What is phishing?
A phishing attack is a type of cyber attack disguised as a legitimate email. The main goal is to make the recipient believe that what is enclosed is something they want or need. This can be anything from a request from their bank to a note from a colleague, with a link to click or an attachment to download.
The cyber criminals hide behind a trusted identity of some kind, and the emails look authentic and believable. These attacks have been around since the 1990s, making them one of the oldest types of cyber attack and still one of the most widespread. They are also becoming increasingly sophisticated. As a result, nearly a third of all cyber security breaches in 2019 involved phishing, according to the 2019 Verizon Data Breach Investigations Report.
Some of these scams have succeeded well enough to make news headlines. Two you may be familiar with are the 2016 attack on the Clinton presidential campaign, where hackers managed to get campaign chair John Podesta to hand over his Gmail password, and the celebrity “fappening” attack, in which intimate photos of celebrities were made public online.
How to spot phishing attacks
So how can you spot this type of cyber attack, or better yet, how can you avoid it? As mentioned above, scammers use emails or text messages to trick you into giving them personal information. This could be anything from passwords and account numbers to social security numbers and other personal data.
Once they have this information, they can get into your email account, your bank account or any other service the stolen details unlock, and the scam is complete. These attacks are launched thousands of times a day and they are often successful. The FBI’s Internet Crime Complaint Center reported that people lost $57 million to phishing schemes in one year.
The techniques used by these cyber criminals come in various forms. While scammers constantly update and improve their tricks and tactics, there are some signs that can help you recognize a potential attack:
Email phishing scams
This is largely a numbers game. An attacker sends out thousands of fraudulent emails in the hope that even if only a small percentage of recipients fall for the scam, the campaign pays off. Here are some techniques attackers use to increase their success rates:
- They look like they’re from a trusted source.
- These emails often tell a story to convince you to click or open something. This may include:
  - Suspicious activity noticed in one of your accounts
  - Problems with payment information
  - Government bodies who need information
  - Payment rewards
In addition, attackers usually try to push users into action by creating a sense of urgency. For example, an email could warn of suspicious activity in one of your accounts and put the recipient on a timer to ‘fix’ the issue. Applying such pressure makes the user less diligent and more prone to error.
However, before falling down the rabbit hole, the first port of call is to check the email address. While it often looks legitimate, if you look closely you will notice that the address either contains what looks like a typo or is not actually the official body’s email address.
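As an added example, not part of the original post and not WOT’s software, the following Python script applies the two checks described above to constructed sample emails: it flags a sender domain that looks like a trusted domain with a typo or swapped characters, a display name that claims a trusted brand while the address belongs elsewhere, and urgency language in the subject or body. The trusted domains, brand names, urgency word list and character mapping are assumptions chosen for the demonstration.

```python
"""Heuristic phishing indicators for an inbound email (added example, not WOT's tooling)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains an organisation treats as trusted, with the brand name each one represents.
TRUSTED_DOMAINS = {"examplebank.com": "Example Bank", "example-corp.com": "Example Corp"}

# Assumed: phrases that manufacture the urgency the article warns about.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account", "act now")

# Assumed: characters commonly substituted for look-alike letters in spoofed domains.
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain):
    """Undo common look-alike substitutions so 'examp1ebank.com' reads as 'examplebank.com'."""
    return domain.lower().replace("rn", "m").translate(DIGIT_TO_LETTER)


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        # A distance of up to 2 catches one or two typos; tune for your own domain lengths.
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return trusted
    return None


def body_text(msg):
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def phishing_indicators(raw_email):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} resembles trusted domain {imitated!r}")

    # The display name is attacker-controlled; compare the brand it claims with the real domain.
    for trusted, brand in TRUSTED_DOMAINS.items():
        if brand.lower() in display_name.lower() and domain != trusted:
            findings.append(f"display name claims {brand!r} but address domain is {domain!r}")

    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the demonstration.
SAMPLE_PHISH = """From: Example Bank Security <alerts@examp1ebank.com>
Subject: Urgent: suspicious activity on your account

We noticed suspicious activity. Verify your account within 24 hours or it will be suspended.
"""

SAMPLE_LEGIT = """From: Example Bank <notices@examplebank.com>
Subject: Your monthly statement is available

Your statement for last month is now available in online banking.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The heuristics deliberately err on the side of flagging: a legitimate sender whose domain happens to sit within two edits of a trusted one will also be reported, which is the right trade-off for a warning that a human then reviews. Real mail filters combine checks like these with SPF, DKIM and DMARC results on the message headers rather than relying on the address text alone.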
Spear phishing
These attacks are defined as a targeted and personalized attempt to steal sensitive information from a specific victim, often for malicious reasons. The attackers disguise themselves as a friend or business entity to acquire sensitive and personal information, typically through email.
Spear phishing differs from general phishing in that it targets a specific victim, and the message is adapted to address that person, usually appearing to come from an entity they are familiar with and containing personal details. Spear phishing requires more thought and time to carry out. The attackers gather as much personal information about their victims as possible to make the emails they send look legitimate and to increase their chance of success. Because of this personalization, spear-phishing attacks are much harder to identify than phishing attacks conducted at scale.
So how might a spear phishing attack play out? As an example, an attacker could research the names of employees within an organization and obtain copies of its latest invoices. With this information, they could pose as a senior person in the same organization and email their victim about a specific invoice or project, with an urgent subject line. The text and style of the email will look exactly like the organization’s standard email. Within the email, they add a link that redirects to a supposedly password-protected internal document, which is actually a spoofed version of a stolen invoice. The employee is required to log in to view the document, at which point the attacker captures their credentials and gains access to sensitive areas within the organization’s networks.
Whaling
A ‘whaling’ phishing attack is one in which cyber criminals target high-profile individuals such as CEOs and CFOs. The attack itself is very similar to spear phishing, the only difference being the targets. The victims in whaling attacks are the whales in the sea rather than the fish, which is how these attacks got their name.
Cyber criminals spend months researching their victims, their contacts and their trusted sources in order to send fake emails that extract sensitive information and then steal important data.
Whaling attacks can be crippling for businesses, since the high-profile individuals they target usually run large organizations, making the losses for the organization far more substantial.
Vishing
Vishing is a form of phishing that is carried out over the phone rather than by email, targeting mobile phone numbers; hence the name: VoIP (Voice) + Phishing = Vishing.
In vishing attacks, cyber criminals call mobile devices posing as a trustworthy source and usually ask for personal information. For example, you may get a call from someone pretending to work at your local bank. They will request bank account numbers, ATM numbers or passwords to help you with a specific issue, and once you have handed over this information, they have access to your accounts and finances.
This is why it is very important to stay alert to such calls. Remember, banks and other reputable sources will never ask you for personal information over the phone.
Smishing
Like vishing, smishing attacks also involve mobile devices. In these attacks the cyber criminals send SMS messages to their victims asking them to open a link within the message. Once the victim opens the fake link, a virus or other malware is downloaded onto their device, giving the criminals all the information they need from it.
If you ever receive a message with a link and are unsure who sent it, why you received it, or have any other reason to think it is strange to be receiving such a message, do not open it.
How to prevent phishing attacks
Preventing phishing requires specific steps from both individual users and organizations. For individuals, vigilance is key. Look out for messages with subtle mistakes that help to expose an attacker. These can be anything from spelling mistakes to subtly altered email addresses, as mentioned earlier. Also ask yourself whether you should be receiving such an email at all: why would you get it? Is there a reason? If not, think twice before clicking on anything within it.
Additionally, WOT can help: it identifies links that may be unsafe or that could lead to phishing. Once installed on your desktop, you will have better website security and receive alerts on links that may be harmful, giving you the extra protection you need to avoid phishing attacks, malware and spyware. You can download it here.
For organizations, there are also steps that can be taken to reduce the risk of these attacks. One is to implement two-factor authentication, one of the most effective ways to limit the damage of stolen credentials, as it adds an extra verification layer when employees log in to sensitive applications. It is also beneficial to educate employees about such attacks in order to diminish the threat, establishing knowledge and practices on what to do, and what not to do, to keep the organization from being compromised.