What Does Phishing Mean?
Phishing is a security exploit in which a perpetrator impersonates a legitimate business or reputable person in order to acquire private and sensitive information such as credit card numbers, personal identification numbers (PINs), and passwords.
Phishing relies on technical deception, as well as social engineering tactics designed to manipulate the victim into taking specific action on behalf of the attacker, such as clicking on a malicious link, downloading and/or opening a malicious email attachment, or divulging information the attacker can use in a future attack.
According to a joint project run by the United States Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks begin with phishing. One of the key reasons behind the prevalence of phishing attacks is the attack vector’s versatility and high return on investment for cybercriminals.
To mitigate the risks associated with phishing, individuals and organizations need to prioritize phishing awareness education, implement robust email filtering, consider using anti-phishing cloud services, and follow best practices for safe online behavior.
How Phishing Works: Phishing Attack Indicators
In a successful phishing attempt, one of the scammer’s primary objective is to gain the victim’s trust. To achieve this, scammers use both technical and psychological tactics to make communication with potential victims appear credible and legitimate.
To safeguard against phishing scams, it’s important for individuals to know the indicators of a phishing attack in email, voice, and text messages. It’s important to be wary of messages that ask for personal data such as login credentials, credit card numbers, or Social Security numbers. One of the biggest telltale signs is that the communication is unsolicited and it requests sensitive information or asks the victim to verify sensitive information. Legitimate organizations typically do not make such requests through email, text or voice messages.
If the sender’s contact information doesn’t precisely match what would be expected from the legitimate source, that’s another sign the unsolicited communication could also be a phishing attempt. Phishers often use deceptive email addresses that closely resemble a legitimate entities and phone numbers that don’t match the legitimate entity’s area code.
Some phishers, however, use compromised legitimate email accounts or phone numbers to conduct their attacks. This can make it harder to spot discrepancies in contact information.
That’s why other factors, such as the message content, appearance and overall context of the request, should also be taken into account when evaluating the authenticity of a communication. Any unsolicited communication that requests sensitive information to be verified should be regarded as a possible phishing attempt.
Types and Examples of Phishing Exploits
Phishing exploits can be adapted to meet the needs of different types of targets and attack objectives. It’s this versatility that allows cybercriminals to choose the communication medium that suits their target audience and objectives and cast either a broad net designed to increase the chance of finding a vulnerable target – or a narrow net designed to catch a specific victim.
Popular types of phishing exploits include:
This is the most common type of phishing attack. The attacker sends an email that appears to be from a legitimate source, such as a bank, credit card company, or government agency. The email often contains a link that, when clicked, takes the victim to a fake website that looks like the real website. Once the victim enters their login credentials or other sensitive information on the fake website, the scammers can steal it.
Here are some examples of email phishing scams:
- Invoice scam: The scammer sends an email that appears to be from a legitimate company, such as a utility company or credit card company. The email says that the victim has an unpaid invoice and asks them to click on a link to pay it. The link takes the victim to a fake website that looks like a real website. Once the victim enters their payment information on the fake website, the scammers can steal it.
- Password reset scam: The scammer sends an email that appears to be from a legitimate company, such as a bank or social media website. The email says that the victim’s password has been reset and asks them to click on a link to change it. The link takes the victim to a fake website that looks like a real website. Once the victim enters their new password on the fake website, the scammers can steal it.
- Tech support scam: The scammer sends an email that appears to be from a legitimate tech support company. The email says that the victim’s computer has a problem and asks them to call a certain number for help. When the victim calls the number, they are connected to a scammer who will try to convince them to give them remote access to their computer. Once the scammer has remote access to the victim’s computer, they can steal their personal information or install malware.
This is a more targeted type of phishing attack in which the attacker crafts a communication that is specifically tailored to the victim. For example, the attacker’s email might be about a topic that the victim has shown previous interest in because it is relevant to their work. When artificial intelligence (AI) and machine learning (ML) are used for personalization, the email is more likely to be opened, and the victim is more likely to fall for the scam.
