Cyber Attack Guide – Phishing
The concept of phishing finds its way back in the 1980s, and the term has been in broad circulation since the 90s. You’d think the online community would have learned how to deal with one of the oldest forms of cybercrime by now. Unfortunately, you’d be wrong.
Phishing continues to be an active threat that costs businesses and individual users millions of dollars every year. Today, we are going to take a closer look at what phishing is and what we can do to prevent it.
Table of Contents:
- The State of Cybersecurity
- What is Phishing?
- How Does Phishing Work?
- Types of Phishing
- What to Do In Case of a Phishing Attack?
- The Role of Your Hosting Provider
The State of Cybersecurity
People underestimate phishing as a threat partly because it’s been around for around three decades and partly because they believe they are far too clever to fall for the scams.
The cold hard facts, however, suggest otherwise.
In its Internet Crime Report for 2020, the FBI’s Internet Crime Complaint Center singled out phishing scams as the most prevalent form of cybercrime registered throughout the year. In total, the Federal Bureau of Investigation recorded over 240 thousand phishing incidents, costing victims more than $54 million.
This being only the reported incidents in the US, the actual figures are probably much, much higher worldwide.
The online world seems far from fixing the phishing problem.
Let’s see why.
What is Phishing?
Phishing is the act of tricking computer users into giving away sensitive information, like login credentials, payment details, and corporate data. Traditionally, phishing has been associated with emails, though recent variations of the scam use other mediums of communications as well.
The thing that differentiates phishing from data theft is that criminals don’t take the information forcefully. Instead, they use a wide range of techniques to convince the victim to give it away themselves.
Here’s how they do it.
How Does Phishing Work?
Modern-day phishing attacks come through various communication channels. They vary in both sophistication and modus operandi. One thing they all have in common, though, is social engineering.
Let’s use a traditional email phishing attack to describe how scammers usually trick people into disclosing sensitive data.
The first step is making you open the actual email.
A phisher will try to impersonate an individual or an organization you likely have something in common with. The options for criminals are pretty much limitless – if they do enough reconnaissance, they can pretend to be anyone, from a high school friend to a service provider you may be using.
You wouldn’t open any email that lands in your inbox, so the phishers often use email spoofing to fool you into thinking the message comes from a source you recognize.
Sophisticated phishers go above and beyond to make sure the message looks as legitimate as possible. If they’re impersonating your bank – they’ll put the right logos in the right places. They’ll use the correct fonts, and if they’ve really done their homework – may even address you by your real name instead of starting the message with a generic “Dear Customer…”.
Usually, the message tells you there’s a problem you need to address. The attack’s success depends on you not spotting the red flags. That’s why, more often than not, the email is designed to give you a sense of urgency.
For example, a phishing attack may try to fool you into thinking the payment method you use with a particular provider has expired, and if you don’t provide valid data in a short period of time – you may be facing issues.
Phishing emails often try to convince you there’s been a security accident. For example, your bank may be telling you that it has spotted an unusual transaction coming out of your account, urging you to log into the institution’s online system and change your credentials. By using a hidden redirect, you will actually be submitting your payment details straight into the scammer’s hands.
Phishing attacks sometimes try to fool you into thinking you’ve won an amazing prize. You know, those “Congratulations, you are the XXXXth visitor” type of flashing ads.
The phishing scenarios are pretty much endless, but the thing they all have in common is a link that redirects you to a login form or a page requesting your personal details.
At this stage, the phisher’s efforts can quickly be undone if you’re not convinced the URL is fake. That’s why the criminals put a lot of effort into making their phishing pages look as legitimate as possible.
The phishing pages’ level of sophistication varies a lot. Some of them display a blank screen after entering your login credentials, which can tip you off. Others redirect you to the original vendor’s site, and you can even find some that would automatically log you into your account.
Security experts have observed advanced phishing operations that can even target temporary two-factor authentication codes and use them to compromise your account pretty much instantly.
Types of Phishing
As mentioned, phishing has evolved a lot over the years and has taken many shapes and forms.
For example, the term Vishing is now used to describe scams similar to the traditional phishing emails but carried out over the phone. In a typical vishing setup, criminals spoof your bank’s phone number and use a text-to-speech service to tell you there’s a problem with your bank account.
You are urged to call a different phone number and get in touch with the bank’s representative, who’ll help you resolve the issue. If you follow the instructions, you will indeed speak to a real person, supposedly to verify your identity.
They’ll have nothing to do with your bank, though.
Smishing is another form of phishing. It’s short for SMS phishing and is exactly what it says on the label. This time, the medium of choice is text messages, and criminals repeatedly use phone number spoofing and automated tools to make the attack more efficient.
Traditionally, SMS messages would urge you to call a phone number or contact an email. However, the ubiquity of internet-connected smartphones means that attackers can now include fraudulent links in text messages.
Communication channels aside, there are several other categories of phishing attacks.
Bulk phishing is a spray-and-pray type of attack in which the hackers take a long list of email addresses and send out a large number of identical phishing messages. In most cases, these attacks are not particularly sophisticated, and the criminals usually hope to hit the most gullible among the huge pool of potential victims.
