Phishing attacks are those attacks whereby false or fraudulent communication is
sent to different users of internet through e-mails/corrupted links for
collecting sensitive data or information of users. Hackers use the personal
information for their own interests and benefits i.e. for stealing money which
makes this hard to detect their original source or the person who has done this
It includes stealing information of credit cards and other bank
details; this attack often occurs through malicious e-mails or links. In this
way, the attackers can provide financial loss to the user whose credit card
details has been stolen and also the attackers can commit the crime of identity
theft after drawing the necessary personal data from the user not only the
individuals but big organizations also can be targeted.
Hackers create mirror sites which look exactly like the original sites and
innocent victims fall into the trap of the hackers or attackers. In the recent
years, attacks through phishing have increased on a large scale as this is a
very easy way to get into anyone's personal data and information. Phishing is
the new way of stealing personal data and wreaking one's personal life.
Attackers betray people by playing with their innocent minds and manipulating
The attackers try to lure victims into their traps by creating a
sense of urgency in front of them that they cannot avoid. Attackers try to scare
innocent people as they sent e-mails like their bank accounts will shut down if
they do not give their personal details to retrieve their account.
this, but attackers also take advantage by outraging the emotions of the people
as sometimes they spread fake news which can trigger the emotions or feelings of
some people and when those people click on that fake news articles link in order
to read it, hackers or attackers get access to the sensitive personal data or
information of the users.
Why This Attack Has Become So Common?
With the advancement of technology, we have seen an increase in cyber abuse or
increase which means the improper use of internet and phishing has become one of
the most common platforms for the phishers or hackers to execute their criminal
activities. In the year 2020, Phishing is the most common attack performed by
the cyber criminals.
Internet crime complaints centre of FBI recorded over twice
or many incidents of phishing than any other type of cybercrime. An increase of
about 72% to 86% has also been observed in Phishing attacks from 2017 to 2020
Unawareness among the masses and the people is another reason why phishing
attacks are getting as common as people with lack of knowledge or education
opens the links sent to them by the hackers without checking their
authorization. In this way, A virus in any of the user's electronic gadgets gets
installed within the range of user's reach, it can be a laptop, mobile, tablet,
or even Wi-Fi routers can be route for phishing.
Also, Fraudsters often take advantage of the lack of knowledge regarding bank
policies and procedures which are made for the customers particularly in the
account maintenance. And when these hackers or phishers get access to details of
a person's bank account leading to unforeseen transactions from a person's
account, that could happen due to phishing. These transactions are either a
large one-time amount or are conducted in multiple times of smaller amounts.
Few Examples of Phishing Attacks:
- A spammed email from Xyz. Ltd. Co. has been sent to the employees
belonging to top level management of this company.
- The spammed e-mail states that urgency of changing the passwords of the
employees' accounts has erupted and further states that an unauthorized
login has been observed in the employee's accounts.
- The employees are further directed in the E-mails to go to the Xyz. Ltd.
Co. renewal, a false link which looks, the same like the original link of
the company for changing the password of their accounts. Employee believing
the link to be authentic enters their new and old passwords. And the phishers or hackers
who was continuously watching the activities of the employee gets the original
password through which he can have the full access of secured sites of the
company and the attackers can watch all the day to day activities of the company
and can also execute his malicious activities of stealing the personal or
sensitive data or information of employee and that of the company.
Techniques Used in Phishing Attacks
- Link Manipulation
Under this technique, hackers generate a forge link which looks exactly like the
original link of any legitimate site and unaware people believing that fake link
to be true opens the link and in this way hackers or attackers get access to all
the personal data of those people.
For example- www.myntraa.com is the fake link and www.myntra.com is the original
link and it can be clearly seen that both the links do not have much difference.
