26 Nov 2019 • BLOG - News
What Is Phishing?
26 Nov 2019
Even though technical security measures are improving constantly, phishing remains one of the cheapest and simplest ways for cybercriminals to get access to sensitive information. As easy as clicking a link, victims of phishing are susceptible to sharing private information and put themselves at risk of identity theft.
To know how to best protect yourself, you need to understand what a phishing attack is, what types there are, and how you can recognize it if and when it appears in your inbox. Keep reading and we’ll help you avoid any security issues from phishing.
What is a phishing attack?
Phishing is an online scam where criminals impersonate legitimate entities in order to trick victims into sharing sensitive information or installing malware.
The term ”phishing” is a play on the word “fishing” since in both cases someone throws out bait and waits for users or fish to “bite”. Most often hackers do this via malicious emails that appear to be from trusted senders by including a link that will seem to take you to the company’s website. Once you fill in your data, that sensitive information can be stolen.
That data can be any private information that could be valuable, such as login credentials (email and password), financial data (credit card details or online banking credentials) or even personal data (date of birth, address or social security number). Phishing is considered a type of social engineering attack because it relies on human failures instead of hardware or software ones.
A brief history of phishing
The first example of phishing is from the mid-1990s, when an attempt to steal AOL user names and passwords was made using tools like AOHell. Despite many warnings from AOL, the attacks were successful, since phishing was a brand new concept and not something user had ever seen before. Following the initial AOL attacks, many early phishing scams came with obvious signs that they were not legitimate – including strange spelling, weird formatting, pixelated images and messages that often didn’t make a lot of sense.
Some phishing campaigns remain really easy to recognize (we’ve all received the email from the down on his luck prince who wants to leave his fortune to you), but others have become so advanced that it’s nearly impossible to tell them apart from real emails. This is because phishers have evolved along with new technical capabilities. Scams have now spread to social media, messaging services and apps.
If you check email or social media sites from your phone, you may become an easy target. Since the email interface on mobile phones is a lot smaller than on a computer, it makes it more difficult to flag signs of phishing, such as seeing the full URL.
Ultimately, if you have an email address, it is all but guaranteed that you have received a phishing message in your inbox at least once.
How does a phishing attack work?
A basic phishing attack attempts to trick a user into entering personal details or other confidential information. Around 3.7 billion people send 269 billion emails every single day and that makes for an ideal channel for cybercriminals. Imagine if even 1% of those emails are a scam, and 1% of those work. That is 26.9M success attempts every day!
We can assure you that more than 1% of the emails sent are a scam, but we’d like to help you make sure that far less than 1%of those are successful.
A phishing attack can have a specific target, such as people using a specific product, or can be scattershot, going after the general public with fake contests and prizes. In both cases, the victims are asked to enter their names, email addresses and, in some cases, passwords and bank details.
Another option is that the email contains a malicious attachment that you will be requested to download. In many cases, the malicious payload will be hidden inside a Microsoft Office document which requires the user to enable macros to run. Once you try to open the document you may be asked to update your software or provide certain permissions to allow the document to be viewed properly. But if you agree with any of this, you are likely opening yourself up to a severe security breach.
How do phishers find the email addresses they want to target?
There are a lot of ways for phishers to retrieve your email address and link it to a service you are using, and this can happen without your knowledge or the knowledge of the service provider.
Here are a few:
- Searching over the web for the @ sign. Spammers and cybercriminals use advanced tools to scan the web and harvest email addresses. If you ever posted your email address online, a spammer will easily find it.
- Cybercriminals use tools to generate common usernames (using the first letter of a first name and a common last name) and combine them with common domains. These tools are like the ones that are used to crack passwords.
- Phishers are also able to find what each service provider would ask you to do as a client and then find a vulnerability to figure out if you are a client. For example, in the case of ESPs, scammers can check your public DNS records (SPF, CNAME, TXT) and try to find information that can link it to the ESP you use.
Now we know the basics of what is phishing, its history, and how it works, we can explore some of the most common types of phishing.
What are the different types of phishing attacks?
We can easily assume that pretty much everybody has already received a phishing attack via email or landed on a suspicious website. There are many types of attacks and hackers are becoming more and more creative every day, so we need to stay on top of some of the new methods being used to easily flag it as risky before getting caught.
Below, we have listed some of the most popular types of attacks that are used today. The main difference between these attacks is the method being used and the target. Let’s first dig deeper into the different targets that phishers are going after.
Spray and pray
The ‘spray and pray’ approach is the least complex type of phishing attack, where one message is mass-mailed to millions of users. These messages claim urgency one way or another. Either by stating that there is an “important” message from your bank or a popular service, or that “you’ve won the latest iPhone and need to claim it now.”
