Types of Phishing - Cheat Sheet and Things you need to know
“Congratulations! You have won n million Dollars. Send us your bank details.” If you are on the Internet, you might have seen such emails in your inbox or junk mailbox. Such emails are called phishing: a cyber-crime wherein criminals use computer technology to steal data from victims that can be individuals or corporate business houses. This Phishing cheat sheet is an attempt to give you as much knowledge about this cyber-crime as possible so that you don’t become a victim of it. We also discuss the types of Phishing.
What is phishing?
Phishing is a cybercrime where criminals lure victims using fake emails and text messages, with the intention of stealing the victims’ data. Mainly, it is done through mass email campaigns. They use temporary email IDs and temporary servers, so it becomes hard for authorities to nab them. They have a general template that is sent to hundreds of thousands of recipients so that at least a few can be tricked. Learn how to identify phishing attacks.
Why is it called phishing?
You know about fishing. In real-life fishing, the fisherman sets a bait so that he can catch fish once they are hooked to the fishing rod. On the Internet too, the criminals use bait in the form of a message that is convincing and appears genuine. Since they use a bait, it is called phishing. It stands for password fishing, which is now simply referred to as phishing.
The bait could be a promise of money or any goods that could compel any end-user to click on the bait. Sometimes, the bait is different (for example, threat or urgency) and calls for action like clicking links saying you have to re-authorize your account at Amazon, Apple, or PayPal.
How to pronounce phishing?
It is pronounced PH-ISHING, with the ‘PH’ sounding like the F in Fishing.
How common is phishing?
Phishing attacks are more common than malware. That is to say, more and more cybercriminals are engaged in phishing compared to those who spread malware through emails, fake websites, or fake advertisements on genuine websites.
These days, phishing kits are sold online, so practically anyone with some knowledge of networks can buy them and use them for illegal tasks. These phishing kits provide everything from cloning a website to composing a compelling email or text.
Types of phishing
There are many types of phishing. Some of the popular ones are:
- General phishing: regular emails asking you for your personal details, the most used form of phishing
- Spear phishing
- Whaling scams
- Smishing (SMS phishing) and Vishing
- QRishing scams
- Tabnabbing
1] General Phishing
In the most basic form of phishing, you encounter emails and texts cautioning you about something while asking you to click a link. In some cases, they ask you to open an attachment in the email they sent you.
In the email subject line, the cybercriminals lure you into opening the email or text. Sometimes, the subject line says that one of your online accounts needs updating and sounds urgent.
In the body of the email or text, there is some compelling information that is fake but believable, and it ends with a call to action: asking you to click on the link they provide in the phishing email or text. Text messages are more dangerous because they use shortened URLs, whose destination or full link can’t be checked without clicking on them when you read them on the phone. There may be an app somewhere that helps check the full URL, but there’s none I am aware of yet.
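One way to see where a shortened link leads without opening it is to ask the server for headers only and stop at each redirect instead of following it. The script below is an added example and is not code from the article: it issues HEAD requests by hand, records every hop of the redirect chain, caps the number of hops so a redirect loop cannot hang it, and never fetches the landing page. The small redirecting server it talks to is a constructed stand-in for a URL shortener (the paths `/s/abc`, `/step2`, `/landing` and `/loop` are invented) so that the whole thing runs offline on loopback.

```python
"""Preview where a shortened link leads without opening it.

Added example, not part of the article. HEAD requests are sent by hand and
redirects are never followed automatically, so each hop is recorded and the
landing page body is never downloaded. The redirecting server below is a
constructed stand-in for a URL shortener so the example runs offline.
"""
import threading
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse


def expand_short_url(url, max_hops=5, timeout=5):
    """Return the redirect chain starting at `url`: [url, hop1, ..., final].

    Stops at the first non-redirect response or after `max_hops` redirects,
    so a redirect loop cannot hang the caller.
    """
    hops = [url]
    for _ in range(max_hops):
        parts = urlparse(hops[-1])
        conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        try:
            # HEAD: headers only; no page body is downloaded or rendered.
            conn.request("HEAD", path, headers={"User-Agent": "link-preview/1.0"})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if not (300 <= status < 400 and location):
            return hops  # reached the real destination (or an error page)
        # Location may be relative; resolve it against the current hop.
        hops.append(urljoin(hops[-1], location))
    return hops


class _ShortenerHandler(BaseHTTPRequestHandler):
    """Constructed shortener: /s/abc -> /step2 -> /landing (200); /loop -> /loop."""

    def do_HEAD(self):
        host = self.headers.get("Host")
        routes = {
            "/s/abc": (301, "/step2"),                  # relative Location
            "/step2": (302, f"http://{host}/landing"),  # absolute Location
            "/loop": (301, "/loop"),                    # redirect loop
        }
        if self.path in routes:
            status, location = routes[self.path]
            self.send_response(status)
            self.send_header("Location", location)
        else:
            self.send_response(200 if self.path == "/landing" else 404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo(path="/s/abc"):
    """Start the constructed shortener on loopback and expand one of its links."""
    server = HTTPServer(("127.0.0.1", 0), _ShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return expand_short_url(f"http://127.0.0.1:{server.server_port}{path}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for i, hop in enumerate(demo()):
        print(f"hop {i}: {hop}")
```

The point to take away is the final hostname, not the shortener's: if the chain ends somewhere other than the brand the message claims to be from, treat the message as phishing. Real shorteners also rate-limit or block HEAD requests occasionally, in which case a GET with redirects disabled and the body discarded is the fallback.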
2] Spear phishing
Spear phishing refers to targeted phishing where the targets are employees of business houses. The cybercriminals get their workplace IDs and send the fake phishing emails to those addresses. It appears as an email from someone high on the corporate ladder, creating enough hurry to reply to them… thereby helping the cybercriminals break into the network of the business house. Read all about spear phishing here. The link also contains some examples of spear phishing.
3] Whaling
Whaling is similar to spear phishing. The only difference between whaling and spear phishing is that spear phishing can target any employee, while whaling targets certain privileged employees. The method is the same. The cybercriminals get the official email IDs and phone numbers of the victims and send them a compelling email or text with some call for action that might open the corporate intranet and give back-door access. Read more about Whaling phishing attacks.
4] Smishing and Vishing
When cybercriminals use the short messaging service (SMS) to fish out personal details of victims, it is known as SMS phishing, or Smishing for short. Read about Smishing and Vishing in detail.
5] QRishing scams
QR codes are not new. When information is supposed to be kept short and secret, QR codes are the best way to carry it. You may have seen QR codes on different payment gateways, bank adverts, or simply on WhatsApp Web. These codes hold information as a square filled with a pattern of black and white modules. Since you cannot tell what information a QR code carries just by looking at it, it is always best to stay away from codes from unknown sources. That is to say, if you receive a QR code in an email or text from an entity that you do not know, don’t scan it. Read more about QRishing scams on smartphones.
6] Tabnabbing
Tabnabbing changes a legitimate page you were visiting to a fraudulent page once you switch to another tab. Let’s say:
- You navigate to a genuine website.
- You open another tab and browse another site.
- After a while, you come back to the first tab.
- You are greeted with fresh login details, maybe to your Gmail account.
- You log in again, not suspecting that the page, including the favicon, has actually changed behind your back!
This is Tabnabbing, also called Tabjacking.
There are some other types of phishing that are not used much nowadays, and I have not named them in this post. The methods used for phishing keep adding new techniques to the crime. Know the different types of cybercrimes if interested.
Identifying phishing emails and texts
While the cybercriminals take all measures to trick you into clicking their illegal links so that they can steal your data, there are a few pointers that give away that the email is fake.
In most cases, the phishing guys use a name familiar to you. It can be the name of any established bank or any other corporate house such as Amazon, Apple, eBay, etc. Look at the email ID.
Phishing criminals do not use permanent email addresses at popular email hosting providers such as Hotmail, Outlook, or Gmail. They use temporary email servers, so anything from an unknown source is suspicious. In some cases, the cybercriminals try to spoof email IDs by using a business name—for example, [email protected]. The email ID contains the name of Amazon, but if you look closer, it is not from Amazon’s servers but from some fakeemail.com server.
So, if a mail claiming to be from http://axisbank.com comes from an email ID that says [email protected], you need to exercise caution. Also, look for spelling errors. In the Axis Bank example, if the email ID comes from axsbank.com, it is a phishing email.
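The two checks described above (a brand name sitting in an address on an unrelated domain, and a lookalike domain such as axsbank.com for axisbank.com) can be written down as a small classifier. The code below is an added example, not the article's own: the brand allowlist is constructed for illustration, and the `From:` header values it is run on are made up. Note that the `From:` header itself can be forged, so in a real mail pipeline this check sits alongside the server's SPF, DKIM and DMARC results rather than replacing them.

```python
"""Judge a From: header the way the article suggests: by the sending domain.

Added example, not part of the article. KNOWN_BRANDS is a constructed
allowlist; a real deployment would load it from configuration and would also
consult SPF/DKIM/DMARC results, since the From: header can be forged.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: brand name -> registrable domains it really sends from.
KNOWN_BRANDS = {
    "amazon": {"amazon.com"},
    "axisbank": {"axisbank.com"},
}

# Similarity (0..1) above which a domain counts as a lookalike of a known one.
LOOKALIKE_THRESHOLD = 0.8


def registrable_domain(host):
    """Reduce mail.amazon.com to amazon.com.

    Keeps the last two labels, which is right for .com-style TLDs but not for
    two-level suffixes such as co.uk (use the public suffix list for those).
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _squash(text):
    """Lowercase and drop non-alphanumerics so 'Axis Bank' matches 'axisbank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classify_sender(from_header):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "address could not be parsed"
    local, host = addr.rsplit("@", 1)
    domain = registrable_domain(host)

    # 1. Genuine sending domain of a known brand (subdomains reduce to it).
    for brand, domains in KNOWN_BRANDS.items():
        if domain in domains:
            return "ok", f"{domain} is a known {brand} domain"

    # 2. Lookalike domain: a character or two off a known one (axsbank.com).
    for domains in KNOWN_BRANDS.values():
        for legit in domains:
            if SequenceMatcher(None, domain, legit).ratio() >= LOOKALIKE_THRESHOLD:
                return "suspicious", f"{domain} looks like {legit}"

    # 3. Brand name in the display name or local part, but an unrelated domain
    #    (amazon@fakeemail.com, or "Amazon" <x@amazon.com.fakeemail.com>).
    name_parts = _squash(display) + " " + _squash(local)
    for brand in KNOWN_BRANDS:
        if brand in name_parts:
            return "suspicious", f"mentions {brand} but is sent from {domain}"

    return "unknown", f"{domain} is not a known brand domain"


if __name__ == "__main__":
    # Constructed sample headers, one per pattern discussed in the text.
    for header in (
        "Amazon <order-update@amazon.com>",
        "Amazon <amazon@fakeemail.com>",
        "Axis Bank <alerts@axsbank.com>",
        "Amazon <security@amazon.com.fakeemail.com>",
        "Jane <jane@example.org>",
    ):
        print(f"{header!r:50} -> {classify_sender(header)}")
```

The lookalike test runs before the brand-name test on purpose: axsbank.com would otherwise be reported only as "mentions axisbank" when the display name is "Axis Bank", and the more specific reason is the one worth surfacing to a user.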
PhishTank will help you verify or report phishing websites.
Precautions for phishing
The above section talked about identifying phishing emails and texts. At the base of all precautions is the need to check the origin of an email instead of simply clicking on the links in it. Do not give out your passwords or security-question answers to anyone. Look at the email ID from which the email was sent.
If it is a text from a friend you know, you might want to confirm whether he or she really sent it. You could call and ask whether they sent a message with a link.
Never click on links in emails from sources you do not know. Even for emails that appear genuine, say from Amazon, do not click on the link. Instead, open a browser and type out Amazon’s URL yourself. From there, you can check whether you actually need to send any details to the entity.
Some links come in saying you have to verify your sign-up. Check whether you signed up for any service recently. If you cannot remember, ignore the email link.
What if I clicked on a phishing link?
Close the browser immediately. If you cannot close the browser, as with some smartphones’ default browser, do not touch or enter any information; manually close each of its tabs. Remember not to log in to any of your apps until you have run a scan using Bitdefender or Malwarebytes. There are some paid apps too that you can use.
The same goes for computers. If you clicked a link, the browser would be launched, and some sort of duplicate website would appear. Don’t tap or click anywhere on the browser. Just click the close-browser button or use the Windows Task Manager to close it. Run an antimalware scan before using other applications on the computer.
Read: Where to report Online Scams, Spam and Phishing websites?
Please comment and let us know if I left out anything in this phishing cheat sheet.