“Congratulations! You have won n million dollars. Send us your bank details.” If you use the Internet, you have probably seen emails like this in your inbox or junk folder. Such messages are phishing: a cybercrime in which criminals use fake messages to steal data from victims, whether individuals or corporate business houses. This phishing cheat sheet aims to give you enough knowledge of the crime that you do not become one of its victims. We also discuss the types of phishing.
What is phishing?
Phishing is a cybercrime in which criminals lure victims with fake emails and text messages in order to steal their data, such as passwords or bank details. It is mainly done through mass email campaigns. The criminals use throwaway email IDs and servers, making it hard for authorities to nab them. A generic template is sent to hundreds of thousands of recipients so that at least a few are tricked. Learn how to identify phishing attacks.
Why is it called phishing?
You know about fishing. In real-life fishing, the angler sets bait so that a fish bites the hook. On the Internet, too, the criminals use bait, in the form of a message that is convincing and appears genuine. Because bait is involved, it is called phishing. The "ph" spelling follows the older hacker convention seen in "phreaking" (phone hacking); the term is also sometimes expanded as "password fishing".
The bait could be a promise of money or goods that compels an end user to click. Sometimes the bait is different, for example a threat or a sense of urgency, and it calls for action, such as clicking a link saying you must re-authorize your account at Amazon, Apple or PayPal.
How to pronounce phishing?
It is pronounced exactly like "fishing": the "ph" is sounded as an "f".
How common is phishing?
Phishing attacks are more common than malware attacks, and the two overlap: a phishing email is itself one of the most common ways to deliver malware, alongside fake websites and fake advertisements on genuine websites.
These days, phishing kits are sold online, so practically anyone with basic knowledge of networks can buy one and use it for illegal purposes. A kit provides everything from a cloned copy of a website to templates for a compelling email or text.
Types of phishing
There are many types of phishing. Some of the popular ones are:
- General phishing: mass emails and texts asking for your personal details, the most common form
- Spear phishing
- Whaling scams
- Smishing (SMS phishing) and Vishing (voice phishing)
- QRishing scams
- Tabnabbing
1] General Phishing
In its most basic form, phishing is an email or text that warns you about something and asks you to click a link. Sometimes it asks you to open an attachment instead.
Cybercriminals lure you into opening the email or text with the subject line. Often the subject line claims that one of your online accounts needs updating and sounds urgent.
The body contains information that is fake but believable, and it ends with a call to action: click the link the message provides. Text messages are riskier because they tend to use shortened URLs, and on a phone you cannot hover over a link to see where it leads. The destination can still be checked without clicking: some shorteners offer a preview page (appending a "+" to a bit.ly link shows its target), and any tool that sends a request but does not follow the redirect will show the Location header with the real destination.
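As an added example (not part of the original article), the following Python script expands a shortened URL hop by hop without ever rendering the landing page: each hop sends a single HEAD request and reads only the Location header, so no page content is loaded and no script runs. The shortener, tracker and lookalike hostnames in the sample responses are constructed for the offline demonstration, and the hop limit is an assumption.

```python
"""Expand a shortened URL without opening it in a browser.

Added example, not from the original article. Each hop sends one HEAD
request and reads only the Location header, so the final page is never
rendered. The fetcher is injectable so the function can be exercised
offline with constructed responses (see FAKE_RESPONSES below).
"""
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumption: a chain longer than this is itself suspicious
REDIRECTS = (301, 302, 303, 307, 308)


def head_request(url, timeout=5):
    """Send one HEAD request and return (status, location-or-None)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.netloc, timeout=timeout,
                                           context=ssl.create_default_context())
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    else:
        raise ValueError(f"unsupported scheme in {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=head_request, max_hops=MAX_HOPS):
    """Return the redirect chain starting at url. The chain ends at the first
    non-redirect response, when a loop is detected, or at the hop limit."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:            # redirect loop: stop here
            return chain
    return chain


def final_host(chain):
    """Hostname of the last hop, i.e. where the link actually lands."""
    return urlsplit(chain[-1]).hostname or ""


# Constructed responses for the offline demonstration: a made-up shortener
# bounces through a tracker to a lookalike login page.
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://track.example/r?id=7"),
    "https://track.example/r?id=7": (302, "//login-paypa1.example/signin"),
    "https://login-paypa1.example/signin": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain = expand_url("https://short.example/abc", fetch=fake_fetch)
    for i, hop in enumerate(chain):
        print(f"{i}: {hop}")
    print("lands on host:", final_host(chain))
```

Run it as-is for the offline demo, or call expand_url("https://...") to query real hosts. Two caveats: expanding still contacts the shortener and every intermediate host, which may log the request, and a few sites answer HEAD with 405, in which case a GET that reads only the headers is the fallback.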
2] Spear phishing
Spear phishing is targeted phishing in which the targets are the employees of a particular business house. The cybercriminals obtain their workplace email IDs and send tailored phishing emails to those addresses. The emails appear to come from someone at the top of the corporate ladder and create enough urgency that the recipient replies or clicks, thereby helping the cybercriminals break into the business house's network. Read all about spear phishing here; the link also contains some examples of spear phishing.
3] Whaling
Whaling is similar to spear phishing. The only difference is that spear phishing can target any employee, while whaling targets certain privileged employees, such as executives. The method is the same: the cybercriminals obtain the official email IDs and phone numbers of the victims and send them a compelling email or text with a call to action that could expose the corporate intranet or give the attacker a backdoor into it. Read more about whaling phishing attacks.
4] Smishing and Vishing
When cybercriminals use the short messaging service (SMS) to fish out personal details from victims, it is known as SMS phishing, or smishing for short. Vishing is the same trick carried out over a voice call, with the caller posing as a bank, a government agency or tech support. Read about smishing and vishing in detail.
5] QRishing scams
QR codes are not new. They are a compact, machine-readable way to carry a short piece of data, usually a URL, encoded as a square grid of black and white modules. You may have seen them on payment gateways, bank adverts, or simply on WhatsApp Web. The problem is that a human cannot read where a QR code leads before scanning it, so it is best to stay away from codes from unknown sources. That is to say, if you receive a QR code in an email or text from an entity you do not know, don't scan it; and if your scanner app shows the decoded URL before opening it, read that URL as carefully as you would a link in an email. Read more about QRishing scams on smartphones.
6] Tabnabbing
In tabnabbing, a page you left open in a background tab rewrites itself into a fraudulent login page while you are busy in another tab. The page was under the attacker's control all along; it merely looked harmless while you were watching it. Let's say:
- You navigate to a website that looks genuine.
- You open another tab and browse some other site.
- After a while, you come back to the first tab.
- You are greeted with a login form, maybe for your Gmail account, as if your session had expired.
- You log in again, not suspecting that the page, including its title and favicon, has changed behind your back! The address bar still shows the original site's URL, not Gmail's, and that is the tell.
This is tabnabbing, also called tabjacking.
Some other types of phishing are rarely used nowadays, so I have not named them in this post. The methods keep evolving, and new techniques are added to the crime all the time. Know the different types of cybercrimes if interested.
Identifying phishing emails and texts
While cybercriminals take every measure to trick you into clicking their links so that they can steal your data, a few pointers indicate that an email is fake.
In most cases, the phishers use a name familiar to you. It can be the name of any established bank or corporate house, such as Amazon, Apple or eBay. Look past the name at the actual email ID.
Phishers rarely send from an address at the organization they claim to represent. They use throwaway accounts or disposable domains, so anything from an unexpected domain is suspicious. In some cases they try to make the address look official by working the business name into it, for example by putting "amazon" in the part before the @ or in a subdomain. The email ID contains the name Amazon, but if you look closer it is not from Amazon's servers but from some fakeemail.com server: what counts is the domain immediately before the top-level domain, not any text placed in front of it.
So, if a mail claiming to be from Axis Bank, whose website is axisbank.com, comes from an email ID at a different domain, you must exercise caution. Also look for spelling errors: in the Axis Bank example, if the email ID comes from axsbank.com, it is a phishing email. Keep in mind that the From address itself can be forged, so a correct-looking domain is not proof on its own; mail providers check SPF, DKIM and DMARC for exactly this reason.
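To make the domain check above mechanical, here is an added example in Python (constructed for this article, not a tool from the site) that classifies a From: header against an assumed allow-list of domains a brand legitimately sends from. It flags a brand name smuggled into the local part, a subdomain or the display name, and typo-squat or homoglyph domains such as axsbank.com or paypa1.com. The sample headers and the BRAND_DOMAINS table are constructed, and the "last two labels" domain heuristic is a simplification noted in the code.

```python
"""Check whether a From: address really belongs to the brand it claims.

Added example, not from the original article. BRAND_DOMAINS and the sample
headers are constructed. registrable_domain() keeps the last two labels,
which is wrong for suffixes such as co.uk; a real deployment should use the
public suffix list instead.
"""
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains the brand legitimately sends from
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.in"},
    "axis bank": {"axisbank.com"},
    "paypal": {"paypal.com"},
}
REDIRECT_LIMIT_NOTE = "see docstring: naive eTLD+1"


def registrable_domain(host):
    """Naive eTLD+1: the last two labels of the hostname."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats like axsbank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(s):
    """Fold common look-alike substitutions (0/o, 1/l, rn/m, vv/w)."""
    return (s.replace("0", "o").replace("1", "l")
             .replace("rn", "m").replace("vv", "w"))


def classify_sender(from_header, brand):
    """Return (verdict, reason) for a From: header claiming to be `brand`.
    verdict is 'ok', 'suspicious' or 'phishing'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    local, host = addr.rsplit("@", 1)
    host = host.lower()
    actual = registrable_domain(host)
    expected = BRAND_DOMAINS[brand.lower()]
    if actual in expected:
        return "ok", f"sent from {actual}"
    # Brand name smuggled into the local part, a subdomain or the display name
    keyword = brand.lower().replace(" ", "")
    haystack = (local + " " + host + " " + display).lower().replace(" ", "")
    if keyword in haystack:
        return "phishing", f"brand name present but real domain is {actual}"
    # Typo-squat or homoglyph of an expected domain (compare the first label)
    for good in expected:
        g, a = normalise_homoglyphs(good), normalise_homoglyphs(actual)
        if a == g or edit_distance(a.split(".")[0], g.split(".")[0]) <= 2:
            return "phishing", f"{actual} looks like {good}"
    return "suspicious", f"unexpected domain {actual}"


if __name__ == "__main__":
    # Constructed sample headers
    samples = [
        ("Amazon <order-update@amazon.in>", "amazon"),
        ("Amazon <notify@amazon.com.fakeemail.com>", "amazon"),
        ("alerts@axsbank.com", "Axis Bank"),
        ("PayPal <service@paypa1.com>", "PayPal"),
        ("newsletter@shop-deals.example", "amazon"),
    ]
    for header, brand in samples:
        print(f"{header!r:48} -> {classify_sender(header, brand)}")
```

The From header is trivially forged, so treat this as a first filter: at a mail gateway the verdict should be combined with the Authentication-Results header (SPF, DKIM and DMARC), and the keyword rule will produce false positives for legitimate third-party senders whose local part happens to contain a brand name.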
PhishTank will help you verify or report Phishing websites
Precautions for phishing
The above section discussed identifying phishing emails and texts. The basis of all precautions is to check where an email came from instead of simply clicking the links in it. Do not give your passwords or security-question answers to anyone. Look at the email ID from which the email was sent.
If it is a text from a friend you know, you might still want to confirm that he or she really sent it. Call and ask whether they sent a message with a link.
Never click links in emails from sources you do not know. Even for emails that appear genuine, say from Amazon, do not click the link. Instead, open a browser and type Amazon's URL yourself. From there, you can check whether the entity actually needs anything from you.
Some messages say you have to verify a sign-up. Check whether you actually signed up for any service recently. If you cannot remember doing so, ignore the link.
What if I clicked on a phishing link?
Close the browser immediately. Do not tap anywhere or enter any information if you can't close the browser, as with some smartphones' default browsers; manually close each tab instead. If you did enter a password, change it right away from a device you trust and sign out of the other sessions for that account. Do not log in to any of your apps until you have run a scan with an antimalware app such as Bitdefender or Malwarebytes. There are paid apps, too, that you can use.
The same goes for computers. If you click a link, the browser will launch and some sort of duplicate website will appear. Don't click anywhere on the page. Just close the browser, or use the Windows Task Manager to close it if it will not close normally. Run an antimalware scan before using other applications on the computer.
Read: Where to report Online Scams, Spam and Phishing websites?
Please comment and let us know if anything is missing from this phishing cheat sheet.