Phishing is an attack method that has been around since the mid-1990s. It started when a group of young people engineered AOL’s chat room feature to impersonate AOL administrators. They stole credit card numbers from other users to ensure they would always have free AOL access.
AOL’s “new member chatroom” was designed for users to receive site access assistance. The hackers created what appeared to be valid AOL administrators’ screen names like “BillingAccounting,” and told users that there were issues with their account.
The user was asked to provide a card number to get the issues resolved. The criminals then used the card numbers to pay for their own accounts. While the term “phishing” was coined to describe this attack and others like it, it has now come to be associated primarily with email scams. Phishing scams continue to this day in abundance. According to the Verizon 2021 Data Breach Investigations Report (DBIR), 36% of breaches involved phishing.
Since phishing primarily relies on social engineering, it is critical for all users to understand how the attackers work to exploit human nature. First, social engineering is a con that hackers use to convince users to do something they wouldn’t normally do.
Social engineering could be as simple as someone with full hands asking that a door be opened. Similarly, a social engineering attack can start with someone dropping USB thumb drives labeled “family photos” in a parking lot. These USB thumb drives could contain malware that gets installed onto a computer, compromising security in some way. This is known as baiting.
Phishing is primarily used in reference to generic email attacks. This is when an attacker sends out emails to as many addresses as possible, impersonating common services like PayPal or Bank of America.
The email states the account is compromised and prompts you to click on a link to verify that the account is legitimate. The link will usually do one of two things, or both:
- It can take you to a malicious website that looks similar to the authentic site, for example, “www.PayPals.com” versus “www.PayPal.com.” Note the extra “s” on the first URL. Once you go to the malicious website, the hacker can capture your user ID and password when you attempt to log in.
The hacker now has access to your bank account and is able to transfer money anywhere. There is a second possible benefit, though. The hacker might now have a password that can be used for your other accounts, including Amazon or eBay.
- It can infect your computer with downloaded malicious software called malware. Once installed, the software can be used for future attacks. The malware could be a keystroke logger that captures logins or credit card numbers or it could be ransomware that encrypts drive contents and holds them for ransom, usually in the form of Bitcoin.
It is possible at that point for the hacker to use the infected computer to mine for Bitcoin. This can be done when you are not on the computer, or the malware could lock you out of part of the CPU’s capability at all times. The hacker can now successfully mine for Bitcoin and your computer typically functions more slowly.
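The first link type above depends on a hostname that reads like the real one. The following is an added example, not code from the original article, of how a mail filter or browser extension can flag such lookalikes before a user reaches the login page. The protected brand list, the substitution table and the similarity threshold are constructed assumptions; a real deployment would use its own list and a fuller confusable-character table.

```python
"""Flag URLs whose hostname imitates a protected brand domain (added example)."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed list of brand domains to protect (assumption: a real filter loads its own).
PROTECTED_DOMAINS = ["paypal.com", "bankofamerica.com", "amazon.com"]

# Character swaps commonly seen in lookalike registrations (assumption: a small
# illustrative table, not an exhaustive confusable list).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Ratio above which a registered label is treated as a near-copy of the brand.
SIMILARITY_THRESHOLD = 0.8


def normalize(label: str) -> str:
    """Undo common digit/letter swaps so 'paypa1' compares equal to 'paypal'."""
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def registered_domain(hostname: str) -> str:
    """Return the last two labels, e.g. 'www.paypals.com' -> 'paypals.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = hostname.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (verdict, domain): verdict is 'legitimate', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url
    hostname = (urlparse(url).hostname or "").lower()
    reg = registered_domain(hostname)
    if reg in PROTECTED_DOMAINS:
        return "legitimate", reg
    sld = reg.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        brand_sld = brand.split(".")[0]
        # Brand domain used as a subdomain of an unrelated registered domain,
        # e.g. paypal.com.account-verify.net
        if hostname.startswith(brand + ".") or ("." + brand + ".") in hostname:
            return "lookalike", brand
        # Brand name embedded in, or a near-copy of, the registered label,
        # e.g. paypals.com, paypal-secure.com, paypa1.com
        norm = normalize(sld)
        if brand_sld in norm:
            return "lookalike", brand
        if SequenceMatcher(None, norm, brand_sld).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike", brand
    return "unknown", reg


if __name__ == "__main__":
    for sample in ["https://www.paypal.com/signin", "http://www.PayPals.com",
                   "https://paypal.com.account-verify.net/login", "paypa1.com"]:
        print(sample, "->", classify_url(sample))
```

The check deliberately errs towards flagging: a legitimate third party that embeds a brand name in its own domain will be reported too, which is the behaviour a filter wants when the cost of a miss is a harvested password.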
Phishing has evolved throughout the years to include attacks that address different types of data. In addition to money, attacks can also target sensitive data or photos.
A phishing attack is the action or set of actions a hacker undertakes to exploit you. Email phishing schemes are often easy to spot due to grammar and/or spelling errors in the emails. Attackers are becoming technically sophisticated, however, and new attacks focus on exploiting human emotions to get you to engage, including fear, outrage, and curiosity.
The attack against RSA in 2011 was targeted at just four people within the organisation. The email was not very sophisticated, but it was successful because it targeted the right people. The email, entitled “2011 Recruitment plan.xls” was designed to pique the interest of those individuals and would not necessarily be of interest to others in the organisation.
Types of phishing
There are many different types of phishing attacks. These include the classic email attack, social media attacks, and portmanteau-named attacks like smishing and vishing.
- Phishing – typically done by email
- Spearphishing – finely-targeted emails
- Whaling – very targeted email, usually towards executives
- Internal phishing – phishing attacks originating from within an organisation
- Vishing – done by phone calls
- Smishing – done by text messages
- Social media phishing – Facebook or other social media posts
- Pharming – compromising a DNS cache
Internal phishing attacks are a growing concern. They occur when one trusted user sends a phishing email to another in the same organisation. Since the originating user is trusted, recipients are more likely to click on a link, open an attachment, or respond with requested information.
To send internal phishing emails, an attacker takes control of your email account using compromised credentials. An attacker can also be in control of your device, either physically, due to device loss or theft, or through malware on the device. Internal phishing emails are part of a multi-stage attack with an end goal such as extortion with ransomware or theft of financial or intellectual assets.
Smishing is an attack that exploits mobile devices. As there are more mobile devices sold today than personal computers, hackers have flocked to this platform to steal personal data. Smishing attacks often occur when the attackers send a text to your phone number with a message informing you of a problem with your account along with a return number to call to resolve the issue. A return call will often put you in touch with either the hacker personally or an “employee” hired by the threat actor to continue the scam.
If you do not return the phone call, the hackers may call to inform you that your “account has been attacked and that you need to share account details to resolve the issue.” Hackers often rely on the quantity of outgoing calls for success. This is called vishing.
Social media phishing
Social media has become a major part of our online world – enough so that hackers are able to utilise it easily to execute phishing scams. One common Facebook phishing scheme includes posting “deals” or “offers” on “friends’” accounts with instructions to click through. To undertake this scam, hackers must gain access to your account.
This can be easy to do in many accounts if there has been a breach in another company’s online servers that results in password leaks. The hackers try the same email and password combinations on other common platforms like Facebook or LinkedIn.
As users have become savvier about phishing attacks, hackers have created new attack methods. Pharming compromises the domain name system (DNS) cache in your computer. This is done through the use of drive-by downloads.
As you browse from one website to the next, the attacker exploits the weak security often found on websites. It is fairly easy to alter a website’s HTML so that it triggers a download when you reach the page or click through to it.
If you do not click through the email, the attacker simply waits for you to connect to the bank. The altered DNS cache information directs you to the hacker’s version of your bank website. You enter your user ID and password, giving the attacker your credentials to access your bank account and steal funds.
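A pharming override has to live somewhere on the machine, and the simplest persistent place is the hosts file, which the resolver consults before any DNS lookup. The following is an added example, not code from the original article, of a defensive check that scans hosts-file content for entries that redirect watched domains. The watched-domain list and the sample hosts content are constructed; the 192.0.2.10 address is from the documentation range and stands in for an attacker-controlled host. The in-memory resolver cache itself is inspected with OS tools (for example ipconfig /displaydns on Windows) rather than by this script.

```python
"""Scan hosts-file content for entries that hijack watched domains (added example)."""
import ipaddress

# Constructed list of domains whose resolution should never be overridden locally.
WATCHED_DOMAINS = {"bankofamerica.com", "paypal.com"}

# Constructed hosts-file content with one pharming-style override on line 4.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bankofamerica.com   # added by malware (constructed)
"""


def parse_hosts(text: str):
    """Yield (line number, address, [hostnames]) for each entry, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def organizational_domain(hostname: str) -> str:
    """'www.bankofamerica.com' -> 'bankofamerica.com' (multi-label suffixes not handled)."""
    return ".".join(hostname.strip(".").split(".")[-2:])


def find_overrides(text: str, watched=WATCHED_DOMAINS):
    """Return [(line number, hostname, address)] for every watched domain pinned locally.
    Any local entry for a watched domain is reported: legitimate resolution for these
    names comes from DNS, so even a loopback pin is an anomaly worth a look."""
    suspicious = []
    for lineno, ip, hostnames in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)  # skip malformed lines rather than guess
        except ValueError:
            continue
        for host in hostnames:
            if organizational_domain(host) in watched:
                suspicious.append((lineno, host, ip))
    return suspicious


if __name__ == "__main__":
    for lineno, host, ip in find_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is pinned to {ip}")
```

On a real system the content would be read from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and the same parser works for both because the file format is identical.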
How do you prevent phishing?
There are some very specific things you can do as an individual to protect yourself:
- Enable two-factor authentication (2FA) on any qualifying account
- Use anti-malware programs
- Use firewalls
- Be suspicious of pop-ups and pop-unders
- Be suspicious of email attachments from known and unknown sources
- Be suspicious of text messages or IMs from known and unknown sources that ask you to click through to some destination or request your personal information
- Don’t give out your personal information
In addition to the recommendations above, an organisation should do the following:
- Filter for phishing email and malicious web traffic at the gateway
- Authenticate email senders using Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
- Filter for phishing emails based on sender and content, and analyse URLs and attachments for malicious attributes using static and dynamic techniques
- Employ advanced filtering techniques that use artificial intelligence (AI) to spot business email compromise (BEC) and credential-stealing attacks
- Prevent internal phishing attacks with a service-integrated security solution for your cloud or on-premises email platform using APIs. These are available for Microsoft 365, Google G Suite, Microsoft Exchange Server, and IBM Domino server