Phishing is a cyber attack that gathers sensitive information like login credentials, credit card numbers, bank account numbers or other financial information by masquerading as a legitimate website or email. Personal information like social security numbers, phone numbers and social media account information are also common targets for cybercriminals who perform identity theft.
Phishing scams trick victims by using social engineering to create a sense of urgency. Once the victim opens a phishing email or text message and clicks the malicious link, they are taken to a fake website that matches the legitimate site.
Common phishing attempts clone financial institutions, emails from colleagues, auction sites, social media sites and online payment processors.
Despite being one of the oldest cyber crimes, phishing remains a large cyber threat to many organizations. This is due to its widespread use and to increasingly sophisticated phishing campaigns. Phishers are gathering more information about their targets to improve the effectiveness of their phishing messages.
Security awareness training is a great way to minimize phishing's cyber security risk. Phishing emails may also contain infected attachments to install malware such as ransomware or to gain unauthorized access to sensitive data to cause a data breach.
It's important to remember that some of the biggest data breaches come from outside of your organization. If your third-party vendors have access to sensitive data, then it's just as important to have them educate their staff about phishing risks. Third-party risk, fourth-party risk and vendor risk related to phishing must be part of your third-party risk management framework and vendor risk management program.
What is the Purpose of Phishing?
In general, phishing serves at least one of the following:
- Gathering sensitive information: Suspicious emails that aim to trick the victim into revealing login credentials or exposing personally identifiable information. The classic phishing scam is sending millions of emails tailored to look like they come from a major bank. If a victim clicks on the link and logs into the webpage, the phisher then has access to their bank account.
- Downloading malware: Phishers may attach an infected file to an email to install malware or ransomware. This is different to malware that exploits vulnerabilities like WannaCry.
What is a Phishing Kit?
A phishing kit is a set of tools that makes it easy for people to launch phishing campaigns, even with limited technical knowledge.
Popular phishing kits mirror legitimate websites like Microsoft, Google, Apple, AOL and PayPal.
Once the scammer has installed a phishing kit on a server and bought a domain name for their phishing website they can start sending emails to their targets. Phishing kits with mailing lists and email message templates are available for purchase on the dark web.
What are the Different Types of Phishing Attacks?
There are at least 11 different phishing techniques:
- Spear phishing
- Whaling
- Clone phishing
- Vishing
- Smishing
- Link manipulation
- Filter evasion
- Website forgery
- Covert redirect
- Tabnabbing
- Pharming
While the approach differs, all phishing relies on some form of disguise. In general, the type of phishing attack used will depend on how the phisher has chosen their target(s). A phishing attempt that is sent to millions of potential targets will be tailored to a popular brand like Microsoft, PayPal or Facebook. In contrast, a spear phishing attack will be hyper-targeted to a specific organization or individual.
1. What is Spear Phishing?
Spear phishing is an email or electronic communication targeted toward a specific individual or organization. Although spear phishing is often used to obtain sensitive data, cybercriminals may also use it to install malware on a target's computer.
While spear phishing takes more time and effort than spam phishing, it greatly increases the probability of success due to the presence of personal information in the phishing message.
The most famous example of spear phishing was directed at Hillary Clinton's 2016 presidential campaign where Threat Group-4127 (Fancy Bear) targeted more than 1,800 Google accounts with phishing emails from the accounts-google.com domain name.
2. What is Whaling?
Whaling is a form of spear phishing that targets senior executives or other high-profile targets. A whaler's phishing messages are tailored to the individual and their role in an organization.
As an example, a whaling attack may come in the form of a fake request from the CEO to pay an AWS bill and be emailed to the CTO.
Company board members are a common target for whaling. This is because board members have a great deal of authority but aren't full-time employees. They may also use a personal email account rather than a corporate one, and the personal account may not have anti-phishing features.
3. What is Clone Phishing?
Clone phishing is a form of phishing where a legitimate and previously delivered email is used to create an almost identical phishing email.
In the phishing email, the attachments or links in the email are replaced with a malicious version. It is then sent from a spoofed email designed to appear to come from the original sender. It may even claim to be a follow up or updated version of the original email/attachment.
This requires the phisher to have access to the sender's or recipient's inbox to obtain a legitimate email to clone.
4. What is Vishing?
Vishing or voice phishing is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype.
Improvements in technology have made it easier for scammers to spoof caller IDs, so a call can appear to come from a local area code or even a trusted organization.
Vishing paired with voice deep fakes is a massive cybersecurity risk. According to The Wall Street Journal, the CEO of a UK-based energy firm sent $243,000 to an attacker's bank account believing he was on the phone to his boss.
5. What is Smishing?
Smishing or SMS phishing is phishing by SMS. Just like email phishing, smishing messages typically include a threat or enticement to click a link or call a number to create a sense of urgency and improve the probability of success.
6. What is Link Manipulation?
Link manipulation is a form of phishing that attempts to make a malicious link look like it belongs to the spoofed organization.
Misspelled URLs and subdomains are often used by phishers. As an example, imagine your bank is called Global Bank.
In the following URL https://globalbank.secure.com it appears the URL takes you to the secure section of the Global Bank website. However, the URL actually takes you to the globalbank section of the secure.com website.
Another form of link manipulation is to change the text displayed for a link to suggest it's from a reliable destination while leading to a phishing site. Most desktop clients will allow you to preview a link by hovering over it. However, attackers can override this function, and many smartphones do not have a preview feature.
Internationalized domain name (IDN) spoofing is another form of link manipulation. It involves using virtually identical characters to mimic the URL of a legitimate site. SSL certificates do not solve this problem because phishers can often purchase a valid certificate and subsequently change content to spoof the genuine website.
7. What is Filter Evasion?
Filter evasion is a form of phishing where the phisher uses images instead of text to avoid anti-phishing filters. The idea behind filter evasion is that email clients and their filters have a hard time reading images but are very good at reading plain text. This is becoming less of a risk as email clients become more sophisticated and develop anti-phishing filters that use optical character recognition (OCR) on images.
8. What is Website Forgery?
Security flaws in trusted websites can lead to cross-site scripting (XSS) attacks. This is particularly dangerous because users can navigate to the correct site and still be in danger.
9. What is a Covert Redirect?
A covert redirect is a form of phishing that makes a link appear legitimate but redirects the victim to the phisher's site.
Covert redirects are hard to spot because the victim could be browsing a legitimate website and served a malicious login popup from a browser extension or another cyber attack.
For example, you may click a malicious link beginning with Facebook. A popup asks whether you would like to authorize the app. If you choose to authorize the app, a token will be sent to the attacker and your personally identifiable information (PII) could be exposed.
This could include email address, birth date, contacts and work history. It may even give the attacker control over your account. Even if you don't authorize the app, you may still be redirected to a phishing website.
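The server-side control against the covert redirect described above is to accept only an exact, pre-registered destination for the token. The following is an added example, not code from the original article: it assumes an OAuth-style flow in which the authorization request carries the return URL as a redirect_uri parameter (the article does not name the parameter), and the client id and URLs are constructed. The weak prefix-match check is shown beside the exact-match check so the difference is visible.

```python
"""Exact-match validation of an OAuth-style redirect target, the server-side
control against covert redirects.

Added example, not code from the original article. It assumes the
authorization flow carries the URL the token is returned to as a redirect_uri
parameter (the article does not name the parameter); the client id and
URLs below are constructed.
"""
from urllib.parse import urlsplit

# Constructed registry: each client id maps to the exact redirect URIs it
# registered in advance.
REGISTERED_REDIRECTS = {
    "app-1234": {"https://app.example/oauth/callback"},
}


def redirect_allowed_prefix(client_id: str, redirect_uri: str) -> bool:
    """The weak check: accept anything that starts with a registered URI.
    A token can then be delivered to a page whose query string forwards it
    somewhere else, which is exactly the covert redirect problem."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))


def redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """The hardened check: https only, no userinfo or fragment, and the whole
    string must equal a registered URI (RFC 6749 section 3.1.2 calls for
    simple string comparison against the registered redirection URI)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.username is not None or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


if __name__ == "__main__":
    # Constructed request: the registered callback with an extra "next" parameter.
    probe = "https://app.example/oauth/callback?next=https://evil.example"
    print("prefix match accepts:", redirect_allowed_prefix("app-1234", probe))
    print("exact match accepts:", redirect_allowed("app-1234", probe))
```

Exact matching also rejects look-alike hosts such as app.example.evil.example, downgraded http:// targets, and unknown client ids, because none of those strings is in the registry.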
10. What is Tabnabbing?
Tabnabbing is a phishing attack that uses inactive tabs and the ability of browsers to navigate in inactive tabs.
The attacker causes an inactive tab to redirect to a phishing website and then waits for the user to navigate back to the tab. If the user opens the affected tab and logs in, their credentials will be exposed.
Tabnabbing can be highly successful if the attacker is able to check for well known websites the user has in their inactive tabs. Once detected, the attacker can replace the tab with an identical phishing login page to the original site.
11. What is Pharming?
Pharming is a phishing attack that relies on a form of man-in-the-middle attack called DNS cache poisoning that redirects users from a legitimate site to a phishing site even if they type in the correct domain name.
How to Recognize Phishing Attacks
Successful phishing messages usually masquerade as a well-known company or colleague and are difficult to distinguish from authentic messages.
The phishing email could include an organization's logo and data about the organization being misrepresented. Malicious links within phishing messages will look as though they come from the spoofed organization.
That said, people can be trained to recognize phishing attempts. Security awareness training can be effective, especially when training emphasizes conceptual knowledge and direct feedback.
Common indications of a phishing attempt are:
- The use of subdomains, misspelled URLs (typosquatting) or otherwise suspicious URLs
- The sender uses a Gmail or other free email address provider rather than a corporate email, or the sender's domain name doesn't directly match the misrepresented domain
- The message is designed to invoke fear or a sense of urgency
- The message includes a request to verify personal information such as your bank login details or social media password
- The message is poorly written and has spelling and/or grammar mistakes
- The email contains an unexpected or unusual attachment that may be malware or ransomware
- You know the sender's name but you don't normally communicate with them, especially if the email has nothing to do with your job responsibilities
- The URL in the email does not match the misrepresented organization's URL
- The message sounds too good to be true like you've won the lottery or a competition you've never entered
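The sender, wording and link indicators in the list above, together with the link-manipulation tricks from the earlier section (a brand name used as a subdomain of an unrelated domain, misspelled domains, internationalized host names, link text that differs from the real target), can be checked mechanically. The following is an added example, not code from the original article: the free-mail provider set, the keyword lists and the two sample messages are constructed, and the brand a message claims to come from is passed in by the caller.

```python
"""Heuristic checks for the phishing indicators listed above, including the
link-manipulation tricks from the earlier section.

Added example, not code from the original article. The provider set, keyword
lists and the two sample messages are constructed; the brand the message
claims to come from is passed in by the caller.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed list of free mail providers (the "Gmail or other free email
# address provider" indicator); extend it for your own environment.
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed keyword lists for the urgency and credential-request indicators.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
CREDENTIAL_WORDS = ("password", "login details", "social security", "card number")


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'secure.com' for 'globalbank.secure.com'.
    Simplification: production code should consult the Public Suffix List so
    that 'bank.co.uk' is not reduced to 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(href: str, brand_domain: str) -> list[str]:
    """Return the suspicious properties of a link relative to the claimed brand."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append(f"non-https link: {href}")
    if not host:
        return findings
    brand_name = brand_domain.split(".")[0]
    if "xn--" in host or not host.isascii():
        findings.append(f"internationalized host name (possible homograph): {host}")
    reg = registrable_domain(host)
    if brand_name in host and reg != brand_domain:
        findings.append(f"brand name used as a subdomain of an unrelated domain: {host}")
    if 0 < edit_distance(reg, brand_domain) <= 2:
        findings.append(f"possible typosquat of {brand_domain}: {reg}")
    return findings


def analyze_message(msg: dict, brand_domain: str) -> list[str]:
    """Apply the sender, wording and link indicators to one message.

    msg keys: from_display, from_addr, subject, body and links, a list of
    (text shown to the user, actual href) pairs."""
    findings = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    brand_name = brand_domain.split(".")[0]
    if sender_domain in FREE_MAIL_PROVIDERS:
        findings.append(f"sender uses a free mail provider: {sender_domain}")
    display = msg["from_display"].lower().replace(" ", "")
    if brand_name in display and registrable_domain(sender_domain) != brand_domain:
        findings.append(f"display name claims {brand_name} but sender domain is {sender_domain}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency language")
    if any(w in text for w in CREDENTIAL_WORDS):
        findings.append("requests credentials or personal information")
    for shown, href in msg["links"]:
        shown_host = urlsplit(shown).hostname if "://" in shown else None
        real_host = urlsplit(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        findings.extend(analyze_url(href, brand_domain))
    return findings


# Constructed sample messages, both claiming to be from Global Bank.
PHISH = {
    "from_display": "Global Bank Security",
    "from_addr": "globalbank.alerts@gmail.com",
    "subject": "URGENT: your account will be suspended",
    "body": "Verify your login details within 24 hours to keep your account active.",
    "links": [("https://www.globalbank.com/login", "http://globalbank.secure.com/login")],
}
LEGIT = {
    "from_display": "Global Bank",
    "from_addr": "statements@globalbank.com",
    "subject": "Your March statement is available",
    "body": "Your monthly statement is ready to view in online banking.",
    "links": [("View statement", "https://www.globalbank.com/statements")],
}

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze_message(m, "globalbank.com"))
```

Each finding is a human-readable reason rather than a score, so the output can be shown to the recipient as direct feedback, which is the training style the article recommends. The registrable-domain helper deliberately stops at two labels; a deployment should swap in a Public Suffix List lookup before trusting it on country-code domains.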
How to Prevent Phishing Scams
The best way to prevent phishing is to study examples of phishing attempts and run training that provides direct feedback. Lehigh University has a great resource of recent phishing examples that you could use to train your staff.
To prevent phishing, train your staff to:
- Identify phishing attacks
- Be cautious of pop-ups
- Be wary of clicking on links in emails
- Hover over links to confirm they go where they expect
- Verify the website's SSL certificate matches their domain and is still valid
- Confirm suspicious emails from a colleague or boss by phone or in person
- Watch out for URL redirects where you are subtly sent to a different website with identical design
- Check the URL is what you expect it to be before entering sensitive information
- Not expose personally identifiable information (PII) that could be used for spear phishing or whaling like birth date, address or phone number
- Be cautious of emails that create a sense of urgency
- Avoid downloading attachments from emails unless you know they are real
- Not take hyperlinks at face value, as they may not be taking you where they say they are
- Use two-factor authentication (2FA) wherever possible
To prevent phishing emails from reaching your staff, use a layered cybersecurity program including:
- Antivirus software
- Desktop firewalls
- Network firewalls
- Antispyware software
- Antimalware software
- Gateway email filter
- Web security gateway
- Spam filters
- Browsers that alert users of fraudulent websites
- Enforced 2FA
- Single sign-on
- Password managers
- Email content redaction
Additionally your organization's mail servers should use at least one email authentication standard to verify inbound email such as:
- Sender Policy Framework (SPF): Reduces the amount of unsolicited email spam
- DomainKeys Identified Mail (DKIM): Enables users to block all messages except those that have been cryptographically signed
- Domain-based Message Authentication, Reporting and Conformance (DMARC): Specifies that both SPF and DKIM be in use for inbound email and provides a framework for using those protocols to block unsolicited emails more effectively.
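How the three standards combine at the receiving mail server is easiest to see on concrete messages. The following is an added example, not code from the original article: DNS_TXT is a constructed in-memory table standing in for real TXT record lookups, the SPF evaluator covers only the ip4, include and all mechanisms of RFC 7208, and DKIM signature verification (which needs the signer's public key) is assumed to have been done already, with its result passed in. The domains, IP ranges and messages are constructed.

```python
"""SPF evaluation and DMARC alignment, worked through on constructed messages.

Added example; it is not code from the original article. DNS_TXT is a
constructed in-memory table standing in for real TXT lookups, the SPF
evaluator covers only the ip4, include and all mechanisms of RFC 7208, and
DKIM signature verification is assumed to have been done elsewhere with its
result passed in.
"""
from __future__ import annotations

import ipaddress

# Constructed DNS TXT records. globalbank.example authorises its own /24 plus
# its mail vendor's range, and publishes a DMARC reject policy.
DNS_TXT = {
    "globalbank.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.globalbank.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@globalbank.example",
    # A look-alike domain controlled by a phisher, with its own valid SPF record.
    "globalbank-secure.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DISPOSITION = {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for a connection from sender_ip."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror"
    record = DNS_TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists and others are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def organizational_domain(host: str) -> str:
    """Last two labels; real code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only a shared organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from_domain)


def dmarc_evaluate(msg: dict) -> dict:
    """Run SPF, then DMARC alignment and policy, for one constructed message.

    msg keys: sender_ip, mail_from (SMTP envelope sender), header_from
    (RFC 5322 From), dkim_result and dkim_domain ('none' and '' if unsigned)."""
    mail_from_domain = msg["mail_from"].rsplit("@", 1)[-1]
    header_from_domain = msg["header_from"].rsplit("@", 1)[-1]
    spf = spf_check(mail_from_domain, msg["sender_ip"])

    policy = DNS_TXT.get("_dmarc." + organizational_domain(header_from_domain), "")
    if not policy.startswith("v=DMARC1"):
        return {"spf": spf, "dmarc": "none", "disposition": "deliver"}
    tags = dict(kv.strip().split("=", 1) for kv in policy.split(";") if "=" in kv)

    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_ok = msg["dkim_result"] == "pass" and aligned(msg["dkim_domain"], header_from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "deliver"}
    return {"spf": spf, "dmarc": "fail", "disposition": DISPOSITION.get(tags.get("p", "none"), "deliver")}


# Constructed messages; all three claim to be from alerts@globalbank.example.
LEGITIMATE = {"sender_ip": "203.0.113.10", "mail_from": "bounce@globalbank.example",
              "header_from": "alerts@globalbank.example",
              "dkim_result": "pass", "dkim_domain": "globalbank.example"}
# Direct spoof from an unauthorised host, unsigned.
SPOOFED = {"sender_ip": "192.0.2.5", "mail_from": "alerts@globalbank.example",
           "header_from": "alerts@globalbank.example",
           "dkim_result": "none", "dkim_domain": ""}
# Look-alike domain: SPF passes for the phisher's own domain, but it does not
# align with the From: header the user sees, so DMARC still fails.
LOOKALIKE = {"sender_ip": "192.0.2.5", "mail_from": "bounce@globalbank-secure.example",
             "header_from": "alerts@globalbank.example",
             "dkim_result": "none", "dkim_domain": ""}

if __name__ == "__main__":
    for name, m in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("look-alike", LOOKALIKE)):
        print(name, dmarc_evaluate(m))
```

The look-alike case is the one DMARC adds over SPF alone: SPF only vouches for the envelope sender's domain, which the phisher controls, while DMARC insists that the authenticated domain align with the From: address the recipient actually reads.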
How to Report Phishing
If you have received a phishing email or text message you should report it.
In the United States, you can forward phishing emails to the FTC at email@example.com and to the Anti-Phishing Working Group (APWG) at firstname.lastname@example.org.
For text messages, forward them to SPAM (7726).
Then report the phishing attack to the FTC at ftc.gov/complaint.