What is phishing?
Phishing is a type of cybercrime in which a hacker poses as a trustworthy entity to obtain sensitive information. Phishing might target individuals for banking credentials or credit card details, or might also target organizations via their employees. As cryptocurrency explodes in popularity, a host of crypto scams also use phishing techniques to target the victim’s crypto wallet address. Deloitte estimates that a huge 91% of cyber attacks begin with a phishing email.
Phishing is a significant problem for organizations trying to remain secure, since employees are often targeted as a way to infiltrate the company. With so much at stake, it really pays to understand the biggest phishing attacks.
How phishing works
Phishing attacks can take many forms, but they all have the same objective: tricking you into revealing sensitive information.
Phishing might target many people at once (the “spray and pray” approach) or it may be part of a highly focused campaign that targets a select few people. But in either case, it normally begins as a message that looks legitimate.
Phishing relies on social engineering. Its whole premise is to build a degree of trust with the victim so they will feel comfortable providing information. This might involve the hacker posing as a colleague, manager or tech support. Once the victim is convinced they are speaking with a known entity, the stage is set for the attack.
Phishing attack examples
Let’s take a look at the diverse forms a phishing attack can take.
Phishing email
Imagine you receive an email that looks like it’s from your bank. It says that you need to reset some of your account details and contains link that you’re prompted to click. You’re directed to a webpage with a pop-up that captures your old and new banking credentials. Unfortunately, either the webpage itself or the pop-up is fake – and you just gave your banking credentials to the scammer.
Smishing
Short for SMS phishing, smishing utilizes Short Message Service (SMS) systems to send bogus text messages. Smishing scams frequently seek to direct the text message recipient to visit a website or call a phone number, at which point the person being scammed is enticed to provide sensitive information such as credit card details or passwords. Smishing websites are also known to attempt to infect the person’s computer with malware.
Spear phishing
Spear phishing is an email attack that targets a specific group or type of individuals, such as a company’s system administrators. These emails are customized with the target’s name, position, company, work phone number, and other information that would trick the recipient into believing they are the sender they claim to be. This kind of phishing is common thanks to social media sites such as LinkedIn, where attackers can use different data sources to create a targeted attack email.
Company tech support phishing
Employees receive an email from their IT department asking them to install new instant messaging software. When employees click to install the software, ransomware is installed on the company network.
Clone phishing
Clone phishing is an email based attack in which the bad actor resends a legitimate email and attachments, pretending to be the original sender. However, the email attachments will have been replaced with malware, deploying malicious code to your device as you open them.
Whaling
Whaling targets high-level employees in order to steal sensitive information from a company. A whaling attacker sends a legitimate-appearing email posing as a senior executive such as a CEO or CFO with the aim to manipulate the victim into either authorizing a large amount of funds to be wire transferred or clicking on an attachment or link that installs malware. The goal of whaling is to receive money and/or sensitive company information that gives the attacker access to the company’s intellectual property, data, or other information that could be sold.
Vishing
Vishing is the telephone equivalent of phishing, short for voice phishing. A vishing attacker often pretends to be calling from the government, tax department, police, or the victim’s bank, and tries to convince the victim that there is no other option to fix the spoofed problem than by providing the information being asked of them. Attackers may tell victims that if they don’t respond to the problem, they will face criminal charges, have their bank account shut down, or other, serious consequences.
Search engine phishing
Search engine phishing is unique in that the attacker doesn’t bother in sending targeted emails. Instead, the attacker creates a website that offers cheap products and too-good-to-be-true deals. This website is crawled then indexed by legitimate search engines. A potential victim clicks on the website, thinking it’s a typical page. This website will encourage users to enter in personal information.
Smishing (social media phishing)
But this is far from the only scenario. Phishing can sometimes take the form of a private message from a social media influencer you follow, asking for details as part of a “giveaway”. This is a very common scam in the crypto space. Since the message seems to be from someone you follow, you trust the sender and provide your details. This – often known as smishing – is another great example of phishing in action.
Google login phishing
An email posing as Google support claims that they’ve updated their login credential policy. The attacker asks a potential victim to confirm their Google account information. The senders email is similar to a Gmail address, such as [email protected]
WiFi hotspot phishing
You’re at a coffee shop and want to login to their public WiFi hotspot. You spot an unsecured public WiFi hotspot by the same name as the cafe, and enter your details (email and name) in the pop-up to access the connection. What you don’t know is that the hotspot is part of a phishing scam – in the background, a hacker is spying on the details you enter.
