What are Phishing Attacks?
Phishing is a widely used technique for stealing confidential information such as usernames, passwords, and credit card details by misleading the victim, mainly through email. According to a recent analysis, since the beginning of 2020, Google has recorded 2.02 million phishing websites.
In addition, phishing is commonly used as part of a wider attack to obtain a foothold in business or governmental networks, such as an advanced persistent threat (APT) campaign.
It is best understood as a type of social engineering in which an attacker sends a phony message in the hope of duping a human victim into divulging personal information. In the mid-1990s, cybercriminals used the America Online (AOL) service to spread the first phishing attacks, stealing passwords and credit card information.
How Does Phishing Happen?
The most typical sort of phishing involves an attacker addressing their target through email, posing as a genuine firm, and attempting to obtain personal or login information from them. The emails frequently focus on instilling fear or, paradoxically, a sense that security has been lost.
This psychology is universal, and attackers exploit it, together with trust cues, in phishing attacks.
It happens when an attacker poses as a trustworthy entity and convinces a victim to follow the instructions in an email or text message.
The recipient is subsequently duped into clicking a malicious link, resulting in malware installation, a system freeze, or the disclosure of sensitive information.
What are the Types of Phishing?
The aim of phishing is always the same, but there are many types and ways of victimizing someone. Some common types of phishing attacks are given below.
1. Phishing Email
Phishing emails look like emails from a trusted source and tell a story that misleads the victim into clicking a targeted link or downloading an attachment. Many phishing emails claim that an unusual login attempt has been noticed, when in fact someone is waiting for you to fall into the trap.
Another standard phishing email says that there was an error processing your payment or creating an account. You may have already encountered these sorts of emails. In reality, this is nothing but an attempt to steal your information.
Other phishing emails ask you to confirm your identity, claim government funds, or redeem discount coupons.
2. Link Manipulation
Link manipulation is another type of phishing attack involving a malicious link that looks like a link from a trusted source. At first glance the link looks like one from a well-known company or website, but you land on a different page made by the attackers.
Link manipulation mostly happens using the referral links of many websites. For example, Facebook uses the l.php?u= endpoint to redirect external links when you click any outgoing link on Facebook. To be more exact, if you see a link like https://google.com on Facebook and click on it, Facebook will redirect your request to https://facebook.com/l.php?u=https://google.com, and it will be processed through the
Phishing attackers use this kind of URL to outsmart you, placing their phishing website link after the redirect parameter. Users see that the URL begins with a website they use regularly, but the attackers have in fact manipulated the link to point to their phishing page.
Attackers redirect phishing URLs via popular and trustworthy websites. Take https://phisingdomainexample.com as an example phishing page. In this case, attackers convince the victim to click on a link like https://facebook.com/l.php?u=https://phisingdomainexample.com and follow the instructions. The phishing page could ask for a username, password, credit card information, and much other confidential information.
When the URL starts with a popular and regularly used website's address, most victims fall into the trap and hand their information to the attacker.
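The check a mail filter or awareness tool can run on such links, as an added example that is not part of the original article: it recognises a known redirector (Facebook's l.php?u= from the text), pulls the real destination out of the redirect parameter, and surfaces it when it is not a trusted domain. The redirector table and the trusted-destination list are constructed for this example.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed for this example. Facebook's l.php?u= endpoint from the text
# is the one real redirector listed; add others as you learn them.
KNOWN_REDIRECTORS = {
    "facebook.com": {"u"},
    "l.facebook.com": {"u"},
}

# Constructed list of destinations the reader actually trusts.
TRUSTED_DESTINATIONS = {"google.com", "facebook.com"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host: str, trusted=TRUSTED_DESTINATIONS) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def redirect_targets(url: str) -> list:
    """Hosts that a known redirector URL will forward the browser to.

    Only parameters the redirector is known to use are inspected, and only
    values that are themselves absolute http(s) URLs count as targets.
    """
    parts = urlsplit(url)
    params = KNOWN_REDIRECTORS.get((parts.hostname or "").lower())
    if not params:
        return []
    targets = []
    # parse_qs already percent-decodes once; unquote handles double encoding.
    for name, values in parse_qs(parts.query).items():
        if name not in params:
            continue
        for value in values:
            target = unquote(value)
            if target.lower().startswith(("http://", "https://")):
                targets.append(host_of(target))
    return targets


def classify_link(url: str) -> str:
    """Label a link the way a mail filter or awareness tool might.

    'direct'                   - not a known redirector (domain checks apply)
    'redirect:trusted'         - redirector forwards to a trusted domain
    'redirect:external:<host>' - redirector forwards elsewhere; the real
                                 destination is surfaced for the reader
    """
    targets = redirect_targets(url)
    if not targets:
        return "direct"
    for target_host in targets:
        if not is_trusted_host(target_host):
            return f"redirect:external:{target_host}"
    return "redirect:trusted"


if __name__ == "__main__":
    for link in (
        "https://facebook.com/l.php?u=https://google.com",
        "https://facebook.com/l.php?u=https://phisingdomainexample.com",
    ):
        print(f"{classify_link(link):48} {link}")
```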
3. Spear Phishing
Spear phishing is a kind of personalized phishing attack targeting a specific person, business, or organization. Multiple layers of phishing are used to penetrate the person or business.
The attacker first identifies specific people who work for the company as targets. These people are typically in charge of company information or infrastructure.
Then the attacker collects information about the person or group. They usually gather basic information such as friends, family, colleagues, social media activities, and other general details.
Using this information, the attacker creates a target profile to analyze and understand the behavior of the target.
After that, the attacker tries to communicate digitally, mainly through email. Generally, the attacker pretends to be a senior colleague and instructs the target to do certain things, such as changing passwords, providing confidential company information, or whatever else the attacker needs.
Sending malicious attachments is another common form of spear phishing. The attacker sends an email that creates a sense of urgency in the victim. Out of curiosity or fear, the user downloads the attachment and falls into the trap.
4. Fake Websites
Fake websites are another way of organizing a phishing attack. First, the attacker registers a domain name similar to a popular domain.
Generally, the fake domain involves character manipulation that looks identical at a glance but different on closer observation. It creates a kind of illusion in the user's eye. For example, attackers use:
- r and n next to each other (rn) to look like the letter m.
- 0 instead of o, and vice versa.
- 1 instead of l, and vice versa.
Alternatively, fake websites may be used for sending emails that appear to come from a legitimate source.
5. Content Injection
Content injection is also known as content spoofing. The attacker injects custom commands or text into other web applications through an injection vulnerability.
There are mainly two types of content injection:
- HTML injection: happens when a vulnerable application accepts input values from users. The attacker supplies their own phishing HTML code through the injection point and misguides the victim into following the injected URL.
- Text injection: is similar to HTML injection. Attackers use plain text instead of HTML code to instruct the victim and lead to data compromise.
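The two flavours above side by side, as an added example that is not from the original article: a page that interpolates request parameters unchanged (vulnerable to both HTML and text injection) next to a hardened version. The template, the user store, the allowed host list and the user ids are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit

# Page template shared by both versions (constructed for this example).
TEMPLATE = ('<p>Hello, {name}! Please continue at '
            '<a href="{url}">your account page</a>.</p>')

# Constructed server-side user store: the hardened version looks the display
# name up here instead of echoing whatever the request says.
USERS = {"u123": "Bob", "u456": "O'Brien <QA>"}

# Constructed allow-list of hosts the 'continue' link may point to.
ALLOWED_HOSTS = ("example.com",)


def render_vulnerable(name: str, url: str) -> str:
    """Before: both values come straight from the request (think
    ?name=...&next=... in a link the victim was sent) and are interpolated
    unchanged, so attacker-supplied markup or instructions render as part
    of the trusted site's page."""
    return TEMPLATE.format(name=name, url=url)


def safe_redirect_url(url: str) -> str:
    """Accept a same-site path or an https URL on an allowed host; anything
    else falls back to the account root. urlsplit puts the host of a
    protocol-relative '//host/path' in netloc, so that case fails the
    first test and is not mistaken for a local path."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc and url.startswith("/"):
        return url
    if parts.scheme == "https" and (parts.hostname or "").lower() in ALLOWED_HOSTS:
        return url
    return "/account"


def render_hardened(user_id: str, url: str) -> str:
    """After: the greeting comes from the server-side record, so free text
    from the request never reaches the page (this is what stops text
    injection; escaping alone would still display an injected message);
    the link is validated; and every interpolated value is HTML-escaped so
    stored data such as O'Brien <QA> cannot become markup either."""
    name = USERS.get(user_id, "there")
    return TEMPLATE.format(name=escape(name, quote=True),
                           url=escape(safe_redirect_url(url), quote=True))
```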
6. Session Hijacking
Session hijacking may differ from phishing attacks; still, it can be used in phishing. In this attack, the attacker takes over the user's session token, which is created when the user logs in to a web application.
Session hijacking is also known as cookie hijacking or cookie side-jacking. Most session hijacking happens with banking application logins and other financial accounts.
For example, when you log in to your banking application, a session is automatically generated using your browser information and a cookie. If an attacker manages to steal your session, they might be able to access your bank account.
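A defender-side check for the cookie side-jacking described above, as an added example that is not from the original article: it audits the Set-Cookie headers of a response for the attributes that keep a session cookie off plain HTTP, out of reach of script, and off cross-site requests, and shows the hardened header. The sample response, the cookie names and the "looks like a session" rule are constructed for this example.

```python
# Constructed HTTP response, as a proxy log or browser devtools would show it.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: theme=dark; Path=/
Set-Cookie: JSESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Strict"""


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header_value: str) -> list:
    """Findings for one Set-Cookie value, as (code, explanation) pairs."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(("missing-secure",
                         "also sent over plain HTTP, so it can be sniffed (side-jacking)"))
    if "httponly" not in attrs:
        findings.append(("missing-httponly",
                         "readable by script, so injected content can exfiltrate it"))
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(("weak-samesite",
                         "attached to cross-site requests started from a phishing page"))
    return findings


def looks_like_session(name: str) -> bool:
    """Heuristic: audit only cookies that carry a session (constructed rule)."""
    return "sess" in name.lower()


def audit_response(raw_response: str) -> dict:
    """Map each session cookie name in a raw response to its finding codes."""
    report = {}
    for line in raw_response.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        name, _, _ = parse_set_cookie(value.strip())
        if looks_like_session(name):
            report[name] = [code for code, _ in audit_session_cookie(value.strip())]
    return report


def harden_session_cookie(name: str, value: str) -> str:
    """Set-Cookie value carrying the attributes the audit expects."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

These attributes limit how a stolen cookie can be obtained and replayed; they do not protect a password the victim types into a phishing page.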
7. Mobile Phishing
Mobile phishing has extended beyond email. Instead, it uses SMS, MMS, and social media applications to victimize people. Mobile phishing attacks are technically simple, but the number of victims is enormous.
Consider that you've just received a message from an unknown source saying that one of your friends is in danger and that you should click on the link to see their current situation.
When you believe your friend is in danger, the likelihood of clicking the link is high if you are not aware of phishing.
8. Man-in-the-Middle Attack
Man-in-the-middle attacks usually involve three parties: the victim, the person the victim wants to communicate with, and thirdly the man-in-the-middle. The man-in-the-middle is the attacker who is organizing the attack.
Let's say you've received an email from your bank asking you to recover your password or to confirm your personal information. Now you've clicked on the link, and it appears to be your real bank website and asks you to log in.
In this case, the man-in-the-middle sends the email and makes sure that it seems legitimate. But when you log in with your password, you are not logging in to your bank; instead, you are sending your information to the attacker.
9. Voice Phishing (Vishing)
Voice phishing, or vishing, has emerged as a new threat to users. It is basically a fraudulent phone call that misleads people into giving money or sensitive information.
Vishing usually includes a criminal claiming to represent a reputable organization, corporation, or government agency. You may be asked to purchase an extended warranty, be offered a "free" vacation, be informed that your computer is contaminated and that anti-virus software is required, or be urged to donate to charity.
What are Real-World Examples of Phishing Email Attacks?
Every day, nearly three billion spoofing messages are sent, according to research by email security provider Valimail.
Phishing has evolved into one of the most dangerous threats in today's cybersecurity landscape. Although public awareness of the problem has grown as a result of data from various sources, including the Verizon Data Breach Report, there is a danger that consumers may get jaded due to the constant barrage of news about the newest phishing attempts.
1. Compromised Credit Card
Some websites, particularly those that include pornography, try to entice you by offering "free" content. They then require you to input your credit card number in order to verify that you are above the age of 18. Customers who have done so have had funds deducted from their accounts without their knowledge.
So, what do criminals do with stolen credit card information? Because the information is valuable, many sell it to others. If they use it themselves, they may buy anything from real luxury goods and technology to online commodities such as video game credits and commercial services.
Gift cards are a well-liked option. They're essentially anonymous, requiring no name or other personal information to redeem, and may be spent in stores and online in the same way as cash. Fraudsters may try to buy products with gift cards or flip the cards and sell them for a profit online.
Most recently, the Internal Revenue Service (IRS) issued a warning to US tax preparers on February 10, 2021, about a phishing scam aiming to steal the tax preparer's identity.
2. Transfer Funds
The Government of Canada announced on August 15, 2020, that its GCKey, a crucial single sign-on (SSO) system, had been the target of credential stuffing attacks aimed at diverting COVID-19 relief money.
Beyond the incident mentioned above, thousands of funds-transfer phishing events happen daily. The attacker first gains access to a banking account and then steals money by transferring funds to their own account.
To make this transaction untraceable, attackers tend to place arranged bets in casinos and then transfer the money to their account.
3. Account Deactivation
When the attacker gains access to any of your accounts, they can do anything they want with it. It could be a social media account, a banking account, or any business account.
In many cases, the attacker sends a phishing email saying that the account will be deactivated for some reason. If the user believes that it has come from a legitimate source, s/he will click on the phishing link.
Now the attacker gets access to the user account that has just been compromised. Later, anything is possible until you notice and recover your account. The attacker might steal your information or even deactivate the account.
4. Social Media Request
Social media is considered an ideal place for phishing attackers. There, users share information that gives an idea of their behavior and activities. Attackers analyze the target and penetrate through social engineering.
Someone may try to become your friend or just send you a message. Be careful in making friends, and don't allow any suspicious person to become your friend. Moreover, make sure that the source is legitimate before clicking any link.
What are Red Flags of Phishing?
Phishing emails are getting harder to recognize day by day. Attackers use new ways to reach the victim. Though many cybersecurity products provide phishing protection, they are still not used by the majority of people.
If you are aware of some indicators known as red flags, you will be able to recognize phishing emails and avoid being a victim of a phishing attack.
Figure 1. What are Red Flags of Phishing
Email Red Flags Target 1: Unfamiliar sending addresses
Checking the sender's address and identity is always good practice and is advised by many technology experts. Most phishing attacks succeed because the sending address is not verified.
Suppose you've received an email telling you to change your Gmail password. First, check the sender's address and make sure that it has come from a legitimate source.
If you find the sending address unfamiliar, don't take any action according to the email's instructions.
Email Red Flags Target 2: Errors in the Sending Address
Notice carefully if there is an error in the sending address while checking the address. Make sure that the address is valid and the email didn't come from the attacker.
If you find anything irrelevant or any error, ignore the message and mark it as spam.
Email Red Flags Target 3: Urgency Verbiage
You may get an email that triggers your urgency to do a particular action. Don't do anything before you're convinced of the reason and transparency of the source.
Triggering your sense of urgency is a common phishing tactic. Attackers will send you an email or text message claiming there is an urgent issue, such as the illness of one of your friends or family members.
Don't believe what they are saying. Check and double-check the facts mentioned in the phishing email.
Email Red Flags Target 4: Bogus/Mismatched URL Links
Attackers register domain names similar to popular and trustworthy websites to begin a phishing attack. As mentioned earlier, they manipulate the domain name, changing some characters to create an illusion to the eyes and mind.
If you receive any suspicious email, check the source first and then check the action link for any mismatch with the original. For example, https://g00gle.com is very similar to the original
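The look-alike test behind this red flag and the fake-website section above, as an added example that is not from the original article: it folds the substitutions the text lists (0/o, 1/l, rn/m) into a canonical "skeleton" and compares the registered domain of a link against a trusted list, so https://g00gle.com is reported as a look-alike of google.com. The trusted-domain list (example.com is included only to exercise the rn/m case) and the two-label registered-domain rule are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: the substitutions the text lists, folded
# toward the letter an attacker is imitating. Multi-character entries are
# applied first so 'rn' becomes 'm' before single characters are touched.
CONFUSABLES = {"rn": "m", "0": "o", "1": "l"}

# Constructed allow-list. example.com is only here to exercise the rn/m case.
TRUSTED_DOMAINS = {"google.com", "facebook.com", "example.com"}


def skeleton(domain: str) -> str:
    """Canonical 'skeleton' of a domain: NFKC-normalise (folds e.g.
    fullwidth letters), lower-case, then apply the confusable map.
    Both the trusted domain and the candidate go through this, so a
    legitimate 'rn' in a trusted name folds identically on both sides."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def registered_domain(host: str) -> str:
    """Last two labels of a host. Good enough for .com-style names; a real
    deployment should use the Public Suffix List so 'co.uk' is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_check(url: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Classify the domain a link really points to.

    ('trusted', d)   - exact trusted domain or one of its subdomains
    ('idn', d)       - Punycode label (xn--); Cyrillic/Greek look-alikes
                       need the Unicode confusables table, so flag for review
    ('lookalike', t) - skeleton matches trusted domain t but is not it
    ('unknown', d)   - none of the above; do not assume it is safe
    """
    host = (urlsplit(url).hostname or "").lower()
    domain = registered_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("idn", domain)
    sk = skeleton(domain)
    for t in trusted:
        if skeleton(t) == sk:
            return ("lookalike", t)
    return ("unknown", domain)
```

Note that a trusted name used as a subdomain of another registered domain is reported as unknown, not trusted, because only the registered domain is compared.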
Email Red Flags Target 5: Unfamiliar Sender IP Addresses
Don't forget to check the sender's IP address if you find anything suspicious in the email. When you have the IP address, you can easily find the sender's location and verify the source of the email.
Checking for unfamiliar IP addresses could save you from falling under a phishing attack.
Email Red Flags Target 6: Requests to Submit Login Info
Most phishing emails ask you to submit login information by following the phishing link. Never share your login information this way. Moreover, companies don't send emails asking you to log in at an unauthorized URL.
Suppose an email or social media message asks you to submit login information. Don't do that. Make sure that you are submitting your information only to a legitimate source.
Email Red Flags Target 7: Obsolete Web Pages
Obsolete web pages are another source of phishing attacks. Keeping pace with web development technology, many web and browser security components can identify phishing websites. Most of these websites are obsolete web pages, and the information on the page is no longer valid.
Don't forget to validate the information before you take any action with the web page.
Email Red Flags Target 8: Lack of Security Certificates (Like SSL)
Security certificates are essential for websites, but phishing websites generally don't have security certificates. Avoid websites without security certificates.
Security certificates like SSL are essential to identify phishing attacks and protect your data through various encryption methods.
Email Red Flags Target 9: Page Redirection
As mentioned earlier, attackers redirect pages from the trustworthy website and victimize the user. Always check the destination of the redirect page and take action wisely.
Suppose you find any unusual page redirection that is following a phishing link. Don't click on that and never share anything on that redirected page.
What Are Phishing Protection Methods?
Now the question is: how can you be protected from a phishing attack? If you know how to recognize a phishing attack, you will remain safe from it. Some phishing protection methods are given below.
1. Know about the phishing techniques
When you are informed about phishing techniques, you can avoid the attack. It's important to know the latest techniques attackers follow, not only for your personal safety but also to educate more people, which may help identify phishing attacks.
2. Don't click any link unwisely
Remember, phishing attacks require your action to succeed. So you can avoid them if you decide wisely.
Verify the source of the link before clicking and sharing information on it.
3. Use anti-phishing tools
Anti-phishing tools are the ultimate solution for all types of users. Security products like Zenarmor can protect your device from accessing phishing websites. Firewalls like Zenarmor usually have a large database of phishing pages and anti-phishing technology that detects phishing pages instantly and warns you.
Web browsers can identify phishing web pages, but attackers have ways of bypassing browser plugin security. Still, a browser can locate the majority of such pages.
4. Check the security of your accounts regularly
Security checkups of your online accounts can save you from becoming a victim of phishing attacks. You can use two-factor authentication if it is available.
Moreover, security checkups are mandatory for being safe from phishing attacks and protecting your information from being compromised by other cyber attacks.
Using a strong password with a variety of characters is always recommended.
What are the Methods of Protection from Phishing with pfSense?
pfSense® software is a FreeBSD-based firewall distribution that protects against phishing attacks. It blocks unnecessary traffic on your system to give you better security as well as improved performance.
For phishing protection, pfSense® software provides a package named pfBlockerNG that allows dynamic blocking of URLs from blocklists and by geographical location.
To install pfBlockerNG, go to Package Manager > Available Packages from the pfSense® software admin option and search for pfBlockerNG.
A setup wizard will be available for the first-time installation to configure and set up your phishing protection. For more information about the pfBlockerNG, please refer to pfBlockerNG Guide written by Sunny Valley Networks.
What are the Methods of Protection from Phishing with OPNsense?
OPNsense is another FreeBSD-based firewall that provides phishing protection. OPNsense offers phishing protection and optional content filtering using OpenDNS.
Configuring a static IP is enough to enable phishing protection in OPNsense. Moreover, you need to enable the service if it is disabled.
Register with OpenDNS using a username and password for extra options and go to the Networks Dashboard menu in the OpenDNS interface. You can manage your networks from the available options.
Another option for blocking phishing attacks on OPNsense is to use the Zenarmor plugin. With the help of the Advanced Security options in Zenarmor, you can protect your infrastructure from phishing attacks. You can block known phishing servers with just one click.
Figure 2. Zenarmor: Essential Security Control Settings for Protection from Phishing Attacks.
How do Spear Phishing Attacks Differ from Standard Phishing Attacks?
Differences between spear-phishing attacks and standard phishing attacks are as follows.
1. Target group
Both spear and standard phishing attacks aim to steal sensitive information from the user. The ultimate difference between the two is the target group. Typical phishing attacks are aimed at a large number of people, whereas spear-phishing attacks target a specific person or a comparatively small group.
2. Attack personalization
Standard phishing is an exploratory attempt to steal sensitive and confidential information from a wide range of people without personalizing the target.
On the other hand, spear-phishing attacks are personalized and focused on the behavior and activity of the target.
3. Scope of attack
Standard phishing attacks are initiated by cybercriminals or professional hackers to steal information and are not targeted at any particular group of people.
In contrast, spear-phishing attacks are business-oriented and spread malicious code through the phishing process.
Phishing Attacks are Part of What Percentage of Cyber Attacks?
According to a Federal Bureau of Investigation report, cybercriminals cost companies and people a total of $3.5 billion in 2018, up 23% from the previous year. Phishing was the most prevalent type of cybercrime, with 114,702 victims.
Furthermore, the Verizon Data Breach Investigations Report (DBIR) 2019 says that phishing is involved in approximately one-third of all cybersecurity breaches. (For cyber-espionage attacks, the figure rises to 78 percent, according to the study.) Many of these phishing scams are still sent by email. Secure email gateways are a vital part of a perimeter defense strategy.