing data or money from the victims. The analogy is an angler throwing a baited hook (the phishing email) and hoping the victim will bite. It may appear to be an increasingly sophisticated form of cyber attack, but it is just that: attackers play on common sense and steal from individuals.
The availability of data on the dark web makes it easy for cyber criminals, even those with minimal technical skills, to launch phishing campaigns. Jamtara, a series on Netflix, is an account of how phishing is done in Jamtara, a city in Jharkhand.
Once the data from the dark web is purchased, all the attacker needs to do is send out emails, SMS and WhatsApp messages to potential victims. PhishTank and OpenPhish are two sites that keep crowd-sourced lists of known phishing URLs; such sites are often referred to as phishing kit sites.
Malware is also often sent via phishing emails, with the aim of infecting victims' devices. The messages are often soft-targeted: for example, the attacker sends a spoofed email posing as the boss, requesting an urgent, high-priority fund transfer, and many corporates have fallen for this fraud. Phishing emails frequently carry .zip files or Microsoft Office documents with malicious embedded code, some of which lead to ransomware.
Other forms of phishing are (a) spear phishing, where fraudsters send a spoofed message tailored to a specific individual, and (b) whale phishing, a form of spear phishing aimed at the very big fish, i.e., CEOs or other high-value targets.
If you have been a victim of phishing, report it on https://cybercrime.gov.in/. It hardly takes a few minutes and you don't even need to visit a police station to register a complaint.
Psychological factors used by scammers:
* Trust: People are inclined to trust others, and exploiting that impulse is the basis of social engineering.
* Ignorance: Lack of knowledge about social engineering attacks makes people and organisations vulnerable, for example to callers pretending to be in a position of authority (such as an executive or manager of a bank).
* Fear: People are afraid of loss, and fraudsters exploit those fears. For example, they might send a message or make a call warning about the possible loss of employment, money or access.
* Greed: Scammers/fraudsters promise rewards in exchange for divulging information; the catch takes the form of advance taxes, security deposits or customs fees to be paid before the victim actually receives the reward.
* Moral duty: People often feel obliged to help when asked, and scammers/fraudsters exploit this, especially by seeking donations during floods or Covid-19.
* Urgency: Scammers/fraudsters might call or email in the guise of a high-ranking chief executive officer who requires an urgent transfer of funds, usually using spoofed emails posing as the victim's boss.
* Panic / Anger: People don't think clearly when they are pressured to act quickly. Social engineers call pretending to be support staff and present a frantic scenario that compromises your safety (such as the need to reset the expiry date of your credit/debit card).
Precautions and warning signs:
* Double-check a web link before clicking it or downloading attachments sent by unknown contacts; such links often lead to an unfamiliar site (hover over them and check), and verify links using www.isitphishing.org or www.urlvoid.com.
* Never send sensitive, personal or proprietary information via email, regardless of who is asking for it.
* Poor spelling and grammar throughout an email or SMS is a warning sign.
* Links or forms asking for personal information (passwords and bank details) are a warning sign.
* Never search for customer care numbers on search engines; open the respective app or the service's official website for the correct customer care number.
* Scanning a QR code or giving an OTP, UPI PIN, bank card or CVV number means you are TRANSFERRING money from YOUR account, NOT receiving it.
* Enable Two Factor Authentication (2FA) for all social media, banking and email accounts.
* Never share your screen while doing banking or while logging on to social media and email accounts.
* Install genuine antivirus and anti-malware software on your devices.
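The "hover over the link and check" advice above can be automated. The following Python script is an added example, not part of the column: it pulls every link out of an HTML email body and flags two red flags the column describes, visible link text that names one site while the href goes to another, and hostnames that merely contain the trusted domain (as in a fake "Update KYC" link). The email body, the bank domain example-bank.com and the lookalike hosts are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: link text claims one site, href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be blocked in 24 hours.</p>
<a href="http://secure-login.example-bank.co/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="https://update.example-bank.com.evil.example/kyc">Update KYC</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude owning-domain guess: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_links(html, trusted_domain):
    """Return (href, reason) for links a reader should not trust: visible
    text that is itself a URL on a different domain than the href, or a
    host that merely contains trusted_domain without being owned by it."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if re.match(r"^(https?://|www\.)", text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(href_host):
                findings.append((href, "link text shows " + shown + " but goes to " + href_host))
                continue
        if trusted_domain in href_host and registrable_domain(href_host) != trusted_domain:
            findings.append((href, "lookalike host " + href_host))
    return findings
```

Running suspicious_links(SAMPLE_EMAIL_HTML, "example-bank.com") flags the first and third links and leaves the genuine help-centre link alone.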
Stay tuned to the Cyber Talk column to know more about internet ethics and digital wellness, brought to you by Anil Rachamalla, End Now Foundation, www.endnowfoundation.org.