Phishing: Nepal Threat Scenario


Information and Communication Technologies (ICT), including Internet use, are expanding rapidly in developing countries like Nepal. This has opened numerous opportunities for enterprises and individuals. At the same time, these technologies are also misused by cybercriminals for illegitimate activities. In Nepal, most cybercrimes are financially motivated, and one such cybercrime is phishing.

The information harvested this way is usually used by phishers to defraud their victims. Phishers employ a number of techniques, such as social engineering schemes, to lure potential victims into divulging their account details and other sensitive information.

Phishing in Nepal

There has been a significant rise in phishing attacks in developing countries like Nepal, for two main reasons. First, the computer literacy rate in developing countries is far below that of developed countries.
Second, the business culture in developing countries differs significantly from that of their developed counterparts. In developing countries, most business still works on trust, and phishing is harmful to trust. Moreover, there is no proper research on cybercrimes like phishing in Nepal.


Cybercriminals usually exploit users who lack digital/cyber ethics or who are poorly trained, in addition to exploiting technical vulnerabilities. Susceptibility to phishing varies between individuals according to their attributes and awareness level.
Therefore, in most attacks, phishers exploit human nature instead of sophisticated technology. Even though the weak point in the information security chain is attributed more to humans than to technology, there is a lack of understanding about which link in this chain is penetrated first.


What does phishing do?

The process of phishing starts when an attacker targets a user whose data or credentials profit the attacker in some way. This profit can be monetary or any other gain. The attacker then sends a fraudulent email or message through a particular medium.
The victim believes the request is coming from a genuine source. This email might carry ransomware or other malware into the target system, or it may simply redirect the victim to a page where personal information, credit card details, or login credentials are demanded.
Advanced Persistent Threats (APT) and other such cyber-attacks all begin with phishing. When the victim opens the malicious email or message and performs the requested action, the phishing tools sent by the attacker become active and carry out their purpose: stealing information or attacking the victim's financial resources.


Types of Phishing Attacks:


Standard Phishing: Casting a Wide Net
At its most basic, standard phishing is the attempt to steal confidential information by pretending to be an authorized person or organization. It is not a targeted attack and can be conducted in mass.


Malware Phishing:
Using the same techniques, this type of phishing delivers malware by convincing a user to click a link or download an attachment that installs it on the machine. It is currently the most widely used form of phishing attack.


Spear Phishing:
Where most phishing attacks cast a wide net, hoping to entice as many users as possible to take the bait, spear phishing involves heavy research of a predefined, high-value target, such as a CEO, founder, or public persona, often relying on publicly available information for a more convincing ruse.


SMS + Phishing = Smishing:
SMS-enabled phishing uses text messaging as a method for delivering malicious links, often in the form of shortcodes, to ensnare smartphone users in their scams.


Search Engine Phishing:
In this type of attack, cybercriminals wait for you to come to them. Search engine phishing injects fraudulent sites, often in the form of paid ads, into results for popular search terms.


Vishing:
Vishing involves a fraudulent actor calling a victim, pretending to be from a reputable organization, and trying to extract personal information such as banking or credit card details. Most often, the “caller” on the other line obviously sounds like a robot, but as technology advances, this tactic has become more difficult to identify.


Whaling:
Whaling or whale phishing is the type of phishing attack that targets executives, high-profile end-users, or other top-level management. Attackers use social media and corporate websites to identify such “big fish” and impersonate that person. They use fake but similar email addresses to send emails to the employees, clients, or vendors who have access to sensitive and valuable information.


Evil Twin:
An evil twin wireless phishing attack uses a fake or fraudulent Wi-Fi access point, often making it look legitimate, that might intercept data during transfer. Subsequently, if someone uses the fake access point, the attackers are able to conduct man-in-the-middle attacks or eavesdropping attacks. This allows them to collect valuable information such as login credentials, bank details, or sensitive and personal information transferred through that connection.


Pharming:
Pharming, a term combining “farming” and “phishing”, is a cyberattack where attackers poison the Domain Name System (DNS), which translates human-readable domain names into IP addresses. This attack is more technical and the most difficult to detect. A compromise of DNS enables an attacker to redirect a website's visitors to a duplicate, malicious website where users may enter their sensitive and personal information.


How to Protect Yourself from Phishing Attacks:

Protecting yourself from phishing attacks starts with knowing what’s out there. Here are a few tips to keep in mind to protect sensitive information.


  • Never click on links from unknown senders or if any detail about the exchange has aroused suspicion.
  • Whenever possible, hover over a link to ensure the destination matches your expectations.
  • If you suspect an email is a phishing attempt, double-check the sender’s name, the specificity of the salutation, and the footer for a physical address and an unsubscribe button. When in doubt, delete.
  • If you’re unsure if communication is legitimate, try contacting the brand or service via another channel (their website or by calling a customer service line, for instance).
  • Avoid entering personally identifiable information unless you are extremely confident in the identity of the party you are communicating with.
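The tips above ask the reader to hover over a link and compare the destination against what is displayed, and to be wary of lookalike senders. The following Python script, added here as an example and not part of the original article, automates that check over the HTML body of an email: it extracts every anchor, flags a visible URL whose domain differs from the real destination, flags destinations that are raw IP addresses, and flags domains that closely resemble a trusted one. The trusted domain list and the sample email (including the typosquatted host and the documentation-range IP address) are constructed for this example; no real organisation's domains are involved.

```python
"""Flag suspicious links in an email body (added example, not from the article)."""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation legitimately links to.
TRUSTED_DOMAINS = {"example-bank.com.np", "example-bank.com"}

# Visible anchor text that looks like a URL or bare domain.
_DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a typosquatted login link, a raw-IP link, and one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, your mobile banking access will be suspended.</p>
<p><a href="http://examp1e-bank.com.np/login">https://example-bank.com.np/login</a></p>
<p><a href="http://203.0.113.7/verify">Verify your account</a></p>
<p><a href="https://online.example-bank.com.np/help">Help centre</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _norm(host):
    """Lower-case and drop a leading 'www.' so display/destination compare fairly."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    reasons = []
    host = _norm(urlparse(href).hostname or "")
    if not host:
        return reasons  # mailto:, relative links etc. are not examined here
    shown = _DOMAIN_TEXT.match(text)
    if shown and _norm(shown.group(1)) != host:
        reasons.append(f"displayed {_norm(shown.group(1))} but goes to {host}")
    if _IPV4.match(host):
        reasons.append("destination is a raw IP address")
    is_trusted = host in trusted or any(host.endswith("." + t) for t in trusted)
    if not is_trusted:
        near = difflib.get_close_matches(host, sorted(trusted), n=1, cutoff=0.8)
        if near:
            reasons.append(f"{host} looks like trusted domain {near[0]}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Return (href, text, reasons) for every link that raised at least one finding."""
    flagged = []
    for href, text in extract_links(html):
        reasons = assess_link(href, text, trusted)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href!r} (shown as {text!r}):")
        for r in reasons:
            print("   -", r)
```

The similarity cutoff of 0.8 in `difflib.get_close_matches` is a tuning choice: lower values catch more distant lookalikes at the cost of false positives against short trusted domains, so a deployment would calibrate it against the organisation's own domain list.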


Banking and Business Sectors

Banking and business sectors are gradually changing and becoming more open to adopting new ICT technologies in order to offer better quality service to their customers. Most banks offer mobile banking and SMS (Short Messaging Service) banking.
Every day a large and steadily growing number of individuals and businesses use such services to transfer funds and pay their bills. More importantly, the number of e-banking and mobile banking users will increase significantly in the future. Therefore, in order to thwart an exponential increase in phishing attacks, people first have to be aware.
Equally important are the laws and effective enforcement of those laws. This also demands a well-equipped authorized body with skilled personnel who can successfully apply preventive, detective, and responsive measures in order to protect civilians from falling for phishing.