Phishing: Recognizing the Threat
Phishing is a problem wherever people work. According to Proofpoint, in 2020, three-quarters of all businesses experienced a phishing attack of one kind or another. And they're becoming more sophisticated as well, with infected pages looking more and more professional as time goes by. In this article, we'll let you know how you can identify phishing attempts and protect your data.
What Is Phishing?
Phishing refers to the sending of professional, authentic-looking emails which request sensitive data from their recipients, either directly, or upon visiting an infected site. The most commonly sought-after information includes online banking PINs or passwords, which will then be used to drain accounts. Phishing emails can forward their victims to infected websites or even be used as a springboard for launching ransomware attacks that install malware capable of rendering your computer useless.
Phishers often try to pass themselves off as employees at reputable businesses or organizations, despite not having any affiliation with them whatsoever. Most commonly, they'll send emails in the name of banks or social networks and engage in fearmongering, threatening, for example, to suspend a PayPal account unless the user logs in within 24 hours.
Many phishers disguise themselves as PayPal staffers.
This makes phishing a type of social engineering since cybercriminals don't have to take advantage of technical weaknesses (code errors or exploits), but rather, human emotions and fears. After gaining their victims' trust, it becomes possible to easily (and voluntarily) con them out of their data.
The URLs contained in phishing emails often look just like those of trusted and reputable websites. Since the page's layout doesn't have any readily discernible differences at first glance, no alarm bells are set off. In addition to website spoofing, there's also domain spoofing, whereby a reputable email address displays in the message's header. It's not uncommon for both types of spoofing to be used side-by-side.
The origins of the term phishing are not entirely clear. One theory is that the word is based on 'fishing' but spelled using 'leetspeak', an Internet language. This 'language' plays on how words are spelled, often interchanging phonetically identical sounds with one another, or substituting numbers for letters (or vice versa). Alternatively, some argue that the spelling is derived from "phone phreaking", a type of telephone hacking popular in the 90s that reversed tones to allow for free international calling.
Whatever its roots, one of the first recorded usages of the term was in 1996, when mentioned in conjunction with AOHell, a piece of malware that stole AOL usernames and passwords.
What Types of Phishing Are There?
The goal of all phishing attacks is the same: Gain their victims' trust and glean sensitive data from them. With that said, the types of attacks vary depending on the target group:
- Classic Phishing – Basic phishing emails are sent by the thousands to random addresses in a scattershot fashion. The senders attempt to pass themselves off as working for platforms used by millions of people, such as PayPal or Amazon. This raises the likelihood that targets will volunteer information without the sender needing to invest any time or effort in scouting their victims. Recipients are often requested to change or confirm their password owing to an alleged security breach of some sort or another.
- Spear Phishing – As its name suggests, in contrast to classic phishing, spear phishing targets a specific person, usually an executive, IT administrator, or IT manager within an organization. Hackers using this method will often attempt to pass themselves off as working for IT companies that market products used by the target's organization.
- Whaling – This type of phishing goes after the big fish, that is to say, CEOs, managers, or departmental heads. These will receive emails that look to be from within the company or from trusted business partners. To appear as legitimate as possible, hackers will research their targets online, checking their social network profiles, copying older pictures, and even reading through comments.
Around 94% of all phishing attacks occur via email. There are, however, two other varieties of phishing attack:
- Smishing (SMS-Phishing) – Attackers contact their victims via SMS. Like classic phishing, a link redirects the victim to an infected website or commences the download of malware.
- Vishing (Voice Phishing) – This type of fraud involves the impersonation of police officers, bank employees, or IT staffers, who proceed to request sensitive data from their victims.
How Can I Recognize a Phishing Email?
Unfortunately, it isn't always possible to discern a phishing email from a legitimate one at first glance since most phishers create authentic-looking logos, layouts, and even signatures. In the event that you receive an email that you believe could be fraudulent, do not click on any of its hyperlinks or supply any data. Pay attention to the following signs:
Emails from organizations with non-specific domains
Companies and authorities never use commercial email domains such as @gmail.com or @yahoo.com. Businesses, such as banks, will only ever use their own domain, while for government or state authorities, the email address should originate from a .gov domain. For that reason, pay close attention to the domain. Delete all emails that don't have a readily discernible sender.
Generic greetings
Legitimate queries always refer to a customer or individual by name or username. Generic greetings such as "Dear Sir/Madam", "To whom it may concern", or "Hey!" usually signify some sort of fraud. Should you be unsure about the legitimacy of an email, you can always contact the company or organization directly (ideally through another channel or their generic service team) before passing judgment on the original message.
Grammar and spelling mistakes
Professional businesses the world over maintain high standards when it comes to syntax, spelling, and writing. Still, it is possible for a legitimate email to be missing a word or have a typo. All the same, if the message has an error in every sentence, or just doesn't 'sound' right, it's likely from a dubious source. In the event that you notice multiple grammatical or spelling errors in an email, we recommend deleting it.
Payment requests via email
In some cases, cybercriminals will try to pass themselves off as debt collectors or legal firms, threatening their victims with sizable fines if they don't pay up within a given time period. Legitimate legal firms will only ever get in touch via postal mail. Here too, it's a good idea to delete any such emails immediately.
Emails with attachments
Banks and insurance providers generally do not send any data to their clients in the form of attachments. Instead, after logging in to your bank or account, you'll be able to download any required files directly from the platform. Keep an eye out for .ZIP, .EXE or .RAR attachments, refraining from downloading, executing, or unzipping them.
Links whose text and target don't match
If you receive a suspicious email containing a hyperlink, hover your mouse over the link for a few seconds. After this, you should see the actual URL to which the link will take you. If the displayed text and the actual link don't match, the link almost certainly leads to an infected website. Close untrusted websites immediately, and delete any email which prompted you to visit them.
PIN and/or password request via link
The most distressing phishing attacks are online banking scams. Most of the time, victims will receive an email with a link to a website that looks fairly similar to that of their bank. Should a victim log in, the hackers will gain access to their account.
Banks will never ask their customers to log in to online banking via a link. Any email asking you to do so should be ignored and deleted.
Mismatched sender addresses
The sender addresses of phishing emails often appear to belong to reputable businesses or organizations. The actual sender address, however, will typically consist of a random combination of numbers and characters at an unknown domain.
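The signs listed above can be checked mechanically during triage. The following is an added example, not part of the original article, that parses a constructed sample message with Python's standard library and reports each sign it finds: a sender on a public webmail domain or with a display name that shares no word with its actual domain, a generic greeting, a link whose visible text names a different host than its target, and a .ZIP/.EXE/.RAR attachment. The sample message, the domain and greeting lists, and the matching heuristics are all assumptions made for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). It shows the signs
# described above: a "PayPal" display name over an unrelated sender domain,
# a generic greeting, a link whose text and target differ, and a .zip file.
SAMPLE_EML = b"""\
From: "PayPal Service" <notice-48213@mail-secure-login.example>
Subject: Your account will be suspended within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Sir/Madam,</p>
<p>Please confirm your identity at <a href="http://paypal.com.verify-account.example/login">https://www.paypal.com/signin</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAoAAAAAAA==
--b1--
"""

# Assumed lists; a real filter would use much longer ones.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
GENERIC_GREETINGS = ("dear sir/madam", "to whom it may concern", "dear user", "hey!")
RISKY_EXTENSIONS = (".zip", ".exe", ".rar")
# Link text that looks like a URL or bare domain, e.g. "www.paypal.com/signin".
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._current = [], None  # _current: [href, text] of open <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def host_of(text):
    """Lowercase hostname of a URL-like string, or '' if it is not URL-like."""
    text = text.strip()
    if not URLISH.match(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def triage(raw):
    """Return the list of warning strings for the signs found in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    # Sign 1: sender domain. Flag public webmail domains, and display names
    # none of whose words appear in the actual address domain.
    header = msg["From"]
    if header is not None and header.addresses:
        addr = header.addresses[0]
        domain = addr.domain.lower()
        if domain in PUBLIC_WEBMAIL:
            warnings.append(f"sender uses public webmail domain {domain}")
        words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", addr.display_name)]
        if words and not any(w in domain for w in words):
            warnings.append(f"display name '{addr.display_name}' "
                            f"does not match sender domain {domain}")
    # Sign 2: a generic greeting in the body text (tags stripped).
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in plain:
            warnings.append(f"generic greeting '{greeting}'")
            break
    # Sign 3: link text naming one host while the href points to another.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and shown != actual:
                warnings.append(f"link shows {shown} but points to {actual}")
    # Sign 4: attachment types the article says not to open.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment {name}")
    return warnings
```

Running `triage(SAMPLE_EML)` returns four warnings, one per sign. The link check only compares hosts when the visible text itself looks like a URL or domain; text such as "Click here" is skipped, because a human reading the email has nothing to compare in that case and must hover over the link as the text above describes.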
Notorious Phishing Attacks
Phishing attacks are nearly as old as the Internet itself. Over the past few years, however, hackers have managed to con quite a few highly lucrative victims. Some of the most infamous of these include:
- The Loveletter computer worm has caused around $10 billion worth of damages since May 2000. A Filipino IT student forwarded an email that had a subject line reading "ILOVEYOU". Anyone who clicked on the attachment which the email contained unknowingly installed malware on their computer which would delete large numbers of files. Loveletter was the first case of phishing that generated worldwide attention.
- Between 2013 and 2015, a Lithuanian scammer sent fake invoices in the name of Quanta to workers at Facebook and Google. Prior to being caught, he earned around $100 million.
- Owing to a spear-phishing attack, Crelan, a Belgian bank, lost more than €70 million in 2016. Hackers impersonated CEOs and managed to convince the bank's finance department to transfer the funds to a variety of accounts.
- In 2015, a spear-phishing attack managed to knock out the three largest Ukrainian power suppliers after compromising their IT infrastructure and SCADA systems. In the aftermath, more than 200,000 people had to make do without electricity for longer than six hours.
What Should Victims of Phishing Attacks Do?
Should you have become the latest victim of a phishing email, your biggest concern should be minimizing damage:
- Immediately change all passwords for any impacted accounts (e.g. Amazon). Should you do this relatively quickly after opening the email or attachment, there's a good chance that you won't suffer any consequences. Keep an eye out for any suspicious account activity or failed logins over the following days.
- Should you no longer be able to log in, this means that hackers have already changed your password. Your next steps should be to contact the company (ideally, by telephone), lock your account, and cancel any pending orders.
- In the event that you've downloaded or opened a suspicious attachment, refrain from using your browser. Bring your computer to an IT specialist who will be able to tell you whether or not your system is infected with malware or a Trojan.
- If your bank account has been impacted, immediately lock your online banking and inform the bank's staff. Report the matter to the police as well.
- Should you have incurred any financial damages, get in touch with a lawyer specialized in cyber criminality.
Preventing Phishing: How To Protect your Data
- Never click on suspicious or dubious links. If you do click on a link, make sure that it's to a secure website (in most browsers, a padlock symbol appears to the left of the URL).
- Serious applications, such as those for online banking, don't open in pop-up windows. For that reason, never input sensitive data into a pop-up window and make sure you're using a pop-up blocker.
- Make sure that your email service has a solid spam filter. Keep in mind that even the best filters won't block all phishing emails.
- Password managers only input a password when the URL you open matches the one they have on record. As such, they provide considerable protection against website spoofing.
- Configure emails to display in text rather than HTML. This reduces the likelihood of inadvertently clicking on a malicious link. As a drawback, it also prevents images in legitimate emails from displaying correctly.
- Regularly update your anti-virus software.
- Create frequent backups of your data. In this way, you'll limit any potential damage caused in the aftermath of an attack.
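The password manager item above works because the manager compares the page's origin with the origin recorded when the login was saved. Here is an added example of that comparison in Python; it is not from the original article or from any particular password manager. A saved login is offered only when the scheme, host and port of the page all equal the saved origin, so a lookalike domain, a plain-HTTP copy, or a hostname using a non-Latin lookalike character gets nothing. The vault contents and the page URLs are constructed for the example; real managers differ in details, for instance by matching on the registrable domain so that subdomains of the same site also qualify.

```python
from urllib.parse import urlsplit

# Constructed vault (not real credentials). Each login is keyed by the
# origin on which it was saved; the hostnames are hypothetical.
VAULT = {
    "https://www.paypal.com": "paypal-login",
    "https://online.examplebank.example": "bank-login",
}


def origin_of(url):
    """Return the (scheme, hostname, port) triple that a manager keys on."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # Hostnames with non-ASCII characters are compared in their IDNA (xn--)
    # form, so a lookalike character never compares equal to its ASCII twin.
    host = host.encode("idna").decode("ascii").lower()
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme.lower(), host, port


def fill_for(page_url):
    """Return the vault entry to auto-fill on page_url, or None."""
    origin = origin_of(page_url)
    if origin[0] != "https":
        return None  # never offer credentials to a plain-HTTP page
    for saved_url, entry in VAULT.items():
        if origin_of(saved_url) == origin:
            return entry
    return None


if __name__ == "__main__":
    # Constructed page URLs, including the kinds of lookalikes the text warns about.
    for url in ("https://www.paypal.com/signin",
                "https://paypal.com.verify-account.example/login",
                "http://www.paypal.com/signin",
                "https://www.p\u0430ypal.com/signin"):  # second character is Cyrillic
        print(f"{url:55} -> {fill_for(url)}")
```

Only the first URL is filled. The second places the real brand name in a subdomain of an unrelated site, the third is the right host over plain HTTP, and the fourth looks identical on screen but is a different hostname once encoded.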
In the above email, the PayPal logo looks authentic; however, the greeting and the non-matching email addresses show that it's a phishing email.
Phishing attacks are some of the most common on the Internet. Those who employ them rely on convincing their victims that they are legitimate and reputable so that they can acquire access to their sensitive data, just as con men do. Whenever you receive an email asking for your password, all sorts of red flags should go up. On the other hand, those who only click on trusted links, regularly update their anti-virus software, and open email attachments only after verifying their content with the sender reduce their exposure. If you've fallen prey to a phishing attack, IT specialists and legal experts can help to reduce the damage.
How do I recognize a phishing email?
Phishing emails aren't always readily discernible at first glance. There are several characteristics that you will notice if you spend a minute or two reading through the email, though, such as a generic greeting ("Dear user"), poorly written copy, and links whose displayed URL differs from the one they actually lead to. Generally, any email containing an attachment from someone you don't recognize, or from a public email domain (rather than that of the organization or company), is highly suspect.
What should I do if I've fallen prey to a phishing email?
Should you still have access to the affected account, log in and immediately change your password. If access is no longer available, contact the platform or company directly and lock your account. Should any financial damages have arisen, get in touch with a lawyer and report the incident to the authorities.
What is the best way to protect against phishing?
The spam filters that most email services come with offer decent protection against phishing emails, while anti-virus programs and anti-malware software recognize malicious attachments and links. Password managers provide yet another line of defense against phishing, since these only supply login credentials when the URL matches the one on record.