August 07, 2022
What is Phishing and How to Defend Your Business?
There are many types of cyberattacks that hackers use to gain information, files, and other assets from individuals and companies. Staying protected from these is crucial.
As cybersecurity solutions become more effective compared to traditional types of attacks, hackers are leveraging the human nature of users to bypass security measures.
Definition: What is phishing?
Phishing (pronounced: fishing) is a type of social engineering attack that is designed to trick users into handing over sensitive information such as login credentials, bank account numbers or IT system access. These attacks usually come in the form of an email or a text message that imitates legitimate brands, or users.
Brief History of Phishing attacks
Back in the early 1990’s users required a “dial-up” connection to access the internet and AOL was one of the largest services providers. Due to its popularity it became a prime target for hackers and became the go-to cover for the first phishing attacks.
In 1995 “AOHell” was created to steal users' passwords and use algorithms to create randomised credit card numbers. It imitated AOL employees and administrators by asking users to provide access to their login credentials as part of system checks and audits.
In the early 2000s, attackers turned their attention to financial systems. By 2003, phishers started registering domain names that were slight variations of legitimate commerce sites, such eBay and PayPal, and sending mass mailings asking customers to visit the sites, enter their passwords and update their credit card information.
In September of 2013, Cryptolocker ransomware infected 250,000 personal computers, making it the first cryptographic malware spread by downloads from a compromised website.
Phishers start adopting HTTPS with gift card phishing campaigns starting in 2018 only to evolve to vendor email compromise in 2019.
In 2020, 74% of organisations in the United States experienced a successful phishing attack.
To this day attacks are still growing and pose a real risk for both individuals and companies across the world, which is why it's important to know about and mitigate against cyber attacks.
Common phishing techniques: sense of urgency
Emails from fake businesses asking for personal or sensitive information.
Emails from fake financial institutions asking for bank account numbers and passwords.
Emails from government agencies asking for personal information.
Messages on social media that ask you to log in with your username and password.
Phishing attack examples
Fake Websites and Login Credentials
One of the most common forms of phishing attacks is sending emails that imitate common services such as Netflix. This has been used multiple times and reported by police and security services around the world.
It's a fairly simple tactic that leverages trust, as users already know the brand. It also starts a sense of urgency as it suggests your account is on hold. However, in reality this is an imitation email that will link to a fake website where you can “update” your card details. Once you then update the details, you effectively have just handed over your details to the attacker who can then use that for anything they wish.
Trust, Urgency, Clear Goal. These tactics are at the backbone of all successful phishing attacks.
Different Types of phishing attacks
There are many different types of attacks, but they all have one thing in common: they try to get the victim to share their personal information. However there are various ways to achieve this, from suspicious emails to text messages, phishers will try to trick you anyway they can.
Spear phishing is a targeted type of phishing that involves an attempt to trick a targeted individual into sharing access to credentials or sensitive information. Compared to more common types of phishing attacks that are indiscriminate and target large groups of people.
Attackers pass themselves off as someone the target knows well or an organisation they’re familiar with. A good spear phishing example is a hacker pretending to be a CEO at the company of a target user. They spoof the CEO’s email address and then claim that their login credentials are not working and ask for the target to share theirs so they can use them to gain access to a file or data.
There might be additional time pressures to add a sense of urgency, e.g. a board meeting or press conference. As the target user knows the CEO / works at that company they might be trusting and with the time pressure they might not check red flags as thoroughly as possible.
These attacks are typically crafted after research of the target has occurred, resulting in a more personally relevant attack.
Whaling email Phishing
Whaling phishing is a form of phishing attack with a focus on a high-value target or senior employee within an organisation. These attacks are more detailed than generic phishing emails as they target an individual, normally contain personalised information and are often crafted with a solid business language understanding. These traits can make them very hard to spot and regularly result in senior employees being tricked into transferring funds, sensitive data or triggering malware.
One of the largest examples of these CEO Fraud / whaling attacks was in 2016 at Belgium bank, Crelan Bank. This attack resulted in a $75m loss for the company.
Although this type of attack is very targeted, it's essential to ensure all employees are aware and protected of cyber attacks as everyone can be a target, not just high level executives.
Mass phishing messages are sent to as many people as possible to trick users into handing over sensitive data or financial information. These attacks usually involve imitating a popular brand requesting a password reset or updating billing information.
The damage caused by falling victim to a mass campaign may not be as immediately evident as more targeted attacks as there is a lag time between the successful attack and sale of the data obtained in the attack.
Ambulance Chasing Scams / Phishing
Ambulance chasing phishing scams are exploiting human nature to the extreme by targeting people at times of extreme stress. These campaigns normally target users with fake fundraising campaigns during disaster events such as fire, floods, wars. Due to the emotional pull on these types of events it can be extremely effective to trick users.
This form of phishing is commonly a mass campaign, but can also be a spear phishing attack depending on how targeted the message is.
Pretexting is a highly effective method of phishing as it involves two key touch points. One which builds trust normally in person or via a phone call to set an expectation that they’ll be sending something seemingly legitimate in the near future. The second point via email or digital message with a trigger point that contains a malicious link to either capture sensitive data or to download malware.
For example, attackers may call and leave a voicemail acting as a vendor saying that their contract will be sent shortly via email. Then, an email pertaining to the voicemail will be sent containing malicious links, that might contain ransomware or another form of malware.
As attackers look to take advantage of users by any means, mobile phishing is a growing trend. By leveraging SMM and MMS applications attackers are able to hit users 24/7.
Mobile Phishing also known as smishing, is where attackers send phishing messages SMS or social media messages to users to trick them into taking a quick action by posing as a trusted third party.
For example a user might get a text message from someone they believe is their bank saying: “We’ve detected unusual activity on your bank account, if this was not you, please login to your account and review these transactions.” This is designed to cause panic and get users to take quick action by handing over their bank login details.
Clicking through links in these messages can give hackers access to your data, or allow them to install malicious software on your device.
This type of attack is more sophisticated, as it involves intercepting emails between two people. The attacker can then send emails back to these two people, who think they are coming from each other, but are actually from the attacker.
They can ask for private information or request certain actions, and the person may easily fall victim as they think the email is from a trusted source.
In this method, hackers will create a Wi-Fi network copying the address of another. Anyone who connects to this spoofed network will be exposed to the hackers, allowing them to access passwords and other information.
This is usually done in public spaces such as coffee shops, malls and airports.
Reporting phishing scams report phishing email
If you or a client of yours fall victim to a phishing attack there are things that can be done to try to recover your details, protect others, and stop attackers from causing further damage. Most local governments have their own guides and advice around reporting fraud however for citizens in the USA, UK, Australia you can find support on the links provided.
United States Fraud Prevention: https://www.usa.gov/stop-scams-frauds
UK Report Phishing Scams: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-website
Australia Scamwatch: https://www.scamwatch.gov.au/report-a-scam
Phishing protection: How to defend against scams?
There are a few key ways to protect an organisation from phishing and increase your cyber resiliency.
Regular training of staff and customers
Learn the psychological triggers
Build a positive security culture
Implement technical measures e.g. email security or anti-phishing solutions
Test the effectiveness of the training
To learn more about these protection methods read our blog on "How to Spot and Protect Against Phishing Email Attacks"