Phishing is an attack in which false or fraudulent communication, usually an e-mail carrying a malicious link or attachment, is sent to internet users in order to collect their sensitive data. Attackers use the harvested information for their own benefit, most often to steal money, and launder the proceeds in ways that make the source of the attack and the person behind it hard to trace.
The data sought includes credit card numbers and other banking details, and the attack most often arrives through a malicious e-mail or link. The attacker can then cause direct financial loss to the person whose card details were stolen, and can commit identity theft with the personal data obtained. Individuals are not the only targets; large organisations are attacked in the same way.
Attackers build mirror sites that look exactly like the original, and unsuspecting victims fall into the trap. In recent years phishing has grown sharply because it is an easy way to reach anyone's personal data. It has become a standard route to stealing personal data and wrecking a person's life; attackers exploit people's trust and manipulate their judgement.
A standard lure is a sense of urgency that the victim feels unable to ignore. For example, the attacker sends an e-mail warning that the recipient's bank account will be closed unless personal details are supplied to "recover" it.
Attackers also exploit strong emotions. Fake news stories that provoke outrage or fear are circulated, and when readers click the link to read the article, the attacker obtains access to their sensitive data through the credential-harvesting page or malware that sits behind the link.
Why Has This Attack Become So Common?
With the advancement of technology, cyber abuse, that is, the improper use of the internet, has increased, and phishing has become one of the most common means by which criminals carry out their activities. In 2020 phishing was the most common attack performed by cyber criminals.
The FBI's Internet Crime Complaint Center (IC3) recorded more than twice as many phishing incidents as any other type of cybercrime. Among businesses, the share reporting phishing attacks has also been observed to rise from about 72% to 86% between 2017 and 2020.
Lack of awareness is another reason phishing is so common: people without the necessary knowledge open links sent by attackers without checking where they lead. In this way malware gets installed on whatever device the user has within reach, whether a laptop, mobile phone or tablet; even a Wi-Fi router can be a route for phishing.
Fraudsters also take advantage of customers' limited knowledge of bank policies and procedures, particularly those for account maintenance. When a phisher obtains a person's banking details, the result is unexpected transactions from that account, either a single large withdrawal or a series of smaller ones.
An Example of a Phishing Attack:
- A spam e-mail purporting to come from Xyz. Ltd. Co. is sent to employees in the company's top-level management.
- The e-mail states that an unauthorised login has been observed on the employees' accounts and that their passwords must be changed urgently.
- The employees are directed to the "Xyz. Ltd. Co. renewal" page, a false link that looks the same as the company's genuine password-change link. Believing the link to be authentic, an employee enters both the old and the new password. The phisher, who is watching the activity on the fake page, now holds the real password and with it full access to the company's protected systems: he can observe the company's day-to-day activities and steal the personal or sensitive data of the employee and of the company.
Techniques Used in Phishing Attacks
- Link Manipulation
Under this technique the attacker creates a forged link that looks almost exactly like the link to a legitimate site; people who do not notice the difference open it and hand their personal data to the attacker.
For example, www.myntraa.com is a fake link and www.myntra.com is the original; the two differ by a single letter. Attackers typically introduce a small misspelling into a genuine domain name, producing a fake that is hard to tell apart from the real one.
- Filter Evasion
Phishers use filter evasion to stay off the radar of spam filters. A spam filter looks for the text commonly found in phishing mails and removes matching messages from the inbox, so phishers put the text into images instead; the filter cannot read the words inside an image and lets the message through.
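To make the two tricks above concrete, here is an added example (not code from the original article) that parses a constructed phishing e-mail and flags the look-alike domain, the mismatch between a link's visible text and its real target, and a body whose text has been hidden in an image. The trusted-domain allowlist, the 80-character text threshold, the two-label "registrable domain" shortcut and the sample message are assumptions for illustration; production code would use the Public Suffix List and a far larger brand list.

```python
"""Added example (not code from the original article): flag the link-manipulation
and image-based filter-evasion tricks described above in a constructed phishing e-mail."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands this mailbox expects to hear from (a tiny allowlist).
TRUSTED_DOMAINS = {"myntra.com", "example-bank.com"}
# Assumption: a body with an image and fewer visible characters than this hides its text in the image.
IMAGE_ONLY_MAX_TEXT = 80
# Link text that itself looks like a URL or domain (so a mismatch with the real target is meaningful).
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample: look-alike sender and link target, genuine domain shown as link text, image-only body.
RAW_EMAIL = b"""From: "Myntra Support" <support@myntraa.com>
To: victim@example.org
Subject: Action required: unusual login on your account
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:notice" alt="">
<a href="http://www.myntraa.com/login">https://www.myntra.com/account</a>
</body></html>
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of a host (assumption; real code consults the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def fold_homoglyphs(name: str) -> str:
    """Map characters attackers swap for look-alikes back to the ASCII letters they imitate."""
    table = str.maketrans("0\u0430\u0435\u043e1", "oaeol")  # digit 0, Cyrillic a/e/o, digit 1
    return name.translate(table).replace("rn", "m")

def classify_domain(host: str) -> str:
    """'trusted', 'lookalike:<brand>' (within 2 edits of a brand after folding) or 'unknown'."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold_homoglyphs(reg)
    for brand in sorted(TRUSTED_DOMAINS):
        if edit_distance(folded, brand) <= 2:
            return "lookalike:" + brand
    return "unknown"

class _HtmlFacts(HTMLParser):
    """Collect (href, visible text) for anchors, the image count and the visible text length."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0
        self._href, self._buf = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
        elif tag == "img":
            self.images += 1
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None
    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._href is not None:
            self._buf.append(data)

def analyse(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain
    if (verdict := classify_domain(sender)).startswith("lookalike"):
        findings.append(f"sender domain {sender} is a {verdict}")
    facts = _HtmlFacts()
    body = msg.get_body(preferencelist=("html",))
    facts.feed(body.get_content() if body is not None else "")
    for href, text in facts.links:
        host = urlparse(href).hostname or ""
        if (verdict := classify_domain(host)).startswith("lookalike"):
            findings.append(f"link host {host} is a {verdict}")
        if LOOKS_LIKE_URL.fullmatch(text):  # visible text is itself a URL: it must agree with the target
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
    if facts.images and facts.text_chars < IMAGE_ONLY_MAX_TEXT:
        findings.append("body is mostly an image with little text (filter evasion)")
    return findings
```

Calling analyse(RAW_EMAIL) returns four findings: the look-alike sender domain, the look-alike link host, the link whose visible text shows www.myntra.com while pointing at www.myntraa.com, and the image-only body. Two design points are worth noting. A misspelling such as myntraa defeats the reader's eye but not a one-edit distance check; a Cyrillic "а" in place of the Latin letter defeats the edit-distance check too, unless the name is folded first, which is why classify_domain folds before comparing. And because the text of an image-only message is not available to a keyword filter, the structural signal (an image plus almost no visible text) is what the filter has to key on.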
- Social Engineering
Under this technique the phisher manipulates the user's thought process so that the user clicks the link without realising it did not come from a legitimate source. For example, the attacker sends an e-mail stating that the user's bank account will be closed unless action is taken right away. The user clicks the link believing the matter to be urgent and, because the landing page is designed to look exactly like the institution's real website, unknowingly hands all of his or her personal information to the attacker.
Types of Phishing Attacks
- E-mail Phishing
E-mail is the most common method attackers use to steal sensitive data. In this type of attack the attacker sends malicious e-mails to people at large rather than to any specific person or organisation. The content usually concerns bank or streaming services; users who believe the e-mails to be genuine enter their credentials, and the attacker uses those credentials to steal money from them.
- Spear Phishing
In this type of attack the malicious e-mail is aimed at one specific individual. Because the attacker has chosen a particular person, it is easy to gather personal information about the target beforehand, and that information is used in the e-mail to make it look authentic, which raises the success rate. Executives and staff in finance departments are common targets, since sensitive information about the organisation can be obtained from them. A study conducted in 2019 found that accountancy and audit firms are frequent spear-phishing targets because their employees have access to financial data that is very valuable to attackers.
- Voice Phishing or Vishing
In this type of attack the attacker dials large numbers of users and plays a recording once the call is answered. The recording typically makes a false claim about fraudulent activity on the user's bank account or credit card, and the attacker spoofs the caller ID so that the bank's real number is displayed, leaving the victim little reason for suspicion. The recording then directs the victim to call a number connected to the attacker in order to "resolve" the issue, and the attacker collects the sensitive data needed for further fraud.
- Page Hijacking
In this type of attack the attacker compromises a legitimate webpage or website and redirects its visitors to a malicious site the attacker has created. When the victim lands on the malicious site, he or she unknowingly gives sensitive details to the attacker.
- Clone Phishing
In this type of attack a previously delivered, legitimate e-mail that contained an attachment or link is used as the template for a cloned e-mail. The attacker replaces the attachment or link with a malicious one and sends the message from an address that appears to be the original sender's, claiming it to be a resend of the original.
Safeguards Against Phishing Attacks
- Training Programs for Users
Many organisations use this anti-phishing method to make their users aware of how to recognise a phishing attack. Users are taught to be alert when they notice anything suspicious on their devices and to keep a check on their browsing activity. Some institutions also have a fixed way of addressing their customers.
For example, some companies address each customer by a unique ID they have issued; if a customer receives an e-mail from the company that addresses them in any other way, it may well be a phishing attempt. The customer should then contact the company immediately and report the attack. A well-trained user can in this way protect not only himself but the entire company from the attacker's intentions.
- Filtering out Phishing E-mails
Many tools are now available to internet users to protect themselves from attackers. Spam filters automatically detect spam links and e-mails and stop them from reaching the user's inbox, so the user is never exposed to the risk.
- Monitoring Spam E-mails
Companies that hold sensitive data are usual targets, so such companies engage service providers who monitor spam e-mail and malware across the company's systems. These providers keep track of spam e-mails that could disrupt the company's software systems: they first identify the spam e-mails and links and then remove them from the organisation's systems so that no harm is done and no sensitive information is stolen.
- Verifying Transactions
Smartphones can be used as a means of double-checking transactions. When a transaction is made, a message is sent to the account holder's smartphone announcing it. If the transaction was made by an attacker, the user learns of it as soon as the message arrives and can raise the alarm. This is an effective way of verifying transaction activity and makes it hard for the attacker to profit from the victim.
- Two Factor Authentication
For protection against phishing a system needs strong authentication so that it is difficult for an attacker to get in. Under two-factor authentication the user must present two distinct proofs of identity to gain access: first a password, and then a code sent to the user's registered mobile number. Only after both have been entered is access granted. Note the limit of this control: it stops an attacker who has obtained only the password, but a phishing page that asks for the code and forwards it to the real site within its validity window defeats it, and a code sent by SMS can also be intercepted through a SIM swap.
- Provisions under Law
The Information Technology Act, 2000 added provisions that give scope to deal with phishing. The sections relevant to phishing attacks under the IT Act, 2000 are Sec. 43, Sec. 66, Sec. 66A (struck down by the Supreme Court in 2015 in Shreya Singhal v. Union of India), Sec. 66C, Sec. 66D and Sec. 81.
Under the Indian Penal Code, 1860, phishing can also attract liability for cheating (Sec. 415), mischief (Sec. 425), forgery (Sec. 464) and abetment (Sec. 107).
Important Case Studies Relating to Phishing Attacks
- Facebook and Google
Between 2013 and 2015 Facebook and Google were defrauded of about $100 million by a phishing scheme. Both companies used the same vendor, Quanta, a Taiwanese company. The phisher sent a series of entirely fake invoices, and both companies paid the attacker believing him to be the genuine vendor. When the fraud was eventually discovered, the attacker was arrested in Lithuania with the help of the US legal system, and Facebook and Google recovered only $49.7 million of the $100 million stolen.
- Crelan Bank
The Belgian bank Crelan was the victim of a business e-mail compromise (BEC) scam that cost it around $75.8 million. In this type of scam the attacker targets a company's senior executives and, after compromising their accounts, instructs the employees under them to transfer money to the attacker's accounts. The bank discovered the attack during an internal audit.
- FACC
FACC, an Austrian manufacturer of aerospace parts, was hit by a business e-mail compromise scam that cost it a huge sum of money. The phisher, acting through the compromised account of the company's CEO, instructed employees in the accounts department to transfer money to the attacker. The company held the CEO and CFO responsible and sued them, on the ground that they had failed to take proper care, put the necessary security controls in place and exercise the internal supervision that would have prevented the attack.
- Attack on Nidhi Razdan
Nidhi Razdan, a well-known television anchor and former executive editor of the NDTV news channel, became the victim of a phishing attack. She received an e-mail offering her a position as "Associate Professor" at Harvard University's journalism school. She treated the e-mail as a normal prudent person would, took reasonable care, and accepted the offer after a single interview held over web conferencing.
For nine months the attackers strung her along with one reason after another for the delay in her joining. Meanwhile she had quit the job she had held for 21 years. When she grew suspicious she decided to fly to the US to check on her appointment, and on contacting senior management at Harvard University she learned that she had been attacked and that the job offer was a fake.
References:
- https://www.cisco.com/c/en_in/products/security/email-security/what-is-phishing.html
- https://www.fortinet.com/resources/cyberglossary/types-of-phishing-attacks
- https://www.phishprotection.com/blog/phishing-case-studies-learning-from-the-mistakes-of-others/
- https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-phishing/the-top-5-phishing-scams-of-all-times/
- https://www.kaspersky.co.in/resource-center/preemptive-safety/phishing-prevention-tips
- https://digitalguardian.com/blog/phishing-attack-prevention-how-identify-avoid-phishing-scams
- https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
- https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack
- https://www.imperva.com/learn/application-security/phishing-attack-scam/