Diff: Phishing
Comparing revision #1 (2023-06-12 16:11:24) with revision #2 (2026-06-22 07:34:31).
Old (revision #1, 2023-06-12 16:11:24):

Phishing refers to the deceptive practice of attempting to acquire sensitive information, such as usernames, passwords, credit card details, or other personal and financial information, by posing as a trustworthy entity in electronic communication. Phishing attacks typically occur through email, instant messaging, or fraudulent websites designed to trick recipients into divulging their confidential information. This wiki page provides an overview of phishing, its techniques, and the actions individuals can take to protect themselves from scammers.

== Techniques Used by Scammers ==

Scammers employ various techniques to carry out phishing attacks and deceive their targets. Some common techniques used in phishing include:

=== 1. Email Spoofing ===

Email spoofing involves forging the sender's email address to make it appear as if the email is sent from a legitimate source, such as a reputable company or organization. Scammers often mimic the branding, logos, and formatting of well-known entities to trick recipients into believing the email is genuine.

=== 2. Social Engineering ===

Social engineering techniques exploit human psychology to manipulate individuals into revealing sensitive information. Scammers may craft compelling narratives, urgent requests, or create a sense of fear or curiosity to persuade recipients to click on malicious links, open infected attachments, or provide personal details.

=== 3. Fake Websites ===

Scammers create fraudulent websites that closely resemble legitimate websites of banks, e-commerce platforms, or popular services. These websites are designed to trick users into entering their login credentials or financial information, which is then harvested by the scammers.

=== 4. Smishing and Vishing ===

Smishing (SMS phishing) and vishing (voice phishing) are variants of phishing that occur through text messages or phone calls, respectively. Scammers send fraudulent text messages or make phone calls, posing as legitimate organizations, to trick recipients into providing sensitive information over the phone or by clicking on links sent via text message.

== Impact and Countermeasures ==

Phishing attacks can have severe consequences, including financial loss, identity theft, and compromised personal and corporate data. To protect against phishing scams, individuals can take the following countermeasures:

=== 1. Awareness and Education ===

Raising awareness about phishing techniques and common scam tactics is crucial. Individuals should learn how to identify phishing emails, suspicious websites, and suspicious requests for personal information. Training programs and educational resources can help individuals recognize and avoid falling victim to phishing attacks.

=== 2. Secure Communication Channels ===

Using secure communication channels, such as encrypted email and secure messaging platforms, can help mitigate the risk of information interception and tampering by scammers.

=== 3. Suspicion and Vigilance ===

Maintaining a healthy level of suspicion when interacting with emails, messages, or websites is essential. Scrutinize email senders, check for grammatical errors or inconsistencies, and avoid clicking on links or downloading attachments from suspicious or unsolicited sources.

=== 4. Two-Factor Authentication ===

Enabling two-factor authentication (2FA) adds an extra layer of security to online accounts. By requiring an additional verification step, such as a unique code sent to a trusted device, 2FA helps protect accounts even if login credentials are compromised.

=== 5. Reporting Phishing Attacks ===

Individuals should report phishing attacks to the appropriate authorities, such as the organization being impersonated, their internet service provider, or local law enforcement agencies. Reporting such incidents helps authorities take action against scammers and raise awareness within the community.

New (revision #2, 2026-06-22 07:34:31):

'''Phishing''' is a form of social engineering in which criminals use emails, text messages, phone calls, social media messages, or websites to trick people into revealing information, opening malicious files, sending money, or visiting fraudulent websites.

The National Cyber Security Centre describes phishing as scam emails, text messages or phone calls used to trick victims, often by making them visit a website that steals bank details or other personal information, or downloads malicious software.

== Common Channels ==

Phishing can arrive through:

* Email.
* Text message.
* Phone call.
* Messaging apps.
* Social media.
* Fake adverts.
* QR codes.
* Fake login pages.
* Compromised websites.

Text-message phishing is often called smishing. Voice-call phishing is often called vishing.

== Impersonation ==

Phishing usually depends on impersonation. Criminals may pretend to be a bank, courier, government department, police force, employer, cloud service, streaming provider, parcel company, dating platform, or cryptocurrency exchange.

The message often creates urgency. It may claim that an account will be closed, a parcel is waiting, a payment has failed, tax is due, a refund is available, or suspicious activity has been detected.

== Links and Attachments ==

A phishing link may lead to a fake login page, payment page, malware download, or form asking for personal details. Attachments may contain malicious documents, scripts, or links to further pages.

The visible link text may not match the real destination. Criminals also use lookalike domain names, shortened links, compromised legitimate sites, and spoofed sender names.

== Reporting in the UK ==

Suspicious emails can be forwarded to the National Cyber Security Centre's Suspicious Email Reporting Service at report@phishing.gov.uk. Suspicious text messages can usually be forwarded to 7726, the free spam-reporting service used by mobile providers.

If money has been lost, account access has been stolen, or a person has been hacked, GOV.UK directs people in England and Wales to Report Fraud. In Scotland, reports should be made to Police Scotland.

== Practical Examples ==

=== Fake Bank Login ===

An email claims that a bank account will be suspended unless the user logs in. The link opens a copied bank page controlled by criminals.

=== Parcel Fee Scam ===

A text message says a parcel is waiting and asks for a small delivery fee. The payment page collects card details.

=== Business Invoice Attack ===

An attacker sends an email pretending to be a supplier and changes bank details on an invoice. This overlaps with business email compromise.

== Prevention ==

Useful habits include checking the sender and domain carefully, avoiding links in unexpected messages, using bookmarks or typed addresses for important services, enabling multi-factor authentication, keeping software updated, and reporting suspicious messages.
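The sender and link checks described under Links and Attachments and Prevention above, as an added example that is not part of the original article: a small Python triage script run over a constructed sample message. It assumes a hypothetical allowlist KNOWN_DOMAINS of domains the recipient actually uses, a short list of URL shorteners, and a crude registered-domain helper in place of a real public-suffix list. The spoofed addresses, the failing Authentication-Results header and the links in SAMPLE_EMAIL are all constructed.

```python
"""Defender-side triage of a suspicious email: sender authentication and link checks.
Added example for this page, not code from the original article; allowlist,
shortener list and sample message are constructed for illustration."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"examplebank.co.uk"}           # hypothetical: domains the user really uses
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}   # destinations hidden behind a redirect
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"))

# Constructed sample: lookalike sender domain, failing SPF/DMARC, a link whose
# visible text differs from its href, a punycode host and a shortened link.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examp1ebank.co.uk>
To: customer@example.net
Subject: Your account will be suspended
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examp1ebank.co.uk;
 dkim=none; dmarc=fail header.from=examp1ebank.co.uk
Content-Type: text/html; charset="utf-8"

<p>Log in within 24 hours to keep access:</p>
<a href="https://xn--exmplebank-9hb.co.uk/login">https://examplebank.co.uk/login</a>
<a href="https://bit.ly/3xAmpLe">Track your refund</a>
"""

def registered_domain(host):
    """Crude eTLD+1 (handles co.uk-style suffixes); use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def normalise(domain):
    """Undo common character swaps so examp1ebank compares equal to examplebank."""
    for bad, good in SUBSTITUTIONS:
        domain = domain.replace(bad, good)
    return domain

def lookalike_of(domain):
    """Return the known domain this one imitates, or None if it is known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    return next((k for k in KNOWN_DOMAINS if normalise(domain) == normalise(k)), None)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_sender(msg):
    findings = []
    sender = msg["From"].addresses[0]
    imitated = lookalike_of(registered_domain(sender.domain))
    if imitated:
        findings.append(f"sender domain {sender.domain} resembles {imitated}")
    # Authentication-Results is stamped by the receiving server, so a forged From
    # header does not make SPF, DKIM or DMARC pass.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings

def check_links(msg):
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        host = host_of(href)
        target = registered_domain(host)
        if target in SHORTENERS:
            findings.append(f"shortened link {href} hides its destination")
            continue
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"link {href} uses a punycode (xn--) host label")
        shown = registered_domain(host_of(text)) if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but the href goes to {target}")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(f"link target {target} resembles {imitated}")
    return findings

def triage(raw_message):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    return check_sender(msg) + check_links(msg)
```

Running `triage(SAMPLE_EMAIL)` on the constructed message yields seven findings: the lookalike sender domain, the three non-passing authentication results, the punycode host, the text/href mismatch and the shortened link. The substitution table is deliberately small; a production check would also compare against a public-suffix list and a homoglyph table rather than a handful of digit-for-letter swaps.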
|
== See Also ==

* [[Spam]]
* [[Technical Support Scam]]
* [[Scamming Techniques]]
* [[Cybersecurity]]
* [[Online Privacy]]
* [[Advance Fee Fraud]]

== References ==

* [https://www.ncsc.gov.uk/collection/phishing-scams National Cyber Security Centre: Phishing scams]
* [https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email National Cyber Security Centre: Report a scam email]
* [https://www.gov.uk/report-suspicious-emails-websites-phishing GOV.UK: Avoid and report internet scams and phishing]
* [https://www.askthe.police.uk/faq/?id=ea404fa3-420e-f011-998a-6045bdcf9c56 Ask the Police: suspicious, phishing or scam email advice]
* [https://www.reportfraud.police.uk/ Report Fraud]

[[Category:Fraud]]
[[Category:Cyber security]]