Phishing is a term, often used to describe a fraud which involves capturing personal information of users to perform unauthorized transactions or operations. Phishing can also be associated with the term fishy and I think that is how it has been originated.
In a real sense, it is achieved over call, email or hosting a website which is a replica copy of the genuine site. Attacker send a mail which looks very similar to actual mail of the sender with a link embedded which redirect the user to site for stealing user information
The phishing attack is not limited to Banking sector; however, it has been penetrated to other verticals like Government and Retails. A study shows around 10,000 users face phishing attacks daily in India, 65 percentage of attacks categorized under Government sector. A typical distribution of the attacks would represent as-
- Phishing: 51.2 %
- Virus, Trojan, worm, logic bomb: 7.7 %
- Policy violation: 7.4 %
- Malicious website: 6.3 %
- Equipment theft/loss: 6.2 %
- Suspicious network activity: 3.3 %
- Social Engineering: 2.4 %
- Attempted access: 0.8 %
- Others: 5.8 %
It’s becoming a nightmare to detect phishing at a global level; however, a user careful attention can reveal its integrity. Banks and regulatory bodies like Reserve Bank of India (RBI), Income Tax (I.T) Dept. are publicizing awareness on phishing. Phishers now send emails resembling Yahoo / Rediff mail, shopping sites or regulatory bodies, like RBI / I.T. dept., asking for confidential data.
In the case of Government vertical, let's consider a scenario where an attacker sends an email trying to lure a user to fill required detail to get a tax refund. The Email address is masked and resembles the actual email address of Government.
The attacker creates a Fraud site which looks similar to the genuine site except it doesn't have a certificate attached to it. The user is redirected to fraud site to capture sensitive and confidential information. The unsuspecting user enters their login information.
A legitimate financial institution will never ask for details of your account via an e-mail. A corollary to this rule is that never e-mail financial information over the Internet.
No comments:
Post a Comment