Phishing

How to be Safe from Phishing?

As per the definition from Britannica phishing, act of sending e-mail that purports to be from a reputable source, such as the recipient’s bank or credit card provider, and that seeks to acquire personal or financial information. As Infopercept we conduct multiple types of Phishing Campaigns where our work is to emulate a real attacker and try to get the information from End User to help improve an organizations security and make people aware on how to be safer online and offline.

Different Types of Phishing Attacks conducted by us:

• Phishing

• Vishing

• Angler Phishing

• Whaling

All the above mentioned are different ways of Social Engineering and its end goal is to same to extract information from end user which you are not authorized to get. Let’s understand all of them one by one.

Phishing

• This is the most common form of Phishing where Email is shared in mass to most or all of the End users of Organizations and we tend to create a Hurry or sense of Urgency so a user clicks on the Email without thinking twice. A sense of Urgency is created so a user doesn’t get to look at all the red flags in the email. Whenever we do Red Team Engagements, we take it a step further by adding hyperlink where we capture users’ credentials or attach a malicious file where upon execution gives us a reverse shell (Control of Machine).

(Sample Phishing Email)

Vishing

• This is type of Social Engineering where we tend be someone trustworthy and try to gain information from the victims. Attackers use this technique to take OTPs, get credentials, etc. As part of Red Team Engagements, we usually use it to gain more insight about what their infrastructure is like, we usually ask for information like what OS version they are using, what software are they using, we occasionally also try to get their IP if the victim is working in IT field.

Angler Phishing

• This is new kind of attack where we send victims where we tend to be a corporation where we say that you have won a giveaway and as part of it, we need some details to redeem that information. Usually, people get excited upon seeing these kinds of messages and usually forget to check for the sender’s authenticity. These kinds of tests are usually performed by us in Red Team Engagements when we are unable to deliver the payloads via email.

(Sample Angler Phishing Message)

Whaling

• Whaling is attack whereas name suggests we try to catch the top executives in Phishing, it is sort of targeted attack so the bulk mailing of Phishing doesn’t mark our Emails as spam and almost all of the organizations allow the top management/executives to send mails outside of domain which is not the case for most of the users. Through whaling we try to capture credentials or we deliver them a malicious file which upon execution gives us complete control over their machine.

(Sample Whaling Email)

How to be safe from the above-mentioned attacks

• Check for spelling mistakes in Domain name and email

• Hover over the hyperlinks to make sure that the mail is redirecting to authentic site

• Never download files from unknown sender

• Always be cautions when downloading files like exe, zip, rar, dll, sh, etc.

• Always check with sender for authenticity

• If you get a call, try to make sure that the person talking is what they are claiming to be

• Check that mail doesn’t have a generic greeting

• Always use MFA

• Keep your System up to date

• Verify sites security

• Be wary of Pop Ups

• Never give out your credentials on any website aside from Main website (Even if you get a login link in email, always keep a practice to instead login using the main website)