Phishing Characteristics and How to Deal With It

What is Phishing?

As technology has developed, cybercrime has become increasingly common, and one of its most frequent forms is phishing. Phishing is a method of cybercrime in which the target is contacted via email, phone or text message by someone posing as a legitimate organization to lure individuals into providing sensitive data such as personally identifiable information, credit card and banking details, and passwords. The email will usually contain a link to a fake page that looks exactly like a real website to trap the individual.

The information is then used to access important accounts and can result in identity theft and financial loss. The first phishing lawsuit was filed in 2004 against a California teenager who created a clone of the "America Online" website. With this fake website, he was able to obtain sensitive information from users and access credit card details to withdraw money from their bank accounts.

Types of Phishing

Phishing is divided into several types and techniques that cyber criminals use continuously. The types are:

1. Spear Phishing

Spear phishing is the act of sending an email to a specific target claiming to be a trusted sender. The content of the email usually contains a link that redirects the recipient to a fake website full of malware. These attempts are targeted at stealing sensitive information such as account credentials or financial information from specific victims. While often intended to steal data for malicious purposes, cyber criminals may also intend to install malware on the targeted user's computer. This is the most successful form of obtaining confidential information on the internet, accounting for 91% of attacks.

2. Deceptive Phishing

Deceptive phishing is the most common type of phishing scam. This scam occurs when an email that appears to come from a known source or a company you know tries to get you to hand over information. Usually, these emails ask you to:

  • Verify account information
  • Re-enter information, such as login or password
  • Change your password
  • Make a payment

Once this information is entered, the hacker obtains it and can access your account, then use the sensitive information to steal payment card information, sell your personal information or otherwise exploit it for profit.

There are two ways the perpetrator can carry out this kind of phishing. In the first, the perpetrator poses as a representative of an official agency or company and asks the victim to provide certain information. In the second, the perpetrator places a link to a malicious site in the message for the victim to click.

3. Smishing

Smishing is a type of phishing that involves text messages. Most of the time, this form of phishing is carried out through SMS messages or phone numbers. Smishing is especially dangerous because people tend to trust text messages more than emails. Most people are aware of the security risks involved in clicking on links in emails, but they are less careful when the link arrives in a text message.

Usually, criminals use tricks to get victims to click on the link provided, call the number listed, or reply to the message with the information the perpetrator needs. A common example in Indonesia is a message saying the victim has won a lottery or prize from a large company, with the sender claiming to be part of that company.

Apart from this, there are many other variations. Therefore, be careful and do not trust such messages easily.

4. Whale Phishing

Whale phishing is a term used to describe phishing attacks specifically aimed at wealthy, powerful, or prominent individuals. Due to their status, if such a user falls victim to a phishing attack, he or she can be considered a big fish or a whale. Whale phishing perpetrators use the same tactics as spear phishing.


How Phishing Works

Basic phishing attacks try to trick users into entering personal details or other confidential information, and email is the most common method of carrying out these attacks. An estimated 3.7 billion people send around 269 billion emails every day. Researchers at Symantec state that nearly one out of every 2,000 of these emails is a phishing email, which means about 135 million phishing attacks are attempted every day.

Most people don't have the time to carefully analyze every message that comes into their inbox, and this is what phishers exploit in several ways. Common phishing campaign techniques include offering prizes won in fake competitions, such as lotteries or contests by retailers offering 'winning vouchers'.

In this example, to 'win' the prize, the victims are asked to enter details such as name, date of birth, address and bank details in order to claim it. Similar techniques are used in other scams where the perpetrator claims to be from a bank wanting to verify non-existent purchase details or, sometimes even worse, claims to be from a technology security company that needs access to the information to keep its customers safe.

Another, more sophisticated scam is aimed at business users. Here the perpetrator may pose as someone from within the same organization or one of its suppliers and ask you to download an attachment that they claim contains information about a contract or deal.

In many cases the file will drop malicious software onto the system that harvests personal data. In many cases such files are also used to spread ransomware.

Phishing Characteristics

1. Poor Spelling or Grammar

Official messages from any large organization are unlikely to contain poor spelling or grammar.

2. Short URL in Email

Many phishing attacks invite victims to click through to an official-looking URL. However, if the user takes a second to check the link, it becomes clear that it is not a legitimate URL. The perpetrator hopes that the victim will not check the link at all and will simply click through. In other cases, the perpetrator uses a slight variation on a legitimate web address and hopes the user doesn't notice.

3. Incorrect Sender Address

Official companies will usually use an official email address that comes from the domain name of their website. First make sure that the domain in the email address belongs to a website that can be accessed and that it is the company's official website.

4. Relatively Lifelike Website Appearance

One of the characteristics of a phishing website is that it looks relatively similar to the real thing. If there are some things that do not match or feel different from usual, you must first make sure that it is a legitimate website.

5. Website Address Mistyped

Although the perpetrator can create a website that looks similar to the original, the domain itself cannot be copied, because one official domain can only be used for one website. To trick the victim, the perpetrator therefore uses a domain that is only slightly different from the original website's. For example, a fake version of www.klikbca.com was made with the domain www.klikkbca.com. Before logging in, make sure the website address is correct.
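The checks described in points 2, 3 and 5 can be automated. The following is an added example, not part of the original article: it compares the host in a link or sender address against a list of official domains and flags near-misses such as the klikkbca.com case. The allowlist contents, the function names and the two-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's real domain, taken from the article's example.
OFFICIAL_DOMAINS = {"klikbca.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_host(host: str, official=OFFICIAL_DOMAINS, max_edits: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    for domain in official:
        # Exact match or a real subdomain (www.klikbca.com) is official.
        if host == domain or host.endswith("." + domain):
            return "official"
    for domain in official:
        # Compare only as many trailing labels as the official domain has.
        n = domain.count(".") + 1
        tail = ".".join(host.split(".")[-n:])
        if edit_distance(tail, domain) <= max_edits:
            return "lookalike"
    return "unknown"

def classify_url(url: str) -> str:
    """Classify the host part of a link found in a message."""
    return classify_host(urlsplit(url).hostname or "")

def classify_sender(address: str) -> str:
    """Classify the domain of a From address such as 'Name <user@host>'."""
    return classify_host(address.rsplit("@", 1)[-1].strip("> "))

if __name__ == "__main__":
    # Constructed sample inputs, not taken from real messages.
    for link in ("https://www.klikbca.com/login",
                 "https://www.klikkbca.com/login",
                 "https://example.org/"):
        print(link, "->", classify_url(link))
    print(classify_sender("Support <info@klikkbca.com>"))
```

A "lookalike" result is the case to block or escalate; "unknown" only means the host is neither official nor close to an official name.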

6. No HTTPS website

To provide security to its users, usually large or credible sites use SSL for their websites. You can see in the address bar to find out whether the website uses HTTPS (SSL) or not. Most phishing sites do not have an SSL Certificate.

7. Login Frequently Fails

If you have used the correct username and password but still can't log in, you need to be suspicious that you might be on a phishing site. If you have already filled in your data there, immediately go to the original website and change your password.

How to Avoid Phishing

  • Check your accounts regularly
  • Create a bookmark for the login page
  • Do not click on anything in SMS messages
  • Do not click on links in suspicious email messages
  • Make sure the spelling of the website URL is the official one and that the site has SSL (HTTPS)
  • Change passwords regularly
  • Be vigilant when receiving messages from unknown people
  • Install internet security software and keep your antivirus up to date
  • Be wary of emails or text messages that promise rewards