Social engineering – your biggest digital risk
The common factor in all of these scenarios is that they seem legitimate. The internet means you never really know who you’re talking to. With some clever planning on the part of an attacker, you’ll feel comfortable giving away your highly sensitive information. This can make it hard to detect phishing when you see it.
How to spot a phishing attack
Luckily, phishing attacks typically have some similar features. This can help you spot a scam before you become the victim. Here are a few examples:
- Unsolicited contact: whenever you receive a request for information, your first question should be “why?” There are very few reasons why a legitimate institution would proactively demand details from you. This is therefore a great indicator that something’s up.
- Too good to be true: Avoid announcements or attention-grabbing statements that offer something unbelievable. A great example is a giveaway by a crypto influencer, promising a sum of crypto in exchange for some wallet details. If something seems too good to be true, it probably is.
- Sense of urgency: Beware messages that tell you to act fast or suggest dire consequences. Any message such as an account being suspended or shut down. Most reliable organizations give you plenty of time to respond and never ask for updated personal details over the internet.
- Fake URL: Hovering over a link in an email will show the URL that you will be directed to once clicked on. Instead of clicking on the link, hover over it and inspect it for misspellings. For example, “www.anazon.com” looks similar to www.amazon.com. Spotting this discrete misspelling could save you from a scam.
- Attachments: Don’t open any attachments you don’t recognize. Attachments sent by phishing attackers often include ransomware or other viruses. The only file that is always safe to click on is a .txt file.
- Unusual sender: If the email is sent from someone outside of your organization, it’s not related to your job responsibilities, or the domain seems suspicious, avoid clicking links or opening attachments.
Protect yourself against phishing attacks
Attackers are constantly looking for ways to outsmart your security set up, so it’s important to take extra measures to protect yourself. Steps to prevent phishing attacks include:
Protect your device
Don’t click suspicious links or download attachments from unexpected emails. This could be an attempt to get you to install spyware on your device.
Always hover over links to ensure that the destination is correct. If possible, navigate to the intended site by using a search engine instead of clicking on the link.
Protect your data
Don’t give personal information to an unsecured site. If the URL starts with http://, as opposed to https://, don’t enter any sensitive information or download files.
Protect your passwords
Change passwords regularly to be sure nobody has your credentials. Do this immediately if you think you’ve been phished.
Protect your accounts
Two-factor authentication is a fantastic security measure that means nobody can access yoour accounts, even if they have your login details. With 2FA installed using your phone, you’ll need to physically confirm every login for your important accounts. This provides an extra layer of protection, and keeps hackers out of your accounts even if you do get phished.
Never respond to messages on Web3
If you’re an active cryptocurrency and Web3 user, you may spend a lot of time interacting with online communities via platforms like Discord and Telegram. While these are great tools for engaging with the world of Web3, they are also a hotbed for scams. Best practice is to ignore any private messages you might receive from online community members. There is no reason for anyone to contact you directly here, and private messages are nearly always part of a phishing scam.
Use anti-phishing software
Anti-phishing software works to identify and block phishing content in websites, emails, and other online data capture fields. The software warns the user when it comes into contact with a malicious email or site. This software is often integrated with web browsers and email clients into the toolbar.
History of phishing
Phishing is one of the oldest forms of cyber attacks. It dates back to the 1990s when AOL was a leading internet service provider. With the large customer base totalling over one million, hackers formed a group known as the warez community, which consisted of people trading pirated and illegal software and tools, stealing user details, and generating random credit card numbers.
These credit card numbers were used to open new AOL accounts and spam other AOL members, but AOL quickly put an end to this by updating its security measures. AOHell, released in 1995, was a program designed to hack AOL users by allowing attackers to impersonate an AOL employee and send an instant message to potential victims, asking them to verify their AOL account with their credentials.
In 2001, the first direct attack on a financial system was launched against digital currency site, E-Gold, though it was unsuccessful. In 2003, phishing attackers registered domain names that were slight variations of legitimate e-commerce sites such as eBay and PayPal. Attackers then sent spoof emails to customers of eBay and PayPal asking them to visit the malicious site and update their password and credit card information.
By 2004, phishing evolved into a profitable business and was officially recognized as a fully organized part of the black market. According to a Gartner study, between 2004 and 2005, an estimated 1.2 million U.S. computer users suffered phishing losses valued at a combined $929 million. One of the primary tactics used by phishing attackers during this was using popup windows to gather sensitive information from unsuspecting potential victims.
