Phishing

What is Phishing?

Phishing is a method that hackers employ to collect personal data using deceptive websites and emails. The goal is to trick the victim into believing that a message, a website, or an attachment is something they want or need.

Hackers use deception to trick employees into clicking phishing emails. For instance, they create emails masquerading as requests from banks, additional information from vendors, or an urgent note from a colleague or manager.


Key Takeaways

  • Phishing is an attack method that uses deceptive emails and websites to steal confidential information
  • In phishing, an attacker masquerades as a trusted entity, such as a real person or business that the victim knows
  • More than 75 percent of all recent breaches involved phishing
  • Hackers have access to bundled kits with resources and tools that make phishing easy and effective
  • Cybercriminals increasingly use phishing attacks during a pandemic to lure desperate victims

History of Phishing

Phishing is one of the oldest cyberattack types, dating back to the 1990s. It is still one of the most prevalent and successful attack methods in use today. Hackers are devising more clever messages and advanced techniques to launch sophisticated phishing attacks.

Phishing comes from the word “phish,” which is pronounced like it is spelled. The name comes from the “fishing” analogy that entails using a baited hook to trick a target. In this case, cybercriminals send phishing emails hoping you will fall for their trick.

Real-World Phishing Examples

A 2019 Verizon Data Breach Investigations Report indicates that more than a third of all recent breaches involved phishing.

Some real-world examples of phishing tricks include:

  • Deactivation scares – a deactivation notice lures victims into reacting quickly without scrutinizing the email or URLs
  • Look-alike sites – cybercriminals create phony websites that are difficult to detect
  • Advanced fee fraud – this phishing trick, also known as the Nigerian scam, involves someone overseas offering a share in a large sum of money or a payment if you help the sender transfer the funds out of their country
  • Tech support scam – hackers masquerade as reputable organizations like Microsoft by sending emails containing official-looking contact details. If you respond, a “technician” asks you to install remote-access software for troubleshooting, and the scammers then take control of your system

In 2016, hackers used phishing to trick Hillary Clinton’s campaign chair, John Podesta, into sharing his Gmail password.

Several successful phishing attempts led to an attack in which criminals released intimate photos of several celebrities to the public.

Bundled Kits Make Phishing Effective Today

The availability of phishing kits is making it easy for attackers to launch their phishing campaigns. Cybercriminals have access to a bundled kit with phishing resources and tools to launch attacks from a remote server.

Phishing kits and target mailing lists are available on the dark web. Some sites, like PhishTank and OpenPhish, run crowd-sourced lists of phishing kits.

An attacker installs the kit on a server and sends emails to potential victims.

Phishing Increases During a Crisis – COVID-19 Case

As mentioned, cybercriminals leverage deception and create a sense of urgency to succeed in a phishing campaign. Crises like the coronavirus pandemic offer an opportunity for hackers to trick victims into falling for phishing baits.

A pandemic pushes people to the edge. They are desperately looking for information from companies, governments, research organizations, and other relevant authorities. People will undoubtedly open emails from these bodies during a pandemic, without much scrutiny.

The frequency of phishing threats has risen considerably since the onset of COVID-19. Companies are experiencing an average of 1,185 attacks each month.

COVID-19-themed phishing emails include:

  • Fabricated notices from the CDC, the World Health Organization (WHO), state health departments, and other health organizations
  • Fake updates from organizations with procedures to address the coronavirus disease
  • Phony websites containing maps and statistics
  • Emails with links and information about protecting yourself and your community
  • Illegitimate links to charitable appeals to help victims

Preventing Phishing Attacks

You can take these steps to mitigate phishing attacks:

  • Check for misspelled URLs in emails before you click or share sensitive information
  • Watch out for URL redirects so you do not enter information on a look-alike phishing website
  • Make a habit of typing the correct URL directly into the browser address bar instead of clicking links in emails
  • Contact the source through a different channel (SMS, phone call) if you receive suspicious emails with attachments and links
  • Avoid sharing personal information like physical address, vacation plans, birthday, phone number, and email address on social media
  • Ignore emails offering money from Nigeria or any other country
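As an added illustration of the first two steps above (misspelled URLs and redirects), and not code from the original article: a small Python checker that extracts the links from an email body, flags domains that are close misspellings of a trusted domain or that embed a trusted brand inside a different domain, and flags trusted links that carry another URL in a redirect parameter. The trusted-domain allow-list, the sample email and the evil.example address are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allow-list of domains the reader's organization trusts (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com", "cdc.gov"}
# Query parameter names commonly used to carry a redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "target", "u"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels of the hostname (assumes no multi-part suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_url(url):
    """Return a list of findings for one URL; an empty list means nothing suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if domain in TRUSTED_DOMAINS:
        # Trusted site, but a redirect parameter may bounce the victim elsewhere.
        for key, values in parse_qs(parsed.query).items():
            if key.lower() in REDIRECT_PARAMS and any(v.startswith("http") for v in values):
                findings.append("redirect-parameter")
        return findings
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:  # e.g. example-bank.com.verify-login.net
            findings.append(f"look-alike: {trusted} embedded in {host}")
        if 0 < edit_distance(domain, trusted) <= 2:  # e.g. exampel-bank.com
            findings.append(f"misspelled: {domain} ~ {trusted}")
    return findings

def scan_email(text):
    """Map every URL found in the email body to its findings."""
    return {url: classify_url(url) for url in URL_RE.findall(text)}

# Constructed sample email mixing a deactivation scare with look-alike links.
SAMPLE_EMAIL = """Your account will be deactivated in 24 hours.
Verify now: https://example-bank.com.verify-login.net/secure
Or use https://exampel-bank.com/login
Resources: https://www.cdc.gov/coronavirus
Docs: https://www.microsoft.com/redirect?url=https://evil.example/payload"""
```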

Organizations can implement these measures to prevent phishing threats:

  • Install tools and policies to monitor and analyze web traffic
  • Sandbox inbound emails and assess the safety of external links
  • Conduct regular cybersecurity awareness training
  • Simulate phishing attacks to determine cybersecurity awareness gaps for employees