Home > Free Essays > Tech & Engineering > Computer Security > Security System. Social Engineering – Phishing

Security System. Social Engineering – Phishing Research Paper

Exclusively available on IvyPanda Available only on IvyPanda
Updated: Jul 28th, 2022

Introduction

Social engineering refers to the collection of techniques that are used to influence people towards performing certain actions or divulging other people’s confidential information. One aspect of social engineering is phishing, which involves the attempt to obtain personal and sensitive information such as usernames, passwords, and credit card details, through unlawful and deceitful means, by camouflaging oneself as a reliable entity in electronic communication. Usually, it’s carried through instant messaging, email, and even phone contacts, (Ollmann, G. 2006).

The most common targets of phishing include online banks which regulate the transfer of money via the internet, e-bay which involves the buying and selling of goods via the internet with the means of credit card transactions and Paypal which is also an online company concerning the transfer of funds involving credit card details and other confidential details of clients. Phishing is usually performed through emails or instant messaging services. (Tan, Koon. Phishing and Spamming via IM (SPIM)) by directing the consumers to reveal information at a website. In this way, Phishing is an example of social engineering technique that is effectively employed to fool users convincingly. To deal with the increasing number of phishing occurrences there should be additional cyber laws, user training, and public awareness programs to guide and inform the internet users about the technical manner in which phishing is usually carried out.

Phishing techniques

Phishing may be performed using several ways including website forgery, link manipulation, filter evasion, and phone phishing. (Ponnurangam, K. 2006).

Website forgery

Websites are effectively forged by the criminals by altering the address bar using javascript commands which can be easily accomplished by placing the picture of a legitimate URL over the address bar, or alternately closing the original address bar and opening a new one with the legitimate URL (Mutton, Paul. ‘Fraud Watch International’). Once the victim visits the website, the invader may use the flaws of the website’s scripts against the prey.

He can attack the victim using the ‘cross-site scripting’ which is on the whole very tricky, for the reason that they direct the user to ‘sign in’ at the web page of their bank or service, where the appearance of everything including the web address or the security certificate seems accurate. The craftiness of the invader lies in creating a link to the website to successfully carry out and accomplish such an attack, which is very complex and cannot be easily recognized (Krebs, Brian Flaws ‘Financial Sites Aid Scammers’).

There are anti-phishing systems that can scrutinize websites for phishing-related text but even phishers have devised newer ways to avoid even these. They use websites that are ‘flash based’, looking like real websites but hides the text in multimedia objects (Miller, Rich, ‘Phishing Attacks Continue to Grow in Sophistication’).

Manipulation of links

This method involves the designing of various types of technological tricks to create a link or connection in an email which appears to the victim as belonging to the spoofed or sketched organization. This can be easily accomplished by the phishers by employing the use of wrongly spelled URLs or alternately using subdomains. An additional method of doing this is by linking an anchor text that seems valid when in reality the link would straightaway enter the site of the phisher. A more traditional method of cheating is by the use of links which include the character ‘@’, which was formerly put to use for the inclusion of a username or even a password (Berners-Lee, Tim. IETF Network Working Group).

For instance, the link could easily mislead a casual surfer to suppose that the link would open the page of the yahoo website which is actually ‘www.yahoo.com’, but in reality will direct the browser to the page, ‘members.mail.net’, which has the potential to open even if the username is not provided.

Filter evasion

Even though the filtering techniques devised to block phishing are now improved, the spammers send more messages without any extra costs being levied on them as the major cost of the emails is borne by the recipient and rather than the sender. By doing so, even if some fraction of their messages are being blocked, they recompense by sending that many more messages. Another way the spammers can evade filtrations is by using various techniques to avoid spam detection approaches such as having a massive set of emails that have been constantly refreshed or by misspelling to use confusing words or even by the creation of exclusive copies in each campaign.

Phone Phishing

This is a very simple method used for phishing because it does not necessitate the existence of a website and can be easily achieved over the phone. And it is very difficult to find the source of the attack. This method is generally used before hacking to establish the background of the attack by acquiring the required information over the phone. The hacker usually presents the self as the support of the company or the administrator.

It is therefore essential to think before answering since the answers can reveal more than is required. The attack could also be in the form of a simple message from a bank instructing them to dial a phone number to clarify certain problems regarding their bank accounts (Gonsalves, Antone, ‘Phishers Snare Victims With VoIP’), and subsequently asking them to enter their account numbers followed by the pin codes, consequently achieving the desired results. The calls are even answered by fake persons claiming to be the staff or personnel of a reputed company. (‘Identity thieves take advantage of VoIP’, Silicon.com)

How phishing works and how we can prevent/protect ourselves from it

Several stratagems can be employed to combat phishing attempts by criminals. The best way is to train and educate people to identify and deal with such attempts when noticed, which can be done by creating awareness programs by the websites and agencies on the internet. (Ponnurangam Kumaraguru, 2006) Initiatives should be taken by the web users and internet surfers themselves by the conscious modification of their regular browsing practices. In the event of being contacted about requiring the verification of an account or for any other purpose, it would be wise to first confirm the legitimacy and source of the company from which the email has originated.

