#NewsBytesExplainer: What are phishing attacks and how to avoid them?

One of the oldest in the hacking book, phishing is a cyber-attack that revolves around exploiting people's emotions and ignorance.

In regular hacks, the attacker directly compromises the system of the target by exploiting hardware/software vulnerabilities and steals their personal/financial data.

However, in phishing, the individual is targeted, or you can say tricked, into giving their information willingly, much like non-electronic confidence scams.

When phishing attacks are carried out, the hackers pretend to be a reputable source, social engineer their target, and win their confidence.

They masquerade as a renowned government entity, business, or individual and encourage the target to fill out a form or download something, eventually fooling the unsuspecting person into giving away their confidential personal or financial information.

In most cases, phishing attacks are carried out via fake emails and websites.

The hacker compiles a list of publicly available email addresses (leaked previously) and creates a fake email address of a reputed organization or agency as well as a website rigged to collect information.

Then, they use the fake email to target all the compiled accounts with the rigged website.

While the use of fake emails and websites remains constant, the message could vary.

Attackers could use a range of topics to exploit their targets' fear, greed, love, and other emotions to trick them into visiting the malicious website and submitting their data.

They could offer rewards/grants, prizes, free vacations, treatments, or create a sense of urgency, like, by warning about expiring bank accounts.

In its warning, CERT-In has warned about phishing attacks related to COVID-19 grants announced by the government.

The agency has emphasized that the malicious actors, presumably from North Korea's Lazarus group, have got 20 lakh emails and are looking to use them to target Indian individuals and businesses with "emails under the pretext of local authorities in charge of dispensing government-funded COVID-19 initiatives."

If you fall for a phishing attack, the fake website or the page mimicking the site of an official source could request for information ranging from credit card numbers to personal details to account login information and passwords.

Once provided, this data goes directly to the hackers' servers and they can use it for financial scams, online identity theft, and various other crimes.

To dodge phishing, one needs to know how to recognize such deceptive emails in the first place.

For this, you should look at the domain of the sender's email; if a mailer is claiming to be a government employee, they should be using an official email domain, not something like gmail.com.

To find the official domain, you can simply search with the company's name.

Among other things, you should look for things like spelling errors in the email domain (@paypaal.com instead of @paypal.com) and grammatical/spelling errors in the message itself to spot phishing.

Meanwhile, Gmail's filters will also do the job of warning about potential phishing-focused emails.

Specifically, the email service displays a direct banner saying that the message looks dangerous and has been used to steal information.

In case, an email looks very convincing (thanks to smart attackers), you should directly check with the organization mentioned in the message about the pitched matter.

If their website or customer representative confirms the same, you could proceed. If not, you would know that it's a phishing attack, which has to be avoided.

The key is to stop for a second, reflect, and verify.

Once a phishing email is identified, you should mark the message as spam and delete it, without interacting with its links/attachments.

If you think you have fallen for a phishing attack and given away information on a fake website, change the information divulged, and enable 2FA on all related accounts.

If any card information is leaked, contact your bank immediately for the next steps.