Phishing is a type of cyber-attack in which attackers with malicious motives pose as reputable businesses in order to trick people and collect sensitive information such as their credit card details, usernames, or passwords. Because phishing involves psychological manipulation and relies on human error (rather than hardware or software vulnerabilities), it is recognized as a social engineering attack.
Typically, phishing attacks use fraudulent emails to lure users into entering sensitive information into fraudulent websites. These emails often ask users to reset their password or confirm their credit card information, and then lead them to a fake website that closely resembles the original one. The main types of phishing are copycat phishing, spear-phishing and domain spoofing.
Phishing attacks also exist in the cryptocurrency ecosystem, where malicious actors attempt to steal bitcoin or other digital currencies from users. For example, an attacker can spoof a website and change the wallet address to his or her own, making users think they are paying for a legitimate service when, in fact, the attacker is stealing their property.
What types of phishing are there?
Phishing is often divided into a number of different types depending on the target and attack vector. Some common examples are as follows:
- Duplicate phishing: The attacker takes a legitimate email that has already been sent out and duplicates it as a similar email containing a link to a malicious website. The attacker can then claim that it is an updated or brand new link and that the old one has expired.
- Spear phishing: This type concentrates on attacking a single person or organization – usually a well-known one. Spear attacks are more complex than other phishing types because they require a disguised identity. The attacker first collects information about the victim (e.g. the name of a friend or family member) and then constructs a message based on this data, which is used primarily to direct the victim to a malicious website or to download a malicious file.
- Domain spoofing: The attacker corrupts DNS records to direct visitors from legitimate sites to fraudulent sites that the attacker has laid out in advance. This is the most dangerous type and is impossible for users to prevent as DNS records are out of their control.
- Whale phishing: A type of spear phishing that targets the rich and important – such as CEOs and government officials.
- Email spoofing: Emails used for phishing typically spoof communications with legitimate companies or people. Such emails provide unsuspecting victims with links to malicious websites, which, when clicked, allow attackers to collect login information and PII by using cleverly disguised login pages that may contain Trojan horses, keyloggers and other malicious scripts that steal personal information.
- Website bounces: Website bounces lead users to URLs that are different from the original URLs. Attackers who exploit website vulnerabilities can plant bounces (functions) and install malware on users’ computers.
- Registration of lookalike domains: Phishing with the registration of lookalike domains directs traffic to fake websites that use foreign languages, have common spelling errors, or use slightly altered top-level domains. Phishers use domains to mimic the interface of legitimate websites, thereby tricking users who mistype or misread the URL.
- “Puddling”: In a puddling attack, phishers first analyze users and identify websites they frequently visit, then scan these sites for vulnerabilities and plant malicious scripts designed to target the next visit if possible.
- Impersonation and freebies: Impersonating influential people on social media is another trick in phishing. Phishers will pose as key leaders of companies and target their audience to promote freebies or other scams. Phishers can even use social engineering to find gullible users and thus target victims of the scam individually. The “actors” can decrypt the login details of authenticated users and change the username to impersonate a real person while maintaining a good authentication status. Victims are more likely to interact with seemingly influential people and provide PII, creating an opportunity for phishers to exploit their information. Recently, phishers have focused on platforms like Slack, Discord, and Telegram for the same purpose, using chat scams, impersonating people, and disguising legitimate services to conduct phishing attacks.
- Advertising: Paid advertising is another tactic used in phishing. These fake ads use “registered similar domains” and are paid to be pushed to search results. These sites may even become popular search results for legitimate companies or services. They are often used as a means of phishing for sensitive information, which may include the login details of your trading account.
- Malicious applications: Phishers may also use malicious applications as a vehicle to plant malware that monitors users’ behavior or steals sensitive information. They may disguise apps as price tracking software, wallets, and other tools related to cryptocurrencies (there is already a user base that tends to trade and hold cryptocurrencies).
- SMS and Voice Phishing: SMS phishing, a form of phishing based on text messages, and voice phishing, a form of phishing based on voice or phone equivalents, are other ways attackers attempt to obtain personal information.
Phishing and Domain Spoofing
Although some people view domain spoofing as a phishing attack, it relies on a different mechanism. The main difference between phishing and domain spoofing is that in a phishing attack, the victim must do the wrong thing themselves, whereas domain spoofing only requires the victim to attempt to access a legitimate website whose DNS records have been compromised by the attacker.
- Stay alert: The best defense against phishing is to judge and review incoming emails. Are you supposed to receive an email from the sender about this subject? Do you suspect that the person is asking you for information that is not relevant to his business? If any of these doubts exist, try to contact the sender by other means.
- Check the content: You can enter parts of the content (or the sender’s email address) into a search engine to check if there is a record of a phishing attack using this method.
- Try other methods: If you think you have received a legitimate request to confirm account information for a familiar business, try performing this action in a different way and do not click on the link in the email.
- Check the URL: Move your mouse over the link without clicking on it and check that the link starts with HTTPS and not HTTP. Note, however, that checking the beginning alone does not guarantee that the site is reliable, so double-check the URL for spelling errors, special characters and other unusual features.
- Don’t share your private key: Never give out your Bitcoin wallet’s private key, and be vigilant in determining whether the cryptocurrency products and sellers you are dealing with are legitimate. The difference between paying with crypto and paying with a credit card is that if you never receive the goods or services agreed upon, the government will not dispute the charge. This is why you must be especially careful when dealing with cryptocurrency transactions.
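The URL checks from the tips above (HTTPS, spelling errors, special characters) and the lookalike-domain tricks listed earlier can be automated on the defender's side. The following is an added example, not part of the original article; the allowlist, the sample links and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user actually deals with (assumption).
TRUSTED = ("example-exchange.com", "example-bank.com")

def edit_distance(a, b):
    """Levenshtein distance; small values indicate a likely misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return warnings for a link; an empty list means no check fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        warnings.append("userinfo-in-url")  # text before '@' is not the host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("special-characters")  # possible look-alike letters
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return warnings  # a trusted domain or one of its subdomains
    lookalike = []
    for t in trusted:
        name, _, tld = t.rpartition(".")
        h_name, _, h_tld = host.rpartition(".")
        if h_name == name and h_tld != tld:
            lookalike.append("altered-tld:" + t)
        elif edit_distance(host, t) <= 2:
            lookalike.append("misspelling:" + t)
        elif name in host:
            lookalike.append("brand-in-untrusted-host:" + t)
    return warnings + (lookalike or ["unknown-domain"])

if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for u in ("https://example-exchange.com/login",
              "http://examp1e-exchange.com/login",
              "https://example-exchange.co/reset",
              "https://example-exchange.com.account-check.example/"):
        print(u, "->", check_url(u) or "ok")
```

An empty result only means none of these checks fired; as the tip above says, it does not guarantee that the site is reliable.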
Phishing is one of the most widespread and common cyber-attack techniques. While email filtering software from mainstream services can be effective in filtering out fake messages while leaving genuine ones, you still need to take care to act as a good last line of defense. Be alert to any attempts to obtain sensitive or private information from you and, if possible, confirm with the sender through another channel that the request is legitimate. Avoid clicking on links in emails about security incidents and go to the page yourself instead, and also check that the HTTPS at the beginning of the URL is correct. Finally, be particularly careful with cryptocurrency transactions, as there is no way to reverse them in the event that the merchant holds out until the transaction is completed. Always keep your private keys and passwords private and do not trust any information lightly.
BitWell is committed to building a fair and transparent global digital asset trading platform, providing investors with secure, convenient and intelligent blockchain derivatives trading services.