Here are some examples of spear phishing scams:
- Targeted email scam: The scammer sends an email that is specifically tailored to the victim. The email may mention the victim’s name, company, or other personal information. Personalization makes the email more likely to be opened, and the victim is more likely to fall for the scam.
- Business email compromise (BEC) scam: The scammer sends an email that appears to be from a legitimate business associate, such as a vendor or customer. The email may ask the victim to make a payment or change their password. The scammer will often use a sense of urgency to pressure the victim into acting quickly.
- Appeal to authority scam:The scammer sends an email that appears to be from a high-level executive whose name the victim is likely to know. The email asks the victim to wire money to a specific account, usually overseas. The scammer will often use a sense of urgency to pressure the victim into acting quickly.
Here are some examples of whaling scams:
- CEO fraud: The scammer sends an email to the Vice President of Finance that appears to be from the company’s Chief Executive Officer. The email urges the potential victim to immediately take a specific action on behalf of the scammer that will ultimately result in financial loss or the unauthorized release of sensitive information.
- Vendor impersonation scam: The scammer sends an email to the Vice President of Procurement that appears to be from someone the victim’s company does business with. The bogus email asks the victim to authorize payment for an invoice that is allegedly “past due” or change a delivery address for a large order.
- Internal employee scam: The scammer targets the Vice President of Sales and sends an email designed to trick them into taking a specific action that will give the attacker access to sensitive information in customer records.
This type of phishing exploit uses SMS text messages to communicate with the target. The text messages will often contain a link that, when clicked, takes the victim to a fake website or asks the victim to provide sensitive information.
Here are some examples of smishing scams:
- Parcel delivery scam: The scammer sends a text message that appears to be from a shipping company, such as UPS or FedEx. The message says that the victim has a package waiting for them and asks them to click on a link to track it. The link takes the victim to a fake website that looks like a real shipping company website. Once the victim enters their personal information on the fake website, the scammers can steal it.
- Banking scam: The scammer sends a text message that appears to be from a bank, such as Bank of America or Wells Fargo. The message says that the victim’s account has been compromised and asks them to click on a link to verify their information. The link takes the victim to a fake website that looks like the real bank website. Once the victim enters their login credentials on the fake website, the scammers can steal them.
- Password reset scam: The scammer sends a text message that appears to be from a popular company such as Amazon or eBay. The message says that the victim’s password has been compromised and asks them to click on a link to change it. The link takes the victim to a fake website that looks like a real website. Once the victim enters their old password in order to change it to a new password on the fake website, the scammers can steal it.
Here are some examples of vishing scams:
- Tech support scam: The scammer calls the victim and claims to be from a legitimate tech support company. They inform the victim that their computer has a problem and ask for permission to access the computer remotely. Once the scammer has been granted remote access to the victim’s computer, they can steal their personal information or install malware.
- Government impersonation scam: The scammer calls the victim and claims to be from a government agency, such as the Internal Revenue Service (IRS) or Social Security Administration. They will inform the victim that they owe money and ask them to pay it over the phone. In this type of phishing exploit, the scammer may use threats or intimidation to pressure the victim into paying.
- Sweepstakes scam: The scammer calls the victim and informs them that they have won a prize in a sweepstakes or lottery. They will ask the victim to provide personal information, such as their social security number or bank account number, in order to claim the prize. The scammer will then use the victim’s information to steal money or conduct identity theft.
This type of scam targets cryptocurrency investors and traders. The scammers send emails or messages that appear to be from a legitimate source, such as a cryptocurrency exchange or wallet provider. The emails or messages often contain a link that, when clicked, takes the victim to a fake website that looks like the real website. When the victim enters their login credentials or other sensitive information on the fake website, the scammers can steal the information.
Here are some examples of crypto phishing scams:
- Security warning scam: The scammer sends an email that appears to be from a cryptocurrency exchange, warning the victim that their account has been compromised. The email asks the victim to click on a link to verify their account. The link takes the victim to a fake website that looks like the real exchange website. Once the victim enters their login credentials on the fake website, the scammers can steal them.
