Know your phishing
Google has just put a lid on a phishing scheme that drew in victims by claiming to be the search giant’s Docs platform. The victims received a mail saying a contact had shared a Google Doc, and when they opened the link, they were taken to a Google Docs page where a service called ‘Google Docs’ requested access to their email login.
Google has said in a statement that the campaign was contained in an hour, adding, “While contact information was accessed and used by the campaign, our investigations show that no other data was exposed.”
So what is phishing? Have you ever got an SOS message from a friend or a mail from your bank questioning how secure your credit card is? If you chose to ignore them, then you most probably escaped a phishing attempt.
The Oxford dictionary defines phishing as the fraudulent practice of sending emails claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers. Phishers are cyber criminals who siphon off vital confidential information, usually financial, from ‘susceptible’ people and misuse it.
The word is derived from ‘fishing’. While in fishing you would use a worm as bait to catch fish, phishers give certain details as bait. It can be anything, such as a Scandinavian philanthropist ready to part with his wealth, or an African princess expecting you to be her Prince Charming.
Often, these emails appear legitimate. A closer look and a little common sense would help you identify them.
And it is not always through email. There is vishing (voice phishing) and smishing (SMS phishing) too. You may be contacted by a person impersonating a call-centre employee or you may be asked to follow a series of actions as instructed by VoIP. Or an SMS from ‘Coca Cola Foundation’ might announce that you have won a million in the lottery.
In any case, your personal and financial details will be the target.
There is more…
Spear phishing is an email that appears to be from an individual or a business familiar to you. Spear phishers thrive on familiarity.
A fraudster may send a mail claiming he is from the RBI. The thing to remember here is that the sender’s email id might be something like rbi.com, but any government entity’s domain name would be ‘gov.in’ or ‘.org’ and not ‘.com’.
These emails can be more personal. They may address you the way your friends do. How do phishers find that out? From your social media profiles, of course.
Just as whaling is catching a ‘big fish’, so it is in cyber crime. Whaling is spear phishing targeted at an important person, such as a CEO or a senior-level employee in a firm. Would such a person fall prey? Unfortunately, yes.
In early 2016, the payroll department of social app Snapchat received a mail purportedly from the CEO asking for the payroll details of past and current employees. The details were quickly shared, only for it to be revealed later that Snapchat’s CEO never asked for any such details! In a lengthy blog post, Snapchat apologised to its employees and assured them that the servers were not breached.
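The sender-domain check from the RBI example above, written out as an added example (not part of the original article). It assumes the expected suffix is the ‘gov.in’ the article names; the sample From headers and the `agency.gov.in` sender are constructed.

```python
from email.utils import parseaddr

# Assumption: the recipient expects mail from a 'gov.in' domain,
# as in the article's RBI example.
EXPECTED_SUFFIXES = ("gov.in",)

def sender_domain(from_header):
    """Return the lower-cased domain of the real address, or None."""
    # parseaddr separates the display name (free text chosen by the
    # sender) from the address that actually identifies the mailbox.
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None

def matches_suffix(domain, suffix):
    """Match only on a whole-label boundary, at the end of the domain."""
    return domain == suffix or domain.endswith("." + suffix)

def check_sender(from_header, expected=EXPECTED_SUFFIXES):
    """Classify a From header as ok, suspicious, or reject."""
    domain = sender_domain(from_header)
    if domain is None:
        return ("reject", "no parsable sender address")
    if any(matches_suffix(domain, s) for s in expected):
        return ("ok", domain)
    return ("suspicious", domain)

# Constructed sample headers, one per trick the check has to survive.
SAMPLES = [
    'notice@agency.gov.in',                           # expected sender
    '"Reserve Bank" <alerts@rbi.com>',                # right name, wrong domain
    'Notice <notice@fakegov.in>',                     # ends in "gov.in", wrong label
    'notice@agency.gov.in.example.com',               # suffix in the middle
    '"notice@agency.gov.in" <x@mailer.example.com>',  # address in display name
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), "<-", header)
```

The From header is written by the sender, so an ‘ok’ result only rules out the obvious lookalikes; it does not prove the mail is genuine unless the receiving server has also verified the domain with SPF, DKIM or DMARC.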
“Our hope is that we never have to write a blog post like this again,” said the post.
Imagine this. You get a mail from Facebook (at least that's what it looks like) saying your account is compromised and you should click the link to update your credentials. You click the link, and it takes you to a page that looks just like Facebook. If you have given your personal details without checking the URL, you have just been ‘pharmed’.
Just like farming where you plant seeds, in pharming you are conned to ‘voluntarily’ plant your details. The fraudster modifies the DNS entry to create a fake website and lures users to key in personal details. A malware or spyware detector is unlikely to catch pharming because it is carried out by poisoning the DNS at the host level while your PC remains safe.
Tabnabbing, also spelt as tab napping, is similar to pharming, but here the CSS of the real website is copied. The inactive or dormant tab in your browser is the target. The fake website will have the same icon and description as the real one. The user, without verifying the URL, spills out security details such as passwords.