Hackers often do some misspelling in the original links and creates a fake link
which looks so identical that it is hard to point out any difference between
- Filters Evasion
Phishers have developed a unique way known as filters evasion which is a method
through which coming into the radar of spam filters can be avoided. The task of
the spam filters is to detect the text generally used in phishing mails and
automatically take those spam emails out of the inbox that's why phishers use
images in place of texts because of which it is difficult for the spam filters
to identify the texts used in phishing e-mails and remove them.
- Social Engineering
Under this technique, phishers manipulate the thought process of the users which
makes them to click on the link without even realizing that it has not come from
a legitimate source. For example- sometimes, Hackers send e-mails stating that
the bank account of the user will shut down if he/she does not take necessary
action right away. Then, user clicks on the link thinking the matter to be
urgent and when the user clicks on the link, he unknowingly gives all his
personal information to the attackers or phishers because hackers design those
links in a manner that they look exactly like the original website of the
Types of Phishing Attacks
- E-mail Phishing
E-mails are the most commonly used method by the attackers for stealing the
sensitive data from users. Under this type of phishing attack, attackers send
malicious e-mails to the people/users at large. They do not target any
specific person or organization. The content provided in these emails is
mainly about bank services or streaming services etc. And users believing
those emails to be real and authentic enter all their credentials. These
attackers use their credentials to steal money from them.
- Spear Phishing
Under this type of phishing attack, the malicious e-mail targeted to a specific
individual only. When the attacker wants to target a particular person then it
becomes easy for the attacker to gather his personal information before
attacking on him. And this personal information of the user is used in the email
to make it more authentic which increases the success rate of the attack. Mainly
executives or those persons who work in the financial departments are the common
targets of these attackers as they can get sensitive information of the
organizations from them. A recent study conducted in the year 2019 disclosed
that accountancy and audit firms are the frequent targets in the spear phishing
attacks as the employees' working in these firms have access to important
financial data which could be very valuable for these attackers.
- Voice Phishing or Vishing
Under this type of phishing attack, attackers dial phone numbers of users at
large and then they will play recordings once the call has been received by the
user. These recordings usually make fake claims regarding a fraudulent activity
on the user's bank account or credit cards and these hackers are so clever that
they use such technique which will show the real numbers of the bank to the user
leaving no chance for the victims to be suspicious about anything. And then, the
recordings of the phone call will direct the victim to call a number which is
connected to the attacker to resolve their issue. The attackers will then
collect the necessary sensitive data from the victim and uses this personal
information of the victim for conducting the malicious activities.
- Page Hijacking
In this type of attack, hackers corrupt an authentic webpage or website and
direct the users who come on the webpage or website to a false malicious website
created by the hacker or attacker himself. And when the victim visits that
malicious website, he unknowingly gives all his sensitive details to the
- Clone Phishing
In this type of phishing attack, formerly delivered e-mail which contained an
attachment or link already having the required data is used for creating a
cloned e-mail. A hacker usually replaces the attachment or link with a malicious
e-mail and then hacker sends that malicious e-mail from an email address which
appears to have come from the original sender, the e-mail stating to be a resend
of original one.
Safeguards Against Phishing Attacks
- Training Programs for Users
Many organizations use this anti-phishing method to make its users aware about
identifying the phishing attacks. In this method, users are taught to be alert
in case they observe something suspicious in their devices and they are also
taught to keep a check on their browsing activities. Some institutions have
their own way of responding to their customers.
For example: Some companies address their customers through a unique ID which
they have provided to them and if someday, any customer or user receives an
email from the company in a different way thus, it might be possible that it is
a phishing attack. And if that happens, customers or the client should reach out
to the company immediately regarding this issue and also make them aware about
the attack. In this way, if the user has been trained very well, so he can not
only save himself but he can also save the entire company from the malicious or
bad intentions of the attacker or phishers or hackers.
- Filtering out Phishing E-mails
Technology has developed a lot now-a-days and because of this so many useful
methods are available to the users of internet to protect themselves from being
attacked by any hacker or phisher. In this method, spam filters are there which
spontaneously detect or identify the spammed links or emails and does not let
these spammed links or emails to enter into the user's inbox and thus,
preventing the user from the risk arising out from being attacked.
