What is Phishing?


Have you ever received an email or electronic communication – seemingly coming from a bank or other trustworthy source – that requested you “confirm” your account credentials or other sensitive information? The chances are that you have, and you’re already familiar with the absolute basics of phishing.


What is phishing?

Phishing is an online scam where the cybercriminal impersonates a trustworthy entity in order to obtain the victim’s sensitive data. Think of phishing like those nuisance phone calls you get from a stranger who claims to be from your bank, but they ask far too many questions and request all of your personal information. Phishing is the digital version of that.

This can come through email, text, a computer virus or malware. Phishing attacks all have something in common: they’ll show you something that looks legitimate and trustworthy, but it’ll be asking for personal information that you shouldn’t be sharing.


Origin of the term phishing

The concept was first described in a 1987 conference paper by Jerry Felix and Chris Hauck called “System Security: A Hacker’s Perspective” (1987 Interex Proceedings 1:6). It discussed the technique of an attacker imitating a reputable entity or service. The word itself is a homophone of ‘fishing’ for targets – as it uses the same ‘bait-catch’ logic. The ‘ph-’ at the beginning is a reference to ‘phreaks’, a group of hackers who experimented with, and illegally explored the borders of, telecommunication systems in the 1990s.


How phishing works

Phishing is a way to steal your personal information, but how does it work exactly, and what do phishers do with your data once they’ve got it?

Phishing works in a number of different ways, each aiming to trick you into providing personal data – whether it’s logins, bank details or security information.

  1. Target identification – The criminals decide who or where they are going to target. Is it one individual they’re going to bombard with messages, a particular website or a mailing list? In some instances, they’ll decide that hacking and duplicating a website is the best course of action, but in others they’ll rely on illegally obtained databases of email addresses.
  2. Target setup – Once they’ve identified their targets, they’ll create a plan of action. The most common will be a mass email, but in some cases they may create malware or prepare to hack a site.
  3. Target attack – This is generally where the individual comes in. In a mass email attack, multiple individuals will receive an email that looks like it’s from a trusted source, like their bank, or else the phishers may cast a wider net with more generic spam emails. Should they choose to target a site, they’ll hack it, duplicate it and redirect key pages, then add a layer of data collection. Regardless of which method they use at this stage, it’s when they are trying to trick you into giving up your information.
  4. Data collection – Whether it’s through an email or a redirected URL, your attackers will aim to get you on a page where you’ll enter your credentials.
  5. Fraud – Once you’ve entered your details, you’ll be open to a number of attacks, whether fraud, theft or identity theft. Sometimes they’ll make purchases in your name or simply clean out your bank account, but in other cases they may use the information to steal your identity and open bank accounts, credit cards or loans in your name.

The different types of phishing attack

Phishing has been around for years and in that time, attackers have developed a wide array of methods to target victims.

The most common phishing technique is to impersonate a bank or financial institution via email, luring the victim either into completing a fake form in (or attached to) the email message, or into visiting a webpage that requests account details or login credentials.

Similar attacks can also be performed via phone calls (vishing) as well as SMS messages (smishing). These attacks have been growing in prominence in recent years, with a number of notable attacks occurring in the UK where the texts claimed to be from a notable delivery service.

In the past, misspelled or misleading domain names were often used for this purpose. Today, attackers incorporate more sophisticated methods, leading the links and fake pages to closely resemble their legitimate counterparts.

Information stolen from the victims is usually misused to empty their bank accounts or is sold online.

There are five prominent types of phishing attacks:

  • Spear phishing – An advanced phishing method whereby seemingly authentic phishing messages land in the inboxes of specific groups, organisations or even individuals. Authors of spear phishing emails perform detailed research on their target(s) in advance, making it difficult to identify the content as fraudulent. Attacks focussed on specific, mostly high-profile business individuals – such as top managers or owners – are labelled as ‘whaling’ due to the size of the potential pay-off (the bad guys going after ‘the big fish’).
  • Smishing – Smishing is a form of phishing where a cybercriminal will try to trick you into giving them your private information via a text or SMS message. Smishing has now become an emerging and growing threat in the world of cybersecurity. This form of phishing is particularly alarming because people tend to be more inclined to trust a text message than an email, especially as there is no spam filter on a text message inbox.
  • Deceptive phishing – Deceptive phishing is the most frequent type of phishing attack. In this case, the attacker attempts to obtain confidential information from the victims and then uses that information to steal money or to launch other attacks. An email from a trusted company such as a bank asking you to visit a link and verify your account details is an example of deceptive phishing. While spear phishing is usually more targeted, a deceptive phishing attack often casts a wider net.
  • Whaling – Whaling is a type of spear phishing. When attackers go after a ‘big fish’ like a CEO or similar, it’s called whaling. These attackers often spend a considerable amount of time profiling the target to find the opportune moment and means of obtaining their credentials. High-level executives are able to access a great deal of company information so whaling is of particular concern.
  • Pharming – Pharming sends users to a fraudulent website that appears to be legitimate. However, in this case, victims do not even have to click a malicious link to be taken to the dishonest site. Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to a false website even if the correct URL is typed in.

The vast majority of phishing attacks focus on deceptive phishing. They cast an incredibly wide net, designed to reach as many people as possible. That way, even if only a small fraction fall for the attack, it’s still a large number. Imagine a phishing attack that targets 1,000,000 people. Even if just 1% of people fall for it, that’s still 10,000 people.


How to identify common phishing attacks

An email or electronic message can contain official logos or other signs of a reputable organisation and still come from phishers. Below are a few hints that could help you spot a phishing message.

  1. A request for personal information – Frequently used by phishers, usually avoided by banks, financial institutions and most online services.
  2. Poor grammar – Spelling mistakes, typos and unusual phrasing often indicate a fake (but the absence of any of these is not proof of legitimacy).
  3. Generic or informal greetings – If a message lacks personalisation (e.g. "Dear Customer") and formality, then there is sometimes something amiss. The same applies to pseudo-personalisation using randomised, fake reference numbers.
  4. Unexpected correspondence – Unsolicited contact from a bank or online service provider is highly unusual and thus suspicious.
  5. A sense of urgency – Phishing messages often try to induce rapid and less-considered action.
  6. An offer you cannot refuse? – If the message sounds too good to be true, it almost certainly is!
  7. Suspicious domain – Would a US or German bank really send an email from a Chinese domain?
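
The indicators above can be turned into a simple triage rule. The script below is an added example, not code from the original article or any vendor product: it parses a raw email, looks for credential requests, generic greetings, urgency and too-good-to-be-true phrasing, and flags a suspicious sender domain when the message names a brand but the From: domain is not one that brand genuinely uses. The brand-to-domain table, the keyword lists and both sample messages are constructed for illustration only.

```python
import re
from email import message_from_string

# Constructed table: a brand name a message may claim, and the domains that
# brand genuinely sends from. Hypothetical values for this example only.
KNOWN_BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
}

# Constructed, deliberately small keyword lists for each indicator.
CREDENTIAL_PHRASES = ("password", "account number", "confirm your account",
                      "verify your account", "login details")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "suspended",
                   "will be closed")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "dear valued customer")
TOO_GOOD_PHRASES = ("you have won", "prize", "lottery", "free gift")


def sender_domain(raw_message: str) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    msg = message_from_string(raw_message)
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def message_text(raw_message: str) -> str:
    """Subject plus body, lower-cased, for keyword matching."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True) or b""
    return (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the names of the indicators from the list above that the message trips."""
    text = message_text(raw_message)
    found = []
    if any(p in text for p in CREDENTIAL_PHRASES):
        found.append("request_for_personal_information")
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if any(u in text for u in URGENCY_PHRASES):
        found.append("sense_of_urgency")
    if any(t in text for t in TOO_GOOD_PHRASES):
        found.append("too_good_to_be_true")

    # Suspicious domain: the message names a known brand, but the From: domain
    # is neither that brand's domain nor a subdomain of it.
    domain = sender_domain(raw_message)
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        genuine = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in text and domain and not genuine:
            found.append("suspicious_domain")
            break
    return found


def verdict(raw_message: str, threshold: int = 2) -> str:
    """Coarse triage: 'suspicious' once at least `threshold` indicators fire."""
    hits = phishing_indicators(raw_message)
    return "suspicious" if len(hits) >= threshold else "no obvious indicators"


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: ExampleBank Security <alerts@examplebank-secure-login.example>
To: someone@example.net
Subject: Urgent: verify your account within 24 hours

Dear Customer,

Your ExampleBank account will be closed unless you confirm your account
details and password at the link below immediately.
"""

SAMPLE_LEGIT = """\
From: ExampleBank <statements@examplebank.com>
To: someone@example.net
Subject: Your monthly statement is ready

Hello Alex,

Your ExampleBank statement for March is available in online banking.
We will never ask for your login credentials by email.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, verdict(sample), phishing_indicators(sample))
```

The threshold matters: a single indicator (a bank legitimately mentioning the word "password" in a warning, say) is a weak signal on its own, so the verdict only fires when several line up, which is exactly how a human reader should weigh the list too.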

Treat any suspicious email or correspondence you receive like you would a cold call from someone claiming to be your bank. With a call like this, where you’re being asked for sensitive information from an unidentified person, you’d hang up, check for a number and call directly – and receiving a phishing email is the same. Performing some simple checks could keep you out of trouble.


About spear phishing

Spear phishing is the act of performing more detailed and targeted phishing attacks. It’s a type of phishing that’s been planned meticulously to target an individual or a single organisation. Generally speaking, a spear phishing attack has the same goal as a normal phishing attack: to steal data. However, it is often accompanied by malware installation, as a targeted source could be the key to spreading an attacker’s malware to a whole network.

These attacks are often incredibly well researched, and as such, the emails could come from incredibly trustworthy looking sources or lean on a victim’s known weaknesses. They may include information related to aspects of their life or other accounts, all aimed at making the point of contact feel more legitimate.

There are two additional types of spear phishing: whaling and clone phishing.

Whaling is a form of spear phishing where a high-ranking individual within an organisation is targeted with a well-researched phishing attack. This phishing attack may not only be aimed at their personal data – it could be aimed at obtaining important information about others within the business. A whaling attack could look to hijack a CEO’s email and contact everyone in their address book, for instance, gaining a considerable amount of personal data by using a trusted email address.

Clone phishing is becoming increasingly common and is incredibly insidious. It essentially copies, or ‘clones’, an email you’ve already received and replaces key links or information with phishing links. This makes them incredibly difficult to spot, especially as they often spoof the email address too. Plus, once you’ve succumbed to the attack, they often send emails out to your whole address book.


Online phishing techniques

While we’ve run through the different types of phishing, it’s worth understanding the techniques phishers are using to go about their attacks. These include:

  • Address bar manipulation – Using JavaScript to place a picture of a legitimate URL over the address bar to mask where you’re actually browsing to.
  • Link manipulation – A number of techniques designed to hide the links you’re clicking on from both users and email scanners.
    • Using legitimate links – Many antivirus programs and built-in email security systems will scan the links included in an email. One tactic that’s used by phishers is to include numerous legitimate links to the real site they are pretending to be, so that the dangerous link can slip through.
    • Using URL shortening – Using a link shortening service can mask the final destination of a link.
    • Redirects – Phishers will redirect trustworthy URLs to a different source.
  • Email manipulation – A simple method for masking the content of an email is to turn the whole email into an image. When there is no text for a filter to read, it may assume there’s nothing harmful in the email and let it slip through.
  • Hidden malicious code – Adding malicious code in amongst a large amount of legitimate code, like in an email signature, is a simple way for phishers to mask their attack.
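
The link and content tricks above are exactly what a mail filter can check for on the receiving side. The script below is an added example, not code from the original article or any product: it parses an HTML email body and reports display-text/href mismatches (link manipulation), shortened links, a handful of legitimate links padding out a dangerous one, image-only bodies with no text for a filter to read, and active content (a `<script>` tag) hidden in the markup. The shortener list, the brand domain and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lists; a real filter would maintain these from threat intelligence.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
LEGIT_DOMAINS = {"examplebank.com"}   # hypothetical brand domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and count text, images and scripts."""

    def __init__(self):
        super().__init__()
        self.links = []            # list of [href, visible text]
        self._in_anchor = False
        self.text_chars = 0
        self.images = 0
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._in_anchor = True
            self.links.append([a["href"], ""])
        elif tag == "img":
            self.images += 1
        elif tag == "script":
            self.scripts += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        stripped = data.strip()
        self.text_chars += len(stripped)
        if self._in_anchor and self.links:
            self.links[-1][1] += stripped


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when the string has none."""
    return (urlsplit(url).hostname or "").lower()


def is_legit_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyse_html_email(html: str) -> dict:
    """Return link counts and a list of human-readable findings for an HTML body."""
    p = _LinkCollector()
    p.feed(html)
    findings, legit = [], 0
    for href, text in p.links:
        href_host = host_of(href)
        # Link manipulation: the visible text looks like a URL for one host,
        # but the href actually points somewhere else.
        shown_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown_host and shown_host != href_host:
            findings.append(f"display/href mismatch: shows {shown_host}, goes to {href_host}")
        if href_host in URL_SHORTENERS:
            findings.append(f"shortened link: {href_host}")
        if is_legit_host(href_host):
            legit += 1
    if legit and len(p.links) > legit:
        findings.append(f"{legit} legitimate links padding {len(p.links) - legit} non-legitimate link(s)")
    if p.images and p.text_chars < 20:
        findings.append("image-only email: almost no text for filters to read")
    if p.scripts:
        findings.append(f"active content: {p.scripts} <script> tag(s) in body")
    return {"links": len(p.links), "legit_links": legit, "findings": findings}


# Constructed sample bodies (not real mail).
SAMPLE_HTML = """<html><body>
<p>Dear Customer, please review your account.</p>
<p><a href="https://www.examplebank.com/">Home</a> |
<a href="https://www.examplebank.com/help">Help</a> |
<a href="https://www.examplebank.com/privacy">Privacy</a></p>
<p>Sign in here: <a href="https://login.examplebank-secure.example/">https://www.examplebank.com/login</a></p>
<p>Or use our short link: <a href="https://bit.ly/xyz123">bit.ly/xyz123</a></p>
</body></html>"""

IMAGE_ONLY_HTML = '<html><body><img src="cid:body.png" alt=""><script>1</script></body></html>'

if __name__ == "__main__":
    for body in (SAMPLE_HTML, IMAGE_ONLY_HTML):
        for line in analyse_html_email(body)["findings"]:
            print("-", line)
```

Note that the mismatch check only fires when the visible text itself looks like a URL; a link labelled "Sign in" that points at an unrelated host is still worth surfacing, which is what the legitimate-link padding count catches when the rest of the message links to the genuine site.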

How to stop phishing attacks

To avoid taking the phishing bait, be aware of the above indicators by which phishing attacks commonly give themselves away.

  1. Be aware of new phishing techniques – Follow the media for phishing attack reports, as the attackers may come up with new techniques for luring users into a trap.
  2. Don’t give away your personal details – Always be alert if an electronic message from a seemingly trustworthy entity asks for your credentials or other sensitive details. If necessary, verify the contents of the message with the sender or the organisation they seemingly represent (using contact details known to be genuine rather than details provided in the message).
  3. Think twice before you click – If a suspicious message provides a link or attachment, don’t click or download. Doing so might lead you to a malicious website or infect your device with malware.
  4. Check your online accounts regularly – Even if you don’t suspect that someone is trying to steal your credentials, check your banking and other online accounts for suspicious activity. Just in case…
  5. Use two-factor authentication – Using two-factor authentication can protect your accounts, even if you give away important information. Should someone have obtained your password, they may still be prevented from accessing your account.
  6. Keep on top of your passwords with a password manager – A password manager can keep track of your passwords, letting you know if any are compromised. They can also help you change them regularly, which can stop your passwords from being leaked.
  7. Check that sites are secure – An insecure website is much more likely to suffer an attack, and it’s more likely to be used for phishing. Would your bank use an insecure website for your information? Definitely not. So ensure you know that the site can be trusted before you give up any information.


And finally: use a reliable anti-phishing solution. Apply these techniques alongside robust antivirus software to be certain that your digital world stays protected.