What is a phishing attack?

Phishing is a type of attack where a malicious actor misrepresents themselves as an entity or business in order to mislead people and collect sensitive data such as credit card details, passwords, personal identification information, and others. Phishing relies on manipulating humans. Thus, it is more of a social engineering attack rather than a software or hardware failure.

Common phishing attacks rely on fraudulent emails that lead customers to put their information on a fake website. Phishing can also be used in cryptocurrencies to give users the impression that they are paying for legitimate services. But in reality, they are sending their money to the attacker’s address or providing access to their wallets.

Types of Phishing?

There are different types of phishing, and these are identified according to the target or mode of attack used by adversaries.

•  Clone phishing: An attacker will copy a previously sent legitimate email and add their fraudulent link. The attacker will provide an excuse such as “this is an updated link for our company” or “the previous link has expired” to deceive users.

• Spear phishing: This type of attack targets a specific person or entity. Usually, the attacker collects personalized data on their target thus they are able to make a more sophisticated attack on the user. The attack will lead the user to a fake website or to download a malicious file.

•  Pharming: The attacker does not directly target the user but rather poisons a website to redirect the user to their fraudulent link when they try to reach a website. This is more of a software compromise that users do not have access to, but the human compromise aspect is introduced when a user is unaware that they have been redirected to a fraudulent link.

• Whaling: A type of spear phishing that targets wealthy individuals, large companies, or government officials.

• Email spoofing: Phishing emails are the most common ways used to target victims. These will contain fake websites that are cleverly designed to collect personal data that is typed on the website.

• Website redirects: This is almost similar to pharming. The attacker will design a website that redirects users to a fraudulent email.

• Typo-squatting: Attackers use foreign language spellings, common misspellings, or small variations to the domain name to mimic a legitimate website. They target users who misspell when typing a web address or those that do not notice the small changes to redirect them to a fraudulent website.

• The ‘watering hole’: This is more of a software attack rather than social engineering. Attackers target specific users to determine the websites they use. The attackers will then scan such a website for code vulnerabilities and exploits these bugs to their advantage.

• Impersonation & giveaways: Attackers may represent themselves as influential figures or prominent members of society (such as a CEO, manager, or director of major institutions) looking to serve the community. They entice their victims by illustrating their wealth and status or by doing giveaways. The phishers can attack users at large or target specific victims through direct messages. The attackers may also create fake social media accounts that mimic legitimate projects, especially on Twitter or Discord, to target the crypto community.

• Advertisements: Phishers can pay search engines to have their fraudulent website show up as a top result. The websites are usually typo-squatted to mimic legitimate companies such as CoinMENA; thus, they will appear when users are trying to get to the legitimate website.

• Malicious applications: The attackers use malicious applications as a means of getting to their victims. The applications may be represented as digital wallets, price trackers or any other useful app, but in reality, their code is designed to gather personal data from the device.

• Text & voice phishing: The attackers use text or voice calls as a means of getting to their victims.

How to protect yourself from phishing?

• Be wary: Since phishing is mainly a social engineering attack, users should be on high alert for emails, messages, or calls that they do not expect. Additionally, pay close attention to typos and interfaces that look different from the norm. When in doubt, as a safety precaution, try to contact the legitimate customer support.

• Check the content: Check if the content or sender address has been caught up in a scam before by putting the information on a search engine, such as Google search engine.

• Try other means: Avoid clicking on links from suspicious emails that mimic services you use (e.g., CoinMENA or Coin market-cap). Instead, try and access the website through different means such as searching the link you rely on to access a commonly visited website.

• Check the URL: Check URLs closely for typos and other irregularities before clicking on them.

• Do not share your private keys: The difference with cryptocurrency is that it gives users full control of their assets, but this power comes with the added responsibility of protecting oneself. The user data and assets are stored personally hence, no central authority can control it, and equally, no central authority can be called to dispute a charge where the service is not provided as expected. Furthermore, Never share your private keys with anyone. CoinMENA will never ask you for your private keys, passwords or to send digital assets to another location.

• Service providers: As additional protection, users should rely on well-established and regulated entities like CoinMENA, which is fully regulated and licensed by the Central bank of Bahrain. Such entities will also provide an extra layer of protection, such as 2-factor authentication or anti-phishing codes to help identify official emails.