Final Report On Phishing

The document discusses the history and background of phishing attacks. It describes how the term originated in the 1990s and was originally used to steal passwords and financial details from AOL users. It traces the evolution of phishing techniques over time from the 1980s onwards and how phishing became associated with stealing software and credit card fraud. Attackers would pose as legitimate entities like banks or websites to trick users into revealing sensitive information.


A

Seminar Report
On
PHISHING
Submitted in partial fulfillment of the requirement
For the award of the

Master Degree
In
Computer Application

Under the supervision of:
Dr. Sasmita Kumari Padhy
Head of Department
Dept. of CA

Submitted by:
Sayed Daud Aziz
MCA 3rd Semester
ROLL NO. 1706151020
&
Binita Paul
MCA 3rd Semester
ROLL NO. 1706151021

Department of Computer Application


VEER SURENDRA SAI UNIVERSITY OF TECHNOLOGY
(Formerly, University College of Engineering, Burla)
Burla, Sambalpur, Odisha
1|Page
Department of Computer Application
VEER SURENDRA SAI UNIVERSITY OF
TECHNOLOGY
(Formerly, University College of Engineering, Burla)
Burla, Sambalpur, Odisha

CERTIFICATE

This is to certify that Sayed Daud Aziz & Binita Paul, students of Master in Computer Applications (MCA) 3rd semester bearing Roll No. 1706151020 & 1706151021, have submitted their Seminar entitled “PHISHING” towards partial fulfillment of the requirement for the award of the degree Masters in Computer Applications (MCA) during the session 2018-19 under my guidance.

Guide

Department of Computer Application
VEER SURENDRA SAI UNIVERSITY OF
TECHNOLOGY
(Formerly, University College of Engineering, Burla)
Burla, Sambalpur, Odisha

CERTIFICATE OF COMPLETION

This is to certify that Sayed Daud Aziz & Binita Paul, students of Master in Computer Application (MCA) 3rd semester bearing Roll No. 1706151020 & 1706151021, have presented and successfully completed their Seminar entitled “PHISHING” in the presence of the undersigned dignitaries.

Head of department External

ACKNOWLEDGEMENT
I wish to express my heartfelt thanks to my seminar guide Dr. Sasmita Kumari Padhy for her valuable suggestions along with keen interest & co-operation. I am greatly indebted for her constructive & helpful guidance from time to time during the progress of the seminar, without which the seminar would not have been completed.
I also wish to thank other faculty members who helped me directly or indirectly to complete this seminar.
Finally, I express my sincere gratitude and thanks to the department fraternity for their technical and non-technical help, encouragement and suggestions from time to time towards me during the tenure of this seminar. At last I offer gratitude to my parents for their constant support and to friends for their hearty help and interaction.

Sayed Daud Aziz


&
Binita Paul

ABSTRACT
Phishing is a type of security attack that attempts to trick or coerce targets into divulging sensitive or valuable information. Sometimes referred to as a “phishing scam,” attackers target users’ login credentials, financial information (such as credit cards or bank accounts), company data, and anything that could potentially be of value. And while some phishing attacks are fairly easy to spot, others can be more difficult to identify. Victims are both users and organizations. The single most important part of dealing with a phishing attack is preparing for the attack before it actually happens. Phishing attacks come in all shapes and sizes. Well, pretty much all the same shape, but certainly different sizes. At its most basic definition, the term phishing attack often refers to a broad attack aimed at a large number of users or “targets”. This can be thought of as a “quantity over quality” approach, requiring minimal preparation by the attacker, with the expectation that at least a few of the targets will fall victim to it. Phishing attacks typically engage the user with a message intended to solicit a specific response (usually a mouse click) via an emotion or desire. Attackers have innovated on phishing attacks over the years, coming up with variations that require more up-front effort by the attacker but result in either a higher rate of victims or a higher value “payout” per victim (or both!). Attackers continue to seek out new and creative ways to target unsuspecting computer users. Attackers use a number of mechanisms to phish their targets, including email, social media, instant messaging, texting, and infected websites—some attacks are even carried out using old school phone calls. Regardless of the delivery mechanism, phishing attacks utilize certain techniques to execute. The breadth of phishing attacks and attack methods out there may sound scary, but with proper training around what a phishing attack is, how it works, and how it can harm users and their organizations, you can help ensure you’re as prepared as possible to recognize the threat and mitigate it accordingly.

Guidance By
Dr. Sasmita Kumari Padhy
Head of Department
Dept. of C.A.

Submitted By
NAME-Sayed Daud Aziz
REGN NO-1706151020
MCA 3rd SEM

NAME-Binita Paul
REGN NO-1706151021
MCA 3rd SEM

CONTENTS

1. Introduction
2. Background of phishing
3. Types of phishing
3.1 Spear phishing
3.2 Clone phishing
3.3 Whaling
4. Phishing Attacks
4.1 Link manipulation
4.2 Website forgery
4.3 Vishing (voice phishing)
4.4 Smishing (SMS phishing)
4.5 Email technique
5. Preventions
6. Anti-phishing
7. Effects of phishing
8. Conclusion
9. References

Chapter 1: INTRODUCTION

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication.
Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site. Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators. The annual worldwide impact of phishing could be as high as US$5 billion. Attempts to deal with phishing incidents include legislation, user training, public awareness, and technical security measures, because phishing attacks also often exploit weaknesses in current web security. The word itself is a neologism created as a homophone of fishing, due to the similarity of using a bait in an attempt to catch a victim.

Chapter 2: BACKGROUND
1980s
A phishing technique was described in detail in a paper and presentation delivered to
the 1987 International HP Users Group, Interex.

1990s
The term 'phishing' is said to have been coined in the mid-90s by the well-known spammer and hacker Khan C. Smith. The first recorded mention of the term is found in the hacking tool AOHell (according to its creator), which included a function for attempting to steal the passwords or financial details of America Online users.

Early AOL phishing


Phishing on AOL was closely associated with the warez community that exchanged unlicensed software and the black hat hacking scene that perpetrated credit card fraud and other online crimes. AOL enforcement would detect words used in AOL chat rooms to suspend the accounts of individuals involved in counterfeiting software and trading stolen accounts. The term was used because '<><' is the single most common tag of HTML that was found in all chat transcripts naturally, and as such could not be detected or filtered by AOL staff. The symbol <>< was substituted for any wording that referred to stolen credit cards, accounts, or illegal activity. Since the symbol looked like a fish, and due to the popularity of phreaking, it was adapted as 'Phishing'. AOHell, released in early 1995, was a program designed to hack AOL users by allowing the attacker to pose as an AOL staff member and send an instant message to a potential victim, asking him to reveal his password. In order to lure the victim into giving up sensitive information, the message might include imperatives such as "verify your account" or "confirm billing information". Once the victim had revealed the password, the attacker could access and use the victim's account for fraudulent purposes. Both phishing and warezing on AOL generally required custom-written programs, such as AOHell. Phishing became so prevalent on AOL that they added a line on all instant messages stating: "no one working at AOL will ask for your password or billing information". A user using both an AIM account and an AOL account from an ISP simultaneously could phish AOL members with relative impunity, as internet AIM accounts could be used by non-AOL internet members and could not be actioned (i.e., reported to the AOL TOS department for disciplinary action). In late 1995, AOL crackers resorted to phishing for legitimate accounts after AOL brought in measures in late 1995 to prevent using fake, algorithmically generated credit card numbers to open accounts. Eventually, AOL's policy enforcement forced copyright infringement off AOL servers, and AOL promptly deactivated accounts involved in phishing, often before the victims could respond. The shutting down of the warez scene on AOL caused most phishers to leave the service.

2000s

2001
The first known direct attempt against a payment system affected E-gold in June
2001, which was followed up by a "post-9/11 id check" shortly after the September 11
attacks on the World Trade Center.
2003
The first known phishing attack against a retail bank was reported by The Banker in
September 2003.
2004
It is estimated that between May 2004 and May 2005, approximately 1.2 million
computer users in the United States suffered losses caused by phishing, totaling
approximately US$929 million. United States businesses lose an estimated US$2
billion per year as their clients become victims. Phishing is recognized as a fully
organized part of the black market. Specializations emerged on a global scale that
provided phishing software for payment (thereby outsourcing risk), which were
assembled and implemented into phishing campaigns by organized gangs.
2005
In the United Kingdom losses from web banking fraud—mostly from phishing—
almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004, while 1 in 20
computer users claimed to have lost out to phishing in 2005.
2006
Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg. Banks are in dispute with customers over phishing losses. The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal." Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers, although losses to the tune of €113,000 were made good. Phishers are targeting the customers of banks and online payment services. Emails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the expectation that some would be received by customers of a given bank or service, recent research has shown that phishers may in principle be able to determine which banks potential victims use, and target bogus emails accordingly. Social networking sites are a prime target of phishing, since the personal details in such sites can be used in identity theft; in late 2006 a computer worm took over pages on Myspace and altered links to direct surfers to websites designed to steal login details. Experiments show a success rate of over 70% for phishing attacks on social networks.

2007
3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007. Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million. Attackers who broke into TD Ameritrade's database and took 6.3 million email addresses (though they were not able to obtain social security numbers, account numbers, names, addresses, dates of birth, phone numbers and trading activity) also wanted the account usernames and passwords, so they launched a follow-up spear phishing attack.

2008
The RapidShare file sharing site has been targeted by phishing to obtain a premium account, which removes speed caps on downloads, auto removal of uploads, waits on downloads, and cool down times between uploads. Cryptocurrencies such as Bitcoin facilitate the sale of malicious software, making transactions secure and anonymous.
2009
In January 2009, a phishing attack resulted in unauthorized wire transfers of US$1.9
million through Experi-Metal's online banking accounts.
In the 3rd Quarter of 2009, the Anti-Phishing Working Group reported receiving 115,370 phishing email reports from consumers, with the US and China each hosting more than 25% of the phishing pages.

2010s

2011
In March 2011, internal RSA staff were successfully phished, leading to the master keys for all RSA SecurID security tokens being stolen, then subsequently used to break into US defense suppliers. A Chinese phishing campaign targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists. The Chinese government denied accusations of taking part in cyber-attacks from within its borders, but there is evidence that the People’s Liberation Army has assisted in the coding of cyber-attack software.
2012
According to Ghosh, there were "445,004 attacks in 2012 as compared to 258,461 in 2011 and 187,203 in 2010", showing that phishing has been increasingly threatening individuals.
2013
In August 2013, the advertising service Outbrain suffered a spear phishing attack and the Syrian Electronic Army (SEA) placed redirects into the websites of The Washington Post, Time, and CNN.
In October 2013, emails purporting to be from American Express were sent to an unknown number of recipients. A simple DNS change could have been made to thwart this spoofed email, but American Express failed to make any changes. In November 2013, 110 million customer and credit card records were stolen from Target customers through a phished subcontractor account. The CEO and IT security staff were subsequently fired. By December 2013, CryptoLocker ransomware had infected 250,000 personal computers, first targeting businesses using a Zip archive attachment that claimed to be a customer complaint, and later targeting the general public using a link in an email regarding a problem clearing a check. The ransomware scrambles and locks files on the computer and requests the owner make a payment in exchange for the key to unlock and decrypt the files. According to Dell SecureWorks, 0.4% or more of those infected likely agreed to the ransom demand.
2014
In January 2014, the Seculert Research Lab identified a new targeted attack that used Xtreme RAT. This attack used spear phishing emails to target Israeli organizations and deploy the piece of advanced malware. To date, 15 machines have been compromised, including ones belonging to the Civil Administration of Judea and Samaria. According to the 3rd Microsoft Computing Safer Index Report released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion. In August 2014, during the investigation of the iCloud leaks of celebrity photos, it was found that Collins phished by sending e-mails to the victims that looked like they came from Apple or Google, warning the victims that their accounts might be compromised and asking for their account details. The victims would enter their password, and Collins gained access to their accounts, downloading e-mails and iCloud backups. In September 2014, personal and credit card data of 100+ million shoppers of all 2200 Home Depot stores was posted for sale on hacking web sites. In November 2014, ICANN was hit by phishing attacks. Notably, administrative access to the Centralized Zone Data System was gained, allowing the attacker to get zone files, and data about users in the system, such as their real names, contact information, and salted hashes of their passwords. Access was also gained to ICANN's public Governmental Advisory Committee wiki, blog, and WHOIS information portal.
2015
Charles H. Eccleston pleaded guilty to one count of attempted "unauthorized access and intentional damage to a protected computer" in the attempted spear-phishing cyber attack on January 15, 2015, when he attempted to infect computers of 80 Department of Energy employees. Eliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear phishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. Bellingcat is best known for having accused Russia of being culpable for the shooting down of MH17, and is frequently derided in the Russian media. In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation. In August 2015, Fancy Bear used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.
2016
Fancy Bear carried out spear phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016. On April 15, which in Russia was a holiday in honor of the military’s electronic warfare services, the hackers seemed to become inactive for the day. Another sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was also present in the DNC's servers at the same time. However, the two groups each appeared to be unaware of the other, as each independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage. The Wichita Eagle reported "KU employees fall victim to phishing scam, lose paychecks". Fancy Bear is suspected to be behind a spear phishing attack in August 2016 on members of the Bundestag and multiple political parties such as Linke faction leader Sahra Wagenknecht, Junge Union and the CDU of Saarland. Authorities fear that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany's next federal election due in September 2017. In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. After reviewing the two domains provided by WADA, it was found that the websites' registration and hosting information were consistent with the Russian hacking group Fancy Bear. According to WADA, some of the data the hackers released had been forged. Within hours of the 2016 U.S. election results, Russian hackers sent emails containing dirty zip files from spoofed Harvard University email addresses. Russians used techniques similar to phishing to publish fake news targeted at ordinary American voters.

2017
In 2017, 76% of organizations experienced phishing attacks. Nearly half of information security professionals surveyed said that the rate of attacks increased from 2016. In the first half of 2017 businesses and residents of Qatar were hit with more than 93,570 phishing events in a three-month span.
A phishing email to Google and Facebook users successfully induced employees into wiring money – to the extent of US$100 million – to overseas bank accounts under the control of a hacker. He has since been arrested by the US Department of Justice.
In May 2017, the WannaCry ransomware attack is suspected of having impacted more than 230,000 people in 150 countries. In the beginning of June 2017, a Ukrainian FinTech company, MeDoc, was breached, and its systems were injected with malware called Petya. Through a Microsoft vulnerability, the malware spread across the globe – impacting hundreds of organizations in Russia, Europe, India and the United States. By the end of June, a new series of attacks called NotPetya had wrought havoc globally, shutting down hundreds of businesses, including Maersk, WPP, TNT, Mondelez, Cadbury's, the Russian steel and oil firms Evraz and Rosneft, Kiev airport and Chernobyl's monitoring systems.
In August 2017, customers of Amazon faced the Amazon Prime Day phishing attack, when hackers sent out seemingly legitimate deals to customers of Amazon. When Amazon’s customers attempted to make purchases using the ‘deals’, the transaction would not be completed, prompting the retailer’s customers to input data that could be compromised and stolen.

Chapter 3: TYPES OF PHISHING
3.1 SPEAR PHISHING

When attackers try to craft a message to appeal to a specific individual, that's called spear phishing.
Phishers identify their targets (sometimes using information on sites like LinkedIn) and use spoofed addresses to send emails that could plausibly look like they're coming from co-workers.
For instance, the spear phisher might target someone in the finance department and pretend to be the victim's manager requesting a large bank transfer on short notice.

Example:-

The above example shows an email from an organization to which you might or might not belong. The email claims that your account will be deactivated if you don’t follow a convenient link. This email might also have some real links to the company they claim to be from. They probably even include “BEWARE OF SCAMMER” warnings.

3.2 CLONE PHISHING:

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

EXAMPLE:-

It has become very difficult to tell the difference between a phishing website and a
real website. The fakes are accurate copies and they contain the real website’s URL
as part of their own URL. But if you look carefully, you will see that the phish points to
a different domain. But this is easy to miss when the website looks just like the real
thing. The above screenshot shows an example of a phishing email falsely claiming
to be from a real bank.

3.3. WHALING:
It is a form of spear phishing aimed at the very big fish — CEOs or other high-value
targets. Many of these scams target company board members, who are considered
particularly vulnerable: they have a great deal of authority within a company, but
since they aren't full-time employees, they often use personal email addresses for
business-related correspondence, which doesn't have the protections offered by
corporate email.
In these cases, the content will be crafted to target an upper manager and the
person's role in the company. The content of a whaling attack email may be an
executive issue such as a subpoena or customer complaint.

EXAMPLE:-

This attempted attack originated from Johannesburg where the attacker registered a
similar domain name, using a double “c” which was overlooked.

CHAPTER 4: PHISHING TECHNIQUES
4.1 Link manipulation
Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination, when the link actually goes to the phishers' site.

Many desktop email clients and web browsers will show a link's target URL in the status bar while hovering the mouse over it. This behavior, however, may in some circumstances be overridden by the phisher. Equivalent mobile apps generally do not have this preview feature. Internationalized domain names (IDN) can be exploited via IDN spoofing or homograph attacks, to create web addresses visually identical to a legitimate site that lead instead to a malicious version. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or to host the phish site without SSL at all.
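The five tricks described in this section (brand name as a subdomain of another domain, anchor text naming a different domain than the href, IDN homographs, open redirectors on a trusted site, and plain HTTP) can each be checked mechanically. The following Python script is an added example and is not part of the report; it assumes a simplified last-two-labels rule for the registrable domain (a real checker would use the Public Suffix List) and scans a constructed sample message impersonating the hypothetical yourbank.com.

```python
# Added example (not from the report): heuristic checks for the link-manipulation
# tricks described in section 4.1, run over a constructed HTML email body.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


def registrable_domain(host):
    """Simplified registrable-domain rule (assumption: last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def displayed_domain(text):
    """Registrable domain of any domain-looking string in the visible anchor text."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return registrable_domain(m.group(1)) if m else None


def is_idn(host):
    """Internationalized host: raw non-ASCII characters or punycode (xn--) labels."""
    return any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split("."))


def carries_embedded_url(url):
    """Open-redirector pattern: a query parameter whose value is itself a URL."""
    for values in parse_qs(urlparse(url).query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            return True
    return False


def check_link(text, href, trusted_domain):
    """Return the list of section 4.1 tricks that a single link exhibits."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    href_domain = registrable_domain(host)
    brand = trusted_domain.split(".")[0]
    # 1. Brand name used as a subdomain of some other domain
    #    (the report's http://www.yourbank.example.com/ case).
    if brand in host and href_domain != trusted_domain:
        findings.append("brand-in-subdomain")
    # 2. Visible text names one domain while the href points to another.
    shown = displayed_domain(text)
    if shown is not None and shown != href_domain:
        findings.append("text-href-mismatch")
    # 3. IDN homograph: host is not plain ASCII, or is already punycode.
    if is_idn(host):
        findings.append("idn-host")
    # 4. The trusted site's own redirector used to bounce to another URL.
    if href_domain == trusted_domain and carries_embedded_url(href):
        findings.append("open-redirect")
    # 5. Plain HTTP: the report notes phish sites may not use SSL at all.
    if parsed.scheme == "http":
        findings.append("no-tls")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_html(html, trusted_domain):
    """Return [(href, findings), ...] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(text, href, trusted_domain))
            for text, href in parser.links]


# Constructed sample message impersonating the hypothetical "yourbank.com".
# The third link's host contains a Cyrillic "a" (U+0430), a homograph of Latin "a".
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account will be suspended unless you act now.</p>
<a href="http://www.yourbank.example.com/login">https://www.yourbank.com/login</a>
<a href="https://www.yourbank.com/redirect?url=http://evil.example/login">Sign in</a>
<a href="https://yourb\u0430nk.com/">yourbank.com</a>
<a href="https://www.yourbank.com/help">Help</a>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_EMAIL_HTML, "yourbank.com"):
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {href} {findings}")
```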

4.2 Website forgery

Some phishing scams use JavaScript commands in order to alter the address bar of the website they lead to. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL. An attacker can also potentially use flaws in a trusted website's own scripts against the victim.

These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Such a flaw was used in 2006 against PayPal.
To avoid anti-phishing techniques that scan websites for phishing-related text, phishers sometimes use Flash-based websites (a technique known as phlashing). These look much like the real website, but hide the text in a multimedia object.

4.3 Vishing (voice phishing)

In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information about the bank account over the phone. Phone phishing is mostly done with a fake caller ID.

4.4 Smishing (SMS phishing)
Phishing conducted via the Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.

4.5 EMAIL TECHNIQUE:

Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts.

Chapter 5: PREVENTION

Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will
continue, though: They are successful enough for cybercriminals to make massive profits.
Phishing scams have been around practically since the inception of the Internet, and they
will not go away any time soon. Fortunately, there are ways to avoid becoming a victim
yourself.

1. Keep Informed About Phishing Techniques: - New phishing scams are being
developed all the time. Without staying on top of these new phishing techniques, you
could inadvertently fall prey to one. Keep your eyes peeled for news about new
phishing scams. By finding out about them as early as possible, you will be at much
lower risk of getting snared by one. For IT administrators, ongoing security
awareness training and simulated phishing for all users is highly recommended in
keeping security top of mind throughout the organization.

2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites.
Clicking on links that appear in random emails and instant messages, however, isn’t
such a smart move. Hover over links that you are unsure of before clicking on them.
Do they lead where they are supposed to lead? A phishing email may claim to be
from a legitimate company and when you click the link to the website, it may look
exactly like the real website. The email may ask you to fill in the information but the
email may not contain your name. Most phishing emails will start with “Dear
Customer” so you should be alert when you come across these emails. When in
doubt, go directly to the source rather than clicking a potentially dangerous link.

3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free. Do not download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products.

4. Check Your Online Accounts Regularly:- If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

5. Keep Your Browser Up to Date – Security patches are released for popular
browsers all the time. They are released in response to the security loopholes that
phishers and other hackers inevitably discover and exploit. If you typically ignore
messages about updating your browsers, stop. The minute an update is available,
download and install it.

6. Use Firewalls – High-quality firewalls act as buffers between you, your computer
and outside intruders. You should use two different kinds: a desktop firewall and a
network firewall. The first option is a type of software, and the second option is a type
of hardware. When used together, they drastically reduce the odds of hackers and
phishers infiltrating your computer or your network.

7. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate
components of a website. All too often, though, they are phishing attempts. Many
popular browsers allow you to block pop-ups; you can allow them on a case-by-case
basis. If one manages to slip through the cracks, don’t click on the “cancel” button;
such buttons often lead to phishing sites. Instead, click the small “x” in the upper
corner of the window.

10. Use Antivirus Software – There are plenty of reasons to use antivirus software.
Special signatures that are included with antivirus software guard against known
technology workarounds and loopholes. Just be sure to keep your software up to
date.
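As an added example that is not part of the report, a short Python script automates the two checks from item 2 above: it parses the anchors in an HTML email body, compares the host the link text shows with the host the href actually points to, and flags a generic “Dear Customer” greeting. The sample message and every domain in it are constructed placeholders.

```python
# Added example, not from the report: automate the "hover over the link" and
# "Dear Customer" checks on an HTML email body. Domains below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased hostname; accepts bare 'www.example.com' as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def inspect_email(html_body):
    """Return a list of red flags (empty list means none were found)."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        # Only compare when the visible text itself looks like a URL or host;
        # "click here" style text has nothing to compare against.
        if LOOKS_LIKE_URL.fullmatch(text) and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    if any(g in html_body.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    return findings

# Constructed sample, not a real phishing email.
SAMPLE = ('<p>Dear Customer,</p><p>Please verify your account at '
          '<a href="http://www.example-bank.com.login-placeholder.test/">'
          'www.example-bank.com</a>.</p>')
```

The host comparison is strict, so a legitimate mail whose link text reads “www.example.com” but whose href goes to “example.com” is also reported; that is the trade-off of a simple rule.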

Chapter 6: ANTI-PHISHING

There are anti-phishing websites, such as Fraud Watch International and Millersmiles,
which publish the exact messages that have recently been circulating on the internet,
often with specific details about each message.
As recently as 2007, the adoption of anti-phishing strategies by businesses needing to
protect personal and financial information was low. Now there are several different
techniques to combat phishing, including legislation and technology created specifically to
protect against phishing. These techniques include steps that can be taken by individuals
as well as by organizations. Phone, web site, and email phishing can now be reported to
authorities, as described below.

TECHNICAL APPROACHES:-

A wide range of technical approaches are available to prevent phishing attacks from
reaching users or to prevent them from successfully capturing sensitive information.

1) Browser alerting users to fraudulent websites:-

One popular approach to fighting phishing is to maintain a list of known phishing
sites and to check websites against the list. One such service is the Safe Browsing
service. Web browsers such as Google Chrome, Internet Explorer 7, Mozilla Firefox
2.0, Safari 3.2, and Opera all contain this type of anti-phishing measure. According to
a report by Mozilla in late 2006, Firefox 2 was found to be more effective than
Internet Explorer 7 at detecting fraudulent sites in a study by an independent
software testing company.

2) Augmenting Password login:-

The Bank of America website is one of several that asks users to select a personal
image (marketed as Site Key) and displays this user-selected image with any forms
that request a password. Users of the bank's online services are instructed to enter a
password only when they see the image they selected. However, several studies
suggest that few users refrain from entering their passwords when images are absent.
In addition, this feature (like other forms of two-factor authentication) is susceptible to
other attacks, such as those suffered by Scandinavian bank Nordea in late 2005, and
Citibank in 2006.

3) Filtering out phishing mail:-
Specialized spam filters can reduce the number of phishing emails that
reach their addressees' inboxes, or provide post-delivery remediation, analysing
and removing spear phishing attacks upon delivery through email provider-level
integration. These approaches rely on machine learning and natural language
processing approaches to classify phishing emails. Email address authentication is
another new approach.
4) Monitoring and takedown:-
Several companies offer banks and other organizations likely to suffer from phishing
scams round-the-clock services to monitor, analyse and assist in shutting down
phishing websites. Individuals can contribute by reporting phishing to both volunteer
and industry groups, such as cyscon or PhishTank. Individuals can also contribute by
reporting phone phishing attempts to the Federal Trade Commission. Phishing web
pages and emails can be reported to Google. The Internet Crime Complaint Center's
noticeboard carries phishing and ransomware alerts.
5) Transaction verification and sign in:-
Solutions have also emerged using the mobile phone (smartphone) as a
second channel for verification and authorization of banking transactions.
6) Limitations of technical responses:-
An article in Forbes in August 2014 argues that the reason phishing
problems persist even after a decade of anti-phishing technologies being sold is
that phishing is "a technological medium to exploit human weaknesses" and that
technology cannot fully compensate for human weaknesses.
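The list-based check described under 1) above, as an added example that is not from the report or from any browser vendor: the host of each URL is canonicalised before the lookup so that letter case, a trailing dot, embedded credentials, a port number or an extra subdomain do not let a listed site slip past. The list entries are constructed placeholders, not real indicators.

```python
# Added example, not from the report: a Safe-Browsing-style lookup against a
# local list of known phishing hosts, with URL canonicalisation so that trivial
# variations (case, trailing dot, userinfo, port, deeper subdomains) still hit
# the list. The list entries are constructed placeholders.
from urllib.parse import urlsplit

KNOWN_PHISHING_HOSTS = {
    "secure-login.example-phish.test",
    "example-phish.test",
}

def canonical_host(url):
    """Normalise the host part of a URL for list comparison."""
    if "://" not in url:
        url = "http://" + url                 # bare host as typed in an address bar
    host = urlsplit(url).hostname or ""       # .hostname drops userinfo and port
    host = host.lower().rstrip(".")           # trailing dot is the same host
    try:
        host = host.encode("idna").decode("ascii")  # unify Unicode/punycode forms
    except UnicodeError:
        pass                                  # malformed label: compare as-is
    return host

def is_listed(url, blocklist=KNOWN_PHISHING_HOSTS):
    """True if the host, or any parent domain of it, is on the blocklist."""
    labels = canonical_host(url).split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        if ".".join(labels[i:]) in blocklist:
            return True
    return False
```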
LEGAL RESPONSES:-

On January 26, 2004, the U.S. Federal Trade Commission filed the first lawsuit against
a suspected phisher. The defendant, a Californian teenager, allegedly created a webpage
designed to look like the America Online website, and used it to steal credit card
information. Other countries have followed this lead by tracing and arresting phishers. A
phishing kingpin, Valdir Paulo de Almeida, was arrested in Brazil for leading one of the
largest phishing crime rings, which in two years stole between US$18 million and US$37
million. UK authorities jailed two men in June 2005 for their role in a phishing scam, in a
case connected to the U.S. Secret Service Operation Firewall, which targeted notorious
"carder" websites. In 2006 eight people were arrested by Japanese police on suspicion of
phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves ¥100
million (US$870,000). The arrests continued in 2006 with the FBI Operation Cardkeeper
detaining a gang of sixteen in the U.S. and Europe.

Chapter 7: EFFECTS OF PHISHING

• Internet fraud

• Identity theft

• Financial loss to the original institutions

• Difficulties in law enforcement investigations

• Erosion of public trust in the Internet

CHAPTER 8: CONCLUSION

No single technology will completely stop phishing. However, a combination of good
organization and practice, proper application of current technologies, and improvements
in security technology has the potential to drastically reduce the prevalence of phishing
and the losses suffered from it.
