There are many dangerous threats lurking in cyberspace today, from software vulnerabilities and exploits, to viruses and botnets. Among these threats are phishing attacks, an electronic communication scam that attempts to secure highly personal information such as credit card info, user names and passwords by assuming the identity of a trustworthy entity. The trustworthy entity can be anything from a friend, whose e-mail account has been compromised, to large legitimate corporations such as banks and online retailers such as Amazon and eBay. A typical phisher's tackle box usually consists of bait, a hook and sometimes a phishing kit.
Laying the bait
To lure victims into disclosing sensitive information, phishers exploit the human mind through the art of social engineering. They do this by baiting individuals using electronic messages that contain popular and/or relevant material. The bait may be laid through e-mails, social networking and instant or mobile text messages.
For example, a phisher may spoof an e-mail from the victim's bank claiming their account needs to be updated. These e-mails can look VERY realistic and official, up to and including the bank's logo and a URL that looks like it's pointing to a legitimate URL. Or, the phish could come from a social networking site where the body of the message asks the victim to view updated photos or a 'funny video' after logging in with their username and password. Online gaming accounts are also frequently targeted through gaming forum invite messages.
Identifying the bait
Most phishing messages arrive unsolicited. Always be aware of such messages, especially if an action or response is required on your part - no matter how urgent it seems to be. Whenever possible, attempt to identify the sender. If the source of a questionable message is coming from someone you know, send a message back asking a specific question. For any confidential material that is e-mail bound, PGP encryption and digital signing is recommended to confirm the identity of both parties.
After supplying the bait, the attacker needs to hook information from the victim. In the simplest way, this is done purely through e-mail - asking the user to respond to the e-mail with the requested information, or call a given number. The latter case is known as 'Vishing' (see below for a definition). Scams such as advance fee fraud (aka the 419 Nigerian scam) follow this response methodology.
Usually, the hook is provided in the form of a link (URL). Links are commonly spoofed. Their text will seem to link to the proper site (http://www.validbank.com) but in reality the link goes to a completely different site. Typo-squatting is also popular: attackers will slightly change the link to seem legitimate on first glance (e.g, http://www.val1dbank.com).
Sign up for MIS Asia eNewsletters.