This is the most common type of phishing.
Spear phishing is a targeted attack. Instead of hoping to hit as many users as possible, hackers aim their emails at a particular person. Spear phishing is more common in the corporate environment.
Stealing the target’s data is usually the first step toward infiltrating their entire network and causing a lot more havoc. The stakes are higher, and phishers tend to put a lot more thought and preparation into the attack.
Clone phishing is another form of sophisticated phishing. It usually starts with a compromised email account. The hackers rummage through its Sent folder and look for an outgoing message that contains a link.
They then make a copy of it (or clone it), swap the legitimate link for a malicious one, and send it again to the recipient, spoofing the sender’s address. Likely, the attacker will also make slight modifications and tell the victim the second email is an update of the first message.
The general idea is to raise as little suspicion as possible.
Whaling is spear phishing aimed at company executives (i.e., CEOs or CFOs). Successful whaling attacks are incredibly sophisticated and cause a lot of damage because high-ranking corporate officers have pretty much unlimited access to the company network.
The techniques whale phishers use aren’t massively different, but the whole setup is based on thorough research and a more advanced level of social engineering.
What to Do In Case of a Phishing Attack?
The more experienced among you have probably read hundreds of tips and tricks on avoiding falling victim to a phishing scam. Still, statistics reveal that not a whole lot of people stick to the experts’ advice.
To best fend off phishing attacks, you need to develop certain habits that will help you spot the red flags and avoid falling into the criminals’ social engineering traps.
Here are some of them:
- Treat unexpected correspondence with caution – If an email is coming from a completely unknown address or a service provider you’ve never used, it’s best not to open the message at all.
- Double-check the sender’s address – Email and phone number spoofing are common practices among phishers, so checking the sender’s address can’t guarantee 100% protection. Nevertheless, it’s good to know where the email is coming from.
- Don’t let the use of threatening or urgent language get to you – Phishing attacks are successful because users act without thinking. This is what the attackers want, and some of the main weapons in their arsenal are deceptions that create an urge to act on a whim.
- Look out for poor spelling and grammar – The phishing landscape is full of attackers who haven’t been paying much attention during grammar classes. When it comes to sophisticated attacks, spelling and formatting errors are much less common, but they can be a dead giveaway in bulk phishing campaigns launched by novice wannabe hackers.
- Be suspicious of requests for too much personal information – Requests for detailed sensitive information should always raise a red flag, especially when they come via email, SMS, or phone call.
- Never click on suspicious links – Links in emails should be treated with suspicion as a general rule. Be very careful to double-check every URL before you click on it, and if you see something that’s not right – make sure you leave it alone.
- Double-check URLs before you click on them – Sometimes, links may be placed under a button or a piece of text. You can still check out the URL without clicking it by hovering over with your mouse on a desktop or laptop computer or touching and holding it on a mobile device.
- Report phishing emails – Hackers compromise entire servers to facilitate their phishing scams, and often, the owners of the hacked accounts are completely oblivious to what’s going on.
The Role of Your Hosting Provider
One of your hosting provider’s main responsibilities is to make sure its servers aren’t used for malicious purposes. This includes doing everything in their power to stop phishing attacks.
Often, attackers don’t have the budget to register a domain name and set up a hosting account.
Instead, they use compromised websites to host the fake login forms. Hosts should be on a constant lookout for this sort of behavior and remove phishing pages from their servers as soon as they are detected. That way, even if users fall for the scam, the only thing they’ll see after they follow the link will be a 404 error.
Hosting companies also need to act on reports regarding their customers’ outgoing email communication. If all hosting providers have properly enforced anti-phishing policies, we stand a better chance of keeping this sort of activity to a minimum.
Finally, ScalaHosting is glad to offer customers robust spam filters that can stop most of the spam and phishing emails before they reach your email account.
Although it’s been around for a long time, phishing continues to be a very successful business for cybercriminals. Part of this is due to the fact that pulling off a phishing attack doesn’t require a vast set of technical skills or a massive budget. Phishing is accessible to a broad range of cybercriminals, and the attacks are quite common.
However, it must also be said that phishers put more thought into their operations than they used to.
Underestimating the threat is not a very good idea.
What are the most common signs of a phishing email?
If an email purports to be from a service provider but comes from a generic email address (e.g., an @gmail.com address), there’s almost certainly something wrong. Grammar and spelling errors are another tell-tale sign of a phishing attack, and if the email is telling you to click on a link as a matter of urgency, you need to proceed with extra caution.
What should I do if I receive a phishing email?
Occasionally, criminals may use malware alongside their phishing attacks, so if you see a suspicious email in your inbox – it’s best to delete it without opening it. If you know where it’s coming from and think the sender may have been hacked, try to inform them or their hosting provider.
This may be the best way to put an end to the attack before it causes any harm.
Why do I keep getting phishing emails?
Generally speaking, there are two options: you either present a lucrative target for the phishers, or your email address has ended up on a list that criminals use in their bulk attacks. Either way, you have little choice but to be extra careful with the contents of your inbox and employ a more robust spam filter.
ScalaHosting – Cyber Attack Guide – Phishing