Phishing typically describes the social engineering techniques hackers use to steal user or corporate information through email. Phishing attacks are most effective when users are unaware this is happening.
Phishing is an attack method that has been around since the mid-1990s. It started when a group of young people engineered AOL’s chat room feature to impersonate AOL administrators. They stole credit card numbers from other users to ensure they would always have free AOL access.
AOL’s “new member chatroom” was designed for users to receive site access assistance. The hackers created what appeared to be valid AOL administrators’ screen names like “BillingAccounting,” and told users that there were issues with their account.
The user was asked to provide a card number to get the issues resolved. The criminals then used the card numbers to pay for their own accounts. While the term “phishing” was coined to describe this attack and others like it, it has now come to be associated primarily with email scams. Phishing scams continue to this day in abundance. According to the Verizon 2021 Data Breach Investigations Report (DBIR), 36% of breaches involved phishing.
Since phishing primarily relies on social engineering, it is critical for all users to understand how the attackers work to exploit human nature. First, social engineering is a con that hackers use to convince users to do something they wouldn’t normally do.
Social engineering could be as simple as someone with full hands asking that a door be opened. Similarly, a social engineering attack can start with someone dropping USB thumb drives labeled “family photos” in a parking lot. These USB thumb drives could contain malware that gets installed onto a computer, compromising security in some way. This is known as baiting.
Phishing is primarily used in reference to generic email attacks. This is when an attacker sends out emails to as many addresses as possible, using common services like PayPal or Bank of America.
The email states the account is compromised and prompts you to click on a link to verify that the account is legitimate. The link will usually do one of two things, or both:
Phishing has evolved throughout the years to include attacks that address different types of data. In addition to money, attacks can also target sensitive data or photos.
A phishing attack is the action or set of actions a hacker undertakes to exploit you. Email phishing schemes are often easy to spot due to grammar and/or spelling errors in the emails. Attackers are becoming technically sophisticated, however, and new attacks focus on exploiting human emotions to get you to engage, including fear, outrage, and curiosity.
The attack against RSA in 2011 was targeted at just four people within the organisation. The email was not very sophisticated, but it was successful because it targeted the right people. The email, entitled “2011 Recruitment plan.xls” was designed to pique the interest of those individuals and would not necessarily be of interest to others in the organisation.
There are many different types of phishing attacks. These include the classic email attack, social media attacks, and portmanteau-named attacks like smishing and vishing.
Internal phishing attacks are a growing concern. They occur when one trusted user sends a phishing email to another in the same organisation. Since the originating user is trusted, recipients are more likely to click on a link, open an attachment, or respond with requested information.
To send internal phishing emails, an attacker controls your email account with compromised credentials. An attacker can also be in control of your device either physically, due to device loss or theft, or through malware on the device. Internal phishing emails are part of a multi-stage attack with the end goal of extortion with ransomware, for example, or theft of financial or intellectual assets
Smishing is an attack that exploits mobile devices. As there are more mobile devices sold today than personal computers, hackers have flocked to this platform to steal personal data. Smishing attacks often occur when the attackers send a text to your phone number with a message informing you of a problem with your account along with a return number to call to resolve the issue. A return call will often put you in touch with either the hacker personally or an “employee” hired by the threat actor to continue the scam.
If you do not return the phone call, the hackers may call to inform you that your, “account has been attacked and that you need to share account details to resolve the issue.” Hackers often rely on the quantity of outgoing calls for success. This is called vishing.
Learn more about smishing.
Social media has become a major part of our online world – enough so that hackers are able to utilise it easily to execute phishing scams. One common Facebook phishing scheme includes posting “deals” or “offers” on “friends’” accounts with instructions to click through. To undertake this scam, hackers must gain access to your account.
This can be easy to do in many accounts if there has been a breach in another company’s online servers that results in password leaks. The hackers try the same email and password combinations on other common platforms like Facebook or LinkedIn.
Learn more about social media phishing.
As users have become savvier about phishing attacks, hackers have created new attack methods. Pharming compromises the domain name system (DNS) cache in your computer. This is done through the use of drive-by downloads.
As you browse websites, clicking from one to the next, the attacker exploits the lack of security often found within websites. It is fairly easy to alter a website’s HTML text so it includes an information download when you reach the website or click through to it.
If you do not click through the email, the attacker simply waits for you to connect to the bank. The altered DNS cache information directs you to the hacker’s version of your bank website. You enter your user ID and password, giving the attacker your credentials to access your bank account and steal funds.
There are some very specific things you can do as an individual to protect yourself:
In addition to the recommendations above, an organisation should do the following: