Phishing is a type of cybercrime in which a digital attacker poses as a trustworthy entity to obtain sensitive information. Phishing might target individuals for banking credentials or credit card details, or it might target organizations through their employees. Deloitte estimates that 91% of cyber attacks begin with a phishing email.
Phishing is a significant problem for organizations trying to remain secure, since employees are often targeted as a way to infiltrate the company. With so much at stake, it really pays to understand the biggest phishing attacks.
Phishing attacks can take many forms, but they all have the same objective. The scammer tricks you into revealing sensitive information by posing as a trusted entity.
Phishing might target many people at once (the “spray and pray” approach) or it may be part of a highly focused campaign that targets a select few people. But in either case, it normally begins as a message that looks legitimate.
Phishing relies on social engineering. Its whole premise is to build a degree of trust with the victim so they will feel comfortable providing information. This might involve the hacker posing as a colleague, manager or tech support. Once the victim is convinced they are speaking with a known entity, the stage is set for the attack.
Let’s take a look at the diverse forms a phishing attack can take.
Imagine you receive an email that looks like it’s from your bank. It says that you need to reset some of your account details and contains a link that you’re prompted to click. You’re directed to a webpage with a pop-up that captures your old and new banking credentials. Unfortunately, either the webpage itself or the pop-up is fake – and you have just given your banking credentials to the scammer.
Short for SMS phishing, smishing utilizes Short Message Service (SMS) systems to send bogus text messages. Smishing scams frequently seek to direct the text message recipient to visit a website or call a phone number, at which point the person being scammed is enticed to provide sensitive information such as credit card details or passwords. Smishing websites are also known to attempt to infect the person’s computer with malware.
Spear phishing is an email attack that targets a specific group or type of individual, such as a company’s system administrators. These emails are customized with the target’s name, position, company, work phone number, and other information that would trick the recipient into believing the sender is who they claim to be. This kind of phishing is common thanks to social media sites such as LinkedIn, where attackers can combine different data sources to create a targeted attack email.
Employees receive an email from their IT department asking them to install new instant messaging software. When employees click to install the software, ransomware is installed on the company network.
Clone phishing is an email-based attack in which the bad actor resends a legitimate email and its attachments, pretending to be the original sender. However, the attachments will have been replaced with malware, deploying malicious code to your device as you open them.
Whaling targets high-level employees in order to steal sensitive information from a company. A whaling attacker sends a legitimate-appearing email posing as a senior executive such as a CEO or CFO, with the aim of manipulating the victim into either authorizing a large wire transfer or clicking on an attachment or link that installs malware. The goal of whaling is to receive money and/or sensitive company information that gives the attacker access to the company’s intellectual property, data, or other information that could be sold.
Vishing, short for voice phishing, is the telephone equivalent of phishing. A vishing attacker often pretends to be calling from the government, tax department, police, or the victim’s bank, and tries to convince the victim that the only way to fix the fabricated problem is to provide the information being asked of them. Attackers may tell victims that if they don’t respond to the problem, they will face criminal charges, have their bank account shut down, or suffer other serious consequences.
Search engine phishing is unique in that the attacker doesn’t bother sending targeted emails. Instead, the attacker creates a website that offers cheap products and too-good-to-be-true deals. This website is crawled and indexed by legitimate search engines. A potential victim clicks on the website, thinking it’s a typical page, and the site encourages them to enter personal information.
But this is far from the only scenario. Phishing can sometimes take the form of a private message from a social media influencer you follow, asking for details as part of a “giveaway”. This is a very common scam in the crypto space. Since the message seems to be from someone you follow, you trust the sender and provide your details. This – sometimes loosely called smishing, though it arrives as a direct message rather than an SMS – is another example of phishing in action.
An email posing as Google support claims that Google has updated its login credential policy. The attacker asks a potential victim to confirm their Google account information. The sender’s email address is similar to a Gmail address, such as [email protected]
You’re at a coffee shop and want to log in to its public WiFi hotspot. You spot an unsecured public WiFi hotspot with the same name as the cafe, and enter your details (email and name) in the pop-up to access the connection. What you don’t know is that the hotspot is part of a phishing scam – in the background, a hacker is capturing the details you enter.
The common factor in all of these scenarios is that they seem legitimate. The internet means you never really know who you’re talking to. With some clever planning on the part of an attacker, you’ll feel comfortable giving away your highly sensitive information. This can make it hard to detect phishing when you see it.
Attackers are constantly looking for ways to outsmart your security setup, so it’s important to take extra measures to protect yourself. Steps to prevent phishing attacks include:
Don’t click suspicious links or download attachments from unexpected emails. This could be an attempt to get you to install spyware on your device.
Always hover over links to ensure that the destination is correct. If possible, navigate to the intended site by using a search engine instead of clicking on the link.
Don’t give personal information to an unsecured site. If the URL starts with http://, as opposed to https://, don’t enter any sensitive information or download files.
Change passwords regularly to be sure nobody has your credentials. Do this immediately if you think you’ve been phished.
Two-factor authentication is a fantastic security measure that means nobody can access your accounts, even if they have your login details. With 2FA set up on your phone, you’ll need to physically confirm every login for your important accounts. This provides an extra layer of protection, and keeps hackers out of your accounts even if you do get phished.
Use anti-phishing software
Anti-phishing software works to identify and block phishing content in websites, emails, and other online data capture fields. The software warns the user when it comes into contact with a malicious email or site. It is often integrated into web browsers and email clients as a toolbar.
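To show what the “hover over the link”, “check for https://” and look-alike-domain advice above looks like when applied mechanically, here is an added Python example (not code from the original article or from any anti-phishing product). It parses the links in an HTML email body and flags three of the signs described on this page: the visible text names one domain while the href points to another, the link uses plain http://, and the link’s domain is a one-character variation of a well-known brand. The brand list, the crude “last two labels” domain reduction and the sample email are all constructed assumptions for the demonstration.

```python
"""Flag suspicious links in an HTML email body (added defensive illustration)."""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-list of brand domains to protect; a real deployment would
# draw this from the organisation's own list of banks, vendors and partners.
KNOWN_BRANDS = {"paypal.com", "ebay.com", "google.com", "gmail.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com-style hosts, an assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alikes such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the brand a domain imitates, or None if it is the brand itself or unrelated."""
    if domain in KNOWN_BRANDS:
        return None
    name = domain.split(".")[0]
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        # one-character typo, or the brand name embedded in a longer label (paypal-secure)
        if edit_distance(name, brand_name) == 1 or (brand_name in name and name != brand_name):
            return brand
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches something that looks like a hostname inside the link's visible text.
_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def check_links(html: str) -> list:
    """Return one finding dict per suspicious link; an empty list means nothing was flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # mailto:, tel: and relative links are out of scope here
        reasons = []
        href_domain = registrable_domain(url.hostname)
        if url.scheme == "http":
            reasons.append("plain http")
        m = _DOMAIN_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != href_domain:
            reasons.append(f"text shows {registrable_domain(m.group(1))} but href goes to {href_domain}")
        brand = lookalike_of(href_domain)
        if brand:
            reasons.append(f"{href_domain} looks like {brand}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample email body: one deceptive link and one genuine one.
SAMPLE_EMAIL = """
<p>Your account needs attention. Please
<a href="http://paypa1.com/verify">log in at https://www.paypal.com</a>
within 24 hours. Questions? See <a href="https://www.paypal.com/help">our help centre</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run on the constructed sample, only the first link is reported, for all three reasons at once; the genuine help-centre link passes. The same checks are what a browser or mail-client toolbar performs behind the scenes, which is why hovering to compare the shown and real destinations remains a useful habit even where such software is installed.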
Phishing is one of the oldest forms of cyber attack. It dates back to the 1990s, when AOL was a leading internet service provider. With a customer base of over one million, hackers formed a group known as the warez community, which consisted of people trading pirated and illegal software and tools, stealing user details, and generating random credit card numbers.
These credit card numbers were used to open new AOL accounts and spam other AOL members, but AOL quickly put an end to this by updating its security measures. AOHell, released in 1995, was a program designed to hack AOL users by allowing attackers to impersonate an AOL employee and send an instant message to potential victims, asking them to verify their AOL account with their credentials.
In 2001, the first direct attack on a financial system was launched against digital currency site, E-Gold, though it was unsuccessful. In 2003, phishing attackers registered domain names that were slight variations of legitimate e-commerce sites such as eBay and PayPal. Attackers then sent spoof emails to customers of eBay and PayPal asking them to visit the malicious site and update their password and credit card information.
By 2004, phishing had evolved into a profitable business and was recognized as a fully organized part of the black market. According to a Gartner study, between 2004 and 2005 an estimated 1.2 million U.S. computer users suffered phishing losses valued at a combined $929 million. One of the primary tactics used by phishing attackers during this period was pop-up windows that gathered sensitive information from unsuspecting potential victims.