Essay on Phishing
Number of words: 3453
Abstract.
The world is increasingly becoming reliant on technology and most of financial transactions and other business operations are conducted online. Cybercriminals are also becoming more sophisticated, improving on their targets, implications and their attack techniques in different security systems. Social engineering continues to lead and remains the cheapest form of cyber attack with phishing being among the easiest form of entry. Phishing is a serious online fraud, costing businesses, online users, government and other organizations severe information and financial loses. Hence, there is a dire need to develop effective detection and mitigation strategies to curb the effects of the attack. The paper identifies various phishing detection and mitigation approaches in the era of electronic and mobile businesses.
Phishing.
Overview.
The levels of cybercrimes have increased exponentially and is consistent with the growth of technology. Successful cyberattacks can cause major harm to businesses and individuals. Cyber-attacks can impact the business’s bottom line in addition to business’ standing and customer trust. As technology advances, so do the cybercrimes that are committed. The effect of cyberattacks can either be financial, reputational or legal, all of which negatively impacts business operations, productivity and profitability. Cyber-attacks gain unauthorized access to a computer, computing system or business computer network with intent to cause damage or for malicious gain. Cyber attacks aim to disable, disrupt, destroy or control computer systems or modify, block, delete and manipulate or steal the data held in the compromised systems. Cyber attacks are detrimental and can be initiated from anywhere by either an individual or group through various attack techniques.
Phishing is among the most prevalent type of cyber-attack and have depicted record growth in the recent years. Phishing is a cyber threat that applies a disguised email as an attack tool. Phishing attack tricks the victims to disclose information that should be confidential (Gupta et al., 2018). Phishing email makes the email recipient into believing that the message is from a genuine source and carries fundamental information that the recipient should read. Phishing occurs when the victim opens the links and replies to the fraudulent email. Some of phishing email request include, clicking an attachment, enabling macros in word document, updating a password, a social media connection request and using a new free wi-fi hot spot (Gupta et al., 2018). They are several types of phishing attacks i.e., phishing email, spear phishing, link manipulation, fake websites, CEO fraud, content injection, session hijacking, malware, among others.
According to statistics phishing was responsible for 90% of data breaches in 2020 and 76% of businesses reported that they were culprits of phishing attack in the same year (Drury& Meyer, 2020). Hence, phishing is an attack that every business should be ready to deal with. When phishing occurs, it can lead to loss of money, loss of intellectual property, damage to reputation and business disruptions. Hence, it is essential to understand how phishing occurs and how to mitigate the threat, more so in the digital era. Among the current phishing attacks is the Apple Smishing in 2020, Google and Facebook invoice scam in 2015, spear Fishing at Ubiquiti Networks Inc., among others.
For the hackers phishing attacks are easier to conduct more so with the phishing kit that allows cyber criminals even with minimal technical skills to execute a phishing attack (Das et al., 2019). The kit consists of phishing website resources and tools that only requires to be installed on server and send out emails to the potential victims. However, phishing has detrimental effects to the business and can cause total damage to the brand. To protect against phishing attacks businesses, need to raise awareness of how phishing happens. Raising phishing awareness is important for business because staff with low awareness are more likely to give into the hacker’s snare. When employees are equipped with information of how easy they can be tricked by what resembles a valid email, they are more likely to closely and cautiously review email details before they rush to respond, clicking an embedded link or download an attachment (Buber et al., 2017). Businesses are highly susceptible to phishing attacks and are usually caught off guard. Increasing phishing awareness by educating employees on how to thoroughly examine suspicious email senders, how to examine and respond to emergency messages, and how to identify fake links that mimics real links. This way the businesses are able to alleviate the multiple problems associated with phishing attacks and increase the business efficiency. However, although businesses can invest in creating awareness of phishing attacks sometimes the fake emails are hard to detect and business end up falling into the attacker’s trap. Hence, it is essential to develop effective detection and mitigation strategies of various phishing attacks at the ground level. Hence, the research paper seeks to describe various phishing detection and mitigation strategies in the current digital era.
Purpose of Research.
Currently, businesses keep a lot of sensitive information in the cloud and the business computer systems and this has made them recurring targets of phishing activities. Attackers regularly send out emails containing a link to follow and attachments to the users. Some emails appear so convincing as the scammer may even provide options to decline the request. Others will bait the users with the idea of updating the system and whenever they give in, they end up being duped out business login credentials and the attackers gain access to the business confidential data, documents and other information kept in the system (Drury& Meyer, 2020). Due to the advancement in technology the hackers have turned to other sophisticated attack strategies making it extremely challenging to identify malicious emails and other phishing attacks.
