Phishing Attacks

…what we all want to avoid

www.ChumrumDigital.com

CONTENT

1. WHAT A PHISHING ATTACK IS
2. RISKS
3. TYPES OF PHISHING AND HOW TO IDENTIFY THEM
4. HOW TO PREVENT PHISHING ATTACKS
5. WHAT TO DO IF YOU REALIZE YOU’VE BEEN PHISHED
Q & A

1- What is a Phishing Attack?

Phishing vs Fishing

Photo credit to the owner

A phishing attack is essentially an online scam.

It starts with some kind of communication - an email, a social media post, a tweet, a chat message, or an SMS - that is designed to look like it comes from a trusted source.

Common objectives of a phishing attack

  • Stealing credentials such as username and password (with fake websites)
  • Obtaining sensitive or confidential information
  • Fraud
  • Installing malicious software / ransomware
  • Disinformation

Phishing - Stages of Attack

  • Selecting a target
  • Collecting information about the target
  • Launching the attack
  • Following up with those who fell for the attack
    • This can take the form of ransomware being activated, files being stolen, identity theft, etc.

Signs of Phishing - Common Methods Used

  • Rumors (“See what your co-workers said about you!”...)
  • Shame (“I have pictures of you doing something horrible...”)
  • Hot Topics (“The latest news on…”)
  • Emotions (Hate / Sadness / Love / Longing / Nostalgia…)
  • Needs / Wants for non-financial things (Residency / Immigration, Conference attendance…)
  • Supposed Identity Theft (“Click here to secure your bank information…”)
  • Proximity (“I know that you live in xyz city, so do I! Help me out!”)
  • Character (“I know that you work on human rights like me…”)
  • Greed (“You’ve won TONS of money!”)
  • Religious holidays (“Look at this card for [Holiday-Name] that your colleagues made!”)
  • Knowledge / Process Insecurity (“YOU DIDN’T PROPERLY SETUP AUTHENTICATION!”)
  • Reputation (“You have a message from the United Nations!”)
  • No HTTPS and Forged Links (http://accounts.googl.e.me)

Delivery

  • E-mail (link, attachment, image)
  • Social media (Facebook, Twitter…)
  • Messengers (Facebook, WhatsApp, Telegram…)
  • Voice call, SMS
  • USB sticks…

Message

  • Highly customized
  • Convincing
  • Using emotions

Payload

  • Perform an action
  • Download an attachment with a virus
  • Click a link to a phishing website
  • Click a link to a malicious website

Actual attack

2- Risks

Personal Risks

  • Money stolen from your bank account
  • Fraudulent charges on credit cards
  • Lost access to photos, videos, and files
  • Fake social media posts made in your accounts
  • Cybercriminals impersonating you, putting friends or family members at risk

At Work Risks

  • Loss of corporate funds
  • Exposing personal information of partners, coworkers, and customers
  • Files becoming locked and inaccessible
  • Damage to your organization's reputation

3- Types of Phishing and How to Identify Them

E-mail Phishing

The most common form of phishing, this type of attack uses tactics like phony hyperlinks to lure email recipients into sharing their personal information.

E-mail Phishing Example – Fake Facebook

(Annotated screenshot with three callouts. Annotation: Hover over the link)

E-mail Phishing Example - Fake PayPal

(Annotated screenshot with four callouts)

Vishing attacks

Vishing is a phone scam. Scammers carrying out such attacks often pose as employees of government agencies, banks, etc.

Vishing Example

Photo credit to the owner

SMiShing attacks

SMiShing involves SMS messages (texts). The attacker may impersonate someone you know to ask for money or personal information.

Increasingly often they pose as WhatsApp, Facebook or another social media platform to ask you for the verification code that you receive via the platform.

SMiShing Example – SMS with fake website

(Screenshot)

SMiShing Example - Facebook

(Annotated screenshot with three callouts)

SMiShing Example - Fake Facebook

(Annotated screenshot with three callouts)

SMiShing Example - OTP Code Telegram

DO NOT SCREENSHOT

(Annotated screenshot with two callouts)

SMiShing Example - Fake Website

(Annotated screenshot with five callouts)

Spear phishing

Spear phishing is an attack that targets a specific person through email, social media, SMS, or chat messages that look convincingly like they come from someone the target knows – like a colleague or friend.

Spear Phishing Example

(Annotated screenshot with four callouts)

Whaling attacks

Whaling attacks are spear phishing attacks that target the “big fish”, such as heads of organizations and owners or chief editors of media organizations.

Whaling Phishing Example

(Screenshot)

4- How to Prevent Phishing Attacks

Think before you click!

Best Practices:

  1. Continue learning
  2. Do not post or reveal personal information on social media
  3. Do not provide your personal information via a link attached to emails or messages
  4. Do not believe words of comfort or lures, and do not fall for reward-offering tricks
  5. Check the link carefully before clicking by hovering over it with the mouse
  6. Make sure the sender's email address is legitimate
  7. If you don’t know the sender, DO NOT click the link
  8. Delete the suspicious message
  9. If you receive an email asking you to provide confidential information or change your password, verify it with the relevant source first
  10. Do not install unnecessary software, and update the software you have regularly
  11. Update the apps on your smartphone regularly
  12. Update the OS on both your computer and your smartphone regularly
  13. Never share your password with others
  14. Enable two-factor authentication
  15. NEVER give away your 6-digit OTP code to anyone

Before you click:

  • Verify the sender’s email address and the Reply-To address
  • Does it create a sense of urgency?
  • On any email client you can examine hypertext links (hover over a link to see its real destination before clicking)
  • Use https://unshorten.it/ to reveal the real URL behind a short URL
  • Use https://www.virustotal.com/ to check the URL or attached files
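The "Before you click" checks can be applied mechanically to a message before anyone opens it. The script below is an added example written for this page, not code from the Chumrum Digital deck or its authors. It assumes a single-part HTML e-mail, uses small illustrative brand, shortener and urgency lists (assumptions, not authoritative sources), and runs over a constructed sample message whose forged link is the http://accounts.googl.e.me one from the Signs of Phishing slide.

```python
"""Automate the deck's 'Before you click' checks on one raw e-mail.

Added example, not code from the Chumrum Digital deck. Checks: Reply-To
differing from From, urgency wording in the subject, link text naming a
different host than the href, non-HTTPS links, shortened links, and hosts
that imitate a brand (the deck's http://accounts.googl.e.me) while being
registered elsewhere. The lists below and the sample are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: small illustrative lists, not authoritative sources.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
BRANDS = {"google": "google.com", "facebook": "facebook.com", "paypal": "paypal.com"}
URGENCY_WORDS = {"urgent", "immediately", "suspended", "limited"}

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL or bare domain, with any leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def registered_domain(host):
    """Last two labels of a host: accounts.googl.e.me -> e.me (a simplification)."""
    return ".".join(host.split(".")[-2:])

def check_link(text, href):
    """Return warning strings for one anchor; an empty list means nothing stood out."""
    warnings, dest = [], host_of(href)
    if urlparse(href).scheme != "https":
        warnings.append(f"not HTTPS: {href}")
    if dest in SHORTENERS:
        warnings.append(f"shortened link hides the real destination: {href}")
    # Link text that looks like a domain but points elsewhere is what hovering reveals.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != dest:
        warnings.append(f"link text shows {shown} but href goes to {dest}")
    # Dots are stripped first so 'googl.e.me' still reads as 'google'.
    for brand, real in BRANDS.items():
        if brand in dest.replace(".", "") and registered_domain(dest) != real:
            warnings.append(f"{dest} imitates {brand} but is registered under {registered_domain(dest)}")
    return warnings

def check_headers(msg):
    """Warn on a Reply-To / From domain mismatch and on urgency wording in the subject."""
    warnings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_dom:
        warnings.append(f"Reply-To {reply_addr} does not match From domain {from_dom}")
    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        warnings.append(f"subject pushes urgency: {subject}")
    return warnings

def analyze(raw_message):
    """Run every check over a raw single-part HTML e-mail and return all warnings."""
    msg = message_from_string(raw_message)
    findings = check_headers(msg)
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    for text, href in extractor.links:
        findings.extend(check_link(text, href))
    return findings

# Constructed sample; the forged link is the one shown on the 'Signs of Phishing' slide.
SAMPLE = """\
From: Google Accounts <no-reply@google.com>
Reply-To: helpdesk@mail-verify.example
Subject: Urgent: confirm your account
Content-Type: text/html

<p>Sign in today or your account will be limited.</p>
<p><a href="http://accounts.googl.e.me/login">accounts.google.com</a></p>
<p><a href="https://bit.ly/abc123">Read the full notice</a></p>
<p><a href="https://www.google.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    print("\n".join("WARNING: " + finding for finding in analyze(SAMPLE)))
```

Run as a script it prints six warnings for the sample: the Reply-To mismatch, the urgent subject, and for the forged link the missing HTTPS, the mismatch between the displayed domain and the real host, and the brand imitation; the bit.ly link is flagged only as a shortener, and the genuine Help Center link passes clean. The registered-domain shortcut (last two labels) is a deliberate simplification that does not handle suffixes such as co.uk; a real deployment would use a public-suffix list, and checks like this belong in the mail gateway or a report-phishing triage step rather than in each user's hands.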

5- What to do if you realize you’ve been phished

If you have clicked on a phishing link and entered your login details or credit card information into a fake website:

  1. Do not panic.
  2. Change your password.
  3. Cancel your credit card and notify your bank.
  4. Check that the attacker has not added a strange email, phone number, or secondary email address to the account.
  5. Check other accounts linked to your email to make sure the attacker has not tried to reset their passwords.
  6. Change the password for all accounts if you use the same password.
  7. Let your contacts know you have been phished.
  8. Tell your organization’s IT person that you have been phished.
  9. If you’ve been logged out of the account, reach out to the platform.

You got phished and downloaded a virus - what do you do now?

  1. Do not panic.
  2. Disconnect the device from the internet.
  3. Check whether you can still access the device or are locked out (by ransomware).
  4. If possible, contact a digital security expert (your organization’s IT person, or a trusted local IT specialist).
  5. Run an antivirus scanner if you can still access your device.
  6. If you no longer have access to your device, ask your IT person to wipe the device and restore your latest backup.
  7. Tell your contacts and colleagues that you have been phished.

Thank You!

Website: chumrumdigital.com
Facebook: chumrumdigital
E-mail: meet@chumrumdigital.com
Telegram: https://t.me/chumrumdigital
Instagram: chumrum_digital

Q&A