Cyber fraud is lurking everywhere across the internet and one of the most effective tactics on victims is “phishing.” Phishing is a term for the use of disguised and misleading emails, text, and instant messages to trick email recipients into believing that they are receiving a message from a trusted source. By posing as a bank, employer, or government authority, the attackers steal personal information and data such as login credentials, Social Security, credit card details, etc.
Phishing attacks can seem innocuous on the surface. An attack might look like a simple email message from the recipient’s company asking them to click on the link or download an attachment. However, when the link is clicked, the user is taken to a fake website where they are asked to take some action, like entering their credentials. Often the “ask” is the download of an innocent looking file which may actually install spyware or malware on their computer.
History and prevalence
Phishing is not a new phenomenon. One of the oldest and most common types of cyberattack, it can be traced back to the 1990s. Over time, users may have become savvier, but phishing messages have become more sophisticated and authentic in presentation. According to Verizon’s Data Breach Report, almost one-third of all data breaches in 2019 were a result of phishing attacks. Ultimately, its proliferation is the result of human trust – something that can be a challenge to firewall.
Phishing attack intent
Most commonly, an attacker will replicate an email that will look like an authentic email from a trusted source. The more convincing the disguise, the more likely they are to succeed. In tandem, the attacker will set up website landing pages that mimic a website that the victim trusts.
The intent is to get recipients of their messages to do one of two things:
Surrender sensitive information
Your personal information is literally the key to riches for phishing criminals. In many cases, attackers simply want your money. How do they get it? They lure you to a false landing page that looks like something your bank may host. If you “sign in” to your bank account in this case, you are really just handing over your bank account credentials to the attacker. Once they have them, it’s game over. They can go directly to your real account and empty it immediately. Millions of such emails are sent annually to would-be victims.
Keep in mind, it not always just about money from private citizens. The same process is often used on the corporate level to acquire secure documents – ideas, financial documentation, legal documentation, product specifications, etc.
Malware is all about taking control of the host’s computer for nefarious purposes. And Phishing is the preferred method for malware infections.
A typical malware injection scenario may resemble the following path: The Phishing attacker imitates a company’s HR department and asks the targeted recipient to download an important form or document, such as a job seeker’s resume. This attachment is typically a zip file or a Microsoft Word document with embedded malicious code. In most cases this will be ransomware, code that takes control of the victim’s computer in some debilitating fashion until the users pays the hackers to unlock it. According to a report, 93% of phishing attacks had ransomware attachments.
Types of phishing attacks
There are many types of phishing attacks, and they all have colorful names – but they are all dangerous. Some of the most common:
Whereas most Phishing targets a wide range of victims, Spear phishing is focused on defrauding a specific individual. Metaphorically, instead of casting a net or dropping a hook to see who takes the bait, the attacker focuses the attack in a personalized way.
Often targeted victim information is gathered through social media sites such as Facebook and LinkedIn. With this specific personal information, the attacker uses spoof email addresses and sends messages that appear to be coming from a trusted source, such as a friend, family member, employer or a co-worker.
For example, a spear-phishing fraudster may target an employee working in the finance department and pretend to be the department’s manager requesting the employee quickly transfer a large sum of money to an account.
Whale phishing, also known as whaling, is a type of spear phishing that targets high-value individuals, company board members or CEOs. These targets have authority within their organization as well as access to important data.
Being an executive doesn’t mean you are not vulnerable. Note that most board members are not full-time employees, so they often use their personal email addresses for official or business-related correspondences. Personal emails are more susceptible to phishing attacks because they may not provide the same protection offered by a corporate email system. While whaling is a more time-consuming and sophisticated activity than other cyberattacks, if successful, it can reap big rewards for hackers.
Clone Phishing employs a higher degree of disguise as it uses the content of an actual, legitimate email that contained a link or an attachment and was previously delivered to the victims.
After the attackers create the clone email, they replace the link or attachment with a malicious version or source and send it using a spoofed email address, impersonating an original sender.
These clone phishing messages may claim to be an updated version of the original email or the company resending the original email.
Here, cyber attackers use images instead of words to make these phishing messages harder to detect with anti-phishing filters. However, more sophisticated filters can identify and recover hidden text within a malicious image using optical character recognition (OCR).
Phishing attackers use potential flaws within trusted websites’ scripts against the victims. Such attacks are difficult for a common user to spot without a specialist’s help.
Covert redirect is where a link appears to be legit but takes the victim to attackers’ website. Typically, victims get an error message during log-in and the site asks them to enter their username and password again.
This type of phishing attack may also redirect the victims to fake websites covertly using malicious browser extensions. Attentive users will notice the malicious URL will be slightly different from the trusted URL.
Fake websites, fake messages, malicious links, and attachments are not the only phishing attacks plaguing us. Voice phishing uses fake caller IDs that appear legitimate. These calls will ask you to dial a number to discuss an issue related to your bank account. Once you dial the number, it will ask you to enter your card details, your account number and your PIN code to verify your identity. Once you do that, the phone disconnects, and the attackers have your details.
Tabnabbing is another technique that takes advantage of multiple open tabs in a victim’s browser. The technique is to open a fake web page silently on the already opened tab in a browser when the user tries to open a legitimate website. The user mistakenly falls for the fake page, considering it to be original, and end up handing out information to the hackers.
Protect yourself from phishing
The best way to protect yourself from phishing attacks is research. Google the terms above and, by looking at samples, familiarize yourself with the hallmarks of fraud, as well as how to verify that you are on a legitimate website.
Some quick tips:
- Check website URLs for spelling mistakes, especially if the link is mentioned in an email asking for sensitive information.
- Be cautious about the URL redirects. Links that send you to a different website than what you expected might be a phishing attack.
- If you have any doubts that the email may not be from the original source, contact them to confirm if they have sent you any message whatsoever.
- Do not post personal information, such as birthdays, home addresses, and phone numbers on social media. Always set your privacy settings to the highest level possible.
Phishing attacks are a common and ever-present threat. Keep your security tight and never share personal details over email, phone, or in a message. You never know when you are exposing yourself to cyber attackers out there.