However, developing various detection and mitigation strategies will help in curbing phishing activities and their impacts. Prevention of phishing attacks will help in minimizing business data leaks that could result in identity theft that would cost the business dearly. Besides, curbing phishing activities will promote cybersecurity and increase the customers trust in the company. Moreover, the information from this research can be implemented by software developers in generating effective phishing detection and prevention software. Thus, I believe the findings of this research paper will be beneficial to the end user, researchers, app developers, financial institutions among other business communities.
Literature Review.
Phishing is not a new concept and have been in existence for long and does not seem to slowdown any time soon. However, the ancient phishing varies greatly from the current, hence researchers have given considerable attention to develop effective detection techniques and prevention strategies. Hence various scholars have conducted various literatures on the subject as depicted in this literature review. According to Alzuwaini & Yassin (2021) phishing is among he most harmful attacks caused to illegally accessed authorized accounts. The finances, business and other financial institutions are the prime targets of the attack for the confidential and critical information they hold. Phishing targets user’s confidential data such as passwords, social security number, credit card numbers, login credentials, among other information which can grant access to personal data and systems. Detecting and curbing phishing attacks is challenging for it mostly depends on the personal knowledge and identification of malicious links and attachments. To counter the efforts of cybercriminals Alzuwaini & Yassin (2021) proposes a verification model to prevent phishing attacks. The scheme has three major units i.e., the setup unit, registration unit and the verification phase. The three phases are entrusted with managing the exchange of information between the main components which includes the user, authentication server and the community server in a secure manner and is developed in accordance to Schnorr digital signature, HMAC, Levenshtein distance. The Schnorr digital signature have been incorporated in the scheme to enhance ElGamal digital signature by reducing the signature size. The HMAC is a hash function used in authenticating the shared messages between genuine parties. The hash is derived from running various cryptographic functions and is a secure function, efficient and easy to use. On the other hand, Levenshtein Distance (LD) depicts the distance between two messages. The scheme is effective is preventing social engineering and phishing attacks. The model does this by production of a verification code. For instance, the user wants to communicate with authorized community server such s bank on his/her computer and includes confidential data like user credential card details. The community server interacts with the user through the web pages and the community server redirects the user’s requests to an authentication server for validating his request and the community’s Domain Name System (DNS). Then the authentication server develops and sends the encrypted verification code to the user. Then the user examines the validity of an authentication server via the verification code thus completing the request. Also, the scheme generates secure index file (SIF) which contains valid URLs of authorized bodies to mitigate phishing and other social engineering attacks. The technique has been proven to be effective since it is difficult for attacker to mimic the verified community behavior because the attacker does not know the shared key.
Ahmad (2021) in his article depicts that one cannot control anything is not aware of. Hence, Ahmad (2021) starts by introducing various techniques of detecting phishing websites by training machine learning classifier on HTML code. The HTML code is tokenized by byte pair encoding (BPE). Term frequency inverse document frequency weights are applied to BPE tokens which is then coached using the random forest classifier. The author goes a mile ahead and describes the structuring of an API (Application Programming Interface) to provide phishing detection services. The main objective of the API services is to enable users and businesses with an easy integration of an automated phishing detection system. The systems usually target domain names and URLs and does not support for spam detection or filtration. Also, the author demonstrates the capability of the current security governing the registration of domain names in blocking homograph registrations.
Additionally, Ahmad (2021) portrays that intelligent anti-phishing techniques based on ML and DM approaches are effective phishing mitigation strategies since the techniques are appropriate for deriving knowledge from website features that help in reducing the severity of the attack. Developing an effective intelligent anti-phishing technique involves the development of predictive system to pre-process the set of features and make the appropriate selection. The efficacy of the predictive can be assessed using various computational intelligence tactics including information gain, correlation analysis, chi-square among others. Upon choosing the appropriate features combination a predictive system can be developed. Most of the ML and DM algorithms uses either of these classification methods i.e., decision trees (ID3, C4.5 and successors) probabilistic models, rule-based classification, neural networks, sport vector machines, among others. However, the study concluded that rule-based classification systems are the most effective anti-phishing tools for they can predict targets in multiple domains and are based on human knowledge that beginners can easily fathom and implement when required.