- Giveaway scam: The scammer sends a message on social media that appears to be from a celebrity or influencer. The message asks the victim to send cryptocurrency to a certain address to enter a contest or crypto giveaway. The address belongs to the scammer, and the victim’s cryptocurrency will be stolen.
- Counterfeit website scam: The scammer creates a fake cryptocurrency website that looks like a legitimate exchange or wallet provider. The scammer then advertises the fake website on social media or other online platforms. When victims visit the fake website and enter their login credentials, the scammers can steal them.
Watering Hole Attacks
This type of phishing scam targets websites that professionals within a specific industry or market segment are likely to visit.
Here are some examples of watering hole scams:
- Community forum scam: The scammer compromises an industry-specific forum or community website that professionals in a particular field are likely to visit. When targeted individuals visit the forum, their devices are infected with malware, or they are directed to a fake login page that will harvest their credentials.
- Employee portal scam: The scammer targets an employee benefits portal or intranet site that employees frequently access to manage their benefits, view pay stubs, or access company resources. By compromising this portal, the attacker can potentially steal employees’ login credentials and personal information or even inject malware into their devices. This information can be used for corporate espionage or further attacks within the organization’s network.
- Malicious VPN scam: The attacker creates a fake website that offers access to free VPNs. People who sign up to use the bogus virtual private networks are at risk of having their credit card details stolen, private photos and videos leaked or sold online, and private conversations recorded and sent to the attacker’s server.
This type of phishing attack places malicious ads on legitimate websites. When victims click on the ads, they are taken to a fake website that will infect them with malware.
Here are some examples of malvertising scams:
- Drive-by download scam: This type of scam occurs when malware is automatically installed on a user’s computer when they visit a website that has been infected with malicious code. The malware can be used to steal personal information, install other malware, or take control of the computer.
- Pop-up ad scam: This type of scam involves displaying unwanted pop-up ads on a user’s computer. The ads may contain malicious code to hijack the victim’s browser or allow the attacker to move laterally through the victim’s network and look for other vulnerabilities to exploit.
- Clickjacking scam: This type of scam involves tricking a user into clicking on a malicious link or website button. The link or button may appear to be legitimate, but it is actually designed to install malware or steal personal information.
This type of phishing attack uses popular social media websites like Facebook and TikTok as the attack vector. The attacker creates fake social media accounts to interact with real users on social media platforms and gain their trust. Eventually, the attacker will send a direct message (DM) or post something on the site that contains a link to a phishing website.
Examples of angler scams include:
- Complaints on social media: In this scam, the attacker creates a fake social media account that looks like a legitimate customer service account for a company. They then reach out to people who have posted complaints about the company on social media and offer to “help” them resolve their issues. The attacker will then redirect the victim to a phishing website that asks for the victim’s email address, phone number, or other personal information the attacker can use to steal the victim’s identity.
- Community page scams: In this scam, the attacker creates a fake community page that requires personal information such as a name, address, or phone number before access will be granted. Once the scammer has collected the victim’s information, they can use it with other information to commit fraud or identity theft.
- Refund scams: In this scam, the attacker sends an email or text message that appears to be from a legitimate company, such as a bank or credit card company. The email or text message will say that the victim is owed a refund and provides the victim with a link to claim it. The link will take the victim to a fake website that looks like the legitimate company’s website. Once the victim enters their personal information on the fake website, the attacker can steal it.
Psychological Strategies Used in Phishing
Phishing strategies for getting a victim to carry out a specific action on behalf of the attacker often exploit human psychology. By masquerading as trusted entities, creating a sense of urgency, or appealing to victims’ desire to help or be part of a group, an attacker can prompt impulsive responses.
While technical tactics such as email spoofing, domain mimicry, or malware delivery are critical components, it’s the psychological manipulation that often determines success. Ironically, most of the strategies that phishers use are well-known marketing techniques.
Psychological strategies used to carry out successful attacks include:
- Creating a Sense of Urgency: Phishers often design their communication to have a sense of urgency. People tend to prioritize urgent matters and are more likely to act impulsively when they perceive a time-sensitive threat.