Depending on the hacker’s technical abilities, spray & pray attacks may not even involve fake web pages – victims are often just told to respond to the attacker via email with sensitive information. These attacks are mostly ineffective but can be sent to a massive amount of email addresses. It doesn’t take many victims to be deemed a success for the phisher.
Spear phishing is more advanced. Unlike “spray and pray”, which sends to a mass list, ‘spear phishing’ targets specific groups with a more personalized message. Phishers will, for instance, target users of a specific brand and will design the email to replicate the brand. In fact, they can target anything from a specific organization to a department within that organization, or even an individual in order to ensure the greatest chance that the email is opened and more personal information is acquired. The highest profile cyber-attacks typically come from this type of approach.
The message will be designed to look as if someone wants you to change your password because of an issue on the service side. In this case, the message will appear to be a legit message – as close as possible to the original one and they will redirect you to a page that looks like a real one too. These attacks are way more effective because they are well planned.
Depending on the target, the methods may vary. Spray and pray targets require less effort than spear phishing for example. You do not need to invest so much in finding a targeted list of emails, creating custom landing pages, and so on. As phishing has evolved over time, more and more we’re seeing methods that are not limited to email, but also include websites or social media.
Clone phishing emails will look nearly identical to an email that you have previously received. However, in this case, the new email will be sent from a spoofed address that resembles the original one.
For example firstname.lastname@example.org instead of email@example.com (notice the three “P”s).
Within the content, the only difference between the cloned email and the original email is that the links and/or attachments have been changed, likely directing you to malicious sites or software. As the email looks really close to the original one the recipients are more likely to fall for this sort of attack.
This is an attack targeting a smaller group of people – high-profile individuals, such as board members or members of the finance or IT team of a company. The email can appear to be coming from a trusted source, such as the CEO of your company.
This attack is harder to create because hackers will firstly need to find the exact right targets, and then find the right way to impersonate their CEO. However, the rewards are potentially greater: CEOs and other C-level executives have more information and greater levels of access than junior employees. Inboxes like GSuite can help prevent this by assigning profile pictures to internal colleagues’ email addresses, but also through features like whitelisting.
Business Email Compromise (BEC)/Email spoofing
BEC attacks are mostly “urgent” requests from a brand or a brand’s senior staff member. These emails are social engineering tactics to fool other staff members or users into giving their bank account details or making a donation.
A lot of popular service providers in the software space become victims to such attacks. Here’s an example of a phishing email sent from someone trying to impersonate WordPress:
Once you have clicked on a link or any of the buttons you will be redirected to a fake page created to collect your information.
Fake websites pages are designed to look and sound authentic. In most cases you will land on a simple login page or payment page, as they are very easy to recreate for many use cases and can be effective at capturing personal information.
Pharming/DNS cache poisoning
This method of phishing would require the hacker to create a website that impersonates a real one and, by exploiting vulnerabilities in the domain name system, match the URL with the IP behind it. In fact, the phishers would be able to redirect the traffic from a real site to a fake one. This is maybe the most dangerous type of phishing, because DNS records are not controlled by the end-user and it is harder to defend yourself against this attack.
This type of phishing is easier to create than the pharming one, because you don’t have to completely impersonate exactly the domain you want to spoof. The URL will look genuine but with a slight difference from the real one. The goal is to take advantage of typos when users enter URLs. For instance, they might:
- Misspell the legitimate URL by using letters that are next to each other on the keyboard;
- Swap two letters around;
- Add an extra letter;
- Swap letters that sound the same in some cases – “n” and “m”, for example.
This type of attack means that hackers are placing clickable content over legitimate buttons. For example, an online shopper might think they are clicking a button to make a purchase, but will instead download malware.
Nowadays, everything happens on social media, including phishing attacks. Imagine receiving a Facebook message with a link asking “Vote for me” or “Do you remember your time in Paris?” that redirects you to the Facebook login page when you click on it. Strange, right? But some people are not paying close attention or think that it is just a glitch, and will enter their username and password. But this new page is not really Facebook, and scammers now have your account details…
Some attacks are easier to spot, such as Facebook or Twitter bot sending you a private message containing a shortened URL. This URL likely leads to an empty page or one with suspicious content.
New attacks using social media continues to emerge, and some of them are playing a longer game. For example, they may be pretending to be someone else on the internet, which is not that hard to do with so many public images. Over time, these fake profiles may send you legitimate messages along with phishing messages to capture more information about you.
SMS and mobile phishing
Now that nearly everyone has a smartphone in their pocket, most of the world is even more vulnerable to phishing attacks via SMS or any other messaging apps. An SMS phishing attack works mostly in the same way as an email attack, presenting the victim with content as an incentive to click through to a malicious URL. The SMS are short and likely somewhat relevant to your life in order to grab the attention of the recipient quite easily and make them act quickly without thinking. Because of the plain text nature of SMS, and the ease of phone number spoofing, it is more difficult to spot this. After the link in the SMS is clicked, the attack works in the same way as the one with email attacks do.
