What Is Phishing? A Brief Guide to Recognizing and Thwarting Phishing Attacks

What Is Phishing?

In this day and age, cybersecurity is at the forefront of operational priorities. High-profile data breaches have taught the hard-earned lesson that protecting data and personally identifiable information (PII) must take precedence. Among the most prevalent threats to organizations is phishing.

Industry surveys regularly attribute a large share of security incidents, by some counts nearly 80%, to phishing. Because these attacks rely on human fallibility rather than on weaknesses in your systems, they can be difficult to combat. This overview provides a brief primer on the subject and explains how you can thwart such attacks.

Phishing Defined

What is phishing? Well, you don’t need a pole, but it does involve reeling in unsuspecting victims.

Phishing is a type of cyberattack that uses email, phone or text to entice individuals into providing personal or sensitive information, ranging from passwords, credit card information and Social Security numbers to details about a person or organization. Attackers pose as legitimate representatives to obtain this information, which is then used to access accounts or systems, often leading to identity theft or significant financial loss.

How Does Phishing Work?

Phishing scams arrive over various forms of communication, notably email, text and phone. Attackers want to be trusted, so they take pains to masquerade as legitimate representatives of organizations, constructing emails that appear genuine or making phone calls that sound like valid requests for information.

Phishing works mostly by manipulation and relies on human interaction: the victim unknowingly clicks a malicious link, opens a malicious attachment or hands information directly to the attacker. A link typically leads to a login page that mimics a real service and records whatever credentials are typed into it.

Because the goal is to obtain passwords or PII, people carrying out phishing attacks often impersonate tech support, financial institutions or government entities.

History of Phishing

The term phishing was first used in connection with AOHell, a program written by a Pennsylvania teenager. AOHell bundled credit-card-stealing and password-cracking functions that were used to cause trouble for AOL, and it spawned other automated phishing tools, including one later used by the Warez community.

The first organized phishing attacks are attributed to the Warez community, a loose group associated with software piracy and hacking. These scams targeted AOL users in 1996.

The Warez community infamously used an algorithm to generate random credit card numbers. When a generated number passed AOL’s validation, the group could create real AOL accounts, which they then used to scam other AOL users. This was later followed by social engineering: members of the group impersonated AOL employees in an attempt to gather more sensitive information from other users.

After these early AOL scams, attackers quickly moved to email as the channel for gathering useful information. Phishing emails ranged in sophistication from the unconvincing “Nigerian prince” advance-fee requests to the far more convincing 2003 Mimail worm, which spread through an email claiming to be from PayPal.

The Mimail email was fairly successful at convincing users to enter their usernames and passwords. It warned that the recipient’s credit card information was expiring and asked them to update it as soon as possible. The link led to a page carrying PayPal’s logo, and many users entered their password and credit card details on what turned out to be a malicious website.

Today, phishing uses multiple communication channels and has evolved from crude mass mailings to the sophisticated targeting of specific individuals and organizations.

Types of Phishing

Phishing can take on many different forms. Here are some variations of the phishing attack.

  • Angler Phishing: This attack comes by way of social media. Attackers set up fake customer-support profiles, post fake URLs or send direct messages to obtain sensitive data, often replying to people who have publicly complained to a brand. Attackers also comb through social profiles to glean any personal information they can use for social engineering.
  • Clone Phishing: The attacker takes a legitimate email the victim has already received, duplicates it as exactly as possible and resends it with the original links or attachments swapped for malicious ones.
  • Domain Spoofing: The attacker forges the sender address, or registers a lookalike domain, so that the email appears to come from a trusted company. The display name and the actual address can differ, so the address itself is what should be checked.
  • Email Phishing: Phishing emails are usually the first thing that comes to mind when people hear the term phishing. Attackers send an illegitimate email asking for personal information or login credentials, or linking to a page that collects them.
  • Search Engine Phishing: Rather than sending correspondence to you, search engine phishing involves creating a website that mimics a legitimate site and getting it ranked or advertised in search results. Visitors are asked to download products that are infected with malware or to enter personal information in forms that go to the attacker.
  • Smishing: Combine SMS with phishing and you have smishing. Attackers send fraudulent text messages, often carrying a shortened link, in an attempt to gather information such as credit card numbers or passwords.
  • Spear Phishing: Spear phishing is tightly targeted: attackers take time to gather details about the victim that let them present themselves as trusted entities. They then construct personalized phishing emails, including details that make it seem as though the email is coming from a known source.
  • Whaling: A whaling attack targets the big fish, executive-level employees. An attack of this sort usually involves more sophisticated social engineering and intelligence gathering to better sell the fake, and often aims at getting a payment or data transfer approved rather than stealing a password.
  • Vishing: Voice phishing, or vishing, involves phone calls from a fraudulent caller attempting to obtain sensitive information. VoIP services make it cheap to place such calls at scale and to spoof the caller ID shown to the victim.
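Several of the types above (domain spoofing, the fake URLs used in angler and email phishing, lookalike domains) come down to a few checks that a mail gateway or an analyst can make on the message itself. The following is an added example, not code from the original article: a small Python checker, using only the standard library, that looks at a constructed sample message for those signals. Everything in the sample (the `.example` domains, the `xn--pypal-4ve.com` homoglyph host, the Authentication-Results line) is invented for this example, and the `KNOWN_BRANDS` set is an assumption that a real deployment would replace with its own domains and the brands its users deal with.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand domains the checker knows. Assumption for this example: a real deployment
# would load the organization's own domains and the brands its users deal with.
KNOWN_BRANDS = {"paypal.com"}

# Constructed sample message: every address, domain and header value is invented
# for this example (.example is a reserved TLD) and is not from a real campaign.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal Service" <service@paypal.com>
Reply-To: support@paypa1.example
To: victim@example.com
Subject: Urgent: your credit card information has expired
Content-Type: text/plain; charset=utf-8

Your card on file has expired. Update it within 24 hours at
https://www.paypal.com.account-verify.example/login
or via our secure mirror http://xn--pypal-4ve.com/update
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)


def address_domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if none."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list; real code
    should consult one so that registrations like example.co.uk are handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host):
    """Explain why a hostname resembles a known brand domain without being it."""
    host = host.lower()
    reg = registrable_domain(host)
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")  # reveal the homoglyph form
        except UnicodeError:
            shown = host
        reasons.append(f"punycode hostname (displays as {shown}); possible homoglyph domain")
    for brand in KNOWN_BRANDS:
        if reg == brand:
            continue  # the brand itself, or one of its own subdomains
        if f".{brand}." in f".{host}":
            reasons.append(f"'{brand}' appears as a subdomain of {reg}")
        reg_label, brand_label = reg.split(".")[0], brand.split(".")[0]
        if reg_label != brand_label and edit_distance(reg_label, brand_label) <= 1:
            reasons.append(f"'{reg}' is one edit away from '{brand}'")
        elif reg_label != brand_label and brand_label in reg_label:
            reasons.append(f"'{reg}' embeds the brand name '{brand_label}'")
    return reasons


def analyze(raw_message):
    """Return human-readable findings for one RFC 5322 message; [] means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = address_domain(msg["From"])
    # Spoofing signals: the envelope sender or the reply address does not match From.
    for header in ("Return-Path", "Reply-To"):
        other = address_domain(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
            findings.extend(f"{header}: {r}" for r in lookalike_reasons(other))
    # Authentication-Results is stamped by the receiving mail server, not by the sender.
    for mech, result in AUTH_FAIL_RE.findall(str(msg["Authentication-Results"] or "")):
        findings.append(f"{mech.lower()}={result.lower()} in Authentication-Results")
    # Links in the body: brand-as-subdomain, one-character typos, punycode.
    body = msg.get_content() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        for reason in lookalike_reasons(urlparse(url).hostname or ""):
            findings.append(f"link {url}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("-", finding)
```

Run it directly to print the findings for the sample. Two caveats for anyone adapting it: the Authentication-Results header is only trustworthy when your own receiving server adds it and strips any copy that arrived with the message, and the registrable-domain helper deliberately ignores the public suffix list, which a production checker should consult.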

How to Prevent and Protect Against Phishing

To help prevent phishing attacks, you should observe general best practices, similar to those you might undertake to avoid viruses and other malware.

First, make sure your systems are kept up to date to protect against known vulnerabilities. Protect devices and systems with reputable security software and a firewall. Enforce multi-factor authentication so that a phished password alone is not enough to log in. You can also add data loss prevention (DLP) software that watches for PII being sent over email or other insecure channels.
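The “software that watches for PII” mentioned above is usually called data loss prevention. As an added example that is not part of the original article, here is a minimal outbound scanner in Python that flags card numbers and Social Security numbers in constructed sample messages, using the Luhn checksum to discard digit strings that merely look like cards. The sample messages, the test card number (the widely published Visa test number, not a real account) and the SSN are all constructed for the example.

```python
import re

# Constructed outbound messages for this example. The card number is the
# well-known Visa test number (Luhn-valid, not a real account) and the SSN is a
# made-up value in valid format; nothing here belongs to a real person.
OUTBOUND = [
    "Hi, as discussed on the call, my card is 4111 1111 1111 1111, exp 09/27.",
    "Ticket 4521: the SSN on file is 123-45-6789, please confirm it.",
    "Order reference 1234 5678 9012 3456 ships tomorrow.",
    "Lunch at noon? Bring the Q3 deck.",
]

# 13-19 digits, optionally separated by spaces or dashes, as cards are usually typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN format with the structurally invalid area (000, 666, 9xx), group (00) and
# serial (0000) values excluded, which removes many accidental matches.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum used by card issuers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Keep only the last few characters so the alert itself does not leak the PII."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_pii(text):
    """Return (kind, masked_value) pairs for card numbers and SSNs found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The Luhn check weeds out order numbers and other digit runs that look like cards.
        if luhn_valid(digits):
            hits.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group())))
    return hits


def scan_outbound(messages):
    """Map message index -> findings for every message that should be held for review."""
    return {i: hits for i, msg in enumerate(messages) if (hits := find_pii(msg))}


if __name__ == "__main__":
    for idx, hits in scan_outbound(OUTBOUND).items():
        print(f"message {idx}: {hits}")
```

Real DLP products add many more detectors and context rules, but the two ideas shown here carry over: validate the candidate (Luhn, structural SSN rules) before alerting, and never put the raw value in the alert.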

Since the weak link in phishing attacks is the end user, you should provide proper end-user security awareness training and educate your team on how to recognize a phishing scam. The key to protecting against phishing lies in the ability to recognize the attack as illegitimate. Following are some key concepts to include in end-user training:

  • Instruct users to choose strong, unique passwords and to be wary of posting personal details on social media. Information such as birthdates, addresses and phone numbers is valuable to an attacker.
  • If there are any suspicions about an email or social post, contact the IT or security team to have them examine it.
  • Only open attachments from a trusted source. When in doubt, check with the alleged sender directly.
  • Note any language or formatting in a message that differs from legitimate organizational communications.
  • Never give away personal information or credentials in response to an email, text or unsolicited call. Financial institutions will never call and ask for login credentials or account information, because they already have it.
  • Inspect emails for typos and poor grammar. This is usually a dead giveaway of less-sophisticated phishing scams, though well-crafted ones may be flawless.
  • Beware of urgent or time-sensitive warnings. Phishing attacks often prompt action by manufacturing urgency.
  • Hover over links to see where they actually lead before clicking, and check that the domain is the organization’s real one, not a lookalike.
  • Verify emails and other correspondence by contacting the organization directly. If you think something is fishy (okay, bad pun), a phone call to a number taken from the organization’s official website or your statement, never one supplied in the message, quickly separates a legitimate request from a fake one.

Remember, when it comes to thwarting a phishing attack, acting as a skeptic is a wise move.


What’s the Difference Between Ransomware vs. Malware vs. Social Engineering vs. Phishing?

Ransomware, malware, social engineering and phishing are related but distinct terms for ill-intentioned cyberactivity.

  • Malware is a general term, formed from “malicious software”, for any software intended to compromise systems, obtain sensitive data or gain unsanctioned access to a network.
  • Ransomware is a category of malware in which attackers encrypt your data, making it inaccessible, or lock you out of a system or device, and then demand a ransom in exchange for restoring access.
  • Social Engineering, by contrast, is a method of extracting sensitive details through human manipulation rather than a technical flaw. With social engineering, attackers approach users while pretending to represent a legitimate organization and try to obtain critical information such as account numbers or passwords.
  • Phishing is a form of social engineering carried out over email, phone, text or illegitimate websites; it is also a common delivery mechanism for malware, including ransomware. In both cases, the collected information is used to access protected accounts or data.

While this guide is an introduction to the threats posed by phishing, it is by no means exhaustive. Phishing, like the rest of the cybersecurity landscape, changes daily, and attacks are becoming increasingly sophisticated. The best way to combat them is to stay informed about the latest techniques.