In all cases, the use of hyperlinks must be avoided and regular practice of typing the genuine website address of the company into the address bar of the browser must be adopted (Hex View, Anti-Phishing Tips You Should Not Follow).

Web-users and regular web surfers must be active at all times to notice any difference in the emails that they receive from companies as almost all company email messages to their respective customers comprise some piece of information that is seldom readily available to the phishers. For example, Paypal always addresses its customers by their usernames in the emails that it sends to them. So if a customer gets an email generated in a common fashion such as “Dear Paypal customer”, the recipient of the email must instantly realize that it is an attempt of phishing (Protect Yourself from Fraudulent Emails, PayPal).

Internet browsers and surfers must be regularly alerted and warned about deceptive websites by technical internet companies. The use of spam filters can also additionally aid in reducing the number of phishing emails that are likely to reach the inboxes of the victims. In case of recognition of a phishing attempt, they report the incident to the volunteer and/or industry groups (Schneier, Bruce 2006. PhishTank. Schneier on Security).

The damages of phishing are plenty and can result not only in the loss of access to personal emails but also in a monetary rip-off. The simplicity with which information such as credit card numbers or security PINs can be retrieved from individuals via the internet or email makes phishing a rather simple activity to make big money, making cyber theft a rather easy way to commit a crime. It has been estimated that phishing has been the cause of loss to approximately 1.2 million computer users in the United States of America alone between May 2004 and 2005, resulting in losses of nearly $929 million and for every 20 users, 1 has claimed to have been misled by phishing (The Phishing Guide: Understanding and Preventing Phishing Attacks – TechnicalInfo.net).

Conclusion

In the previous few years, there has been a considerable emergence of technology to prevent spam and phishing attempts by these spammers. A considerable amount of mailboxes are nowadays well protected from spam messages causing the spammers to use alternative frantic measures to maintain prosperity in the emerging world of emails. New technology is more focused on the identification and the validation of the email senders making it exceedingly complicated for the spammers to now conceal themselves who now face a continuous risk reprisal.

Since the process is getting more and more difficult, very many have given up these notorious activities as the profit margins are on a decline owing to the growing awareness among the users regarding such occurrences. However, one must at all times be at guard and remain alert to any abnormal phishing activities which can take place with anyone anytime anywhere.

References

Aaron Emigh, Radix Partners Anti-Phishing Technology, Report in conjunction with the United States Secret Service San Francisco Electonic Crimes Task Force, 2004.

Berners-Lee, Tim 2006 ‘IETF Network Working Group’ Email Address Harvesting: How Spammers Reap What You Know, FTC Consumer Alert.

Gonsalves, Antone 2006 ‘Phishers Snare Victims With VoIP’.

Hex View, 2006 ‘Anti-Phishing Tips You Should Not Follow’ ‘Identity thieves take advantage of VoIP.

Krebs, Brian Flaws 2004 ‘Financial Sites Aid Scammers’.

Matthew Prince, Project Honeypot, The Third Spam Conference, MIT Jan 2005.

Michael Pastore, Phishing is Up and It Has Consumers Down, Inside ID, 2004.

Miller, Rich, 2007 ‘Phishing Attacks Continue to Grow in Sophistication’.

Mutton, Paul, 2006 ‘Fraud Watch International’.

Ollmann, G. 2006 ‘The Phishing Guide: Understanding and Preventing Phishing Attacks’.

Tan, Koon. Phishing and Spamming via IM (SPIM).

Ponnurangam, K. 2006 ‘Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System’.

‘Protect Yourself from Fraudulent Emails’, PayPal 2006.

Schneier, Bruce 2006, ‘PhishTank – Schneier on Security’ ‘The Phishing Guide: Understanding and Preventing Phishing Attacks’ TechnicalInfo.net.

This research paper on Security System. Social Engineering – Phishing was written and submitted by your fellow student. You are free to use it for research and reference purposes in order to write your own paper; however, you must cite it accordingly.
Removal Request
If you are the copyright owner of this paper and no longer wish to have your work published on IvyPanda.
Request the removal

Need a custom Research Paper sample written from scratch by
professional specifically for you?

801 certified writers online

Cite This paper
Select a referencing style:

Reference

IvyPanda. (2022, July 28). Security System. Social Engineering - Phishing. https://ivypanda.com/essays/security-system-social-engineering-phishing/

Reference

IvyPanda. (2022, July 28). Security System. Social Engineering - Phishing. Retrieved from https://ivypanda.com/essays/security-system-social-engineering-phishing/

Work Cited

"Security System. Social Engineering - Phishing." IvyPanda, 28 July 2022, ivypanda.com/essays/security-system-social-engineering-phishing/.

1. IvyPanda. "Security System. Social Engineering - Phishing." July 28, 2022. https://ivypanda.com/essays/security-system-social-engineering-phishing/.


Bibliography


IvyPanda. "Security System. Social Engineering - Phishing." July 28, 2022. https://ivypanda.com/essays/security-system-social-engineering-phishing/.

References

IvyPanda. 2022. "Security System. Social Engineering - Phishing." July 28, 2022. https://ivypanda.com/essays/security-system-social-engineering-phishing/.

References

IvyPanda. (2022) 'Security System. Social Engineering - Phishing'. 28 July.

Powered by CiteTotal, reference maker
More related papers