Phishing continues to be one of the most popular and effective methods of social engineering, which is basically the act of tricking victims into divulging information or taking action. In 2019, the Cyber Security Agency of Singapore (CSA) detected 47,500 phishing URLs with a Singapore link, an increase of about 200% from 2018. This is in line with global observations, which saw 2019 record the highest level of phishing attacks since 2016. As at the year 2020, it was reported that 75% of cyberattacks start with an email, and in this year itself, it has been reported that phishing attempts rose 600% since end of Feb 2020. But what is phishing?
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
Users are lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, colleagues/executives, online payment processors or IT administrators. The word is created as a homophone and a sensational spelling of fishing, influenced by phreaking.
There are various types of phishing, with specific names given to each of them, as follows:-
Types of Phishing
· Spear phishing – Phishing attempts directed at specific individuals or companies is known as spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.
· Whaling – The term whaling refers to spear phishing attacks directed specifically at senior executives and other high-profile targets. In these cases, the content will be crafted to target an upper manager and the person’s role in the company.
· Catphishing and catfishing – Catphishing (spelled with a “ph”) is a type of online deception that involves getting to know someone closely in order to gain access to information or resources. Catfishing (spelled with an “f”), a similar but distinct concept, involves a person creating a social network presence as a sock puppet or fictional person in order to finagle someone into a (usually) romantic relationship.
· Clone phishing – Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.
· Voice phishing – Voice phishing or vishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.
· SMS phishing – SMS phishing or smishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information.
The following are various techniques employed by perpetrators to conduct phishing attacks:-
· Link manipulation – Make a link in an email appear to belong to the spoofed organization.
· Filter evasion – Using images instead of text to make it harder for anti-phishing filters to detect the text commonly used in phishing emails.
· Covert redirect – Making links appear legitimate, but actually redirect a victim to an attacker’s website.
· Social engineering – luring users to click on unexpected content for a variety of technical and social reasons
· Tabnabbing – take advantage of tabbed browsing, with multiple open tabs and silently redirect the user to the affected site
The following are what we can do as end-users to protect ourselves and thereby mitigate the threat of phishing:
- Be cautious when handling emails sent from external sources.
- They are marked with the following in the message body:
- Check sender name against its email address
- Do not reply to the sender or forward to other recipients if you find an email suspicious
- Do not open or click on any embedded button/attachment/URL(s)if the email received looks suspicious
- Report any suspicious emails by clicking on the “Report Phishing” button in Microsoft Outlook :
Visit these links for more information: