In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to "catch" financial information and passwords.
Common Phishing techniques:
1.Link manipulation
2.Filter evasion
3.Website forgery
4.Phone phishing
Phishing examples
In an example PayPal phish, spelling mistakes in the e-mail and the presence of an IP address in the link (visible in the tooltip under the yellow box) are both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details would not be a guarantee of legitimacy. A legitimate Paypal communication will always greet the user with his or her real name, not just with a generic greeting like, "Dear Accountholder." Other signs that the message is a fraud are misspellings of simple words, bad grammar and the threat of consequences such as account suspension if the recipient fails to comply with the message's requests. Note that many phishing emails will include, as a real email from PayPal would, large warnings about never giving out your password in case of a phishing attack. Warning users of the possibility of phishing attacks, as well as providing links to sites explaining how to avoid or spot such attacks, are part of what makes the phishing email so deceptive. In this example, the phishing email warns the user that emails from PayPal will never ask for sensitive information. True to its word, it instead invites the user to follow a link to "Verify" their account; this will take them to a further phishing website, engineered to look like PayPal's website, and will there ask for their sensitive information.
Another example,
An example of a phishing e-mail, disguised as an official e-mail from a (fictional) bank. The sender is attempting to trick the recipient into revealing secure information by "confirming" it at the phisher's website. Note the misspelling of the words receiveddiscrepancy. Such mistakes are common in most phishing emails and . Remember not to use any of the links that your phishing email has provided.
Prevention Methods
There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be effective, especially where training provides direct feedback.One newer phishing tactic, which uses phishing e-mails targeted at a specific company, known as spear phishing, has been harnessed to train individuals at various locations.
People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the e-mail apparently originates to check that the e-mail is legitimate. Alternatively, the address that the individual knows is the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message.
The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers.They predict that pharming and other uses of malware will become more common tools for stealing information.
Teng Yann Guan 0701652
No comments:
Post a Comment