What Is Phishing and How to Defend Your Business?

There are many types of cyberattacks that hackers use to gain information, files, and other assets from individuals and companies. Staying protected from these is crucial.

As cybersecurity solutions become more effective compared to traditional types of attacks, hackers are leveraging the human nature of users to bypass security measures.

Definition: What is phishing?

Phishing (pronounced: fishing) is a type of social engineering attack that is designed to trick users into handing over sensitive information such as login credentials, bank account numbers or IT system access. These attacks usually come in the form of an email or a text message that imitates legitimate brands, or users.

Brief History of Phishing attacks

Back in the early 1990’s users required a “dial-up” connection to access the internet and AOL was one of the largest services providers. Due to its popularity it became a prime target for hackers and became the go-to cover for the first phishing attacks.

In 1995 “AOHell” was created to steal users' passwords and use algorithms to create randomized credit card numbers. It imitated AOL employees and administrators by asking users to provide access to their login credentials as part of system checks and audits.

In the early 2000s, attackers turned their attention to financial systems. By 2003, phishers started registering domain names that were slight variations of legitimate commerce sites, such eBay and PayPal, and sending mass mailings asking customers to visit the sites, enter their passwords and update their credit card information.

In September of 2013, Cryptolocker ransomware infected 250,000 personal computers, making it the first cryptographic malware spread by downloads from a compromised website.

Phishers start adopting HTTPS with gift card phishing campaigns starting in 2018 only to evolve to vendor email compromise in 2019.

In 2020, 74% of organizations in the United States experienced a successful phishing attack.

To this day attacks are still growing and pose a real risk for both individuals and companies across the world, which is why it's important to know about and mitigate against cyber attacks.

Common phishing techniques: sense of urgency

• Emails from fake businesses asking for personal or sensitive information.

• Emails from fake financial institutions asking for bank account numbers and passwords.

• Emails from government agencies asking for personal information.

• Messages on social media that ask you to log in with your username and password.

Phishing attack examples

Fake Websites and Login Credentials

One of the most common forms of phishing attacks is sending emails that imitate common services such as Netflix. This has been used multiple times and reported by police and security services around the world.

It's a fairly simple tactic that leverages trust, as users already know the brand. It also starts a sense of urgency as it suggests your account is on hold. However, in reality this is an imitation email that will link to a fake website where you can “update” your card details. Once you then update the details, you effectively have just handed over your details to the attacker who can then use that for anything they wish.

Trust, Urgency, Clear Goal. These tactics are at the backbone of all successful phishing attacks.

Different Types of phishing attacks

There are many different types of attacks, but they all have one thing in common: they try to get the victim to share their personal information. However there are various ways to achieve this, from suspicious emails to text messages, phishers will try to trick you anyway they can.

Spear Phishing

Spear phishing is a targeted type of phishing that involves an attempt to trick a targeted individual into sharing access to credentials or sensitive information. Compared to more common types of phishing attacks that are indiscriminate and target large groups of people.

Attackers pass themselves off as someone the target knows well or an organisation they’re familiar with. A good spear phishing example is a hacker pretending to be a CEO at the company of a target user. They spoof the CEO’s email address and then claim that their login credentials are not working and ask for the target to share theirs so they can use them to gain access to a file or data.

There might be additional time pressures to add a sense of urgency, e.g. a board meeting or press conference. As the target user knows the CEO / works at that company they might be trusting and with the time pressure they might not check red flags as thoroughly as possible.

These attacks are typically crafted after research of the target has occurred, resulting in a more personally relevant attack.

Whaling email Phishing

Whaling phishing is a form of phishing attack with a focus on a high-value target or senior employee within an organisation. These attacks are more detailed than generic phishing emails as they target an individual, normally contain personalised information and are often crafted with a solid business language understanding. These traits can make them very hard to spot and regularly result in senior employees being tricked into transferring funds, sensitive data or triggering malware.

One of the largest examples of these CEO Fraud / whaling attacks was in 2016 at Belgium bank, Crelan Bank. This attack resulted in a $75m loss for the company.

Although this type of attack is very targeted, it's essential to ensure all employees are aware and protected of cyber attacks as everyone can be a target, not just high level executives.

Mass Campaigns

Mass phishing messages are sent to as many people as possible to trick users into handing over sensitive data or financial information. These attacks usually involve imitating a popular brand requesting a password reset or updating billing information.

The damage caused by falling victim to a mass campaign may not be as immediately evident as more targeted attacks as there is a lag time between the successful attack and sale of the data obtained in the attack.

Ambulance Chasing Scams / Phishing

Ambulance chasing phishing scams are exploiting human nature to the extreme by targeting people at times of extreme stress. These campaigns normally target users with fake fundraising campaigns during disaster events such as fire, floods, wars. Due to the emotional pull on these types of events it can be extremely effective to trick users.

This form of phishing is commonly a mass campaign, but can also be a spear phishing attack depending on how targeted the message is.

Pretexting

Pretexting is a highly effective method of phishing as it involves two key touch points. One which builds trust normally in person or via a phone call to set an expectation that they’ll be sending something seemingly legitimate in the near future. The second point via email or digital message with a trigger point that contains a malicious link to either capture sensitive data or to download malware.

For example, attackers may call and leave a voicemail acting as a vendor saying that their contract will be sent shortly via email. Then, an email pertaining to the voicemail will be sent containing malicious links, that might contain ransomware or another form of malware.

Mobile Phishing

As attackers look to take advantage of users by any means, mobile phishing is a growing trend. By leveraging SMM and MMS applications attackers are able to hit users 24/7.

Mobile Phishing also known as smishing, is where attackers send phishing messages SMS or social media messages to users to trick them into taking a quick action by posing as a trusted third party.

For example a user might get a text message from someone they believe is their bank saying: “We’ve detected unusual activity on your bank account, if this was not you, please login to your account and review these transactions.” This is designed to cause panic and get users to take quick action by handing over their bank login details.

Clicking through links in these messages can give hackers access to your data, or allow them to install malicious software on your device.

Man-in-the-Middle

This type of attack is more sophisticated, as it involves intercepting emails between two people. The attacker can then send emails back to these two people, who think they are coming from each other, but are actually from the attacker.

They can ask for private information or request certain actions, and the person may easily fall victim as they think the email is from a trusted source.

Wi-Fi Twin

In this method, hackers will create a Wi-Fi network copying the address of another. Anyone who connects to this spoofed network will be exposed to the hackers, allowing them to access passwords and other information.

This is usually done in public spaces such as coffee shops, malls and airports.

Reporting phishing scams report phishing email

If you or a client of yours fall victim to a phishing attack there are things that can be done to try to recover your details, protect others, and stop attackers from causing further damage. Most local governments have their own guides and advice around reporting fraud however for citizens in the USA, UK, Australia you can find support on the links provided.

• United States Fraud Prevention: https://www.usa.gov/stop-scams-frauds

• UK Report Phishing Scams: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-website

• Australia Scamwatch: https://www.scamwatch.gov.au/report-a-scam

Phishing protection: How to defend against scams?

There are a few key ways to protect an organisation from phishing and increase your cyber resiliency.

• Regular training of staff and customers

• Learn the psychological triggers

• Build a positive security culture

• Implement technical measures e.g. email security or anti-phishing solutions

• Test the effectiveness of the training

To learn more about these protection methods read our blog on "How to Spot and Protect Against Phishing Email Attacks"