Phishing refers to the act of attempted theft, of credentials, card numbers, or money, carried out through connected devices. The attack can be manual or executed through a tool that automates the process. It can also be a combination of the two that begins with a scripted tool opening the door for the hacker, who then completes the attack manually.
The term “phishing” was first used in 1994 when a group of teens worked to manually obtain credit card numbers from unsuspecting users on AOL. By 1995, they created a program called AOHell to automate the work for them.
Since then, hackers have continued to invent new ways to gather details from anyone connected to the internet. These actors have created a number of programs and types of malicious software still in use today. Some of these tools were created for the sole purpose of penetration testing, or “hacking with permission.” Once a tool exists, however, bad actors can figure out how to use it maliciously.
In the years since, hackers have managed to create malicious software specifically for phishing applications. One example is PhishX, a tool designed to steal banking details. Using PhishX, attackers create a fake bank website that appears to be a real bank where you might have an account. They customize the page with their phone number and email address. Clicking on “Contact Us” puts you in direct communication with the hackers.
Phishing Frenzy is an example of an email phishing tool originally created for penetration testing. Phishing Frenzy proved to be operator-friendly, and its ease of use led many hackers to adopt it as well.
Another phishing tool is Swetabhsuman8, which enables attackers to create a fake login page used to hack Instagram accounts. When you try to log in, the hacker gathers your user ID and password.
In addition to spoofed websites, email phishing tools, and malicious login pages that steal your details, hackers run call centers behind a phone number that reaches you through one of their emails, fake websites, or text messages.
Modern ransomware actors typically target larger enterprises for a maximum payoff. They tend to spend a significant amount of time conquering each section of the victim’s network until they launch their ransomware attack. This type of multi-stage attack often starts with a single phishing email.
Although there are a number of different phishing attacks, email phishing stands as the most prevalent and recognizable. This method of attack has become more sophisticated with the arrival of spear phishing, whaling, and laser-guided attacks. Phishing attacks have also spread from email programs into communication platforms, including text messaging and social media.
Phishing attacks include:
- Email phishing – A hacker sends an email message containing a link, with content written to cause you concern, worry, or intrigue. The purpose of the email is to get you to click on the link.
- Vishing – A threat actor calls a landline, mobile, or VoIP phone to engage the user in a conversation.
- Smishing – A criminal sends a text message asking you to click on a link or to phone the sender.
- Pharming – As more people became aware of the dangers of clicking on unsolicited email links, bad actors created pharming. A pharming message carries a malicious URL in the hope that you will copy and paste the web address into your browser and visit the site directly. Pharming also compromises the local cache of domain name system (DNS) information that would normally deliver you to the correct destination, so even an address you type yourself can resolve to the attacker's server. Either way, you end up on a spoofed website.
- Spear phishing – A hacker sends a tailored, targeted email to an organization or individual. Spear phishing emails usually target executives or those working in financial departments.
- Whaling – Whaling is similar to spear phishing, but it often targets senior executives in an organization.
Hackers love to exploit our online world. They do so by creating fake websites or login pages to collect sensitive data. In addition to gaining access to credit card numbers, bank accounts, and social media credentials, threat actors look to target your friends’ or coworkers’ social media channels. This happens when a criminal gains access to your account and sends phishing attacks to your followers, friends, or co-workers via direct message. The widespread popularity of social media has made this method more common over the past decade.
There are many things you can do to protect yourself. The first and most important thing is to remain cautious.
- Inspect emails carefully before clicking. Hover over the originating email address or the link they want you to click on. This may reveal information that indicates it is a phishing email.
- Before typing sensitive data into a website, look twice at the URL at the top of the page. Is this the real website? Are there extra letters in the address? Are there letters swapped out for numbers like an O for a 0? It can be hard to tell the difference.
- Think before you click on posts from friends. If it seems like something is too good to be true, it probably is.
- Think before responding to a post that says your friend is in trouble and needs money. Is this how they would contact you?
- Think before clicking on a pop-up or pop-under.
- Think before opening an email attachment. Were you expecting an attachment from that person? If not, ask them.
- Think before responding to text (SMS) messages. Your phone company, bank, etc., is not likely to contact you by text.
- Don’t give out your personal data unless you are positive you are talking to someone you trust.
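The first two checks in the list above, hovering over a link to compare what it shows with where it goes and looking for swapped characters in the address, can be written down as code. The following is an added example, not part of the original article: it compares a link's display text with its real destination and folds common look-alike characters (0 for O, 1 for l, "rn" for "m") before comparing the hostname with a set of trusted domains. The trusted domains, the sample links, and the confusable mapping are constructed placeholders, and the registrable-domain logic is a deliberate simplification that ignores multi-part suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Trusted domains the check compares against (constructed placeholders, not real brands).
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Single-character look-alikes often used in phishing hostnames (example mapping, not exhaustive).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character look-alikes: "rn" renders like "m", "vv" like "w".
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize_host(host: str) -> str:
    """Fold look-alike characters so 'examp1e.com' and 'example.com' compare equal."""
    host = host.lower().rstrip(".")
    for pair, real in CONFUSABLE_PAIRS:
        host = host.replace(pair, real)
    return host.translate(CONFUSABLE_CHARS)


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: ignores suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text: str) -> str:
    """Hostname from a URL or URL-like string; empty string if the text is not a URL."""
    candidate = text.strip()
    if "://" not in candidate:
        if not candidate.lower().startswith("www."):
            return ""
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").lower()


def assess_link(display_text: str, href: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings for one link; an empty list means nothing suspicious was found."""
    findings = []
    actual_host = host_of(href)
    if not actual_host:
        return ["link has no hostname"]
    actual_domain = registrable_domain(actual_host)

    # 1. Link text that shows one site while the href goes to another.
    shown_host = host_of(display_text)
    if shown_host and registrable_domain(shown_host) != actual_domain:
        findings.append(f"text shows {shown_host} but link goes to {actual_host}")

    # 2. Punycode labels can hide non-ASCII look-alikes behind an 'xn--' prefix.
    if any(label.startswith("xn--") for label in actual_host.split(".")):
        findings.append("hostname contains a punycode (xn--) label")

    # 3. Compare against trusted domains after folding look-alike characters.
    if actual_domain not in trusted:
        folded = normalize_host(actual_domain)
        for t in trusted:
            if folded == normalize_host(t):
                findings.append(f"{actual_domain} is a look-alike of trusted {t}")
            elif edit_distance(actual_domain, t) <= 2:
                findings.append(f"{actual_domain} is within two edits of trusted {t}")
            elif ("." + t + ".") in ("." + actual_host):
                findings.append(f"trusted name {t} appears as a subdomain of {actual_domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the text shows the bank, the href swaps an 'l' for a '1'.
    for finding in assess_link("https://www.examplebank.com/login",
                               "https://www.examp1ebank.com/login"):
        print("-", finding)
```

A link that passes every check is not proven safe; the point of the example is that the two questions the list asks, "where does this really go?" and "is that really the name I think it is?", are mechanical enough that mail clients and browser plug-ins can ask them for you.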
The second thing to do is to protect your accounts. Passwords should be close to or longer than 20 characters. You do not have to have all four options (uppercase, lowercase, number, symbol) in your password. Two or three are enough, but change things up when you create new passwords. Many people have issues remembering passwords. Create one long password you will remember. Lock up the rest in a password manager such as LastPass or Password Safe.
Then, most importantly, enable two-factor authentication (2FA) on your accounts. If the only choice the site provides is to use your phone to receive a text message with a one-time password, that is better than just using a password for access.
The National Institute of Standards and Technology (NIST) has deprecated SMS one-time passwords in its guidance. A better solution is to generate the one-time password with an authenticator tool, such as Google Authenticator, Microsoft Authenticator, or LastPass Authenticator. Look for these options under “settings” on your accounts.
Use software tools to help watch for things you miss. Use a firewall and anti-virus, anti-malware, and anti-phishing tools. Choose your browsers wisely. Does the one you use protect you by looking for things like phishing attempts? Is it possible to add a plug-in? If the answer is no, choose another browser.
In addition to the recommendations above for staff, an organization should do the following:
- Use an email gateway to block spam emails and remove emails that contain suspicious links or attachments.
- Install a spam phishing filter to eliminate emails from unknown senders and emails that feature suspicious content.
- Use a Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication policy to stop criminals from spoofing the “from” address in an email.
- Use artificial intelligence (AI) filtering methods to spot business email compromise (BEC) emails. BEC emails are sent from criminals posing as members of an organization’s management, typically asking employees to transfer funds from a business account to the hacker’s spoofed account.
- Employ a service-integrated security solution to protect against phishing attacks that come from inside your organization.
- Make your employees aware of the dangers of phishing attacks by including them in regular phishing simulations and trainings.