Attackers try to impersonate trusted parties such as Microsoft, your bank, or even your own children to get you to part with your hard-earned money. They will stop at nothing and use dirty tricks such as emailing you or even calling you, all while playing on your sense of urgency.
Let's imagine that one night your child calls you in tears. They are begging you to send $200 to a bank account you have never heard of because their car broke down somewhere far away. They are alone and afraid, and the mechanic won't let them leave because they can't pay.
This sounds like a horror scenario for any parent, but I would recommend that you at least hang up and call your child back on the number you know they can be reached at. Scammers prey upon their victims' emotions and will stop at nothing; the urgency is part of the trick, because it is meant to keep you from verifying the story.
Another common way phishing is carried out is via email. The attacker will spoof the email address of a company you trust or mimic it very closely. The only real remedy is to verify every important email you receive, which is not easy to do. Keep a watchful eye and don't click a link just because it arrived in an email; instead type the URL of your online banking application yourself or use a bookmark you created. That way you know you are on the right site, and if you cannot find anything there matching what the email talked about, that should raise your suspicions.
CSRF, or Cross-Site Request Forgery, can have a serious impact. What happens after exploiting this vulnerability depends entirely on which features of the application are affected.
The attack does not need a copy of your bank's website. As the name suggests, the request is forged from another site, such as one the attacker controls: you are logged in to your bank in one tab, you open the attacker's page in another, and that page makes your browser submit a transfer form to the bank. Your browser attaches your bank session cookie automatically, so the bank sees what looks like a legitimate transfer from you... except that the money goes straight into the attacker's bank account. The attacker's page can of course be dressed up as something you trust, which is where phishing and CSRF meet. To prevent this, your bank can generate a random token bound to your session, print it in a hidden form field, and check, for every submitted form that requires an authenticated user, that the CSRF token matches the one stored for that session. The attacker's page cannot read the token out of the bank's page (the same-origin policy stops that), so it cannot include it in the forged request. Marking the session cookie SameSite is a useful second layer, but the token check is the one the server fully controls.
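The token scheme described above, as an added example that is not code from the original article. It assumes a constructed in-memory session store and a hypothetical /transfer form; the names login, render_transfer_form and handle_transfer are illustrative. The legitimate request carries the token from the bank's own page, while the forged request from the attacker's page arrives with the victim's cookie but without the token (or with a guess) and is refused:

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store (assumption: a real bank keeps this server-side).
SESSIONS = {}


def login(user):
    """Create a session and mint one CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The bank's own page: the session's token goes into a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token, quote=True)}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookie_sid, form):
    """Server side of POST /transfer (hypothetical endpoint).

    cookie_sid is the value the browser sent in the session cookie; form is the
    parsed POST body. Returns (status, message).
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: no timing leak, and no TypeError if the
    # submitted value contains non-ASCII characters.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or wrong"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


def demo():
    """Legitimate submission versus two forged ones; returns the three status codes."""
    sid = login("alice")
    # Legitimate flow: Alice loaded the bank's form, so the hidden token is present.
    token = SESSIONS[sid]["csrf_token"]
    ok = handle_transfer(sid, {"csrf_token": token, "to": "landlord", "amount": "500"})
    # Forged flow: the attacker's page auto-submits a form. The browser still attaches
    # Alice's session cookie, but the attacker cannot read the token across origins,
    # so it is either absent or a guess.
    forged = handle_transfer(sid, {"to": "attacker", "amount": "5000"})
    guessed = handle_transfer(sid, {"csrf_token": "AAAA", "to": "attacker", "amount": "5000"})
    return ok[0], forged[0], guessed[0]


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session rather than to the user or a fixed secret, so a token captured from one session is useless in another, and the check is applied before any state changes.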
With XSS, or Cross-Site Scripting, a malicious script can be hidden deep inside a website you trust, and the next thing you know your account has been taken over. The loss can be devastating when the attacker runs off with your credit card details or orders expensive items using your account, and the scary part is that it is easy to hide.
When we talk about XSS there are two basic types, reflected and stored, and two sources: source-based XSS, where the server writes the payload into the HTML it sends, and DOM XSS, where client-side JavaScript writes it into the page. We will mostly talk about source-based XSS here, as DOM XSS takes a lot of time to explain because you need the Document Object Model first.
Source-based XSS is what most people are familiar with, and they will probably have seen the following attack vector at least once:
<script>alert()</script>
This is great... if you like getting banned or filtered. That aside, this is how testers go through the application, sometimes in several passes, probing every single parameter for XSS.
Reflected XSS means the payload is not saved in the database, so when we want to attack we have to get our victim to open a link that carries it. That lowers the severity somewhat, but don't be fooled: clicking on the wrong link is easy to do. The scammers are trying to separate you from your hard-earned cash with some swift manipulation, and they can be very sly about hiding these XSS links, for instance behind a shortened URL or in an email that looks like it came from the site itself.
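The reflected case above, plus the parameter-by-parameter probing mentioned earlier, as an added example that is not code from the original article. It assumes a hypothetical search page on bank.example that echoes the q and page parameters, and uses the same probe tag the article shows. The vulnerable renderer reflects the term raw; the hardened one HTML-encodes it, which is the right fix for text landing in the HTML body or a quoted attribute (other contexts, such as inside a script block or a URL, need different encoding):

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed probe: the same tag the article shows.
PROBE = "<script>alert()</script>"


def search_page_vulnerable(params):
    """Reflects request parameters straight into the HTML: classic reflected XSS."""
    q = params.get("q", "")
    page = params.get("page", "1")
    return f"<h1>Results for {q}</h1><p>Page {page}: no results.</p>"


def search_page_safe(params):
    """Same page, but every reflected value is HTML-encoded first."""
    q = escape(params.get("q", ""), quote=True)
    page = escape(params.get("page", "1"), quote=True)
    return f"<h1>Results for {q}</h1><p>Page {page}: no results.</p>"


def params_from_link(url):
    """What the server sees when the victim clicks the attacker's link."""
    return {name: values[0] for name, values in parse_qs(urlsplit(url).query).items()}


def probe_parameters(render, params):
    """Put the probe into each parameter in turn and report which ones reflect it
    unencoded. This is the loop the text describes testers doing by hand."""
    hits = []
    for name in params:
        trial = dict(params)
        trial[name] = PROBE
        if PROBE in render(trial):
            hits.append(name)
    return hits


def demo():
    """Attacker link opened by the victim, rendered by both versions of the page.
    Returns (vulnerable_reflects_probe, safe_reflects_probe)."""
    # Constructed attacker link, the kind that arrives by email behind a friendly label.
    link = "https://bank.example/search?q=%3Cscript%3Ealert()%3C/script%3E&page=1"
    params = params_from_link(link)
    return PROBE in search_page_vulnerable(params), PROBE in search_page_safe(params)


if __name__ == "__main__":
    print(demo())
    print(probe_parameters(search_page_vulnerable, {"q": "shoes", "page": "1"}))
    print(probe_parameters(search_page_safe, {"q": "shoes", "page": "1"}))
```

Note that the probe check only catches the simplest failure; a filter that strips the literal word script but leaves the angle brackets would pass this test and still be exploitable with a different tag, which is why testers vary the payload rather than relying on one string.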