Since the mid-1990s, phishing techniques have enabled cybercriminals and fraudsters to wreak havoc on, and reap profits from, the internet. A phishing attack may use hit-or-miss mass distribution or a more targeted selection of victims. As a result, both private individuals and corporate bodies can be vulnerable to phishing scams.
What is Phishing?
Phishing is a cyber assault technique that uses bogus messages to trick the recipient into disclosing valuable or sensitive information, releasing funds to the sender, or compromising their device or network by unknowingly installing malicious software or malware.
The term “phishing” has been attributed to several sources. Historically, the character set <>< (which resembles a fish) was often used by hackers as an HTML tag in chat logs on the internet platform AOL, as a substitute for any reference to illicit activities. More commonly, “phishing” (which is pronounced like “fishing”) is taken as an angling reference, whereby the messages sent out by attackers are used as bait or a lure to net victims to fall for the ruse.
The technique has been highly successful over the years, and many forms of communication have been used for phishing attack purposes.
How Does Phishing Work?
The key to how phishing works relies on the natural human tendency to act without thinking in the face of a distressing, urgent, or tempting situation. Phishing lures, therefore, tend to be crafted to present the recipient with a scenario that may:
- Present a crisis situation that has to be resolved by providing information or taking a specific action, such as downloading a particular file or clicking on a link to visit a website.
- Provide a highly lucrative offer that can only be redeemed by providing information, performing a certain action, downloading an attachment, or visiting a link.
Some common phishing attack examples would include:
- Scams where an attacker poses as an online payment platform (Venmo, PayPal, etc.) and informs the victim that their account has been suspended or shows irregular activity. Providing personal identifying information and/or credit card details is typically required to resolve the issue.
- Urgent messages from a credit card company or financial institution informing the recipient that their account has been suspended or compromised and can only be restored by providing certain information or visiting the institution's (spoofed) website.
Types of Phishing Attack
There are several types of phishing attacks, which employ several communication vectors and technology platforms. They include:
Email Phishing
Using email to distribute phishing lures is the most common method employed by cybercriminals and fraudsters. Also known as deception phishing, the technique typically involves the perpetrator sending a fake email message whose tone and content induce the recipient to disclose sensitive or personal information. The objective is to get the recipient to click on an embedded link or download a file attachment that is supposedly critical to the situation described in the message text.
Clicking on the embedded link may lead to a bogus website, where the recipient is requested to enter personal information, credit card details, or other potentially valuable data. A file attachment associated with a phishing email will often contain malicious software code (malware) that can infect the victim’s computer. This may enable the attacker to gain remote access to their systems and network or commit sabotage by encrypting the victim’s files with ransomware.
Standard email phishing is usually a broadly scaled, hit or miss process, with the perpetrator distributing messages to hundreds or even thousands of potential victims on the understanding that at least a few of them will respond in the required manner. For this reason, the messages often purport to come from trusted brands or organizations or provide too good to be true offers to entice the recipient.
Spear Phishing
This is a more targeted form of email phishing, typically staged against employees or members of commercial organizations and institutions. Before crafting the lure, the attackers will typically spend some time gathering Open Source Intelligence (OSINT), that is, information from web searches, social media, and other publicly available sources, on the target organization and its employees.
This information enables the attacker to create a believable message using employee names, phone numbers, and job functions. Typical messages might be in the form of internal requests for credentials, intellectual property, or funds.
Whaling
Whaling or whale phishing is an even more targeted version of spear phishing, whose victims are usually top-level executives of commercial organizations. In what is also known as CEO fraud, whaling attackers will typically scour OSINT and corporate websites to discover the name of a company CEO and recent projects or contacts relevant to that Chief Executive. They can then use this knowledge to craft messages to trick the CEO into divulging corporate data and employee information or releasing cash to the attacker.
A related attack vector is Business Email Compromise (BEC), in which the cyber-attacker acquires enough data to impersonate a chief executive successfully. Posing as the CEO, a typical attacker may then email a lower-level employee to urgently request a fund transfer, the disclosure of network access credentials, etc.
Vishing
Vishing or voice phishing uses the telephone as its medium for the attack. The perpetrator will typically call the victim’s phone number and present an urgent situation requiring their immediate action, which might require the victim to divulge financial account or credit card information, a Social Security number, or similar. Attackers often time vishing calls to coincide with high-stress periods such as tax assessment time or pose as representatives of critical services like Finance or Technical Support.
Smishing
SMS phishing or smishing relies on the Short Message Service (SMS) text protocol popular on smartphones and other mobile communication devices. The technique largely depends on mobile users’ tendency not to exercise the same degree of caution with text messages as they would with emails. It is, therefore, easier for attackers to lure victims into clicking on a link that then installs malware on their device.
Social Media Phishing
This is the social media variant of phishing, which uses notifications and direct messages to induce recipients to act irresponsibly and in ways that run counter to their best interests. Common ruses include notifying the victim that they have just been tagged in a post (and providing a link for them to follow up) or including a malicious link or attachment in a message from a “friend” on the platform.
Pop-up Phishing
Pop-up windows and advertising are a regular feature of many websites and digital platforms and can be vectors for malicious code if a site visitor makes the mistake of clicking on them. Fortunately, many internet users now employ ad and pop-up blockers, which filter out most of this dangerous content.
A more recent tactic for attackers is to exploit the “notifications” feature of popular web browsers, which display an on-screen prompt asking whether the user wants to Allow or Block the notifications a particular site is trying to display. Attackers create bogus prompts, which are themselves triggers for installing malware.
Clone Phishing
This type of attack generally takes one of two forms. In the first, the attacker manages to obtain a copy of an email message containing an attached document that someone has previously sent from a legitimate address. They then substitute a booby-trapped file for the attachment and resend the message to various contacts from the victim’s address book, often on the pretext that the original document was incorrect or corrupt. Recipients downloading this “updated” attachment then receive a nasty shock.
In the other permutation, cyber-attackers will research to discover the various companies or services that an organization uses on a regular basis. They can then “clone” phishing messages appearing to come from these trusted services.
Watering Hole Phishing
This type of phishing attack again relies on information gathered about the habits of workers in a particular organization — in this case, to identify websites that they commonly use. The attackers can then go on to infect these popular sites with infected downloads or malicious code.
Evil Twin Phishing
Free public Wi-Fi is still a temptation that many users find hard to resist. In this type of attack, the perpetrators will create a near-identical clone or “evil twin” of a free hotspot, using their own infrastructure. If an unsuspecting victim signs on to the network, the perpetrators can intercept data flowing to and from their device, inject malicious code into the data stream, eavesdrop, or steal data.
DNS Hijacking
This is a more technical form of phishing attack. The perpetrators manage to hijack a Domain Name System (DNS) server, the component that translates human-readable domain names into IP addresses. The compromised server can redirect any address that the victim types to a malicious website set up by the attackers.
Hailstorm Attacks
This is a hit-and-run tactic in which attackers push out a brief burst of infected messages in the period before the assault can be detected and blocked by spam filters. Typically, each IP address within the attacker’s network will send out a low volume of messages to avoid detection by volume- or reputation-based filtering systems. Assaults sent out over an extremely short time frame are known as hailstorm attacks.
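The detection side of the pattern just described (many sending IPs, each below the per-IP volume a reputation filter keys on, all inside a short window) can be expressed as a simple burst check over gateway logs. This Python example is added here and is not from the article; the log lines, thresholds and log format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log, not real traffic: "timestamp sender_ip subject".
# Six sending IPs deliver seven lures within ten seconds, none sending more than
# two; a newsletter from a single IP, spread over an hour, is the benign comparison.
LOG = """\
2024-03-01T09:00:01 203.0.113.10 Your account has been suspended
2024-03-01T09:00:03 203.0.113.11 Your account has been suspended
2024-03-01T09:00:04 203.0.113.12 Your account has been suspended
2024-03-01T09:00:06 203.0.113.13 Your account has been suspended
2024-03-01T09:00:08 203.0.113.14 Your account has been suspended
2024-03-01T09:00:09 203.0.113.10 Your account has been suspended
2024-03-01T09:00:11 203.0.113.15 Your account has been suspended
2024-03-01T09:05:00 198.51.100.5 Weekly newsletter
2024-03-01T09:20:00 198.51.100.5 Weekly newsletter
2024-03-01T09:45:00 198.51.100.5 Weekly newsletter
"""

def hailstorm_bursts(log, window=timedelta(seconds=60), min_ips=5, max_per_ip=2):
    """Flag subjects whose messages arrive from many IPs, each sending only a
    few, inside one short window. Returns (subject, window start, distinct IPs)."""
    by_subject = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, subject = line.split(" ", 2)
        by_subject[subject].append((datetime.fromisoformat(ts), ip))
    alerts = []
    for subject, events in by_subject.items():
        events.sort()  # chronological, so each event can open a candidate window
        for i, (start, _) in enumerate(events):
            per_ip = defaultdict(int)
            for ts, ip in events[i:]:
                if ts - start <= window:
                    per_ip[ip] += 1
            # Many senders, each staying under the per-IP volume a filter would notice.
            if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
                alerts.append((subject, start, len(per_ip)))
                break  # one alert per subject is enough
    return alerts
```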
A number of reputable web resources such as CSO Online and SlideShare publish slideshow presentations covering all these phishing variants. If you enter a string like “types of phishing attacks ppt” into your search engine, you’ll receive a listing of the top visual resources on this topic.
How to Prevent Phishing Attacks
If you’re wondering how to prevent yourself from falling victim to phishing scams, there are some measures you can take, including:
- On devices that display tooltips, hover over the sender’s name in a message header to reveal the actual email address behind the display name. In many cases, it will not belong to the organization or individual the sender claims to be.
- Look for grammatical errors, odd methods of salutation (“My Dearest”), and weird sentence structure in messages that purport to come from household name institutions or senior executives.
- Use a separate search engine to locate the apparent source of a message, or call the sender on the phone (using a number you have verified independently through a search engine) to check whether they actually sent you the message you’re reading.
- Do not click on embedded links. If necessary, visit the sender’s website in an alternate browser window or via a search engine.
- Do not download attachments from unsolicited messages or emails.
- Use a spam filter to sift out the bulk of your suspicious messages.
- Use a pop-up blocker, anti-phishing software, and browser add-ons.
- Make regular clean backups of all your data. This will be your fallback if, for example, your files are encrypted by ransomware.
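The first and fourth checks above (the real address behind a display name, and where a link actually leads rather than what its text says) can be scripted. This Python example is added here and is not from the article; it runs those two checks over a constructed sample message, and the brand-name match is a deliberately simple heuristic.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: brand in the display name, lookalike domain behind it.
SAMPLE = """\
From: "PayPal Support" <alerts@paypa1-secure.example>
Content-Type: text/html

<p>Verify your details within 24 hours:</p>
<a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/signin</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (visible text, href) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(s):
    """Lower-cased host of a URL or bare domain ('' if none)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phishing_indicators(raw):
    """Apply the 'look behind the name and the link' checks; return a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"])
    from_host = addr.rpartition("@")[2].lower()
    # The display name claims a brand that does not appear in the sending domain.
    if name and not any(w.lower() in from_host for w in name.split() if w.isalpha()):
        findings.append(f"display name {name!r} does not match sender domain {from_host}")
    # The visible link text shows one site but the href (what hovering reveals) goes to another.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:
        if "." in text and host_of(text) != host_of(href):
            findings.append(f"link text {text!r} hides real target {host_of(href)}")
    return findings
```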
For organizations, the best defence against phishing is an attitude and a culture of security awareness. This extends to formalized training and periodic testing of members or employees by staging simulated phishing attacks.
What to Do if You’ve Been Phished?
If all of the precautionary measures described above fail and somehow you fall victim to a successful phishing attack, you will need a phishing attack incident response. Some steps to include in this strategy are:
- Restore clean data from your backups. In the event of a successful ransomware attack, this may be your best and only survival strategy.
- Change your passwords. If you use the same password for several accounts, this is a must. You can use a software password manager to regularly update and rotate your credentials.
- Report the incident. If you have an IT security department, start with them before contacting the relevant authorities.
- Have a response plan. This should include steps to identify, contain, remediate, and find the root causes of phishing threats.
- Consult an expert. A professional IT company like CG Technologies can walk you through the steps needed to prevent and recover from phishing attacks.
Partner With Experts in Cybersecurity
Keeping one step ahead of the continually evolving threat landscape is a full-time activity and requires specialist knowledge and skill sets. Many smaller organizations do not have dedicated resources or a budget to hire security experts. Relying on a trusted partner in cybersecurity is a proven, cost-effective alternative. CG Technologies has over 25 years of experience delivering exceptional services to hundreds of companies in the Greater Toronto Area.
Our managed cybersecurity services take care of your IT security needs allowing you to focus on your business’ growth. We’ve designed our security services and solutions around the problems and obstacles that face small to medium businesses every day. Download our whitepaper, the small business guide to ransomware protection or contact us to arrange a security assessment and prevent a successful phishing attack from impacting your business.