#NewsBytesExplainer: What are phishing attacks and how to avoid them?
What's the story
A few hours ago, the Indian Computer Emergency Response Team (CERT-In) issued an advisory warning about a massive phishing attack campaign. The agency said that the attack is being planned by certain malicious actors and is likely to start today, targeting both individuals and businesses in India. So, what exactly is a phishing attack and how can you avoid it? Let's find out.
Phishing explained
First, let's understand phishing
One of the oldest in the hacking book, phishing is a cyber-attack that revolves around exploiting people's emotions and ignorance. In regular hacks, the attacker directly compromises the system of the target by exploiting hardware/software vulnerabilities and steals their personal/financial data. However, in phishing, the individual is targeted, or you can say tricked, into giving their information willingly, much like non-electronic confidence scams.
Working
What happens in phishing attacks?
When phishing attacks are carried out, the hackers pretend to be a reputable source, social engineer their target, and win their confidence. They masquerade as a renowned government entity, business, or individual and encourage the target to fill out a form or download something, eventually fooling the unsuspecting person into giving away their confidential personal or financial information.
Attack vector
Attack vector remains same most of the time
In most cases, phishing attacks are carried out via fake emails and websites. The hacker compiles a list of publicly available email addresses (leaked previously) and creates a fake email address of a reputed organization or agency as well as a website rigged to collect information. Then, they use the fake email to target all the compiled accounts with the rigged website.
Message
Only the topic of persuasion differs
While the use of fake emails and websites remains constant, the message could vary. Attackers could use a range of topics to exploit their targets' fear, greed, love, and other emotions to trick them into visiting the malicious website and submitting their data. They could offer rewards/grants, prizes, free vacations, treatments, or create a sense of urgency, like, by warning about expiring bank accounts.
Warning
Indian Government has warned about COVID-19-related phishing
In its warning, CERT-In has warned about phishing attacks related to COVID-19 grants announced by the government. The agency has emphasized that the malicious actors, presumably from North Korea's Lazarus group, have got 20 lakh emails and are looking to use them to target Indian individuals and businesses with "emails under the pretext of local authorities in charge of dispensing government-funded COVID-19 initiatives."
Impact
If you fall for it, information is stolen immediately
If you fall for a phishing attack, the fake website or the page mimicking the site of an official source could request for information ranging from credit card numbers to personal details to account login information and passwords. Once provided, this data goes directly to the hackers' servers and they can use it for financial scams, online identity theft, and various other crimes.
Information
In some cases, visiting fake websites will download malware
Notably, in some cases, visiting the phishing website through any link received via email could also download malware which may compromise or lock your device and automatically mine critical information from its storage as well as steal passwords.
Detection
How to spot a phishing attack?
To dodge phishing, one needs to know how to recognize such deceptive emails in the first place. For this, you should look at the domain of the sender's email; if a mailer is claiming to be a government employee, they should be using an official email domain, not something like gmail.com. To find the official domain, you can simply search with the company's name.
Other ways
What are the other ways?
Among other things, you should look for things like spelling errors in the email domain (@paypaal.com instead of @paypal.com) and grammatical/spelling errors in the message itself to spot phishing. Meanwhile, Gmail's filters will also do the job of warning about potential phishing-focused emails. Specifically, the email service displays a direct banner saying that the message looks dangerous and has been used to steal information.
Double check
Double check with the agency, organization in question
In case, an email looks very convincing (thanks to smart attackers), you should directly check with the organization mentioned in the message about the pitched matter. If their website or customer representative confirms the same, you could proceed. If not, you would know that it's a phishing attack, which has to be avoided. The key is to stop for a second, reflect, and verify.
Action
What to do after identifying a phishing email
Once a phishing email is identified, you should mark the message as spam and delete it, without interacting with its links/attachments. If you think you have fallen for a phishing attack and given away information on a fake website, change the information divulged, and enable 2FA on all related accounts. If any card information is leaked, contact your bank immediately for the next steps.