As per Qabajeh et al., 2018 phishing is among the costly cyber attacks that ruins business fortunes mercilessly. Hence, business need to be at forefront to mitigate its occurrence at any cost. Among the techniques of minimizing the effect of phishing on businesses and other online users is to develop an anti-phishing community to track and monitor the current phishing activities and provide the information to various app developers and businesses. Users’ experiences are practical and are based on real encounters with various kinds of phishing activities. Efforts by online users leads to new proactive online communities and data sources which can be implemented by developers and business to create a safer internet free from phishing attacks. For instance, the Monitoring and Takedown (MaT) technique allows the businesses and individuals who recognizes phishing activity to report through public anti-phishing communities such as APWG, PhishTank, Millersmiles, among others. Such anti-phishing communities allows users to report phishing content and also warn other organizations.
Additionally, Qabajeh et al., 2018 illustrates that phishing can be mitigated using non-intelligent anti-phishing solutions. Legislations in various countries such as US, UK and Canada have passed legislative bills with harsh penalties for incriminated phishers. The legislator’s efforts are expected to minimize phishing activities which have become more severe causing businesses to suffer substantial losses. This is achieved by scaring away the potential attackers and instilling disciplining to the criminals. However, although the method deems promising, it is difficult to get the suspects due to the short lifespan of the phishing websites which is usually two days.
Qabajeh et al., 2018 further demonstrates that phishing can be mitigated using computerized anti-phishing techniques using anti-spam software tools to block suspicious emails, consequently reducing false positives and increase the genuine emails for the users to be confident of their mailbox’s filter results without necessarily going through the entire mail folder. Among the computerized techniques is the blacklist, a database -oriented approach based on utilizing a predetermined list consisting of domain names, URLs for websites that have bee verified to be harmful. Businesses and users can create blacklists which can either be domain or internet protocol based. When the website is about to be browsed the browser first checks the URL in the blacklist and if it is found in the blacklist the relevant measures are taken to notify the user of the harmful website’s URL. Some of the publicly available blacklists include ATLAS, the BLADE, DGA list, CYMRU Bogon list, among others.
Baykara & Gürel (2018) illustrates various phishing detection techniques and proposes various prevention strategies to save business from dangers attributed to phishing attacks. The researchers depict that businesses and individuals fall for phishing due to five prime reasons. Among them is the failure of the businesses to understand URLs and their application, redirection or hidden URLs, failure to not know legit URLs, accidentally clicking on malicious links and failure to identify the URLs to be trusted. Phishing can be detected by blacklists which are lists of previously identified phishing URLs. Blacklist have relatively lower false positive rates as compared to machine learning detection techniques and do not offer protection against zero-hour phishing attacks. Also, phishing can be detected using machine learning techniques through web page detection which entails classification of problems and models development of models using various machine learning algorithms.
Baadel & Lu (2019) in their work discusses the various intelligent anti-phishing approaches which utilizes ML in the prediction of the target within the datasets. The prediction is automated and uses a classifier, a classification model. The research expounds on various classification approaches and among them is the Support Vector Machine (SVM) and Fuzzy Logic (FL). SVM classification technique examines the difference between a website’s identity, its HTTP activities and structural aspects. Using this metric phishing activities can easily be identified since malicious websites are not correlated. On the other hand, FL is used in classifying emails into legit and phishy using the Domain Identity and URL indicators.
Apandi et al., 2020 depicts that there are two core anti-phishing solutions i.e., phishing prevention and phishing detection. Phishing can be prevented by equipping employees with the required skills to identify phishing activities or installing anti-phishing software. The study classifies the automatic software detection methods into two i.e., public phishing detection and academic phishing detection. The automatic phishing detection techniques deploys both the heuristic and blacklist grounded technique. The heuristic function assesses the content of the website. The public phishing detection toolbars identifies and blocks the phishing website and issues alerts to the user whenever they visit a phishing website. On the other hand, academic phishing detection identifies and classifies websites as either legitimate or phishing. This technique applies the artificial, intelligence concept which uses supervised learning classification algorithms.
Practical Application.
