A phishing attack is when hackers attempt to trick you into sharing sensitive information. Their goal is to steal logins, credit card numbers, and sensitive corporate information. They could also be trying to infect your computer(s) with malware.
Phishing is attempted theft carried out over connected devices. The attack can be manual or executed through a tool that automates the process. It can also be a combination of the two, beginning with a scripted tool that opens the door for the attacker, who then completes the attack by hand.
The term “phishing” was first used in 1994 when a group of teens worked to manually obtain credit card numbers from unsuspecting users on AOL. By 1995, they created a program called AOHell to automate the work for them.
Since then, hackers have continued to invent new ways to gather details from anyone connected to the internet. These actors have created a number of programs and types of malicious software still in use today. Some of these tools were created for the sole purpose of penetration testing, or “hacking with permission.” Once a tool exists, however, bad actors can figure out how to use it maliciously.
In the years since, hackers have built malicious software purpose-made for phishing. One example is PhishX, a tool designed to steal banking details. Using PhishX, attackers create a fake bank website that appears to be a real bank where you might have an account. They customize the page with their own phone number and email address, so clicking on “Contact Us” puts you in direct communication with the attackers.
Phishing Frenzy is an example of an email phishing tool originally created for penetration testing. It proved easy to operate, and many attackers adopted it for that reason.
Another phishing tool is Swetabhsuman8, which enables attackers to create a fake login page used to hack Instagram accounts. When you try to log in, the hacker gathers your user ID and password.
In addition to spoofed websites, email phishing tools, and malicious login pages that steal your details, attackers also run call centers behind a phone number that reaches you through one of their emails, fake websites, or text messages.
Modern ransomware actors typically target larger enterprises for a maximum payoff. They tend to spend a significant amount of time conquering each section of the victim’s network until they launch their ransomware attack. This type of multi-stage attack often starts with a single phishing email.
Although there are a number of different phishing attacks, email phishing stands as the most prevalent and recognizable. This method of attack has become more sophisticated with the arrival of spear phishing, whaling, and laser-guided attacks. Phishing attacks have also spread from email programs into communication platforms, including text messaging and social media.
Phishing attacks include:
Hackers love to exploit our online world. They do so by creating fake websites or login pages to collect sensitive data. In addition to gaining access to credit card numbers, bank accounts, and social media credentials, threat actors look to target your friends’ or coworkers’ social media channels. This happens when a criminal gains access to your account and sends phishing attacks to your followers, friends, or co-workers via direct message. The widespread popularity of social media has made this method more common over the past decade.
There are many things you can do to protect yourself. The first and most important thing is to remain cautious.
The second thing to do is to protect your accounts. Passwords should be close to or longer than 20 characters. You do not have to have all four options (uppercase, lowercase, number, symbol) in your password. Two or three are enough, but change things up when you create new passwords. Many people have issues remembering passwords. Create one long password you will remember. Lock up the rest in a password manager such as LastPass or Password Safe.
Then, most importantly, enable two-factor authentication (2FA) on your accounts. If the only choice the site provides is to use your phone to receive a text message with a one-time password, that is better than just using a password for access.
The National Institute of Standards and Technology (NIST) has deprecated SMS one-time passwords. A better solution is to generate the one-time password with an authenticator app, such as Google Authenticator, Microsoft Authenticator, or LastPass Authenticator. Look for these options under “settings” on your accounts.
Use software tools to help watch for things you miss. Use a firewall and anti-virus, anti-malware, and anti-phishing tools. Choose your browsers wisely. Does the one you use protect you by looking for things like phishing attempts? Is it possible to add a plug-in? If the answer is no, choose another browser.
In addition to the recommendations above for staff, an organization should do the following: