Summary

  • Phishing (hameçonnage in French) is a malicious practice in which attackers pose as trustworthy entities in order to trick individuals into revealing sensitive information.

  • Stay vigilant against phishing by spotting common signs like suspicious URLs and urgent requests for personal information.

  • Learn about different phishing techniques, from common email scams to sophisticated spear phishing, to strengthen cybersecurity defenses.

Introduction

Phishing is a nefarious tactic in which malicious actors pose as trusted sources to trick people into sharing sensitive data. In this article, we explain what phishing is, how it works and what steps you can take to avoid falling prey to such scams.

How phishing works

Phishing primarily relies on social engineering, a method by which attackers manipulate individuals into divulging confidential information. Attackers collect personal information from public sources (like social media) to create emails that appear authentic. Victims often receive malicious messages appearing to come from familiar contacts or reputable organizations.

The most common form of phishing occurs through emails containing malicious links or attachments. By clicking on these links, you risk installing malware on your device or being redirected to fake websites designed to steal your personal and financial information.

Although poorly written phishing emails are easier to spot, cybercriminals use advanced tools like chatbots and AI voice generators to improve the authenticity of their attacks. This makes it difficult for users to distinguish between genuine and fraudulent communications.

Recognize phishing attempts

Identifying phishing emails can be tricky, but there are some signs you can watch for.

Most common signs

Be careful if the message contains suspicious URLs, uses public email addresses, provokes fear or urgency, asks for personal information, or has spelling and grammar mistakes. In most cases, you should be able to hover your mouse over the links to check the URLs without actually clicking on them.

Digital Payment Scams

Phishing scammers often impersonate trusted online payment services like PayPal, Venmo, or Wise. Users receive fraudulent emails urging them to verify their login details. It is essential to remain vigilant and report any suspicious activity.

Financial-related phishing scams

Scammers pose as banks or financial institutions, citing security vulnerabilities to obtain personal information. Common tactics include deceptive emails about money transfers or direct deposit scams targeting new employees. Scammers may also claim that a security update is urgent.

Work-Related Phishing Scams

These personalized scams involve attackers posing as executives, CEOs or CFOs, requesting bank transfers or fake purchases. Voice phishing using AI voice generators over the phone is another method used by scammers.

How to prevent phishing attacks

To prevent phishing attacks, it is important to use several security measures. Avoid clicking on links directly. Instead, go to the company's official website or communication channels to check if the information you received is legitimate. Consider using security tools such as antivirus software, firewalls, and spam filters.

Organizations should also use email authentication standards to verify incoming emails. Common examples of email authentication methods include DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
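The paragraph above names DMARC without showing what a receiving organization actually evaluates. The following added example (not code from the original article) parses a DMARC TXT record, as published at `_dmarc.<domain>`, and reports the settings that leave a domain spoofable; the sample records and domain names are constructed for illustration.

```python
# Constructed sample TXT records, as they would be published at _dmarc.<domain>.
# These domains and records are illustrative assumptions, not real published policies.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "strict.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@strict.example; ruf=mailto:forensic@strict.example"),
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record where DMARC was expected
}


def parse_dmarc(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> tuple:
    """Return (rating, findings): rating is 'missing', 'invalid', 'monitoring', 'partial' or 'enforcing'."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no valid DMARC record (v=DMARC1 tag absent)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p tag missing or unrecognised"]
    if policy == "none":
        findings.append("p=none: mail failing DKIM/SPF alignment is still delivered, only reported")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy is applied to
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(f"{tag}=r: relaxed alignment, any subdomain of the org domain aligns")
    if policy == "none":
        rating = "monitoring"
    elif pct < 100:
        rating = "partial"
    else:
        rating = "enforcing"
    return rating, findings
```

A receiving mail server applies the `p` policy only to messages whose DKIM signature or SPF result fails to align with the From: domain, so a missing or `p=none` record is what lets a spoofed sender reach the inbox.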

For individuals, it is essential to inform their family and friends of the risks of phishing. For businesses, it is essential to educate their employees on phishing techniques and provide periodic awareness training to reduce risks.

If you need additional help and information, look for government initiatives like OnGuardOnline.gov and organizations like the Anti-Phishing Working Group Inc. These initiatives provide more detailed resources and guidance for spotting, avoiding, and reporting phishing attacks.

Types of phishing

Phishing techniques are evolving and cybercriminals are using different methods. The different types of phishing are generally classified based on the target and attack vector. Let's take a closer look at this.

Clone phishing

An attacker will use a previously sent legitimate email and copy its contents into a similar email containing a link to a malicious site. The attacker can also pretend that this is an updated link or a new link, indicating that the previous one was incorrect or expired.

Spear phishing (harponnage)

This type of attack targets a specific person or institution. A spear phishing attack is more sophisticated than other types of phishing because it is targeted. This means that the attacker first collects information about the victim (e.g. names of friends or family members) and uses this data to lure the victim to a malicious website or file.

Pharming (domain hijacking)

An attacker will poison a DNS record which, in practice, will redirect visitors from a legitimate website to a fraudulent site that the attacker previously created. This is the most dangerous attack because DNS records are not under the user's control, making the user powerless to defend themselves.

Whaling (executive spear phishing)

A form of spear phishing attack that targets wealthy and important people, such as CEOs and government officials.

Email spoofing

Phishing emails typically spoof communications from legitimate companies or people. Phishing emails can present unwitting victims with links to malicious sites, where attackers collect login credentials and personal information using cleverly disguised login pages. The pages may contain Trojans, keyloggers and other malicious scripts that steal personal information.

Website Redirects

Website redirects send users to a different URL than the one they intended to visit. Attackers who exploit vulnerabilities in a site can insert such redirects and use them to install malware on users' computers.

Typosquatting

Typosquatting directs traffic to counterfeit websites that use foreign-language spellings, common misspellings, or subtle top-level domain variations. Phishing scammers use such domains to imitate legitimate website interfaces, taking advantage of users who mistype or misread the URL.
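The hover check recommended under "Most common signs" and the lookalike domains described here can both be automated on the receiving side. The following added example (not code from the original article) compares the visible text of a link with its real target and flags one-character misspellings, top-level domain swaps, brand names buried in untrusted hosts and internationalized (punycode) lookalikes; the allow-list of trusted domains and all sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains this reader actually uses (an assumption for the example).
TRUSTED_DOMAINS = ["paypal.com", "binance.com", "wise.com"]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 means one keystroke separates the two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Hostname of a URL, IDNA-encoded so non-ASCII lookalike letters surface as an xn-- label."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def registrable(host: str) -> str:
    """Last two labels, e.g. 'login.paypal.com' -> 'paypal.com' (adequate for .com-style TLDs)."""
    return ".".join(host.split(".")[-2:])


def check_link(display_text: str, href: str) -> list:
    """Warnings for one anchor: what the user sees (display_text) versus where it goes (href)."""
    warnings = []
    host = host_of(href)
    target = registrable(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"internationalized (punycode) host: {host}")
    if "." in display_text and " " not in display_text.strip():  # text looks like a domain
        shown = registrable(host_of(display_text))
        if shown != target:
            warnings.append(f"link text shows {shown} but it points to {target}")
    if target in TRUSTED_DOMAINS:
        return warnings
    name, _, tld = target.partition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = trusted.split(".")
        if name == t_name and tld != t_tld:
            warnings.append(f"TLD variation of {trusted}: {target}")
        elif _edit_distance(name, t_name) == 1:
            warnings.append(f"one-character misspelling of {trusted}: {target}")
        elif t_name in host:
            warnings.append(f"brand {t_name} appears in hostname of untrusted domain {target}")
    return warnings
```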

Fake paid ads

Paid ads are another tactic used for phishing. These (fake) ads use domains that the attackers have typosquatted and paid for to appear in search results. The site may even appear among the first search results on Google.

Watering hole attack

In a watering hole attack, scammers analyze users and determine which websites they visit frequently. They scan these sites for vulnerabilities and attempt to inject malicious scripts designed to target users the next time they visit that website.

Impersonation and fake contests

This concerns the impersonation of influential personalities on social networks. Phishing scammers may pose as key company executives and advertise contests or engage in other deceptive practices. Victims of this deception can even be targeted individually through social engineering processes aimed at finding gullible users. Actors can hack verified accounts and change usernames to impersonate a real person while maintaining verified status.

Recently, scammers have heavily targeted platforms like Discord, X, and Telegram for the same purpose: spoofing chats, impersonating individuals, and imitating legitimate services.

Malicious applications

Phishing scammers may also use malicious apps that monitor your behavior or steal sensitive information. Applications may present themselves as price trackers, wallets, and other cryptocurrency-related tools (which have a user base predisposed to trading and owning cryptocurrency).

SMS and voice phishing

A form of phishing delivered by message, usually via SMS or voicemail, that encourages users to share personal information.

Phishing vs. Pharming

Although some consider pharming (domain hijacking) to be a type of phishing attack, the former relies on a different mechanism. The main difference between phishing and pharming is that phishing requires the victim to make a mistake. In contrast, domain hijacking only requires the victim to attempt to access a legitimate website whose DNS record has been compromised by the attacker.

Phishing in the blockchain and crypto space

Although blockchain technology offers enhanced data security due to its decentralized nature, its users must remain vigilant against social engineering and phishing attempts. Cybercriminals often attempt to exploit human vulnerabilities to gain access to private keys or login credentials. In most cases, scams are based on human error.

Scammers may also attempt to trick users into revealing their recovery phrases or transferring funds to fake addresses. It is important to exercise caution and follow good safety practices.

Conclusion

In conclusion, it is essential to understand phishing and stay up to date with evolving techniques to protect personal and financial information. By combining robust security measures, education and awareness, individuals and organizations can strengthen themselves against the ever-present threat of phishing in our interconnected digital world. Stay SAFU!

For more information

  • Five Tips for Securing Your Cryptocurrency Holdings

  • 5 Ways to Improve Your Binance Account Security

  • How to Stay Safe in Peer-to-Peer (P2P) Trading?

Disclaimer and Risk Warning: This content is presented to you “as is” for general information and educational purposes only, without representation or warranty of any kind. It should not be construed as financial, legal, or professional advice, or as a means of recommending the purchase of any specific product or service. You should seek advice from appropriate professionals before making any decisions. Where the article was written by a third-party contributor, please note that the opinions in the article do not necessarily reflect those of Binance Academy. Please read our full disclaimer here to find out more. Prices of digital assets can be volatile. The value of your investment may go down as well as up and you may not get back the amount you invested. You are solely responsible for your investment decisions and Binance Academy is not responsible for any losses you may incur. This content should not be construed as financial, legal, or professional advice. For more information, please refer to our Terms of Use and Risk Warning.