- Inspiring Fear: The attacker’s communication will claim the victim’s account will be suspended, or legal action will be taken unless they act immediately. Fearful individuals are more likely to react impulsively.
- Inspiring Curiosity: The attacker’s communication is designed to pique the victim’s curiosity by providing incorrect information or tantalizing details that will prompt them to click on a link or open an attachment to learn more.
- Appealing to Authority: The phisher’s communication seems to be from an authority figure like a CEO, IT administrator, or government official.
- Appealing to Familiarity: The attacker uses the victim’s trust in a known brand, organization, or individual to create a false sense of security.
- Creating a Sense of Scarcity: The attacker creates the perception of exclusivity or limited availability to motivate victims to take action quickly.
- Inspiring Guilt: The attacker’s communication is designed to make the victim feel guilty or ashamed for not complying with a request by claiming the communication is not the first one sent.
- Using Social Proofs: The attacker provides fake testimonials, endorsements, or references to make the request appear trustworthy and socially validated.
- Encouraging Reciprocity: The attacker offers something of perceived value to the victim (such as a discount or freebie) in exchange for their taking a desired action.
- Appealing to the Past: The attacker’s communication contains a request that is consistent with a prior action the victim is familiar with.
- Appealing to Friendship: The attacker’s communication closely mimics the writing style of a colleague or friend in order to lower the victim’s guard.
- Inspiring Sympathy: The attacker’s communication is designed to tap into the victim’s sense of sympathy and desire to help the attacker out of a jam.
- Using FOMO (Fear of Missing Out): The attacker’s communication exploits the victim’s fear of missing out on an opportunity or event. Typically, the scammer will claim that immediate action is required to participate.
- Appealing to Ingroup Biases: The attacker’s communication is designed to inspire a sense of belonging to a social group or “ingroup” the victim is familiar with. The phisher will craft phishing emails or messages that appear to come from sources that share a common identity or characteristic with the target.
Technical Techniques Used in Phishing
The psychological strategies above, when combined with the technical tactics below, are what make phishing attacks so highly effective. When recipients act on psychological triggers, they often fall victim to the technical traps concealed within phishing emails, vishing phone calls, and SMS text messages. (Editor’s Note: Attackers who lack the technical skills necessary to carry out an attack can purchase phishing kits on the dark web.)
Technical tactics commonly used in phishing attacks include:
Email Spoofing: The attacker manipulates email headers so they appear to be from a trusted source. Email spoofing is facilitated by weaknesses in the standard protocol for sending emails, Simple Mail Transfer Protocol (SMTP). SMTP does not require email senders to verify the accuracy of the “From” address they provide, which makes it relatively easy for attackers to forge this information.
Domain Spoofing: The attacker purchases domain names that appear to be legitimate because they closely resemble legitimate and well-known domain names.
Subdomain Takeover: The attacker identifies an organization’s vulnerable subdomains and takes control of them to host phishing sites.
Attachment-Based Attacks: The attacker sends phishing emails with attachments that contain macros or scripts that execute malicious code. The emails typically employ social engineering tactics designed to convince the recipient to enable the macro instructions or malicious scripts within the attachment.
Drive-By Downloads: The attacker exploits vulnerabilities in a victim’s browser or software to download and install malware without the victim’s knowledge.
Man-in-the-Middle (MitM) Attacks: The attacker intercepts communication between the victim and a legitimate website to capture sensitive data.
Data Exfiltration: The attacker sends data stolen from victims’ devices to a server the attacker controls, so the information can be used later on.
Credential Harvesting: The attacker creates fake login pages for popular services to capture usernames, passwords, and other credentials.
Session Hijacking: The attacker steals active session cookies or tokens to impersonate a user and gain unauthorized access to their accounts.
Tabnabbing: The attacker exploits the user’s trust in browser tabs by replacing inactive tabs with phishing pages.
Homograph Attacks: The attacker uses Unicode characters that look similar to Latin characters in domain names to deceive victims.
Content Spoofing: The attacker manipulates web content on a compromised website to trick visitors into engaging in actions that benefit the attacker.
