Phishing is a kind of cybercrime in which the attacker poses as a reputable and trusted entity or person in an email, telephone call or other communication channel. The attacker tricks the victim into believing false messages and eventually lures the victim into disclosing sensitive information.
Phishing is one of the oldest kinds of cyber attack, and, to date, it remains one of the most dangerous cyber threats. Cyber crooks are continuously devising new phishing techniques and adopting more sophisticated approaches to lure victims.
The information stolen through phishing is used by the cyber crooks in different fraudulent and criminal activities. They may use it to access the target users’ devices and cause damage to their data as well as reputation.
Phishing is an easy method for hackers to collect confidential user data. It is much simpler for them to lure someone into clicking a malicious link or downloading an infected attachment than to break through the security of a device.
In this article, we will discuss how the term phishing originated, what its types are, how to combat it and some well-known phishing scams that have occurred in the past. So, let’s begin.
What is the history behind phishing attacks?
The term phishing was coined by the renowned hacker and spammer Khan C Smith in the 1990s. It is pronounced like “fish” or “fishing”.
An angler throws a hook into the water and waits for the fish to bite it and get trapped. Similarly, the attacker sends a false message and waits for the victim to get trapped in it. In this way, the term “phishing” arose.
The ‘ph’ part of the term is often said to have been inspired by the word “phreaking”, which also denotes a form of hacking.
The term phishing originated when cybercriminals were busy tricking AOL users into giving up their login credentials.
In 1995, a program called AOHell appeared, in which the attacker posed as an AOL staff member and sent an instant message to a target victim.
It asked the victim to disclose their password.
To convince the target, the message often included imperatives like “Verify your account” or “Confirm billing information.”
Once the victim disclosed the confidential information, the attacker used it for fraudulent or criminal purposes.
With time, various kinds of phishing methods have emerged and are still being applied online. Some of them are discussed below.
What are the different types of phishing?
Some of the prevalent types of phishing are discussed here.
Phishing attacks targeted at specific individuals or organizations are called spear phishing.
In this type of attack, the attacker gathers information about the target and uses it in the message to increase the chance of success against the victim.
Spear phishing directed at senior officials and top executives of an organization is called a whaling attack.
The cybercriminals collect detailed information about the particular executive and use it to make the message look authentic.
The targeted officials are mostly those who handle finance and payments. The attackers pose as an employee and send a message instructing the victim to make a large payment to a vendor.
In reality, the payment would be sent to the attacker.
In pharming, a user who tries to reach a legitimate website is redirected to a malicious one.
The cybercrook lures the user into entering their login credentials on the fake site. Pharming relies on DNS cache poisoning.
In clone phishing, a duplicate or clone of a previously delivered legitimate email is made, and one or more links or attachments of the original email are replaced in the clone email with malicious links or malware attachments.
Since the duplicate email is almost identical to the original, users often click the links in the clone and are compromised.
Voice phishing is the phishing attack that occurs over voice communication media like VoIP (Voice Over Internet Protocol) or POTS (Plain Old Telephone Service). It is also known as vishing.
In this kind of attack, the cybercriminal uses speech synthesis software and leaves a false voice message, for example a message notifying the user about suspicious activity in their bank account.
The attacker instructs the user to call back a telephone number, which in reality belongs to the attacker, and to provide their details; the attacker records the sensitive data as soon as the victim responds.
The attackers play with the psychology of the target users and tempt them to click infected links or malware attachments.
They influence the mindset of users with realistic-looking fake messages or images, leading users to believe them and respond as the attacker wishes.
SMS phishing is another phishing attack aimed at mobile devices. The attacker sends fake text messages to users, tempting them to download malware attachments or click infected links, and eventually leading them to reveal their login credentials, passwords, etc.
This method is also called SMShing or SMishing.
There are several other techniques like website forgery, link manipulation, tabnabbing, evil twins, etc. which are used by cybercrooks to steal sensitive user data.
Link manipulation is when users click links that appear legitimate but are in reality malicious and lead to fraudulent websites.
When multiple tabs are open, a user may fall prey to tabnabbing. Here, the user is silently redirected to an infected website, or a malicious web page stealthily loads in one of the open tabs.
In the evil twins method, a phisher creates a fake wireless network which looks like a legitimate network available at public places like airports, cafes or malls.
Whenever a user connects to this network, the attacker captures the user’s passwords, credit card details, etc.
How to prevent phishing attacks?
To avoid being attacked by phishers, one has to be highly aware of and alert about one’s online activities. One should be careful while opening attachments or clicking links in emails, visiting websites or downloading software.
Other tactics that can save you from phishing attacks are listed below.
Use of filters
A gateway email filter can block mass phishing emails. In this way, the number of phishing emails delivered to users is decreased.
Also, spam filters can detect spam emails by assessing the origin of the message, its appearance and the software used to generate it.
Use of email authentication standards
There should be at least one email authentication standard in use so that inbound email can be verified. For example, the Sender Policy Framework (SPF) protocol helps to reduce unsolicited emails.
The DomainKeys Identified Mail (DKIM) protocol allows receivers to block messages except for those which are cryptographically signed.
Another protocol, Domain-based Message Authentication, Reporting and Conformance (DMARC), builds on the two and states that both SPF and DKIM must be in use. DMARC handles phishing emails more effectively.
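The following added example (not part of the original article) shows how a receiving mail server applies these standards: it evaluates an SPF record for a sending IP, parses a DMARC record, and combines the SPF result, the DKIM verification status and identifier alignment into a DMARC disposition. The domains, records and IP addresses are constructed, and DNS lookups are replaced by an in-memory table.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups (assumed domains, not real zones).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.
    Supports ip4/ip6/include and the +/-/~/?all terminator; a/mx/ptr are not handled."""
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"  # no usable record (or too many nested includes)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if check_spf(term[8:], sender_ip, depth + 1) == "pass":
                return "pass"
        elif term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"  # record ended without an `all` term

def parse_dmarc(domain):
    """Return the tag dictionary of _dmarc.<domain>, or None when there is no DMARC record."""
    record = TXT_RECORDS.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") also accepts a subdomain."""
    if header_from == auth_domain:
        return True
    return mode != "s" and (header_from.endswith("." + auth_domain) or auth_domain.endswith("." + header_from))

def dmarc_disposition(header_from, mail_from_domain, sender_ip, dkim_domain=None, dkim_valid=False):
    """Apply the From: domain's DMARC policy: "accept" if SPF or DKIM passes with alignment,
    otherwise the policy action ("reject", "quarantine" or "none")."""
    policy = parse_dmarc(header_from)
    if policy is None:
        return "accept"  # no DMARC record: nothing to enforce
    spf_ok = check_spf(mail_from_domain, sender_ip) == "pass" and \
        aligned(header_from, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = bool(dkim_valid and dkim_domain) and \
        aligned(header_from, dkim_domain, policy.get("adkim", "r"))
    return "accept" if (spf_ok or dkim_ok) else policy.get("p", "none")
```

Swapping the table for real TXT lookups turns this into a minimal policy check; the point to notice is that an unauthorised sending IP spoofing the From: domain ends up at the domain owner's p=reject action.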
Browser settings should be changed to block malicious or fake websites. Browsers maintain a list of known fake websites and block such sites or show an alert message when you try to access them. The settings should be made in such a way that only trusted websites can open.
Monitoring systems and a CAPTCHA system
Banks and companies have monitoring systems to identify phishing emails. Users can also report any act of phishing against a website, and the corresponding organization can then take legal action against the phishers.
Employees should be given security awareness training to detect the risks.
Users must change their passwords periodically and never use the same password for multiple accounts. Some sites provide a CAPTCHA system to offer additional security protection.
Web security gateway
A web security gateway offers an extra layer of defense against phishing attacks. It checks each requested URL against a database of suspected malicious links and blocks the user from accessing the URL if it is found to be dangerous.
There are many other resources available on the Internet that help in fighting phishing. For example, the Anti-Phishing Working Group Inc. and the OnGuardOnline.gov site of the federal government provide suggestions on identifying, avoiding and reporting phishing attacks.
Wombat Security Technologies’ Anti-Phishing Training Suite and PhishMe are interactive security awareness training aids which train employees to combat phishing.
Websites like FraudWatch International and MillerSmiles publish the recent phishing email subject lines that are spreading across the internet.
Some popular phishing attacks
Phishing has been in vogue since the 1990s. Some of the attacks that have occurred in the past are mentioned here.
- In July 2017, phishing emails were sent to more than 3000 small companies, announcing a forthcoming delivery by United Parcel Services (UPS) and including a package tracking link. Clicking the link infected the recipient’s system with malware and viruses.
- In the W-2 phishing scam, attackers sent emails as if they came from high officials of an organization. These fake emails asked for the login details and passwords of different users for tax-related purposes. In this way, more than 1.2 lakh (120,000) people had their personal data compromised.
- In the Google Docs Hack, over 3 million workers worldwide were asked to stop work when hackers sent out fake email invitations to edit documents on Google Docs. On opening the invitation, the user was taken to a third-party app that allowed hackers to access Gmail accounts of the victims.
- In the Amazon Prime Day Phishing attack, hackers sent fake deals through messages to Amazon customers. When a customer tried to purchase a deal, the transaction did not complete, but the customer details entered in the process were stolen.
Phishing is one of the oldest types of cyber attack and remains a massive risk for users.
It is a technique where the attacker poses as a legitimate person or as part of a legitimate organization and lures the target user into giving up personal details like login credentials, bank account details, passwords, etc.
The cybercriminal then misuses this information for fraud, other crimes or extortion.
The attackers play with the psychology of the users and tempt them to compromise their sensitive data, thus violating their privacy.
Phishers can attack through infected links or malware attachments in emails, fake text messages or threatening phone calls. They may target an individual or an entire organization.
To combat phishing, you must be highly aware of your online activities. Be careful while clicking links or opening attachments.
You can also visit trusted websites that provide advice on dealing with phishing, and also check your browser settings to block malicious sites.