What is phishing and how does it work?
What is phishing?
Phishing is an attack in which the threat actor impersonates a trusted person or organization to deceive victims into sending money or disclosing sensitive information. As in actual fishing, there are several ways to reel in a victim: email phishing, vishing (voice) and smishing (SMS) are three prevalent varieties. Some attackers use a targeted approach, as in spear phishing and whale phishing (more on the types of phishing below).
How does a phishing attack work?
Phishing attacks start with a message in which the threat actor pretends to be someone the recipient knows or trusts. The sender asks the recipient to do something and usually conveys a sense of urgency. Victims who fall for it can divulge private information that is then used against them. The three parts of a phishing attempt are described below:
The sender: In a phishing attempt, the sender pretends to be someone trustworthy that the recipient is likely to know (this is known as spoofing). Depending on the sort of attempt, it could be a person, such as a family member of the recipient, the CEO of the company they work for, or even a celebrity who is purportedly giving something away. Phishing emails frequently imitate messages from well-known organizations such as PayPal, Amazon, Microsoft, banks, or government agencies.
The message: While posing as someone the victim trusts, the attacker asks the victim to open a link, download an attachment, or send money. The message is designed to frighten the reader and override their better judgment: it typically instructs the victim to visit a website immediately and take action, or else face consequences.
The destination: Users who fall for the trick and click the link are taken to a fake copy of a legitimate website, where they are prompted to log in with their username and password. If they do, the attacker receives the credentials and uses them to steal identities, hijack bank accounts, and sell personal data on the dark web.
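The sender and message tells described above can be checked mechanically before a person ever reads the mail. The following Python script is an added example, not code from the original page: it parses a constructed sample message with the standard library and flags a display name that claims a brand the sending domain does not belong to, a Reply-To that redirects answers elsewhere, failing SPF/DKIM/DMARC results in the receiving server's Authentication-Results header, and fear or urgency wording in the subject and body. The brand list, the domains and both sample messages are assumptions made up for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Brands that are high-value impersonation targets and the domains they legitimately
# send from. Illustrative list: an assumption of this example, not authoritative data.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
}
URGENCY_TERMS = ("urgent", "immediately", "suspended", "locked", "24 hours", "act now")

# Constructed sample messages (not real captures). The first shows the tells
# described above; the second is what a legitimate notification looks like.
PHISH_EMAIL = """\
From: "PayPal Support" <security-alert@paypa1-billing.example>
Reply-To: collect@mailbox-relay.example
To: victim@example.org
Subject: URGENT: your account will be suspended in 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypa1-billing.example; dkim=none; dmarc=fail header.from=paypa1-billing.example
Content-Type: text/plain; charset="utf-8"

We detected unusual activity. Verify your account immediately or it will be locked.
"""

CLEAN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement is available
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Your statement for last month is ready to view.
"""


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display-name spoofing: the friendly name claims a brand, the address does not.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(from_dom == d or from_dom.endswith("." + d) for d in domains)
        if brand in name.lower() and not legit:
            findings.append(f"display name claims {brand!r} but sender domain is {from_dom!r}")

    # 2. Reply-To that routes answers to a different domain than the From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)!r} differs from From domain {from_dom!r}")

    # 3. Failed or missing sender authentication, as recorded by the receiving MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 4. Fear and urgency wording in the subject and the text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body is not None else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage_headers(sample) or ["no indicators"])
```

The Authentication-Results check only means something if the header was written by your own receiving server; a message can carry a forged one, so a mail gateway strips inbound copies of that header before adding its own.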
Who is targeted by phishing?
Phishing attacks can target anyone, but some target very specific individuals. Some threat actors send a mass email to a large number of people in the hope that a few will fall for it because of a shared characteristic, for instance a message telling you that something is wrong with your Facebook or Amazon account and that you need to log in immediately to fix it. The link would lead to a fake website where you might reveal your login information.
If threat actors want something specific, such as access to a particular company's network or data, or information from a politician or political candidate, they deploy more focused attacks. This is spear phishing. They may research the target so that the message seems familiar and legitimate and the target is more likely to click a link or supply information; for example, looking up the name and writing style of a target company's CEO and then impersonating the CEO in emails or messages to particular employees of that company.
Threat actors frequently pose as CEOs in their phishing attacks, but occasionally the CEOs themselves are the target. Whale phishing (whaling) refers to phishing attacks against high-profile targets such as business executives, celebrities, or well-known wealthy people. Whether an attack is generic or highly targeted, addressed to one person or to many, anyone can become a phishing target, so it's crucial to
Types of phishing attacks
Despite their many variations, all phishing attacks share a common denominator: they use a false pretense to obtain something of value. Several broad types are:
Email phishing
One of the most prevalent types of phishing is email phishing, which has been around since the early days of email. The attacker, posing as a trusted and well-known party (an online retailer, bank, social media company, etc.), sends you an email asking you to click a link to complete a crucial action, or even to download an attachment.
Examples of email phishing include the following:
Business email compromise (BEC): A BEC attack aims to trick someone in the organization's finance department, typically the CFO, into transferring a large sum of money. Attackers usually rely on social engineering to persuade the target that the transfer is urgent and important.
Clone phishing: The attacker copies a legitimate email that was previously sent and that contained a link or attachment, then replaces the link or attachment with a malicious lookalike. Unsuspecting users click the link or open the attachment, giving the attacker access to their systems. The phisher can then pose as the victim, now a trusted sender, to reach further victims inside the same organization.
419/Nigerian scams: One of the oldest and most persistent frauds on the Internet is a lengthy phishing email from a person posing as a Nigerian prince. This "prince" either offers you money in exchange for a small advance payment, or claims he needs money to get out of some predicament. The scam is named after the number 419, the section of the Nigerian Criminal Code that deals with fraud offenses, charges, and penalties.
Vishing (voice call phishing)
In phone-based phishing, also known as voice phishing or vishing, the scammer calls you pretending to be from your local bank, the police, or even the IRS. They then claim there is a problem and demand that you either share your account details or pay a fine right away to resolve it. They typically request payment by wire transfer or prepaid card, both of which are hard to trace.
Smishing (SMS or text message phishing)
Vishing's evil twin, SMS phishing or "smishing," uses text messages to run the same kind of scam, often with an embedded malicious link to click.
Catfishing or catphishing? Either way it's phishing with a romantic touch. See Bad Romance: Catphishing Expounded for more information. Citing the article:
Catfishing, spelled with an "f," is a type of online fraud in which an individual builds a social media presence as a sock puppet or a made-up online identity with the intention of enticing someone into a relationship, typically a romantic one, in exchange for cash, goods, or attention. Catphishing (spelled with a "ph") is similar, but, as with phishing, the aim is to establish rapport with the target in order to gain access to information and/or resources that the unsuspecting target has rights to.
Phishing vs. spear phishing: Most phishing campaigns send mass emails to as many recipients as possible, whereas spear phishing is targeted: it goes after a particular person or organization, with content often tailored specifically to the victim. Reconnaissance before the attack turns up names, job titles, email addresses, and similar details; the attackers comb the Internet to correlate this with other information about the target's coworkers and the identities and employment histories of key people in the organization. The phisher uses this to craft a convincing email.
For instance, a fraudster might spear phish an employee whose duties include the authority to approve payments. The email, purporting to come from an executive in the organization, demands that the employee send a large payment to the sender or to a company vendor, when in fact the payment link delivers the money to the attacker.
Phishing vs. whaling: Whale phishing, or whaling, is phishing aimed at high-profile targets, which can include C-level executives, politicians, and public figures. The attacker typically tries to con these targets into divulging private information and/or login credentials. Whaling attacks frequently use social engineering to make the lie convincing.
How to spot a phishing scam
Spotting a phishing attempt is not always simple, but a few pointers, some discipline, and common sense help a lot. Look for anything odd or out of place, and ask yourself whether a message "smells right." Trust your gut, but don't give in to fear: phishing campaigns routinely use fear to impair judgment.
Here are a few additional indicators of phishing:
The email makes an offer that seems too good to be true. It may claim you have won the lottery, an expensive prize, or some other extravagant thing.
You recognize the sender but don't normally communicate with them. Even if you know who the sender is, be wary if it's someone you rarely deal with, especially if the subject line has nothing to do with your usual work. The same applies if the "cc" line includes a group of coworkers from unrelated business units or people you don't know at all.
The message is alarming. Watch out for alarmist or inflammatory language urging you to click and "act now" before your account is suspended. Remember that legitimate businesses rarely ask for personal information by email.
The email includes unexpected or peculiar attachments. These attachments may carry malware, ransomware, or other threats.
Links in the message look slightly off. Even if none of the above sets off your spider sense, don't trust embedded hyperlinks at face value. Hover over the link to reveal the full URL, and watch for small misspellings in otherwise trustworthy-looking domain names; they are a sign of fraud. It is always safer to type the URL yourself than to click an embedded link.
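Hovering over a link is the manual version of the check below. This Python script is an added example, not code from the original page: it pulls every anchor out of a constructed HTML email body and flags what a careful reader hovers to find, namely visible text that shows one site while the href points to another, domains within a couple of edits of a known brand, punycode (xn--) hosts that hide lookalike characters, and plain-http links. The brand list and the sample message are assumptions of this example, and an https link is deliberately not treated as evidence of legitimacy.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate domains of frequently impersonated brands (illustrative list, an assumption of this example).
KNOWN_BRANDS = ("paypal.com", "microsoft.com", "amazon.com")

# A homograph host built from a Cyrillic "о" (U+043E), in the punycode (xn--) form a mail client would show.
HOMOGRAPH_HOST = "micr\u043esoft.example".encode("idna").decode("ascii")

# Constructed HTML body of a phishing email (sample input for this example, not a real capture).
SAMPLE_HTML = f"""
<p>Your account is on hold. Sign in at
<a href="http://secure-login.paypa1.example/verify">https://www.paypal.com/signin</a></p>
<p>Or use the portal: <a href="https://{HOMOGRAPH_HOST}/login">Microsoft 365</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">paypal.com/help</a></p>
"""


class _AnchorParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorParser()
    parser.feed(html)
    return parser.links


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a brand name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain (last two labels); adequate for .com-style TLDs in this example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_link(href, text):
    """Return the reasons this anchor looks suspicious (empty list if none)."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme == "http":
        findings.append("plain http (no TLS)")
    # Punycode labels hide homograph characters; decode so the lookalike check sees the real glyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")
        findings.append(f"punycode host decodes to {host!r}")
    # Visible text that looks like a URL for one site while the href goes to another.
    m = re.match(r"(?:https?://)?([a-z0-9.-]+)", text.lower())
    if m and "." in m.group(1) and registrable(m.group(1)) != registrable(host):
        findings.append(f"text shows {m.group(1)!r} but href goes to {host!r}")
    # Typosquat or homograph of a known brand.
    reg = registrable(host)
    for brand in KNOWN_BRANDS:
        d = edit_distance(reg.split(".")[0], brand.split(".")[0])
        if 0 < d <= 2 and reg != brand:
            findings.append(f"{reg!r} is {d} edit(s) from {brand}")
    return findings


def scan_html(html):
    """Map each href in the message body to its findings."""
    return {href: analyse_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML).items():
        print(href, "->", reasons or ["looks consistent"])
```

The edit-distance rule is deliberately loose: it will also flag legitimate domains that happen to sit near a brand name, so in a real gateway it feeds a score or a review queue rather than a hard block.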
How can I safeguard myself from phishing?
As noted above, phishing is an all-encompassing threat that can appear on desktops, laptops, tablets, and smartphones. Most web browsers include tools that check whether a link is safe, but your own judgment is the best line of defense. Every time you check your email, read Facebook updates, or play your favorite online game, practice safe computing by learning to recognize the warning signs of phishing.
Don't open emails from senders you don't recognize.
Never click a link inside an email unless you are certain where it leads.
For an extra layer of safety, if you receive an email from an unfamiliar sender, don't follow the link it offers; instead, type the organization's correct website address into your browser yourself.
Check the website's digital certificate (the padlock in the address bar) and confirm it was issued for the domain you intended to visit.
If you are asked to provide sensitive information, make sure the website's URL begins with "https" rather than just "http"; the "s" stands for secure. Most reputable sites use HTTPS, but it is no guarantee: a certificate only proves the connection is encrypted to whoever controls that domain, not that the domain is legitimate, and attackers routinely obtain valid certificates for their lookalike domains. Even legitimate sites can be compromised.
If you doubt an email is genuine, take a name or a phrase from it and enter it into a search engine to see whether known phishing campaigns have used the same wording.
Hover over a link to see where it really goes before you click.
Why does phishing work so well?
Unlike other online threats, phishing does not require a high level of technical skill. In fact, according to Adam Kujawa, Director of Malwarebytes Labs, phishing is the simplest and most destructive type of cyberattack, because it targets the most powerful and most vulnerable computer on Earth: the human mind.
Rather than exploiting a technical flaw in your device's operating system, phishers use social engineering. No operating system, however good its security, is fully protected from phishing, whether Windows, iPhone, Mac, or Android. In fact, attackers often turn to phishing precisely because they cannot find a technical flaw to exploit. Why waste time breaking through multiple layers of security when you can trick someone into handing you the key? The weakest link in a security system is usually not a bug in the code but a person who neglects to double-check the source of an email.
How will phishing impact my company?
The truth is that cybercriminals are aiming their attacks at your company. According to the Malwarebytes Labs Cybercrime Tactics and Techniques Report (CTNT), attacks on businesses increased by 55 percent in the second half of 2018, with Trojans and ransomware the most prevalent attack types; ransomware attacks on organizations rose 84 percent and Trojan attacks 88 percent. Because attackers frequently use phishing emails to trick victims into downloading the software that starts the attack, phishing plays a significant role in many Trojan and ransomware infections.
For instance, the Emotet banking Trojan that wreaked havoc throughout 2018 has a spam module that harvests contact lists from compromised computers and sends phishing emails to the victim's friends, family, and coworkers, with an attachment or download link carrying malware. In a notable twist, Emotet, originally a standalone banking Trojan, is now used to distribute ransomware and other malware.
What happens when a phishing attack lets malware like Emotet into your network? Ask the city of Allentown, Pennsylvania. The 2018 attack there required direct assistance from Microsoft's incident response team to clean up, at an estimated cost to the city of more than $1 million.
Background of phishing
The origin of the name "phishing" is easy enough to trace. A phishing scam works much like actual fishing: you prepare bait designed to deceive your victim, cast it out, and wait for a bite. The "ph" digraph may have come from combining "fishing" with "phony," though some sources point to another possible origin.
In the 1970s, a subculture formed around low-tech hacks for exploiting the telephone network. These early hackers were called phreaks, a combination of "phone" and "freaks." At a time when there were few networked computers to hack, phreaking was a popular way to make free long-distance calls or reach unlisted numbers.
Before the term "phishing" was in common use, a phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
The first use of the term is credited to Khan C. Smith, a prolific spammer and hacker, in the mid-1990s. According to Internet records, the first public, recorded mention of phishing dates to January 2, 1996, in a Usenet newsgroup called AOHell. At the time, America Online (AOL) was the leading Internet access provider, with millions of log-ons daily.
AOL's popularity made it a natural target for scammers. Hackers and software pirates used it to communicate with one another and to coordinate attacks on legitimate users. When AOL moved to shut down AOHell, the attackers changed tactics: they posed as AOL staff and sent messages asking users to verify their accounts and hand over billing information. Eventually the problem got so bad that AOL added a warning to all email and instant messaging clients stating that "no one working at AOL will ask for your password or billing information."
In the 2000s, phishing turned to exploiting online payment systems. Customers of banks and online payment services were targeted, and some of them, according to later research, may even have been accurately identified and matched to the bank they actually used. Social networking sites also became a popular phishing target, since they provide easy access to personal information that can be used for identity theft.
Criminals registered numerous domains that closely imitated PayPal and eBay; if you weren't paying close attention, you could mistake them for the real thing. Phishing emails with links to the bogus sites were then sent to PayPal customers asking them to update their credit card numbers and other personally identifying information. The Banker, a publication owned by The Financial Times Ltd., reported the first documented phishing attack against a bank in September 2003.
By the mid-2000s, turnkey phishing software was readily available on the black market, and hacker groups began organizing to run sophisticated phishing campaigns. According to 2007 Gartner research, as many as 3.6 million people may have lost $3.2 billion to phishing between August 2006 and August 2007.
Phishing found state sponsors in 2011, when a suspected Chinese phishing campaign targeted the Gmail accounts of senior US and South Korean government and military officials, as well as Chinese political activists.
The most notorious incident came in 2013, when the credit card and personal data of 110 million Target customers was stolen through a phished subcontractor account.
Even more infamous was the phishing campaign carried out in the first quarter of 2016 against email accounts connected to the Democratic National Committee by Fancy Bear, a cyber espionage group linked to Russia's military intelligence agency, the GRU. In particular, John Podesta, chairman of Hillary Clinton's 2016 presidential campaign, fell for the oldest trick in the book, a phishing message claiming his email password had been compromised (so click here to change it), and his Gmail account was hacked and its contents later leaked.
A large phishing scam disclosed in 2017 had tricked the accounting departments of Google and Facebook into wiring more than $100 million to foreign bank accounts controlled by the fraudster.
Jeff Bosset is a computer technician with more than 25 years of experience. That Tech Jeff provides online computer help to home users and small businesses.