- Keep Track of Spammed E-mails
Usually, companies having sensitive data are on the targets of the hackers. So,
companies like them hire institutions who after their services for monitoring
the spam e-mail or malware viruses in the company's system. These institutions
keep a track of all the spam emails which can hamper the working of the
company's software system. So, these institutions firstly identify the spam
e-mails and links and then take them out from the system of the company or
organization so that no harm can be done or no stealing of sensitive information
of the company can happen.
- Verifying Transactions
Smart phones can be used as a medium to prevent a phishing attack from
happening. As these devices can be used as way of double checking transactions8.
For example- if you have done a transaction then a message will be received on
your smart phone declaring that a transaction has happened. And if it is done by
an attacker, a user can know after receiving a message on his smart phone and
can get alert. It is a very effective way of double verifying the transaction
activities. Thus, making it hard for the attackers to get any improper advantage
form the victim.
- Two Factor Authentication
For protection of any system from phishing attack, it is necessary to have a
strong security system so that it will be difficult for the attacker to get into
the system under two factor authentications, the user is required to enter two
different and distinct identification to access something. If user wants to have
an access into something, at first, he is required to enter a password and later
any code which is sent on the user's registered mobile number, after entering
both the security code, the user is allowed to access anything.
- Provisions under Law
There are provisions of Information Technology Act, 2000 which added a few new
provisions and give a scope to deal with the phishing activity. The sections
which apply to phishing attacks under the IT Act, 2000 are: - Sec.66, Sec.66A,
Sec. 43, Sec. 66C, Sec.66D, Sec.81.
Under the Indian Penal Code, 1860, Phishing can also be held liable under
Cheating (Sec. 415), Mischief (Sec. 425), Forgery (Sec.464) and Abetment
Important Case Studies Relating to Phishing Attacks
- Facebook and Google
Between the year 2013 and 2015, a phishing attack happened at Facebook and
Google in which they were hoodwinked for about $100 million. These both
companies were using the same vendor named quanta, a company belonged to Taiwan.
The phisher sent sequence of invoices which were absolutely fake and both the
companies paid the attacker by believing that he is the original vendor of the
company. But, after some time, both the companies discovered that they have been
attacked and with the help of US legal system, the attacker was arrested from
Lithuania and because of this, Facebook and Google were able to recover only
$49.7 million among $100 million stolen from them.
- Crelan Bank
A Belgium based bank named Crelan who was a sufferer of business email
compromise scam due to which the company suffered the loss of around $75.8
million. In this type of scam, the attacker targets the high- level executives
in a company and after compromising their accounts, the attacker instructs the
employees working under them to transfer money to the attacker's accounts. In
this case, the bank was able to discover the attack on them during an internal
An Austrian company who was the manufacturer of aerospace parts was attacked
through Business Email compromise scam which cost them a loss of huge sum of
money. The phisher who attacked the company compromised the account of company's
CEO and instructed the employees working in the accounts department of the
company to transfer a sum of. The company held the CEO and CFO responsible for
the attack and institutes a suit against them as they were responsible to take
proper care and should have taken necessary steps for the security controls and
they should have conducted internal supervision for the prevention of the
- Attack on Nidhi Razdan
A very well-known TV anchor, Nidhi Razdan who was also the previous executive
editor of NDTV news channel became the victim of a phishing attack. One day, she
received an email stating that she had been offered a job from 'Harvard
University' as "Associate professor" at its journalism school. She received the
email as a normal prudent would have taken and after taking all the reasonable
care, she accepted the offer after being interviewed through a single
For the continuous period of 9 months, she was befooled by the
attackers and the attackers gave her so many reasons for the delay in joining of
her job position. Meanwhile, she quit her job which she was doing from the past
21 years and when she suspected sometimes. She decided to fly to US to check up
on her new appointment, there she got to know that she had been attacked and the
job appointment was a fake one after contacting the senior management at Harvard