Phishing is one of the oldest types of cyberattack and continues to be one of the most widespread attacks in the world. Although this form of social engineering has been around for a long time, it has constantly evolved, becoming more and more sophisticated. This article aims to provide readers with an in-depth introduction to phishing, including its origin, how it works and its many types.
What is Phishing?
Phishing is a social engineering tactic that consists of an attacker sending an employee a fraudulent message via email, instant message or text message, in the hope that the unaware employee will click a link that downloads malware onto their system, freezes the system as part of a ransomware attack or reveals sensitive information of the organization.
A Brief History of Phishing
Phishing, as the name suggests, was coined by analogy with a fisherman casting a baited line and hook in the hope that an unwary fish bites. The term rose in popularity in the 1990s amongst hackers who targeted AOL users and their login credentials. 'Fishing' is spelt with a 'ph' because of a tradition amongst hackers in how they name their techniques: the spelling 'phishing' was influenced by the hacking term phreaking, or phone phreaking, an earlier form of hacking.
Notable Phishing Attacks in the past that have had massive impacts:
- Facebook & Google - Between 2013 and 2015, Facebook and Google lost $100 million to a successful phishing campaign. Hackers exploited Facebook's and Google's relationship with their Taiwanese vendor Quanta, sending the two companies fake invoices while impersonating Quanta, which ended up being paid.
- Crelan Bank - Crelan Bank in Belgium suffered a CEO Fraud attack that cost it $75.8 million; the identities of the attackers are still unknown.
- FACC - The Austrian aerospace parts manufacturer was hit with a CEO Fraud attack that cost it $65 million. The attacker posed as the CEO and sent an entry-level accountant a request to transfer funds into an account for a fake project.
These are three of the biggest phishing attacks in recent times, and phishing is still the most widespread form of social engineering. The Verizon Data Breach Incident Report for 2020 found that phishing was responsible for 22% of the incidents reported.
Phishing Kits
A phishing kit consists of tools that make it easy for individuals with little to no technical skill to launch a phishing attack. Phishing kits include website resources and tools that only need to be installed on a server, after which the attacker can send out emails to their targets. Phishing kits can also allow individuals to spoof well-known brands, increasing the chances of the target clicking on the malicious link.
The Goal Of Phishing Attacks
There are a number of different types of phishing attack, but what remains constant is that they all incorporate elements of disguise, whether it is tricking users into thinking an email comes from a trusted source, or luring a user to a fake website designed to look like one they frequently visit.
There are two key purposes of a phishing attack:
- Divulge sensitive information - these messages are designed to manipulate targets into sharing sensitive information, such as login credentials that enable access to systems. For example, a criminal can send large numbers of emails to numerous individuals while masquerading as a bank, hoping that one of the recipients is an actual customer. The email usually includes a link that leads the target to a fake website disguised to imitate the bank's actual login page. The unaware user enters their login details, which allows the criminal behind the phishing attack to access their account.
- Infect systems with malware - phishing attacks may also be designed to infect a target's system with malware. For instance, an attacker may send a victim an email with an attached file that embeds malicious code designed to install malware onto the victim's system.
Phishing attacks can be targeted at individuals, such as employees of a certain organisation, in which case attackers design their messaging to better manipulate their targets. However, most phishing attacks aren't targeted at all and are sent out to millions of individuals. An analogy to help understand this: a fisherman who uses a line and hook with specific bait designed to catch a specific family of fish, versus a fisherman who uses a net.
COVID-19 and the effect of similar crises
Attackers who use phishing, or any social engineering tactic for that matter, rely on an element of urgency in their attack strategy, in the hope that it stops targets from being analytical and reduces their skepticism or doubt about the legitimacy of the attacker's requests.
During a crisis like COVID-19, phishing attacks and social engineering attempts in general skyrocket because of the general psyche of individuals. People are more on edge and are looking for any direction from their employers, banks, government or any other authoritative figure. Therefore, there is less scrutiny of any requests or directives received via email, something that attackers thrive on.
How to Prevent Phishing
The best way to avoid falling for phishing attacks is to educate yourself on what to look out for. There are many examples of phishing attacks and methods online that you can familiarize yourself with, improving your chances of identifying an attempt when you are the target.
Other than educating and training yourself, there are a number of tips that can help you avoid falling victim to a phishing attack:
- Crosscheck URLs and email addresses for spelling mistakes
- Watch out for spoof website pages that are designed to imitate popular websites you regularly visit
- Email hijacking is a real threat: even if the email address checks out, if the message or request is suspicious, contact the sender in a new email to verify it.
- Control how much you share online; attackers may use information you share online, like your date of birth, address or mobile phone number, against you.
As an organisation, you can protect employees by:
- Conducting penetration tests or vulnerability assessments to identify and fix vulnerabilities in your systems that could be used against an employee and the organisation in a phishing attack.
- Monitoring web traffic on all devices.
- Screening communications for suspect links.
- Providing security awareness training for all employees.
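The two lists above (crosschecking URLs and sender addresses for look-alike spellings, and screening communications for suspect links) can be turned into a simple automated check. The following script is an added example written for this article, not StickmanCyber's tooling: it parses a constructed phishing email with Python's standard library, flags sender and link domains that imitate a trusted domain (via confusable-character normalisation and edit distance), flags links whose visible text names a different domain than the real target, and notes the urgency wording discussed earlier. The trusted-domain list, the confusable table and the sample messages are assumptions constructed for the example, and the "last two labels" domain reduction is a simplification that ignores public-suffix rules such as co.uk.

```python
"""Screen a raw email for common phishing indicators (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation treats as legitimate senders and link targets.
# Constructed for the example; a real deployment would load these from config.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Character swaps commonly used to build look-alike domains (constructed, not exhaustive).
CONFUSABLE_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Pressure phrases that the article notes attackers rely on (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "suspended", "within 24 hours")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplified; ignores public-suffix rules)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(domain: str) -> str:
    """Undo common confusable substitutions so 'examp1e' compares equal to 'example'."""
    out = domain.lower()
    for fake, real in CONFUSABLE_SWAPS:
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-typo squats such as 'exmaple'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def screen_email(raw: str) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list = nothing found)."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender address: does its domain imitate one we trust?
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} looks like trusted {target}")

    # 2. Links: look-alike targets, and visible text that names a different domain than the href.
    part = next((p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")), msg)
    body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        target = lookalike_of(href_domain)
        if target:
            findings.append(f"link target {href_domain} looks like trusted {target}")
        text_host = urlparse(text).hostname or ""
        if text_host and registrable_domain(text_host) != href_domain:
            findings.append(f"link text shows {registrable_domain(text_host)} but points to {href_domain}")

    # 3. Urgency language in subject or body.
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one phishing attempt, one legitimate notice.
PHISHING_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: employee@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body><p>Please verify now:
<a href="http://login.examp1e-bank.com/verify">https://example-bank.com/login</a></p></body></html>
"""

CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: employee@example.com
Subject: Your monthly statement
Content-Type: text/html

<html><body><p><a href="https://example-bank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", screen_email(raw) or "no findings")
```

Run as a script it prints four findings for the constructed phishing message and none for the clean one. The look-alike check deliberately combines two tests because neither alone is enough: normalisation catches substitutions that keep the same length (examp1e), while edit distance catches transpositions and dropped letters (exmaple) that no substitution table covers.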
The above methods are just a few ways to protect yourself against phishing attacks; these attacks are constantly evolving as attackers get smarter and more sophisticated in their trickery. It is vital that you stay informed on the latest trends in the cybersecurity landscape.
StickmanCyber's team is equipped to help your employees recognise such attempts, and prevent social engineering attacks.