Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. Phishing is the process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.
Phishing scams account for nearly 80% of security incidents. Since these attacks rely on human fallibility rather than the strength of your systems, they can be difficult to combat. This overview of phishing provides an introduction to phishing and social engineering, and helps to understand how you can avoid such attacks and protect your business and employees.
What is Phishing?
Phishing is the crime of deceiving people into sharing sensitive information such as passwords, or payment information. Much like real fishing, there are multiple ways to reel a victim into sharing information that they otherwise would not share. Targets are typically contacted by email, phone, text, or over social media.
The first phishing lawsuit was filed in 2004 against a Californian teenager who created the imitation of the website “America Online” (AOL). With this fake website, he was able to gain sensitive information from users and access the credit card details to withdraw money from their accounts. AOL's popularity started to attract tech-savy people who had less than pure intentions. From the beginning, hackers and those who traded pirated software used AOL's messenger to communicate with one another. This community was referred to as the "warez community". It was this community that eventually made the first moves to conduct mass phishing attacks.
One of the first way in which phishers conducted attacks was by stealing users' passwords and using algorithms to create randomized credit card numbers. While lucky hits were few and far between, they were able to strike the jackpot often enough to cause a lot of damage to unsuspecting victims. The random credit card numbers were used to open AOL accounts. Those accounts were then used to spam other users and for a wide range of other things. Special programs like "AOHell" were used to simplify the process. This was put to an end by AOL in 1995, when the company created security measures to prevent the successful use of randomly generated credit card numbers.
With their random credit card number generating scheme shut down, phishers created what would become a very common and enduring set of techniques. Through the AOL instant messenger and email systems, they would send messages to users while posing as AOL employees. Those messages would request users to verify their accounts or to confirm their billing information. More often than not, people fell for the ruse. After all, nothing like it had ever been seen before online. The problem only intensified when phishers set up AIM accounts. AIM accounts could not be “punished” by the AOL TOS department. Eventually, AOL was forced to include warnings on its email and instant messenger clients to keep people from providing sensitive information through these phishing methods.
In many ways, phishing has not changed too much since the AOL days. In the early 2000s, cyber criminals started to get smarter with their tricks. Phishers began to register domains that looked like legitimate sites such as eBay if you weren't paying attention. As these were the early days of the Internet, users did not have the education to be on the lookout for fake websites. The cyber criminals went on to use email worm programs to send out spoofed emails to PayPal and eBay customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information for the criminals to steal.
By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. Popup windows were starting to be used to acquire information from victims. Between May 2004 and May 2005, about 1.2 million users in the U.S. suffered losses caused by phishing, totaling approximately $929 million. It's estimated that organizations lose about $2 billion per year to phishing. Phishing is officially recognized as a fully organized part of the black market. Specialized software emerges on a global scale that can handle phishing payments, which in turn outsources a huge risk. The software is implemented into phishing campaigns by organized crime gangs.
As cryptocurrencies like Bitcoin began to gain traction, cybercriminals immediately saw the value of the secure, anonymous transactions. In September of 2013, Cryptolocker ransomware infected 250,000 personal computers, making it the first cryptographic malware spread by downloads from a compromised website and/or sent to victims in the form of two different phishing emails. The first email had a Zip archive attachment that claimed to be a customer complaint and targeted businesses, the second had a malicious link with a message regarding a problem clearing a check and targeted the general public. Once clicked, Cryptolocker scrambles and locks files on the computer and demands the owner make a payment in exchange for the key to unlock and decrypt the files. Since then, ransomware attacks have went on to become one of the most feared attacks for organizations small and large.
The most common phishing technique by far is email. The same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email. Some phishing scams involve search engines where the user is directed to products sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate that are actually phishing sites.
Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.
A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals. Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.
In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.
Recognize & Avoid Phishing Scams
Unlike other kinds of online threats, phishing does not require particularly sophisticated technical expertise. In fact, according to Adam Kujawa, Director of Malwarebytes Labs, “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.” Phishers aren't looking for technical vulnerabilities - they're utilizing social engineering to trick their victims. From Windows, to Mac, to iPhone, to Android, no device is safe from phishing, no matter how much security you think you have in place. Attackers will often resort to phishing attacks because there are no technical vulnerabilities to exploit. There's no need to waste time trying to get through multiple layers of security when you can simply trick someone into handing over their information. The weakest link in a security system is not a vulnerability or glitch - rather the human behind the keyboard.
The above graphic outlines 22 social engineering red flags to be aware of that are commonly seen in phishing emails.
In order to protect your organization from social engineering and phishing scams, it is imperative to train employees on current threats, and what to look out for:
Is it too good to be true? Many phishing emails have eye-catching offers or statements designed to immediately grab your attention. As an example, some phishing emails may claim you have won a free device, or money. If it seems too good to be true, it likely is!
Sense of Urgency - A common tactic among cyber criminals is to get you to act fast, without critically thinking. The deal may be for a limited time. Your account will be suspended unless you update personal details immediately. When in doubt, go to the site directly, and never by clicking the link in an email or message.
Hyperlinks - Links are not always what they appear to be. Hover over the link and verify the URL that the link will you take you to. Phishers will often insert links to their own sites to gather information. For example, a hyperlink that looks like Bank of America could actually be taking you to "www.bankoffamerica.com".
Attachments: If you get an attachment in an email you were not expecting, do not open it! A popular method to distribute malware via phishing is through attachments. They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
Unusual Sender - Make sure to check the emails that are coming into your inbox. Phishers are using emails that look like a real person to trick victims into sending sensitive information.
Are you concerned about email security? How phishing scams might impact your business? Contact us today and let's chat about how to improve your security. We offer simple and effective solutions including Office 355, email and network security, and staff training in order to to harden your security to give you peace of mind, allowing you to spend more time focusing on business tasks.