Another type of phishing on mobile devices is done through suspicious apps that are downloaded from unauthorized sites. The app may contain scripts that, once opened on your device, can access all of your data. All your passwords can be accessed and if you have saved your bank or credit card details, they will be exposed as well.
How to recognize a phishing attack
There are a few things you need to pay attention to whenever an email or a website seems suspicious. While some phishing campaigns are created to appear authentic, there are always some key clues to help spot them easily. Let’s have a look over some of the things that may show you if you are being a victim of a phishing attack.
The sender address
Check if you have ever received something from the same sender. If the phisher was smart enough, they will mask the sender address well, and the difference could be only one letter, so you may not even see it if you don’t take a closer look.
Misspelled domain names
If you have received a message that looks to be from an official company account (something like “firstname.lastname@example.org”) be sure to confirm that this is the proper email domain for this company. Even if the message looks legitimate, with proper spelling and grammar, the correct formatting and the right company logo, it could still be a fraudulent account.
One clue is to check if the domain is slightly different than usual (like adding a suffix to a domain name). More importantly though, most legitimate brands will never ask you to communicate personal information by email.
Bad grammar and spelling
Many phishing attacks are not very well planned, especially “spray and pray” attacks, and the messages may contain spelling and grammar mistakes. Official messages from any major organisation are unlikely to contain bad spelling or grammar, so badly written messages should act as an immediate indication that the message might not be legitimate.
It’s quite common for email phishing messages to ask the user to click on a link to a fake website designed for malicious purposes. The URL will look legitimate, but there will be small errors like missing or replaced letters.
If the message seems odd, it is always smart to take a second to examine the link more closely, by hovering the pointer over it to see if the web address is different than the real one. You can always contact the brand using their public email address or phone number to double check before clicking anything suspicious.
Sense of urgency
Many phishing attacks contain messages that warn of issues with your account, or problems with your payment. This is because the phisher are trying to make you act quickly without thinking too much. In these cases, it is even more important to double check the links in the message and the sender address.
The message is too good to be true
We’re sorry to break your bubble, but any message claiming that you have won a voucher or a prize is most likely a phishing attack. We’re sure it will require a bit more work than just putting in your personal information into a website, so you need to be super cautious and check all the key giveaways.
But hey, if you actually won a prize, congrats!
What to do if you become a victim of a phishing attack?
If you’ve been the victim of a phishing attack, the first thing to do is change all of your passwords immediately. It is a good idea to not only change the password for the service the phisher may be impersonating, but all passwords. It’s alarming what a phisher can do with just one login credential. Consider using a password manager in the future to lower the risk, and make sure you have an antivirus solution with secure web browsing features installed and up to date.
Also, it’s always good to reach out to the service provider that was mimicked in the phishing attack and follow any additional instructions from them.
How to mitigate phishing attacks
There are some preventative measures that you can take to avoid phishing attacks or at least mitigate them. Here are some ideas:
- Use your own links: If you are accessing websites daily or even weekly, it is better to use bookmarks for those sites. This is the only way to guarantee you land on the legitimate site. So even if you receive a notification, from say your bank, it is much safer to access your account via a bookmark than following a link.
- Use Browser Extensions: Install or activate a web tool that identifies malicious sites for you so you know the website you find is legitimate. Example: Signal Spam plugin.
- Install antivirus systems: Antivirus systems allow you to check if there is malware in a file before you open it, and potentially corrupt your computer.
- Be Suspicious! Build a positive security culture at your company: On the internet, it is not a bad thing to be suspicious. Of course, some things are harder to check and need more technical knowledge, but you can do at least the most common steps.
- Train your staff: If you are a security specialist, it is a smart idea to conduct regular security training for your employees to best recognize a phishing attack and what to do in such case.
- Test the effectiveness of the training: Simulated phishing attacks will help you determine the effectiveness of the staff awareness training, and which employees might need further education. Plus, a little non-malicious phishing among friends can be fun. 😉
- Use 2-factor authentication whenever possible: If criminals steal your credentials, they will still not be able to use them without the second authentication means (SMS, authentication app, hardware token, etc.).
It might have been around for almost twenty years, but phishing continues to be a threat for two reasons – it’s simple to carry out and it works. So if you come across a pop-up message or suspicious emails from someone you don’t know (a desperate prince, maybe?) or a brand you don’t use… don’t click on it! You don’t want to leak your information to some hacker on the other side.
You can never be too cautious when it comes to using the internet. Take some preventive measures, and ensure you’re on the safe side when you are making online purchases or entering your usernames and passwords.
Once you learn how to identify phishing attempts, it can even be entertaining to track some of the best and worst examples. Some might be impressively realistic, while others are just…
Have any questions about phishing that we haven’t covered in this post? Share them with us on Twitter.