Phishing is a type of cybercrime that has become increasingly common in recent years. It involves an attacker, or “phisher”, posing as a legitimate organisation and contacting targets through social media, email, telephone, or text message. The criminal’s goal is to convince the individual that they really are from the organisation being spoofed, so that the target is fooled into handing over sensitive information such as usernames, passwords, or credit card details. This data is collected either by an attachment containing malware or via a fake website to which the victim is directed in the email.
Once the attacker has obtained the sensitive information, they use it to commit identity theft. They may also use it directly to withdraw money from the victim’s accounts and transfer it to fake bank accounts of their own, which they can then access.
How do phishers contact their victims?
The most common way that scammers contact their victims is by email. Some phishing emails are clearly fake: they are poorly written, ask for personal information very directly and contain no obvious indicators that they are from a legitimate company. However, as public awareness of scams increases, phishers have become more creative with their emails. Their operation relies on their emails being difficult to distinguish from those of well-known companies, so they will often include logos, signature graphics, and background data collected from internet searches about their victim to fool them into thinking they are being contacted by the real corporation.
Although less common, “vishing” (voice phishing) and “smishing” (SMS phishing) are two alternative phishing strategies. Vishing involves phishing over the telephone, with the phisher pretending to be an operator from the legitimate company. SMS phishing involves the scammer sending fraudulent text messages to their victim, in an analogous way to email phishing.
What do the emails look like?
The emails are nearly identical to those of the legitimate organisation. However, small details may indicate that they are fakes, such as spelling and grammar errors. Most companies address their emails to you as “Dear [username]”, whereas scammers will often write “To our valued customer” or some other generic opening.
The cybercriminals will often try to instil a sense of urgency in their email. They will claim that unless the victim logs into their account immediately, it will be shut down, or something similar. They then direct the victim to log in through a hyperlink embedded in the email, which in reality leads to a fake website the scammer has created.
How to prevent phishing
The easiest way to avoid becoming a victim of phishing through link manipulation is not to follow the link embedded in an email. Instead, search for the website in question in a new tab and log in through that site. If there really is something wrong with your account, you will be informed when you log in. Using appropriate email filters will also help prevent these emails from reaching your inbox in the first place.
The Most Common Phishing Techniques
Classic phishing attacks involve sending mass emails to as many people as possible and hoping that even a small proportion of recipients fall for the attack. However, there are many other ways in which phishers can fool their targets into unwittingly handing over their private information. As technology becomes more advanced, so too do the techniques that cybercriminals use. Here we detail some of the common phishing techniques, some of which are very well known and others quite niche. Knowing what these techniques look like is a good way of staying safe online.
Spear phishing is much like the classic phishing attack, except targeted to specific individuals or organisations. The hacker may have searched through social media and the internet to find personal information that can be incorporated into the email to make it seem more believable and increase their chances of success. Whale phishing is a subset of spear phishing; it specifically targets an individual high-up in a company, such as an executive.
In session hijacking, the phisher exploits the web session control mechanism to gain unauthorised access to a web session and uses it to gather information from their victim. In the simplest session hijacking attack, the scammer uses a procedure known as “session sniffing”, in which a sniffer intercepts the relevant session information so that the phisher can access the web server illegally.
In content injection, the phisher changes the content of a trusted website. This often redirects the user to a page outside the legitimate website, where they are asked to enter their personal information, which the phisher then uses for malicious purposes.
Malware is often sent to a user as an attachment to an email. Once the victim downloads and opens the attachment, the malware begins to run on their computer. It then collects data from the user’s computer, which the scammer can access. Ransomware is a related form of malware that denies the user access to their device, or to certain files on it, until a ransom has been paid to the scammer.
Malware may also be installed via malicious advertising (“malvertising”), which exploits vulnerabilities in Adobe PDF or Flash to install the malware on the computer.
Link manipulation is a very common way in which phishers trick their victims into giving up private information. The phisher sends a link, often via email, to a fake website. When the user clicks the link, they are told to log in as normal. When they enter their login details, the phisher collects them and uses them to commit identity theft. The fake website looks extremely similar to the real website and may differ only in its URL. Hovering the mouse over the hypertext in the email reveals the real destination address and exposes the link as a fake.
A keylogger is a type of malware designed to log keystrokes on the victim’s computer. The phisher then receives this information, from which they can pick out login details. Some high-security websites try to counter this type of attack by having users enter usernames and passwords with mouse clicks on a virtual keyboard.
As phishing has become more sophisticated in recent years, so too have the techniques developed to counter the attacks. Many organisations have been set up, by both governments and private individuals, to try to prevent attacks and to help those who have fallen victim to scammers.
The most common way these organisations help potential victims is by arming them with knowledge of what the most recent scams look like. They often post descriptions of the latest phishing emails on social media, and by raising awareness they hope to prevent people from accidentally giving phishers the information they want. This can prove very effective: knowledge of the Google Docs phishing attack in 2017 spread quickly on social media, which helped get it shut down relatively soon after it started.
As well as alerting potential victims to the latest scams, these organisations train people to look for the generic signs of a fraudulent email. Many people know the signs of a basic phishing email: it is poorly written, asks for personal information very directly and contains no obvious indicators that it is from a legitimate company. These organisations also teach the public that phishers have become more creative in recent years, including logos, signature graphics and background data gathered from internet searches about the victim so that their emails are hard to distinguish from those of well-known companies.
According to several anti-phishing authorities, nearly all legitimate company emails address the customer by name or by username. A common way to spot a phishing email is a generic opening such as “Dear PayPal customer”. Furthermore, legitimate emails are sent from the company’s real email address, such as @paypal.com, whereas fake emails may be sent from a similar-looking address, such as [email protected]. Carefully checking the sender’s email address can help discern fake emails from real ones.
Users are also advised not to follow links in the email, but instead to open a new tab and search for the website independently. By logging in through this route, the user can see whether there is really something wrong with their account, as they will be alerted on login.
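As an added illustration (not part of the original article), the following Python script checks a raw email for the signs described above: a sender address outside the expected domain, a generic opening, urgency wording, and a link whose visible URL differs from its real target, which is what hovering over the link would reveal. The sample message, addresses and domains are constructed for this example, and the script assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Signs the article lists: generic opening, urgency, look-alike sender, hidden link target.
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "to our valued customer")
URGENCY_PHRASES = ("immediately", "will be shut down", "will be suspended")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
def _domain(value):
    """Lower-cased host of a URL or bare host, or the part after '@' in an address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()
def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)
def phishing_indicators(raw_email, expected_domain):
    """Return the indicator labels found in a single-part HTML message."""
    msg = message_from_string(raw_email)
    findings = []
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    if not _belongs_to(sender, expected_domain):
        findings.append(f"sender-domain-mismatch:{sender}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    if any(u in text for u in URGENCY_PHRASES):
        findings.append("urgency-language")
    for href, visible in ANCHOR.findall(body):
        target = _domain(href)
        if target and not _belongs_to(target, expected_domain):
            findings.append(f"link-target-offsite:{target}")
        # What hovering over the link reveals: the URL shown versus the real target.
        shown = _domain(visible.strip()) if HOST_LIKE.fullmatch(visible.strip()) else ""
        if shown and shown != target:
            findings.append(f"link-text-mismatch:{shown}->{target}")
    return findings
# Constructed sample message; every address and domain here is made up.
SAMPLE = """From: PayPal Service <service@paypa1-secure.example>
Content-Type: text/html; charset=utf-8

<p>Dear valued customer,</p>
<p>Unless you log in immediately, your account will be shut down.</p>
<p><a href="http://login.paypa1-secure.example/auth">https://www.paypal.com/signin</a></p>
"""
```

Calling `phishing_indicators(SAMPLE, "paypal.com")` flags all four signs for the sample, while a message from the real domain with a personal greeting and a link whose text matches its target returns an empty list.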
Internet service providers (ISPs) have also deployed anti-phishing measures. Gmail has “report scam” and “report phishing” options on the drop-down menu when an email is opened. Similarly, Outlook’s email service has a “report phishing” button on its page. If the scam email came from a Yahoo! account, it must be forwarded to [email protected] for further investigation. The ISP has the power to close the account from which the email was sent, locking the phisher out of their operation.
Organisations that are often spoofed, such as PayPal or Google, have also taken steps to protect their customers against scammers. Many companies have action plans ready in case they are spoofed. They have the capability to warn their customers or client list about the scam, and may put notices on their website or social media pages, or even alert local news outlets, to raise awareness and prevent their customers from falling victim to fraud.