Introduction
Social engineering is the collection of techniques used to manipulate people into performing actions or divulging confidential information. Phishing is the attempt to fraudulently obtain private information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Common targets include PayPal, eBay and online banks. It is usually carried out by email, instant messaging or even telephone (Ollmann, 2006).
Examples of phishing techniques
These include website forgery, link manipulation, filter evasion and phone phishing (Ponnurangam et al., 2006).
Website forgery
In some of these scams, JavaScript is used to alter the browser's address bar: the real address bar is closed and a new one is opened showing the legitimate URL, or a picture of the legitimate URL is placed over the address bar. An attacker can also exploit a cross-site scripting flaw in a trusted website's own scripts. The link is then crafted so that the victim is directed to sign in at the service's or bank's own web page, where the web address and security certificate appear correct. PayPal was hit by such a flaw in 2006. Phishers have also begun to use Flash-based websites that hide the text inside a multimedia object while still looking like the real site (Ponnurangam et al., 2006).
Manipulation of links
This kind of deception makes a link in an email, and the spoofed website it leads to, appear to belong to the spoofed organisation. Common tricks are misspelled URLs and the use of subdomains. A phisher can also make the anchor text of a link look legitimate while the link itself points to the phisher's site. An old trick is a link containing an '@' symbol: victims are deceived into opening a site that seems familiar because the link reads like //www.google.com@members.com/. Everything before the '@' is treated as a user name, so the page opens on the members.com website with www.google.com supplied as the user name.
Whatever user name is supplied, the site loads normally. Internet Explorer disables such URLs, while Opera and Mozilla show a warning and offer the option to continue or cancel.
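The tricks in this section (userinfo before '@', anchor text that names one domain while the href goes to another, a brand used as a subdomain of an unrelated site, and one-character misspellings) can all be checked mechanically. The following is an added example, not code from the original page or from the cited authors; the protected-domain list, the sample links and the "last two labels" rule for the registrable domain are assumptions made for illustration.

```python
"""Spot the link-manipulation tricks described above in (anchor text, href) pairs."""
import re
from urllib.parse import urlsplit

# Constructed list of brands a phisher might imitate (assumption: a real deployment
# would use the organisation's own list of protected domains and a public-suffix list).
PROTECTED_DOMAINS = ("ebay.com", "google.com", "paypal.com")


def split_url(url: str):
    """urlsplit() with a scheme added when the link omits it, so that
    '//www.google.com@members.com/' is parsed as an authority, not a path."""
    if "://" not in url:
        url = "http://" + url.lstrip("/")
    return urlsplit(url)


def effective_host(url: str) -> str:
    """The host a browser actually connects to: anything before '@' in the
    authority is userinfo, which is why http://www.google.com@members.com/
    lands on members.com."""
    return (split_url(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no public-suffix
    list, so names under e.g. co.uk are not handled correctly)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch misspelled look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def analyse_link(anchor_text: str, href: str) -> list:
    """Return the names of the tricks found: 'userinfo', 'anchor-mismatch',
    'brand-as-subdomain', 'lookalike-domain' (empty list = nothing suspicious)."""
    findings = []
    parts = split_url(href)
    host = (parts.hostname or "").lower()
    target = registrable_domain(host)

    # 1. '@' in the authority: the part the victim reads is only a user name.
    if parts.username is not None:
        findings.append("userinfo")

    # 2. Anchor text shows one domain, the href goes to another.
    shown = DOMAIN_IN_TEXT.search(anchor_text.lower())
    if shown and registrable_domain(shown.group(0)) != target:
        findings.append("anchor-mismatch")

    # 3. A protected brand appears as a subdomain of an unrelated domain
    #    (www.paypal.com.secure-login.net).
    subdomain_labels = host.split(".")[:-2]
    for brand in PROTECTED_DOMAINS:
        if target != brand and brand.split(".")[0] in subdomain_labels:
            findings.append("brand-as-subdomain")
            break

    # 4. The registrable domain is one edit away from a protected brand (paypa1.com).
    for brand in PROTECTED_DOMAINS:
        if target != brand and levenshtein(target, brand) == 1:
            findings.append("lookalike-domain")
            break

    return findings


if __name__ == "__main__":
    samples = [  # constructed (anchor text, href) pairs
        ("www.google.com", "//www.google.com@members.com/"),
        ("Log in to PayPal", "https://www.paypal.com.secure-login.net/signin"),
        ("https://www.paypal.com/", "http://www.paypa1.com/"),
        ("PayPal", "https://www.paypal.com/signin"),
    ]
    for text, href in samples:
        print(f"{text!r:28} -> {effective_host(href):36} {analyse_link(text, href)}")
```

The "brand as subdomain" and "one edit away" checks deliberately compare the registrable domain rather than the full host, because `www.paypal.com.secure-login.net` is a perfectly valid host that simply belongs to someone else; a real filter would replace the two-label rule with a public-suffix list.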
Filter evasion
In this approach, phishers use images in place of text so that the lure is not visible to anti-phishing filters, which commonly look for text that is typical of phishing emails.
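To make the evasion concrete, here is an added example (not from the original page or the cited authors) that builds two constructed lure emails with Python's standard `email` package: one carries the lure as text, the other carries the same lure as a picture with almost no accompanying text. A keyword filter catches only the first; a simple image-to-text ratio heuristic catches the second. The lure phrases, the sender address, the image bytes and the 200-character threshold are all assumptions made for illustration.

```python
"""A keyword filter beside an image-ratio heuristic, run over two constructed lures."""
from email.message import EmailMessage

# Phrases a simple text filter looks for (constructed list).
LURE_PHRASES = ("verify your account", "has been suspended", "confirm your password")


def build_text_lure() -> EmailMessage:
    """Constructed phishing email whose lure is plain text."""
    msg = EmailMessage()
    msg["Subject"] = "Action required"
    msg["From"] = "security@example.com"   # constructed sender
    msg.set_content(
        "Your account has been suspended.\n"
        "Please verify your account at http://example.net/login within 24 hours.\n"
    )
    return msg


def build_image_lure() -> EmailMessage:
    """Constructed phishing email that carries the same lure as a picture,
    with almost no machine-readable text for a keyword filter to match."""
    msg = EmailMessage()
    msg["Subject"] = "Action required"
    msg["From"] = "security@example.com"   # constructed sender
    msg.set_content("See notice.")
    # Stand-in for a rendered screenshot of the lure text (constructed bytes, not a real PNG).
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 4096,
                       maintype="image", subtype="png", filename="notice.png")
    return msg


def visible_text(msg: EmailMessage) -> str:
    """All text/* bodies of the message, joined."""
    return " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_maintype() == "text")


def image_bytes(msg: EmailMessage) -> int:
    """Total decoded size of the image/* parts."""
    return sum(len(p.get_payload(decode=True)) for p in msg.walk()
               if p.get_content_maintype() == "image")


def keyword_filter(msg: EmailMessage) -> bool:
    """The filter the phisher is evading: matches lure phrases in the text."""
    text = visible_text(msg).lower()
    return any(phrase in text for phrase in LURE_PHRASES)


def image_ratio_filter(msg: EmailMessage, min_text_chars: int = 200) -> bool:
    """Counter-heuristic: an image with almost no accompanying text is itself
    suspicious, because the lure has been moved into the picture.
    (Assumption: the 200-character threshold is illustrative.)"""
    return image_bytes(msg) > 0 and len(visible_text(msg).strip()) < min_text_chars


if __name__ == "__main__":
    for name, msg in (("text lure", build_text_lure()), ("image lure", build_image_lure())):
        print(f"{name:10}  keyword filter: {keyword_filter(msg)!s:5}  "
              f"image-ratio filter: {image_ratio_filter(msg)}")
```

Production filters add OCR of the image to recover the text, but the ratio check is cheap and already removes the incentive to hide the lure in a picture.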
Phone phishing
Also called vishing (voice phishing). In this kind of fraud, messages purporting to come from a trustworthy organisation such as a bank direct users to call a phone number to resolve a problem with their account. The number is one the phisher has obtained from a Voice over IP service; when it is dialled, callers are prompted to enter their account numbers and PINs. Vishing sometimes uses fake caller-ID data to make the call appear to come from a trustworthy organisation (Ponnurangam et al., 2006).
Damage caused by phishing includes financial loss and denial of access to email and bank accounts. Both technical and social measures can be taken against it. Technical responses include software that helps users identify legitimate sites, strengthening password logins, monitoring websites and eliminating phishing mail; there are also legal responses. Socially, people should be trained to recognise and deal with phishing attempts (Stuart et al., 2007).
Conclusion
United States businesses alone could be losing up to US$2 billion a year as their customers fall victim to phishing. Warnings from banks and other organisations that customers should take serious precautions should not be ignored. Information security processes of ongoing training, protection, assessment, monitoring and detection, response and repair, and review of documented incidents should be strengthened. People can avoid being conned by changing their browsing habits; a simple step is to verify any request for information directly with the company concerned.
References
Ollmann, G. (2006). The Phishing Guide: Understanding and Preventing Phishing Attacks. Technical Info.
Ponnurangam, K., Yong, W., Rhee, A. A., Lorrie, C., Jason, H. and Elizabeth, N. (2006). Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. Technical Report CMU-CyLab-06-017, CyLab, Carnegie Mellon University.
Stuart, S., Rachna, D., Andy, O. and Ian, F. (2007). The Emperor's New Security Indicators: An Evaluation of Website Authentication and the Effect of Role Playing on Usability Studies. IEEE Symposium on Security and Privacy.