Phishing, which is witnessing a rise in the wake of increased mobile phone usage, is avoidable if users exercise a certain degree of caution
Information and technology have many benefits, but there are some dangers associated with them as well. One of those is phishing. In phishing, attackers create a fake website of a well-known company that closely resembles the original website, and send out tempting mails. The mail generally contains offers, and the user is asked to click on a hyperlink to avail of them. Nowadays, with increased mobile usage, hackers are sending offer messages containing malware-embedded hyperlinks via SMS or WhatsApp instead of email.
Malware damages the software and steals the financial information of the user, including debit or credit card details, password, OTP, CVV, mobile number, home and office address, bank account number, date of birth etc. Hackers can also send fake emails from the user's email account to others without the user's knowledge. This could lead to serious consequences. For example, if the target user happens to be a person working for the security of the country, sensitive information can be put at risk. Anyone's reputation can also be tarnished by fake emails.
Phishing emails during the pandemic
How dangerous phishing emails can be was revealed during the coronavirus period, when the spreading of rumours was on the rise. Vietnam-based security firm VinCSS has reported an increase in the number of phishing emails related to coronavirus. During the pandemic, many phishing emails about the coronavirus were circulated in countries like China, Mongolia, North Korea etc.
Types of phishing
Phishing attacks are largely carried out through email and SMS, but the prevalence of phishing has increased in the changing environment. Spear phishing, clone phishing, whaling phishing, link manipulation, fake websites, fraud with the help of social engineering, etc. are the major types of phishing. Spear phishing involves sending tempting mails so that the user, out of greed, shares their financial information. Through clone phishing, hackers create duplicate email IDs and, posing sometimes as bank employees and sometimes as employees of credit card companies, try to dupe people into giving up debit or credit card numbers, bank account numbers, passwords, CVV and OTP. Under whaling phishing, the email is drafted in such a way that it appears to have been sent by a higher official of the user's company; assuming the mail is genuine, the user provides the requested information to the hacker. Through link manipulation, the hacker sends the user, by mail or SMS, a link that appears to correspond to the bank's URL. Clicking on the link opens a page of the fake website. As soon as the user clicks on the "Submit" button after providing the required information, an error message appears on the page and the money is debited from the bank account or credit card account. The senders of emails under social engineering fraud claim to be employees, vendors etc. of a reputed organisation. They deceive users by taking them into confidence.
Phishing through mobile phones
With the growing use of mobile phones, phishing attacks are now being carried out more through SMS and WhatsApp than email, as it is easier to send malware hyperlinks through these newer modes. As a result, users receive SMSes daily with offers of various branded phones, laptops, electronic accessories, personal loans at affordable rates etc.
Preventing mobile hacking
As soon as users feel that their mobile has been hacked, they should immediately turn off the mobile phone. Because connectivity is broken, the user can avoid the hack. If the mobile user is new, then he or she should first turn off the phone and take out the SIM. The phone should be turned on again only after 10 seconds.
Perils of unknown apps
Mobile apps with malware are the easiest way for hackers to hack someone's mobile. Since such apps are shared as 'certified' apps on social media platforms and in WhatsApp group chats, people land in trouble by installing them on their mobile phones. According to technology experts, such apps work on screen sharing. Because of this, the hacker immediately takes control of the mobile phone and easily obtains the financial credentials of the user. Not only this, with the help of such apps, the hacker can also make payments using internet banking and other payment apps like BHIM, Google Pay, PhonePe and Paytm.
Users can recognise the danger of phishing if they carefully read the text of the email or SMS and look closely at the company logo. The text of hyperlinks forwarded in phishing emails, SMS or WhatsApp messages is misspelled. The messages tend to contain grammatical errors and other errors that are easily identifiable. Phishing hackers create logos that imitate those of companies but are quite different from the originals. The company's URL is also misspelled.
The bank or credit card company never asks for a customer's account details over email, SMS or phone. If users feel that they have shared personal information in the wrong place or have clicked on a malware hyperlink, they should not share any further information. To prevent misuse of the account, check the account statement immediately. If there is no unwanted withdrawal from the account, then temporarily stop withdrawals from the bank account. Similarly, users should check the credit card account. The card should be temporarily blocked if there is no unwanted withdrawal from the account.
It is not difficult to avoid suspicious hyperlinks being forwarded through phishing mail, SMS or WhatsApp. All one needs is to be careful and alert. The rate of financial literacy in India is very low. Still, if people know how to send mail and operate mobiles, they can be alert and careful enough to avoid online fraud. In this case, caution is the only defence. Therefore, users should beware of suspicious pop-ups during browsing sessions; avoid saving card information on websites, mobiles, or public laptops or desktops; immediately delete attachments that come from unknown numbers or email IDs; ignore messages about online lotteries, gaming or free downloads; and log on to a website by typing the correct URL in the browser's address bar. Share the user ID and password on the authorised login page only. The URL of the login page must begin with 'https://' and not 'http://'. 'S' means safe. Encryption is used in web pages with 's'. On the right-hand side of the browser and towards the VeriSign certificate, the user should also see the lock symbol. If users follow these steps, then they can also avoid phishing and other methods of online fraud.
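The URL checks described above (a misspelled company URL, 'https' rather than 'http') can be automated; the following Python script is an added example, not part of the original article, and it also shows that a link can begin with https and still be a lookalike. The allow-list domains and the sample SMS are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: the domains this user really deals with (assumption).
KNOWN_DOMAINS = ("examplebank.com", "example-pay.in")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return a list of warning strings for one URL; an empty list means no flag raised."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return warnings  # genuine domain or one of its subdomains
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if edit_distance(host, known) <= 2:
            warnings.append("lookalike-of:" + known)  # misspelled company URL
            break
        if brand in host:
            warnings.append("brand-in-foreign-host:" + known)  # real name, wrong site
            break
    return warnings

def scan_message(text):
    """Map every http(s) link found in a message to its warnings."""
    links = (u.rstrip(".,;)") for u in URL_RE.findall(text))
    return {u: check_link(u) for u in links}

# Constructed sample SMS, not taken from any real campaign.
SAMPLE_SMS = ("Dear customer, your card is blocked. Verify at "
              "https://examp1ebank.com/verify or http://examplebank.com/offers today")

if __name__ == "__main__":
    for link, flags in scan_message(SAMPLE_SMS).items():
        print(link, flags or "ok")
```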
Views expressed are personal