Phishing (pronounced “fishing”) is an attempt to lure recipients into disclosing sensitive information (such as usernames, passwords, account IDs, ATM PINs, or credit card details) by sending large numbers of spoofed e-mails that impersonate trustworthy entities such as banks or other well-known institutions.
Phishing attacks use a variety of techniques to make an e-mail or web page look and behave like one from the authentic source. Some common techniques are listed below.
Most browsers display URLs in a sans-serif font, in which a capital “I” and a lowercase “l” are almost indistinguishable. Attackers register a domain name similar to that of the website they want to imitate, sometimes by swapping letters of different case or by substituting look-alike characters. For example, “paypaI.com” (spelled with a capital I) can be used to counterfeit “paypal.com”, and “barcIays.com” can be used to counterfeit “barclays.com”.
A fake domain name can also incorporate part of the real domain name. For example, “ebay-members-security.com” is used to counterfeit “ebay.com”, and “users-paypal.com” is used to counterfeit “paypal.com”. Most users lack the tools and knowledge needed to determine whether such a domain name is actually owned by the company being imitated.
URL hiding takes advantage of a rarely used piece of URL syntax: a user name and password can be placed in front of the host name, as in
http://username:password@domain/. Everything before the “@” is treated as credentials, not as the server address, so an attacker can put a plausible-looking domain name in the user-name position and push the real host name to the right, past the visible part of the address bar. For example,
Modern browsers have closed this hole, either by stripping the user name and password from the URL before showing it in the address bar, or by rejecting HTTP URLs that contain the user-name/password syntax altogether. Internet Explorer takes the latter approach.
The simplest way to hide a server’s identity is to show it as a bare IP address, such as
http://126.96.36.199. Because many legitimate URLs also contain opaque numbers, only users who understand how URLs are structured and are alert enough will find such an address suspicious.
The text of a hyperlink is completely independent of the URL it actually points to. Attackers exploit this by showing one URL as the link text while the underlying target is an entirely different URL. Users rarely double-check the real destination when a URL is explicitly displayed in the message.
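The four URL tricks above (look-alike and brand-bearing domains, user:password@host hiding, bare-IP hosts, and link text that differs from the real target) can all be caught mechanically. The following is an added example, not code from the original article: a small triage function built on the WHATWG URL parser that is available as the global `URL` in browsers and Node.js. The brand list, the `triageLink` and `skeleton` names, and the sample links are constructed for illustration; the last-two-labels rule for the registrable domain is a deliberate simplification (a real deployment would use the Public Suffix List).

```javascript
// Added example (not from the original article): phishing-URL triage.
// Assumes the WHATWG URL class, which is global in browsers and Node.js.

// Brand domains this organisation wants to protect (constructed list).
const BRAND_DOMAINS = ["paypal.com", "ebay.com", "barclays.com"];

// Characters that look alike in the sans-serif fonts browsers use for URLs.
// The URL parser lowercases host names, so the capital I in "paypaI.com"
// reaches us as "i"; both spellings are folded to "l" before comparison.
const CONFUSABLES = { I: "l", i: "l", "1": "l", "0": "o" };

function skeleton(host) {
  return [...host]
    .map((ch) => (CONFUSABLES[ch] !== undefined ? CONFUSABLES[ch] : ch.toLowerCase()))
    .join("");
}

// Last two labels of a host. Simplification: ignores multi-part public
// suffixes such as co.uk; use the Public Suffix List in production.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function looksLikeIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Does the visible link text itself look like a URL or host name?
function looksLikeAddress(text) {
  return text.includes("://") || /^[\w.-]+\.[a-z]{2,}/i.test(text);
}

// Returns an array of human-readable findings; an empty array means
// none of the four tricks was detected.
function triageLink(href, displayText = "") {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return ["unparseable URL: " + href];
  }
  const host = url.hostname;
  const reg = registrableDomain(host);

  // 1. user:password@host hiding: the part before "@" is NOT the server.
  if (url.username !== "") {
    findings.push(`userinfo "${url.username}" shown before "@", real host is ${host}`);
  }

  // 2. Bare IP address instead of a host name.
  if (looksLikeIPv4(host) || host.startsWith("[")) {
    findings.push(`host is a raw IP address: ${host}`);
  }

  // 3. Brand abuse: look-alike spelling, or brand name inside another domain.
  for (const brand of BRAND_DOMAINS) {
    if (reg === brand) continue; // the genuine domain
    const brandWord = brand.split(".")[0];
    if (skeleton(reg) === skeleton(brand)) {
      findings.push(`look-alike domain ${reg} resembles ${brand}`);
    } else if (host.includes(brandWord)) {
      findings.push(`"${brandWord}" appears in ${host}, which is not ${brand}`);
    }
  }

  // 4. Link text that shows a different destination than the href.
  const shown = displayText.trim();
  if (shown !== "" && looksLikeAddress(shown)) {
    try {
      const shownUrl = new URL(shown.includes("://") ? shown : "http://" + shown);
      if (shownUrl.hostname !== host) {
        findings.push(`link text shows ${shownUrl.hostname} but points to ${host}`);
      }
    } catch (e) {
      // display text is not a parseable address: nothing to compare
    }
  }
  return findings;
}

// Constructed sample links, one per trick plus a genuine one.
const SAMPLES = [
  ["http://paypaI.com/login", "PayPal"],
  ["http://ebay-members-security.com/", "eBay security"],
  ["http://www.paypal.com@evil.example/login", "www.paypal.com"],
  ["http://126.96.36.199/", "Update your account"],
  ["http://evil.example/login", "http://www.paypal.com/login"],
  ["https://www.paypal.com/signin", "PayPal"],
];

for (const [href, text] of SAMPLES) {
  console.log(href, "->", triageLink(href, text));
}
```

Note that the genuine `https://www.paypal.com/signin` link produces no findings, while each counterfeit produces exactly the finding for the trick it uses; the link-text check only fires when the visible text itself looks like an address, so ordinary anchor text such as “PayPal” does not cause false positives.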
Attackers may also pop up a dialog or message window requesting your personal information while you are browsing a genuine web page, such as a Citibank page, so that the request appears to come from the site itself.
Social engineering means using non-technical means to lure users into a trap.
- One of the tricks is to create an urgent atmosphere, so that users may take action without enough time to validate the message’s authenticity.
- Another trick is to threaten users with severe consequences (such as service termination or account closure) if they fail to follow the instructions. A smaller number of attacks instead promise a large reward (“You have won a prize!”). Threats are more common than rewards.
Phishers use phishing e-mails and forged websites to run online fraud. They usually pose as trusted brands such as online banks, online retailers, and credit card companies in order to obtain users’ personal information; as a result, victims often disclose credit card numbers, bank account numbers, and ID numbers.
- Do not click on unknown links, and do not open e-mails from strangers.
- Harden servers and end-user computers: install anti-virus software, keep its signature database current, and regularly apply patches to the operating system (such as Windows) and to application software.