Phishing attacks continue to play a dominant role in the digital threat landscape. According to the 2020 Data Breach Investigations Report (DBRI) it was recorded that phishing is the second topmost cyber- attack in security issues and the prime threat action in data breaches (Drury& Meyer, 2020). As technology advances the capability of fraudster continue to increase and there are no signs of slowing down either. Google 2020 reports depicted that phishing activities rose by 350% in a span of two months. Thus, businesses should understand that phishing is here to stay and the only way to evade its implications is to deploy the relevant mitigation strategies as depicted in the review of the literatures. Alzuwaini & Yassin (2021) advocates for the creation of awareness among the online users, business and their employees. Organizations can implement this information to conduct employee security awareness training sessions and discourage them and other users from publishing confidential information on social platforms (Sankhwar & Pandey, 2017). Besides, businesses can use the information to educate their employees on how to identify phishing email attacks at a glance. Most of the phishing incidences have been reported to be facilitated by workers especially the short-term workers who either do not or undergo inadequate cybersecurity training.
Additionally, the literature review discusses various phishing solutions which Qabajeh et al., 2018 have broadly categorized as anti-phishing community techniques, non-intelligent anti-phishing techniques and computerized anti-phishing techniques. This information can be implemented by internet users, banks, financial institutions and other businesses to develop and implement the above discussed prevention methodologies to enhance cybersecurity in their businesses. Business can implement some of the discussed prevention tactics such as spam filters, two factor authentication and browser add-ons and extensions to recognized and discard emails from suspicious sources.
Moreover, the information can be implemented by security software developers in designing software free from phishing activities (Lam & Kettani, 2019). Among the cheapest strategies of curbing phishing schemes is installation of the appropriate internet security software on the systems. To develop this software the engineers, need to have the relevant information on the phishing attacks s provided in this research to ensure that the software developed provides several layers of protection.
Conclusion.
Phishing prevention has become fundamental as business becomes digital and the scammers turn towards phishing attacks to steal important business data and personal information. Thus, it is imperative for businesses to conduct security awareness training on regular basis in addition to installation of various anti-phishing software to automatically detect and nullify phishing threats. However, using the findings from this research businesses will be able to swiftly spot most of the frequent types of phishing threats. However, this is not an indication that using the research results that businesses will be able to identify all the phishing activities for it is constantly evolving as technology advances. Hence, future studies should be conducted to depict the new forms and techniques adopted by the cybercriminals to facilitate phishing and their solutions.
References.
Ahmad, H. (2021). Automatic Fake Domain Checker To Detect & Prevent Phishing Attacks (Master’s thesis).
Alzuwaini, M. H., & Yassin, A. A. (2021). An Efficient Mechanism to Prevent the Phishing Attacks. Iraqi Journal for Electrical & Electronic Engineering, 17(1).
Apandi, S. H., Sallim, J., & Sidek, R. M. (2020, February). Types of anti-phishing solutions for phishing attack. In IOP Conference Series: Materials Science and Engineering (Vol. 769, No. 1, p. 012072). IOP Publishing.
Baadel, S., & Lu, J. (2019). Data Analytics: intelligent anti-phishing techniques based on Machine Learning. Journal of Information & Knowledge Management, 18(01), 1950005.
Baykara, M., & Gürel, Z. Z. (2018, March). Detection of phishing attacks. In 2018 6th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1-5). IEEE.
Buber, E., Demir, Ö., & Sahingoz, O. K. (2017, September). Feature selections for the machine learning based detection of phishing websites. In 2017 international artificial intelligence and data processing symposium (IDAP) (pp. 1-5). IEEE.
Das, R., Hossain, M., Islam, S., & Siddiki, A. (2019). Learning a deep neural network for predicting phishing website (Doctoral dissertation, Brac University).
Drury, V., & Meyer, U. (2020, September). No Phishing With the Wrong Bait: Reducing the Phishing Risk by Address Separation. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 646-652). IEEE.
Gupta, B. B., Arachchilage, N. A., & Psannis, K. E. (2018). Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommunication Systems, 67(2), 247-267.
Lam, T., & Kettani, H. (2019, April). PhAttApp: a phishing attack detection application. In Proceedings of the 2019 3rd International Conference on Information System and Data Mining (pp. 154-158).
Qabajeh, I., Thabtah, F., & Chiclana, F. (2018). A recent review of conventional vs. automated cybersecurity anti-phishing techniques. Computer Science Review, 29, 44-55.
Sankhwar, S., & Pandey, D. (2017). Defending Against Phishing: Case Studies. International Journal of Advanced Research in Computer Science, 8(5).