Phishing: What is it and how does it affect me?

Phishing is at the heart of over 90% of successful data breaches. It is one of the largest cyber threats to organisations around the world. Find out about it, and what you can do about it, below.

What is Phishing?

Phishing is a fraudulent attempt by attackers to gain sensitive information by the impersonation of a reputable source using email or other online communication. It’s a technique that’s worked since the mid-1990s and is still just as effective today.

Attackers often masquerade as popular social networking sites, online shops, banks, credit card companies or even your own IT help desk!

It is a criminal offence and cost the global economy over £14,000 per minute in 2018.

Let’s take a look at the history of Phishing and how it got that ridiculous name.

History of email phishing - The early years

The “ph” spelling of phishing comes from an earlier word for an illicit act: “phreaking.” Phreaking involves fraudulently using an electronic device to avoid paying for telephone calls. Its name is thought to be a shortening of “phone freak.”

Back in the early to mid-1990s, the only Internet option was ‘dial-up’ access for a fee. For those reluctant to pay for Internet access, the alternative was a thirty-day free trial of Internet access via an AOL floppy disk.

Understandably, life without the Internet after the trial period expired was simply too much to bear. Some rather devious folk found a way to change their screen names to make it appear as if they were AOL administrators. Using these fake screen names, they would “phish” for log-in credentials to continue accessing the Internet for free.

Internet use increased dramatically in popularity. This new breed of scammer had to adapt fast to keep these tactics fresh and maintain their disguise as administrators of the ISP. They used a myriad of tactics to successfully email the ISP’s customers and steal their login credentials. Having “spoofed” someone, they could access the Internet from that user’s account, with the bonus of sending spam from the user’s email address.

Those 3 (deadly) little words...

A change in tactics saw the world fall victim to the Love Bug on May 4 2000. Starting in the Philippines, a message entitled “ILOVEYOU” filled mailboxes around the globe. It simply said “Kindly check the attached LOVELETTER coming from me”.

Those who could not resist unearthing their secret crush opened what they thought was a harmless .txt file. Harmless couldn’t have been further from the truth: the now-famous ‘LoveBug’ unleashed a worm that wreaked havoc on the local machine. It overwrote vital system image files. It sent a copy of itself to all the user’s contacts in their Outlook address book. ‘LoveBug’ infected 50 million computers. Not only that, it accomplished this in only 10 days.

‘LoveBug’ not only showed us how to get spam to send itself, but that the role played by human psychology in cyber security was equal to or greater than any hardware or software. This was the first time a little code, mixed with a splash of intrigue, cost the global economy £12 billion. That’s 4 times what it cost to run the entire NHS over the same period.

It would seem logical that people should have learned to avoid the trap of surrendering login credentials, clicking links or even opening attachments. Yet this is still an effective tactic for attackers, with over 90% of successful data breaches starting with a phishing attack.

Types of Phishing Used Commonly Today

To help prevent phishing, users should have knowledge of how the bad guys operate. They should also be aware of anti-phishing techniques to protect themselves from becoming victims.

Email/Spam

The same email is sent to millions of users at once; this is the most common phishing technique. These emails often contain a request to fill in personal details, which the phishers then use for illegal activities. Most of the messages carry an urgent note or a time-limited offer. They require the user to enter credentials to update account information, change details, or verify accounts. Sometimes the user is asked to fill out a form to access a new service through a link provided in the email.

Pharming

Pharming is phishing that relies on malware running on the user’s computer. Once activated, it can redirect the user’s computer to fake websites that resemble ones the user would often visit (specific banks or sites that require sensitive information). If successfully fooled, the user enters their data into the fake site, handing it straight to the attacker. Often, these malicious files arrive attached to emails as innocuous-looking downloadable files.

Link Manipulation

Link manipulation is the technique in which the phisher sends a link to a fake website. When the user clicks on the deceptive link, it opens the phisher’s website instead of the website named in the link text. Hovering the mouse over the link to view the actual destination address helps users avoid falling for link manipulation.
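The same check can be automated on the receiving side. The following is an added example, not code from the original article: it scans an HTML email body for links whose visible text is itself a URL or domain but whose `href` points at a different registrable domain, which is exactly the mismatch a hover reveals. The email body and all domains in it are constructed for the demonstration.

```python
"""Flag HTML links whose visible text claims one domain but whose href goes to another.

Added example with a constructed sample email; every domain below is hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed phishing-style email body. The first link shows one address in its
# text but sends the reader somewhere else; the others are consistent.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Please verify at
<a href="http://login.example-bank.com.evil-host.test/verify">https://www.example-bank.com/verify</a>
or visit our <a href="https://www.example-bank.com/help">help page</a>.</p>
<p>Read more at <a href="https://news.example.org/story">news.example.org</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Naive registrable domain: the last two labels. Real code should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Visible text that a reader would take to be an address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def find_mismatched_links(html):
    """Return the links whose displayed domain differs from the href's domain."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        if not href or not LOOKS_LIKE_URL.match(text):
            continue  # plain words like "help page" carry no domain claim
        shown = registrable(host_of(text))
        actual = registrable(host_of(href))
        if shown != actual:
            suspicious.append({
                "text": text,
                "href": href,
                "shown_domain": shown,
                "actual_domain": actual,
            })
    return suspicious


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"text says {hit['shown_domain']!r} but href goes to {hit['actual_domain']!r}: {hit['href']}")
```

The comparison is on the registrable domain rather than the full hostname so that a link displayed as `www.example-bank.com` and pointing at `secure.example-bank.com` is not flagged, while `example-bank.com.evil-host.test` is. Look-alike domains (`examp1e-bank.com`) pass this check unless the text and href differ, which is why it complements, rather than replaces, reputation and allow-list checks.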

Web Based Delivery

Web based delivery is one of the most sophisticated phishing techniques. Known as a “man-in-the-middle attack,” the attacker sits between the user and the legitimate website. They capture details as a transaction passes between the legitimate website and the user. As the user submits information, it is gathered by the phishers without the user ever knowing.

Keyloggers

Keyloggers are malware that record input from the keyboard. The captured keystrokes are sent to the attackers, who extract passwords and other information from them. Some secure websites try to limit what keyloggers can capture by offering a virtual keyboard, so that entries are made with mouse clicks rather than keystrokes.

Trojan

A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorised access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.

Website Spoofing

Spoofed websites are built by attackers to look exactly like legitimate websites. The goal of website forgery is to get users to enter information that can be used to defraud the victim or to launch further attacks against them.

Spear Phishing

Think of spear phishing as professional phishing. Classic phishing campaigns send mass emails to as many people as possible, but spear phishing is much more targeted. The attacker has a particular individual, group or organisation they want to compromise and is after more valuable information than credit card data. They research the target in order to make the attack more personalised and increase their chances of success.

Ransomware

Ransomware denies access to a device or files until a ransom has been paid. On PCs, the malware is installed on a user’s workstation, often unnoticed. It is often the result of clicking on a link, opening an attachment, or clicking on malvertising.

Social Engineering

Users can be manipulated into clicking questionable content for many different technical and social reasons. For example, a malicious attachment might at first glance look like an invoice related to your job. Attackers count on victims not thinking twice before opening it and infecting the network.

"Evil-twin" WiFi

Attackers use devices like a “Pineapple”, a tool containing two radios, to set up their own Wi-Fi network. They give it a familiar name like “Starbucks Wi-Fi”, which is common in many public places. If you are not paying attention and join the network controlled by the attackers, they can intercept any information you enter during your session, such as banking data.

Session Hijacking

In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. A simple session hijacking example is known as session sniffing: the phisher uses a sniffer to intercept the session token so that he or she can access the web server as the victim.

Domain Spoofing

One example is CEO fraud and similar attacks. The victim gets an email that appears to come from the boss or a colleague, with the attacker asking for things like funds transfers. Use our free domain spoofing test to check your organisation’s current security level!
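What a domain spoofing test typically checks is whether the organisation publishes a DMARC policy that tells receiving mail servers to reject or quarantine mail that fails authentication for its domain. The following is an added example, not the article’s own test tool: it parses DMARC TXT record strings and reports whether each one actually enforces a policy. The records and domains are constructed; a real check would fetch the TXT record at `_dmarc.<domain>` over DNS (for instance with dnspython’s `dns.resolver.resolve(name, "TXT")`), which is deliberately left out so the code runs offline.

```python
"""Assess whether a DMARC record enforces a policy against spoofed mail.

Added example. The records below are constructed for hypothetical domains; in
practice the record is the TXT record at _dmarc.<domain>, fetched via DNS.
"""


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; return None if it is not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, reason).

    'Enforcing' means that mail failing DMARC for this domain is rejected or
    quarantined by receivers that honour the policy, rather than delivered.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return False, "no DMARC record: receivers are told nothing about spoofed mail"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    if policy == "none":
        return False, "p=none only requests reports; spoofed mail is still delivered"
    if policy not in ("quarantine", "reject"):
        return False, f"unrecognised policy p={policy}"
    if pct < 100:
        return False, f"p={policy} is applied to only {pct}% of failing mail"
    return True, f"p={policy} is applied to all failing mail"


# Constructed records: the weak setting beside the corrected one.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "strong.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    "missing.example": "",  # no _dmarc TXT record published at all
}


def report(records=SAMPLE_RECORDS):
    """Map each domain to its (enforcing, reason) assessment."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (ok, why) in report().items():
        print(f"{domain:18} {'ENFORCING' if ok else 'EXPOSED  '} {why}")
```

A `p=none` record is the usual finding on a domain that has “set up DMARC” but never moved past the monitoring phase; from a spoofing standpoint it is no better than having no record, and the corrected setting is `p=reject` (or `p=quarantine` as an interim step) at `pct=100`. DMARC only protects the exact domain in the From header, so look-alike domains still need separate controls.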

Content Injection

Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.

How To Prevent Phishing

Phishing emails range from extremely easy to spot to almost impossible. Attackers use increasingly sophisticated techniques to fool you into parting with your sensitive information.

To this day there is no ‘catch-all’ method for stopping phishing; one has to remain vigilant at all times and treat all emails and websites with caution when online.

We recommend all readers educate themselves on the dangers of phishing. With well managed Security Awareness Training the threat posed by today’s advanced phishing techniques can be significantly reduced. Take back control, today.

Start Phishing & Security Awareness Training Today!
