What is Phishing?
Phishing attacks – The Story
It was an average Monday. Mukesh entered his office and opened his mailbox to find an email waiting for him. The email appeared to come from his computer system, explaining that his current password was about to expire and asking him to change it. A link was attached to the mail, and the web page that followed was nothing out of the ordinary. Mukesh followed the steps and changed his password. He then carried on with his day. Little did he know, this phishing email was not actually from the operating system, but from a group intending to steal his credentials.
These types of attacks are becoming increasingly common and are known as phishing attacks. Phishing is a form of cyber-crime in which a socially engineered attack is used to steal user data, including login credentials and credit card numbers. The attacker generally masquerades as a trusted entity, such as your computer, your bank or the software you use, and tricks victims into opening a malicious email or text message. These messages may lead to the installation of malware and the freezing of the system.
Before an attack, preliminary surveys may be used to uncover the names, job titles and email addresses of potential victims. Information about their colleagues and the names of key employees in their organizations is also looked into. This is then used to craft a believable email. Targeted attacks typically begin with a phishing email containing a malicious link or attachment. Dating back to the 1990s, phishing is one of the oldest cybercrimes. However, it is still widely used and is becoming increasingly nuanced with passing time.
Types of phishing
Attackers have used different phishing techniques over time. The email Mukesh received was a type of phishing attack known as mass market email. However, with passing time and advances in technology, attackers have developed various other methods to carry out phishing attacks, such as spear phishing, whaling, clone phishing, snowshoeing and vishing.
The goal here is to help familiarize you with many of the different types of phishing attacks that exist and provide an overview of how they work or what sets them apart from other phishing scams.
Mass Market Phishing mails
The most commonly occurring form of phishing is the mass-mailed type, or phishing mail. It is usually seen as a way of attempting to acquire information such as usernames, passwords and credit card details. An email is sent by the attacker, pretending to be someone else and trying to trick the recipient into engaging in an action, usually logging into a website or downloading malware.
Attacks frequently rely on email spoofing, where the From field of the email header is forged to make the message appear as if it was sent by a trusted sender. These e-mails may not be targeted at all, being sent to millions of potential victims to try to trick them into logging in to fake versions of popular websites. Another trick used is to get the victim to infect their own computer with malware.
These attachments are often .zip files or Microsoft Office documents with malicious embedded code. It was found that in 2017, 93 percent of phishing emails contained ransomware attachments, making ransomware the most common form of malicious code found.
Spear Phishing attacks
Named after the image of a fisherman aiming for one specific fish, rather than just casting a baited hook in the water to see who bites, spear phishing is when attackers craft a message designed to appeal to one targeted individual. Targets are identified, sometimes using information on social networking sites like LinkedIn.
Spoofed addresses are then used to send emails that could plausibly look like they’re coming from co-workers. The attackers’ use of the victim’s name, location or other personal information helps make the e-mails more believable. Hence, spear-phishing attacks are extremely successful, due to the time attackers invest in them.
For instance, the spear phisher might target someone in the finance department and pretend to be the victim’s manager requesting a large bank transfer on short notice.
Whaling phishing attacks
This is a phishing attack which specifically targets an enterprise’s top executives. This is because the victim is considered to be high-value, and the stolen information is believed to be greater in value than what a regular employee may offer. The end goal is to steal data, employee information, and cash.
Despite being more fruitful in terms of information stolen, whaling requires additional research, as the attacker needs to be aware of the intended victim’s communication channels and their topics of discussion. Hence, attackers typically begin with social engineering to gather information about the victim and the company before crafting the phishing message to be used in the whaling attack.
Clone Phishing method
Clone phishing is when an attacker creates a nearly identical replica of a legitimate, previously delivered message or e-mail to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message.
The key difference between the original and the cloned e-mail, however, is that the attachment or link in the original is swapped out for a malicious one. The clone may claim to be a resend of the original or an updated version of it.
Snowshoeing
The term “Snowshoeing” or “Snowshoe spam” is derived from the strategy being similar to actual snowshoes, which distribute the weight of an individual over a wide area to avoid sinking into the snow. In this form of spam, attackers push out messages via multiple domains and IP addresses.
Every IP address sends a small number of messages, so reputation- or volume-based spam filters cannot recognize and block the malicious messages immediately. Some of the messages make their way to inboxes before the filters learn to block them. It is essentially unsolicited bulk email.
Over time, this has also been termed “hit-and-run” spam, gaining its name from the temporary nature of sending out massive volumes of spam in very short bursts. Spammers are also getting increasingly creative and sophisticated with the content of the spam messages, as they strive for exact duplication of legitimate bulk mail or use randomization techniques to evade detection.
This has the added impact of making it challenging to separate unsolicited mail from solicited mail based on content.
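The passage above describes why a per-IP volume threshold misses snowshoe spam. The following added example (not code from the original article or from Matrix3D) illustrates the gap and one defensive counter: fingerprint each message's normalized subject so that a campaign spread across many IPs is clustered as one. The mail records, IP addresses, domains and subjects are constructed sample data, and the thresholds are assumptions.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample of inbound mail metadata (not real logs):
# (source_ip, envelope-from domain, subject line)
SAMPLE = []

# 20 "snowshoe" sending IPs, each sending only 3 messages, with a
# randomized invoice number in the subject to defeat exact-match filters.
for i in range(20):
    for k in range(3):
        SAMPLE.append((f"198.51.100.{i + 1}", f"promo-{i}.example",
                       f"Your invoice #{1000 + i * 3 + k} is ready"))

# One single-source bulk sender pushing 40 messages from a single IP.
for k in range(40):
    SAMPLE.append(("203.0.113.7", "newsletter.example",
                   f"Weekly digest issue {k}"))


def per_ip_volume_filter(records, threshold=10):
    """Classic volume filter: flag any IP that sends more than `threshold`
    messages in the window. Snowshoe senders stay under the threshold."""
    counts = Counter(ip for ip, _, _ in records)
    return {ip for ip, n in counts.items() if n > threshold}


def fingerprint(subject):
    """Normalize a subject so randomized tokens collapse to one value:
    lowercase, replace digit runs with '#', collapse whitespace, then hash."""
    normalized = re.sub(r"\d+", "#", subject.lower())
    normalized = re.sub(r"\s+", " ", normalized).strip()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def campaign_fingerprint_filter(records, min_distinct_ips=5):
    """Cluster messages by content fingerprint instead of by source IP.
    A cluster that spans many distinct IPs is the snowshoe signature:
    the same campaign deliberately spread thin across infrastructure."""
    ips_per_campaign = defaultdict(set)
    for ip, _, subject in records:
        ips_per_campaign[fingerprint(subject)].add(ip)
    flagged = set()
    for ips in ips_per_campaign.values():
        if len(ips) >= min_distinct_ips:
            flagged.update(ips)
    return flagged


if __name__ == "__main__":
    print("per-IP volume filter flags:", sorted(per_ip_volume_filter(SAMPLE)))
    print("campaign fingerprint filter flags:",
          sorted(campaign_fingerprint_filter(SAMPLE)))
```

Running it shows the per-IP filter catching only the single high-volume sender while all 20 snowshoe IPs pass, whereas the fingerprint filter flags all 20 and leaves the single-source sender alone. In practice the two are complementary, and the fingerprint should cover more than the subject (body template, URLs, sending-domain registration pattern), since the article notes that spammers randomize content precisely to defeat such clustering.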
Vishing
Voice phishing, also known as “Vishing”, entails the use of the phone. The victim typically receives a call disguised as a communication from a legitimate institution. It is generally considered the voice equivalent of online phishing. For example, the message may request that the recipient call a number and enter their account details or PIN for security or other authorized purposes. However, the telephone number rings directly to the attacker via voice-over-IP services.
Recently, attackers were calling victims, pretending to be from the Apple technical support team and providing users with contact details to resolve a “security issue.” Like the old Windows tech support scam, these tricks take advantage of users’ fears of their systems getting hacked.
How to Recognize Phishing E-Mail?
As it turns out, Mukesh was not the only one in his office to receive the phishing email. Many of his co-workers and friends working in different departments were also recipients of the same email, and many of them made the same mistake of “updating” their passwords via the attached link. This is because an ordinary user generally fails to assess and understand the impact of falling for a phishing attack.
A naïve individual may be unaware of the impact of downloading a malicious document or opening a harmful link. A tech-savvy user may be able to understand the risk of clicking on a suspicious link in an email, as that could result in a malware download or scam messages asking for money. Usually only the most savvy users can estimate the potential damage from credential theft and account compromise.
This risk identification gap makes it difficult for users to understand the importance of spotting a malicious message.
Organizations like Mukesh’s must review their existing internal awareness campaigns and make sure employees are given the tools to recognize different types of attacks. They also need to beef up security defences, because some of the traditional email security tools — such as spam filters — are not enough of a defence against some phishing types. For example, spam filters fail to identify business email compromise (BEC) attacks.
Scammers Learn and Update
Scammers update their tactics often, but there are some signs that will help you recognize a phishing email or text message. Phishing emails and messages may look like they are from a person or organization you know or trust.
They may also look like they’re from a bank, a credit card company, a social networking site, an online payment website or app, or an online store. Phishers often tell a story in the email or message to trick you into clicking on a link or opening an attached file.
Easily recognize phishing emails:
- The use of subdomains, misspelled URLs (typosquatting) or otherwise suspicious URLs.
- The sender uses a Gmail or other public email address rather than a corporate email address.
- The message is written to invoke fear or a sense of urgency.
- The message includes a request to verify personal information, such as financial details or a password.
- Message is poorly written and has spelling and grammatical errors.
- They ask you to confirm personal information, include a fake invoice, want you to click on a link to make a payment, say you’re eligible to register for a government refund, or offer a coupon for free goods or other items that the recipient finds enticing.
Real-Life Phishing Examples
Despite advances in the technological mindset of individuals and in anti-phishing systems, phishers are still succeeding to a very large extent. Promises of monetary gain, financial danger or data loss are sensitive topics often used by scammers to lure people into falling for them. Certain examples are very frequently found to be sent by scammers. A few examples would include:
Look-alike websites
Also known as pharming, these are very similar-looking copies of popular websites. They are extremely close to the real website, and ordinary users might not even notice the small differences in the URL, since the look-alike website’s URL also contains part of the real website’s URL. These can be very hard to detect when not paying close attention.
However, take a careful look at the domain (URL) of the link emailed to you, or go directly to the mentioned website to ensure its legitimacy instead of clicking the e-mailed link.
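The list of warning signs above (subdomain tricks, typosquatted and otherwise suspicious URLs) and the look-alike website example both come down to reading the domain carefully. The following added example is not code from the original article or from Matrix3D; it is a small URL inspector a defender might run over links extracted from mail before a user sees them. The trusted-domain allowlist and the sample URLs are constructed, and the two-edit typosquat threshold is an assumption.

```python
from urllib.parse import urlparse

# Constructed allowlist: domains the organization treats as its own or as
# trusted partners. A real deployment would load this from configuration.
TRUSTED_DOMAINS = {"example-bank.com", "example-pay.com"}

# Assumed threshold: a registrable domain within this many single-character
# edits of a trusted one is treated as a probable typosquat.
MAX_TYPO_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: the last two labels. This ignores multi-part
    public suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url):
    """Return a list of human-readable findings; an empty list means the
    link resolves to a trusted registrable domain with no red flags."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)

    if "@" in parsed.netloc:
        # "https://example-bank.com@evil.test/" really goes to evil.test
        findings.append("credentials-style text before '@' hides the real host")
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        findings.append("non-ASCII or punycode hostname (possible homoglyph domain)")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address used as host")

    if reg in TRUSTED_DOMAINS and not findings:
        return []

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if reg != trusted and brand in host:
            findings.append(
                f"trusted name '{brand}' appears in a subdomain, but the "
                f"registrable domain is '{reg}'")
        elif reg != trusted and brand in parsed.path.lower():
            findings.append(
                f"trusted name '{brand}' appears only in the path of '{reg}'")
        distance = levenshtein(reg, trusted)
        if 0 < distance <= MAX_TYPO_DISTANCE:
            findings.append(
                f"'{reg}' is {distance} edit(s) away from '{trusted}' (possible typosquat)")
    return findings


def is_suspicious(url):
    return bool(inspect_url(url))


if __name__ == "__main__":
    for sample in [
        "https://example-bank.com/login",                 # genuine
        "https://example-bank.com.evil.test/login",       # brand in subdomain
        "https://examp1e-bank.com/login",                 # typosquat (1 -> l)
        "http://evil.test/example-bank.com/secure",       # brand only in path
        "https://example-bank.com@evil.test/",            # userinfo trick
    ]:
        print(sample, "->", inspect_url(sample) or "no findings")
```

The checks mirror the article's warning signs rather than a blocklist: a brand name that sits in a subdomain or path but not in the registrable domain, a domain a character or two away from a trusted one, and hostnames that cannot be what they appear to be. Note that `registrable_domain` is deliberately simplistic; a production filter should use a public-suffix list so that `example-bank.co.uk` is not split incorrectly.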
Nigerian 419 scams
Despite their official name being “advance fee frauds”, these scams get their name from their country of origin, where the largest number of such scammers exist, at least per capita. They typically involve promising the victim a significant share of a large sum of money in return for a small up-front payment, which the fraudster claims to require in order to obtain the large sum.
If a victim makes the payment, the attacker either creates a series of further fees for the victim or simply disappears.
Although certain anti-malware software filters these emails out, these emails intentionally target susceptible groups of individuals to prey on. A few examples are the Nigerian 419 scam, the Spanish Prisoner scam, the black money scam, Fifo’s Fraud and the Detroit-Buffalo scam. To avoid falling for these scams, any source of free money that seems too good to be true must not be believed.
How to prevent phishing attempts
It takes just one moment to make yourself or your organization the victim of a phishing attack. While there is no simple method to prevent phishing, a multi-pronged approach to the threat can limit the risk.
- Educate your team and create awareness about cybersecurity by conducting training sessions.
At Matrix3D we are offering free cybersecurity awareness sessions – write to us at firstname.lastname@example.org or drop us a line on our contact page
- Test employees on how to identify phishing attacks – You can run a competition in your organization to distinguish legitimate emails from phishing emails using the Google phishing quiz https://phishingquiz.withgoogle.com/
- Deploy two-factor authentication – All leading mail providers offer multi-factor authentication, an additional layer of security that helps protect your users even after somebody knows their password.
- Security patches and updates – Always install all the latest updates of software and OS to protect against vulnerabilities and security issues.
- Install and monitor antivirus software on all devices.
Phishing, in the modern world, is used to collect personal information from the intended victim. Campaigns to inform the general population about phishing have existed for quite a while, with a continuous increase in attempts and sophistication.
It is important to stay aware of the phishing trends and to keep your computer and internet browsers up to date with current antivirus and security patches. Although 100 percent safety is never guaranteed, these measures help you stay as secure as possible!