
Phishing is a way of fraudulently acquiring sensitive information using social engineering and technical subterfuge.

It tries to trick users with official-looking messages, typically about:
Credit card
Bank account
eBay
PayPal

Some phishing e-mails also contain malicious or unwanted software that can track your activities or slow your computer.
India lost around $53 million (about Rs 328 crore) to phishing scams, with the country facing over 3,750 attacks in July-September last year.

4th largest target of phishing attacks in the world

7% of global phishing attacks are targeted at India

The US tops the ranking with 27% of phishing attacks

RSA identified 46,119 phishing attacks globally in September, a 36 per cent increase compared with August (33,861)
Three components of a phishing operation:
Mail sender: sends a large volume of fraudulent emails
Collector: collects sensitive information from users
Casher: uses the collected sensitive information to encash it (turn it into money)
Creating fake URLs and sending them
Misspelled URLs:
www.sbibank.statebank.com
www.micosoft.com
www.mircosoft.com
Creating anchor text whose visible link text differs from the real destination in the href:
<a href="actual destination URL">Link Text shown to the user</a>
Fake SSL lock: simply show a lock icon so that users feel secure
Getting valid certificates for fraudulent sites, because the certifying agency is not alert
Sometimes users overlook security certificate warnings
URL manipulation using JavaScript
"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking.

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
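As an added example (not from the original slides), a small Python checker for the two tricks described above, misspelled look-alike domains and anchor text that masks the real destination: it extracts links from an HTML e-mail body, compares the host named in the visible text with the host in the href, and matches the href's domain against a constructed allow-list of trusted domains. The domain list, regexes and sample e-mail are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation treats as legitimate.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "ebay.com"}
# Simplistic anchor matcher: captures the href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
# Something in the link text that looks like a host name, e.g. www.paypal.com
HOSTLIKE_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)

def registrable(host):
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])  # crude "example.com": last two labels

def edit_distance(a, b):  # Levenshtein: catches 1-2 character typos such as micosoft.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(host):
    # Return the trusted domain that `host` imitates, or None if trusted or unrelated.
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(reg, trusted) <= 2:  # typo-squatted registrable name
            return trusted
        if trusted.split(".")[0] in host.split(".")[:-2]:  # brand used as a subdomain
            return trusted
    return None

def suspicious_links(html):
    # Flag anchors whose visible text names another host than the real href, and look-alike hrefs.
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOSTLIKE_RE.search(text)
        if shown and real_host and registrable(shown.group(1)) != registrable(real_host):
            findings.append(("masked", text, real_host))
        imitated = lookalike_domain(real_host) if real_host else None
        if imitated:
            findings.append(("lookalike", real_host, imitated))
    return findings
```

Hrefs with no host, such as javascript: URLs, produce no finding here; a production filter would flag those outright.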
Types of phishing:
Spear phishing
Clone phishing
Phone phishing
Whaling
Spear phishing is a targeted form of phishing in which fraudulent emails target specific organizations in an effort to gain access to confidential information.

Spear phishing focuses on specific individuals or employees within an organization and uses social media accounts such as Twitter, Facebook, and LinkedIn to customize accurate and compelling emails.

These emails contain infected attachments and links. Once the link is opened, it executes malware that leads the target to a specific website. The attackers can then establish their networks and move forward with the targeted attack.
Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.

The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.

This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties having received the original email.
Phone phishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.
It is sometimes referred to as "vishing", a word that is a combination of "voice" and "phishing".
Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities.
The term whaling is a play on words because an important person may also be referred to as a "big fish." In gambling, for example, whales are high-stakes rollers who are given special VIP treatment.
Due to their focused nature, whaling attacks are often harder to detect than standard phishing attacks.
Banks and their customers lose crores of rupees every year. To counter this, banks:
hire professional security agencies who constantly monitor the web for phishing sites
regularly alert users to be vigilant and not to fall prey
use the best state-of-the-art security software and hardware
maintain whitelists and blacklists of phishing sites
Weaknesses that phishing exploits:
Misleading e-mails
No check of the sender's source address
Vulnerabilities in browsers
No strong authentication at websites of banks and financial institutions
Limited use of digital signatures
Non-availability of secure desktop tools
Lack of user awareness
Vulnerabilities in applications
No single technology will completely stop phishing.
However, a combination of good organization and practice, proper application of current technologies, and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it.
