Phishing: What is it and how does it affect me?
Over 85% of global organisations experienced phishing attacks in 2020. It is the single largest cause of data breaches and is only gaining in popularity among hackers.
Find out about it, and what you can do about it, below.
What is Phishing?
Phishing is a fraudulent attempt by attackers to gain sensitive information by the impersonation of a reputable source using email or other online communication. It’s a technique that’s worked since the mid-1990s and is still just as effective today.
Attackers often masquerade as popular social networking sites, online shops, banks, credit card companies or even your own IT help desk!
It is a criminal offence and costs the global economy over £14,000 every minute!
Let’s take a look at the history of Phishing and how it got that ridiculous name.
How did phishing get its name?
The “ph” spelling of phishing comes from an earlier word for an illicit act: “phreaking.” Phreaking involves fraudulently using an electronic device to avoid paying for telephone calls. Its name is suspected of being a shortening of “phone freak.”
Back in the early to mid-1990s, the only Internet option was ‘dial-up’ access for a fee. For those reluctant to pay for Internet access, the alternative was a thirty-day free trial of Internet access via an AOL floppy disk.
Understandably, life without the Internet after the trial period expired was simply too much to bear. Some rather devious folk found a way to change their screen names to make it appear as if they were AOL administrators. Using these fake screen names, they would “phish” for log-in credentials to continue accessing the Internet for free.
Internet use increased dramatically in popularity. This new breed of scammer had to adapt fast to keep their tactics fresh and maintain their disguise as administrators of the ISP. They used a myriad of tactics to email the ISP’s customers and steal their login credentials. Having “spoofed” someone, they could access the Internet from that user’s account, with the bonus of sending spam from the user’s email address.
Those 3 (deadly) little words...
A change in tactics saw the world fall victim to the Love Bug on May 4, 2000. Starting in the Philippines, a message entitled “ILOVEYOU” filled mailboxes around the globe. It simply said “Kindly check the attached LOVELETTER coming from me”.
Those who could not resist unearthing their secret crush opened what they thought was a harmless .txt file. Harmless couldn’t have been further from the truth: the now-famous ‘LoveBug’ unleashed a worm that wreaked havoc on the local machine. It overwrote vital system image files. It sent a copy of itself to all the user’s contacts in their Outlook address book. ‘LoveBug’ infected 50 million computers. Not only that, it accomplished this in only 10 days.
‘LoveBug’ not only showed us how to get spam to send itself, but that the role played by human psychology in cyber security was equal to or greater than that of any hardware or software. This was the first time a little code, mixed with a splash of intrigue, cost the global economy £12 billion. That’s 4 times what it cost to run the entire NHS over the same period.
It would seem logical that people should have learned to avoid the trap of surrendering login credentials, clicking links or even opening attachments. Yet this is still an effective tactic for hackers with over 90% of successful data breaches starting with a phishing attack.
The 3 most commonly used phishing attacks today
Internet users must have a solid knowledge of what a phishing attack looks like, how they work and what new methods hackers are employing to further their malicious activities. This is the basis of security awareness training.
The 3 examples below represent the most-used forms of phishing attacks by hackers today.
1 - Deceptive email phishing
The most common method of phishing attack is a simple deceptive email.
Often impersonating trusted brands or authoritative organisations, hackers send out generalised deceptive emails, hoping victims will fall for the contents. This could be downloading a malicious attachment, clicking a link that leads to a credential harvesting site, and much more.
The low cost, lack of required technical skill or knowledge of the target is what makes these campaigns so popular and so effective.
Their success is directly linked to the quantity, rather than the quality, of emails sent, hence the alternative name: “spray and pray phishing”.
2 - Spear phishing
Spear phishing is the sophisticated, more refined sibling of deceptive email phishing.
Though the principle remains the same (send an email to a target, hoping they are fooled by the contents), the execution is vastly different.
Hackers will expend considerable effort and time to ensure they pick the right target and get the contents just right before sending the email to either a single target or a very small group of targets.
Once the target is chosen and the perfect email constructed, the hacker strikes.
As these campaigns are significantly more targeted and well thought-out, the sums earned by hackers are usually considerably larger than in the former “Spray and pray” method.
3 - Business Email Compromise (BEC)
A form of spear phishing in its own right, but now so popular it deserves its own place on the leader board.
BEC attacks, also often referred to as “CEO Fraud”, impersonate high-ranking members of an organisation, usually asking a lower ranking employee to perform a specific task. This will often be diverting funds from one account to another, sending a quick £500 to the CEO who is apparently stuck at a train station, or even buying gift vouchers for a visitor that is apparently en route to the office.
In all cases they require some knowledge of the organisational structure and of the language used by its members.
The more effort the hacker puts into the research and planning phases of these attacks, the more effective they tend to be.
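The requests described above (an executive’s name on the From line, a plea that they cannot take a call, and an urgent ask for money or gift vouchers) leave traces a mail gateway can check for. The following is an added example written for this page, not code from the original article or any product; the executive list, domains and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: each executive and the one mailbox they
# legitimately send from (a real deployment would load this from the directory).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases matching the requests described above: urgency, an executive who
# cannot take a call, money transfers and gift vouchers.
URGENCY = re.compile(r"\b(urgent|asap|right away|stuck at|can'?t talk)\b", re.I)
PAYMENT = re.compile(r"gift (?:card|voucher)|transfer|wire|£\s?\d+", re.I)

def bec_indicators(raw_email: str) -> list[str]:
    """Return the names of the heuristics that fire for one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    # 1. The display name is one of our executives, but the address is not theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr.lower() != known:
        hits.append("executive-name-from-unknown-address")
    # 2. Replies are steered to a domain other than the visible sender's.
    if reply_addr and reply_addr.rpartition("@")[2].lower() != addr.rpartition("@")[2].lower():
        hits.append("reply-to-domain-mismatch")
    # 3. The body pairs urgency with a request to move money or buy vouchers.
    if URGENCY.search(body) and PAYMENT.search(body):
        hits.append("urgent-payment-request")
    return hits

def is_likely_bec(raw_email: str) -> bool:
    """Flag only when an identity indicator coincides with a payment request; either alone is noisy."""
    hits = set(bec_indicators(raw_email))
    identity = {"executive-name-from-unknown-address", "reply-to-domain-mismatch"}
    return "urgent-payment-request" in hits and bool(hits & identity)

# Constructed sample: the "stuck at a train station, send £500" scenario above.
SAMPLE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.jane@freemail.example
To: finance@example.com
Subject: quick favour

Stuck at the station and can't talk. Urgent: please send £500 to the account
below and buy gift vouchers for the visitor arriving this afternoon.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE), is_likely_bec(SAMPLE))
```

A gateway would normally route a flagged message for review rather than block it outright, since the keyword heuristics will also fire on genuine finance traffic.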
How To Prevent Phishing
Phishing emails range from extremely easy to spot to almost impossible. Hackers use increasingly sophisticated techniques to fool you into parting with your sensitive information.
To this day there is no ‘catch-all’ method for stopping phishing; one has to remain vigilant at all times and treat all emails and websites with caution when online.
We recommend all readers educate themselves on the dangers of phishing. With well managed Security Awareness Training the threat posed by today’s advanced phishing techniques can be significantly reduced. Take back control, today.