Email Forwarding: The attacker sets up email filters (rules) in compromised email accounts that will automatically forward sensitive messages that contain account information to the attacker.
DNS Spoofing: The attacker manipulates DNS records to redirect users to fake websites when they enter legitimate URLs.
Cross-Site Scripting (XSS): The attacker injects a malicious script into a web page’s code that will execute an action on behalf of the attacker. XSS can be used to steal session cookies, which may contain login credentials or other sensitive information that allows the attacker to impersonate the victim.
Brand Impersonation: The attacker solicits sensitive information from the victim by leveraging the trust they have in a particular brand name.
SQL Injection: The attacker enters specially crafted SQL code into a website’s input fields to gain unauthorized access to databases the website uses. While SQL injection is more commonly associated with data breaches and web application attacks, it can be employed in phishing attacks to gather information or deliver malicious payloads.
How to Prevent Phishing Attacks
With the sensitive information obtained from a successful phishing scam, criminals can do damage to their victims’ financial histories, personal reputations, and professional reputations that can take years to unravel. The combination of psychological and technical elements in phishing attacks amplifies their effectiveness and underscores the importance of cybersecurity education and robust defenses to counter these threats.
The following security precautions are recommended to prevent phishing attacks from being successful:
- Never open email attachments that are not expected;
- Never click on email links that request personal information;
- Validate a URL before clicking on it by hovering the mouse cursor over the link to display the actual URL it leads to. The URLs should match;
- Never click on links that begin with HTTP instead of HTTPS;
- Be suspicious of all phone calls requesting personally identifiable information (PII) or the transfers of funds from one account to another;
- Don’t answer cell phone calls from unknown numbers;
- If someone calls claiming to be from a government agency or a legitimate company, hang up and call the number on the official website of that agency or company;
- Never give out credit card numbers over the phone;
- Always allow updates for web browsers, operating systems, and software applications running locally on internet-accessible devices;
- Use updated computer security tools, such as anti-virus software and next-gen firewalls;
- Verify a website’s phone number before placing any calls to the phone number provided in an email;
- Use strong passwords and two-factor authentication (2FA) for all online accounts;
- Report suspected scams to the company the phisher is impersonating, as well as government authorities such as the Federal Trade Commission (FTC).
If applicable, ask the Information and Communication Technology (ICT) team to:
- Review and reduce the number of corporate accounts with access to critical data and devices;
- Restrict password sharing;
- Reduce opportunities for privilege escalation by limiting access privileges;
- Implement security controls that will prevent users from running whoami and other command-line utility programs based on user roles.
Anti-phishing software can be thought of as a cybersecurity toolkit that employs a wide range of techniques to identify and neutralize phishing threats. Here are some key features and functions of anti-phishing software suites:
- Email Filtering: Anti-phishing solutions often include email filtering capabilities to scan incoming messages for suspicious content and analyze sender addresses, email content, and embedded links to identify phishing attempts. Adaptive email security apps can detect abnormal behavior and automatically restrict an employee’s access to sensitive data and systems.
- Link Analysis: These tools inspect URLs within emails or messages to verify their legitimacy. They compare the links against known blacklists of malicious domains and assess their reputation.
- Content Analysis: This type of anti-phishing software analyzes email content, looking for phishing indicators such as misspellings, suspicious attachments, or requests for sensitive information.
- Real-time Threat Intelligence: Many anti-phishing services rely on digital immune systems with real-time threat intelligence feeds to stay updated on emerging phishing threats and tactics. This helps in identifying and blocking new types of phishing campaigns promptly.
- Machine Learning and AI: Advanced anti-phishing software employs ML and AI algorithms to adapt and improve their detection capabilities. They can recognize patterns indicative of phishing attacks, even in previously unseen threats.
While anti-phishing software and anti-phishing cloud services are formidable weapons against cybercriminals, it’s crucial to remember that human vigilance remains a critical component of effective cybersecurity. No software can replace the need for individuals to be cautious, skeptical, and well-informed about phishing threats.
Security awareness training should go hand-in-hand with anti-phishing solutions to create a robust defense posture.