Phishing is a form of cybercrime, where an attacker poses as a legitimate institution and uses their fraudulent authority to lure information from their target. In this article, we go through some of the most common phishing schemes and attack methods and give you advice on how to detect phishing attempts.
How does Phishing work?
The most common type of phishing is the attacker approaching their target, usually by email, posing as a legitimate company and, through this, attempting to pry personal information or login information from the target. The emails often rely on invoking a sense of alarm or (ironically) a loss of security. The phishing attack could be a pretend message from your “bank” or from a place where you keep your information, such as Google Drive. The phishers may tell you there has been a breach of information and ask you to log in through their website to ensure “you are you”, or to change your password. This site is then a fake website, used only to capture the target’s login details for the service in question, such as the bank or their Google account.
It could also be that the phishing email is camouflaged as a routine password change or an update of one’s information. For example, you could receive an email from a piece of software you use, telling you that your subscription is running out and asking you to continue the subscription by entering your credit card details. The party asking for your credit card details is a scammer, who will use your credit card information.
The phishing email could also “warn” you that your password to a piece of software or an application is getting out of date, and ask you to create a new password. As you enter your old and new passwords, the phishers gain access to your old (that is, real) password for the software or program and use it to log in and obtain your private information.
Most phishing attacks still come via email, but they aren’t the only medium for phishing attacks anymore. They can also occur via instant messages, social media or even search engine ads, such as Google Ads. What all of the scams have in common is that they include a link to a website, which then tries to get you to give away your login credentials to a specific website, or to surrender your private data such as social security details or bank card number.
Phishing Scams to Avoid
Spear phishing refers to a more personalized form of phishing. In spear phishing attacks, the hacker seeks to find out as much as they can about you – your name, company, position, number, anything they can find. They then use this information to their advantage to pretend to be someone you know and trust, to get you to perform the requests the attacker asks for.
Whaling is a type of phishing attack targeted specifically at those in high positions of power in a company. This usually means a CEO, a CFO or some other senior-level manager who has access to or knowledge of sensitive company data. The term “whaling” refers to the fact that the targets are the “big fish” in the phishing pool. Whaling attacks are usually especially well thought out and have the objective of gaining sensitive company data for the phisher’s financial gain. Whaling attacks have usually been planned for a long time, and they are highly personalized and very elaborate.
Phishing and pharming are different ways of manipulating targets on the internet. The object of phishing is to get the target to give their information to a fake website. Pharming involves modifying DNS entries, which means that when the user enters a web address, they will be directed to the wrong website. In other words, the DNS server responsible for translating the website address into the real IP address is changed, and the website traffic is redirected to another site. Pharming attacks occur due to vulnerabilities in DNS server software, and a pharming attack can be difficult to detect. The best way to detect a possible pharming attack is to raise the alarm if a familiar website looks significantly different from how it used to look. Pharming attacks may affect many people at once, so if you encounter a pharming attack, you should always report it. Even major companies such as Snapchat have fallen victim to pharming attacks.
Spoofing refers to the scammer posing as someone else to get the target to perform a specific action. Many phishing attacks thus use spoofing: a phisher may pose as someone from your IT department, asking you to go to a website and re-confirm your login details for your computer. This site is then a fake website, and the phisher has gained access to your login details without you knowing anything was wrong. Many phishers therefore use spoofing as a method of manipulation, but not all spoofing attacks are necessarily phishing. A spoofing attack could be, for example, a hacker posing as your coworker and asking you to download a file, where this file is actually a trojan or a piece of ransomware used to hurt you or your company. However, as the method is not to get you to give away your private details, it is not a phishing attack but another type of cybercrime.
Vishing is the phone counterpart of phishing, meaning that scammers call the targets to solicit information. Vishers pose as a legitimate entity and ask you for your personal information, using different methods of manipulation or “social engineering”. Be very wary of giving any private information away over the phone, especially if the phone number is blocked or you don’t recognize the area code or number. If possible, ask for a number you can call back, and check it against the source they claim to be, or call the party’s customer service and ask whether they need to contact you. If you have received an email providing a specific number and asking you to call it, you can Google the name or forward the email to the organization the email’s sender claims to be from, and ask whether the email is legitimate.
Phishing Attacks: Warning Signs
A phishing website (or a spoofed website) usually tries to appear at least somewhat legitimate. It may be devised to look like an existing legitimate website and mimic, for example, your bank’s or health care center’s website. The website is created so that you give away your login credentials or other private information. You are most likely to receive a link to this website via email or an instant message, but you could also land on the page by mistyping a URL or clicking the wrong link in your search results. The first thing, then, is to be wary of the sender of the email or instant message and make sure you know the sender, or that the sender is who they claim to be.
How to Spot a Phishing Website
If you do click on a link in an email, do not log in with your credentials anywhere if you have any doubts. Phishing scams and scammers are becoming very sophisticated, and phishing websites may bear a very close resemblance to the website they are trying to mimic; the website might use the correct colors, typefaces and fonts so that targets are not alarmed. There might even be hyperlinks to the real website included in the email you received, to make you believe the email came from an authoritative source. There are a few things you can do to investigate whether you are on a phishing website.
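As an added example that is not part of the original article, the following Python script applies these checks to the links in an email body before anyone clicks: it flags links whose visible text names a different domain than the actual destination, links that go to a bare IP address instead of a company domain, and destinations that are near misses of a trusted domain (such as a digit 1 in place of an l). The trusted-domain list, the sample message and all helper names are constructed for this illustration.

```python
# Added example (not from the article): flag suspicious links in an HTML
# email body the way a phishing-aware reviewer would. The trusted-domain
# list and the sample message below are constructed for this illustration.
import difflib
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: registrable domains the recipient legitimately deals with.
TRUSTED_DOMAINS = ["examplebank.com", "google.com"]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Hostname of a URL (scheme added if missing), lower-cased, or '' if none."""
    if "://" not in url_like:
        url_like = "https://" + url_like
    try:
        return (urlparse(url_like).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    """Last two labels of a hostname: 'drive.google.com' -> 'google.com'.
    A crude stand-in for a public-suffix lookup; fine for .com-style names."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """Visible anchor text that itself reads as a domain or URL."""
    return "." in text and not any(c.isspace() for c in text)


def analyze_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return (href, kind, detail) for every link worth a second look."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:  # mailto: and relative links are out of scope here
            continue
        # Warning sign 1: the visible text names one domain, the link goes elsewhere.
        if looks_like_url(text):
            text_dom = registrable_domain(host_of(text))
            href_dom = registrable_domain(href_host)
            if text_dom != href_dom:
                findings.append((href, "text-mismatch",
                                 f"text shows {text_dom}, link goes to {href_dom}"))
                continue
        # Warning sign 2: a bare IP address instead of a company's domain name.
        if is_ip_literal(href_host):
            findings.append((href, "raw-ip", f"link goes to IP address {href_host}"))
            continue
        dom = registrable_domain(href_host)
        if dom in trusted:
            continue
        # Warning sign 3: a near miss of a trusted name (e.g. a digit 1 for an l).
        close = difflib.get_close_matches(dom, trusted, n=1, cutoff=0.8)
        if close:
            findings.append((href, "lookalike", f"{dom} resembles trusted {close[0]}"))
        else:
            findings.append((href, "untrusted", f"{dom} is not a known domain"))
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """
<p>We noticed a login from a new device. Please review:</p>
<a href="https://examplebank.com/help">Help centre</a>
<a href="https://examplebank-login.com/verify">https://examplebank.com/verify</a>
<a href="https://examp1ebank.com/reset">Reset your password</a>
<a href="http://203.0.113.5/login">Log in now</a>
<a href="https://drive.google.com/file/d/abc">Open the shared statement</a>
<a href="https://totally-unrelated.example/u">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, kind, detail in analyze_links(SAMPLE_EMAIL):
        print(f"[{kind:13}] {href}  ({detail})")
```

Run against the constructed message, four of the six links are flagged: the text/destination mismatch, the lookalike domain, the raw IP address and the unknown domain; the genuine bank link and the Google Drive link pass. The two-label domain heuristic is deliberately simple; a production tool would consult the public suffix list so that names under country-code second-level domains are grouped correctly.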
Phishing Website Warning Signs
Phishing Protection Is About Continuous Training
Accidentally opening a phishing email or a phishing website is not the end of the world. Unless you give the website your login credentials or other private information, there isn’t much the scammers can do. If you accidentally download an attachment from an email or download something from a webpage, there is a chance your computer might get infected with malware, such as a computer virus or spyware, which will track your internet activities on your computer. Your antivirus software should protect you against this type of malware; it is, in fact, human-assisted malware that is much more difficult to protect against. This is because phishing attempts rely on people’s unawareness of this type of social engineering attack, and result in people willingly giving away their information.
This is why the best way to protect yourself and your company against phishing is training yourself, your coworkers and your employees on what phishing attacks are, what they look like and what the warning signs are. Phishers rely on people not being educated and alert against them, and paying constant attention and training against the evolving methods of phishers is the best way to stay safe from the attacks your antivirus software cannot protect you against, namely the attacks that take advantage of human vulnerabilities.