Phishing attacks remain one of the largest and most frequent security issues faced by individuals and businesses. From stealing sensitive business information, passwords, and credit card information, hackers are using a range of online communication channels, primarily email and social media, to scam victims out of money and/or information.
Verizon’s 2019 Data Breach Investigations Report revealed that almost a third of all data breaches were a result of phishing. When this is narrowed down to only cyber-espionage attacks, the number rises to 78%.
The worst news? Thanks to a myriad of templates and easily available tools and target lists, hackers are getting better at it.
So, what is phishing exactly?
It is a fraudulent attempt where a perpetrator masquerades as a reputed person or company, generally through email but sometimes through other forms of communication. After establishing contact, this person generally attempts to dupe you into transferring funds or entering sensitive information into a fake website that logs said information. Sometimes, phishing emails often come with malicious attachments or malware designed to log your keystrokes and other personal information.
A few phishing attempts in recent times have been so daring and successful, they’ve made the news headlines. For example, in 2016, hackers were able to get John Podesta, Hillary Clinton’s campaign chair to give up his Gmail account, throwing her entire campaign into disarray. In the same year, University of Kansas employees shared paycheck deposit information to a phishing email – scammers were able to take off with the victims’ salaries.
Phishing remains popular due to its low barrier to success – it is easier to fool a person into clicking on a malicious link rather than attempting to break through a system’s defenses.
How does phishing work?
Attackers generally use social networking techniques that are then applied to email or other communication forms. These methods include sending direct messages on social media and attempting contact through SMS messages.
Public information sources such as LinkedIn, Twitter and Facebook are used to gather background information. Names, job positions and email addresses are easy to identify – this information is then used to create a strong, authentic-looking email or message.
The message received by the victim will look like one sent by a known organization or individual. Sometimes these emails contain a malicious attachment or may have a link that takes users to a malicious website. Either way, the final objective is to install malware or take users to a fake website. This fake website will then trick users into entering financial information like credit card numbers, passwords and account IDs.
Where phishing attempts were once a poorly written mess that users could quickly identify as fake, today’s attempts are increasingly incorporating professional marketing strategies to create effective messages and emails.
There are three main forms of phishing.
Spear phishing is when hackers create a message specifically targeted to a single person. Perpetrators use social media sites to gather information and then use spoofed email addresses to send out emails that look like they are coming from a colleague.
One common example of a spear phisher is where a scammer targets an individual from the finance department, pretending to be a manager and requesting an urgent bank transfer, usually on a weekend and on short notice.
Whaling is a fork of spear fishing but where high-value targets such as CEOs and board members are targeted.
Board members especially are very vulnerable to this. They are appealing to scammers because of their high rank in the organization. However, since they don’t work at the organization full-time, board members are not familiar with most of the employees. Additionally, they are known to often use personal email addresses for business-related discussions – these emails don’t offer the same protections that a corporate email address would.
Finding enough information to con a target like this takes time but it does, surprisingly, pay off.
A 2008 whaling attack saw criminals target CEOs with emails that had fake FBI subpoenas attached. 2,000 individuals fell for the scam, clicking a link in the email that they believed was a browser add-on to view the file. This link installed keyloggers on the computer that recorded passwords and passed it on to the criminals.
SMS phishing is phishing through SMS. Similar to email phishing, it incorporates a threat or an enticing text to lure users into clicking the link or calling a number. In some cases, a link may direct to a security app that’s actually malware under the hood.
How to protect yourself as an end user from phishing?
There are a few steps one can take to keep themselves from becoming another victim of phishing.
- Always check the domain and its spelling on an email link before you reply or send sensitive information.
- Keep an eye out for URL redirects where you are sent to a fake page that looks exactly like the original.
- If ever in doubt as to the source of a suspicious email, contact the source through another channel or new email before responding.
- Be wary about posting personal information, addresses, phone numbers, vacation plans and birthdays on public social media channels.
How to protect your organization from phishing?
If you are working in an IT security department, there are plenty of proactive measures to protect your employees.
- By “sandboxing” inbound emails, you keep the rest of the network and system secured in case a user clicks on a malicious link.
- Monitor and analyze all web traffic
- Pen-test your networks for weak spots
- Educate all employees on safe browsing etiquette