For almost as long as there have been emails, there have been phishing lures, scams and hacks, baiting the unsuspecting into taking disastrous actions.
So old is this hacking technique that it may seem a wonder that cybercriminals still resort to it as much as they do. Indeed, there are many much more sophisticated techniques that maliciously-minded attackers have at their disposal in order to wreak havoc on the web waves. But the fact remains that phishing still works, is still effective, and is in fact one of the simplest methods of cyberattack for a cybercriminal to learn and deploy.
But what is it?
What Is Phishing and How Does it Work?
Phishing is a form of cyber fraud. What happens is that an attacker poses as a reputable entity – perhaps as a bank, insurance or credit card company – and uses these false credentials in order to extract sensitive information from the victim.
Typically, a phishing scam will arrive via an email or instant message. Contained within the message will be a link or an attachment. If it’s a link, the victim will be directed to a website where they will either be tricked into divulging sensitive data – such as passwords or banking information – or else the website will begin to install malicious software (malware) on the victim’s machine. If it’s an attachment, then this will most likely contain the malware itself.
Why Phishing Is the Number 1 Delivery Method of Malware
Phishing is so popular because it’s so easy. You don’t need to be a genius hacker in order to start phishing – you just need an email address and access to malware (which is alarmingly easy to come by on the Dark Web).
As such, it’s no surprise, then, that Phishing is the number 1 delivery method of malware. Indeed, phishing is on the rise. The Anti-Phishing Working Group (APWG) has recently released its Q2 2016 report, in which it is revealed that phishing activity has reached an all-time high.
(Image source: APWG.org)
Types of Phishing to Be Aware Of
There is more than one type of phishing attack. Although the end-goal is always the same, there are variations in the tactics involved.
Spear-phishing refers to a targeted phishing attack. Whereas normal phishing involves casting the net wide, as it were, by sending thousands of duplicate emails out to thousands of potential victims in the hope that a certain percentage will ‘bite’, spear-phishing involves personalisation.
Spear-phishing emails and messages will address the victim by name, and the most effective ones will appear to know a few personal details. A lot of this information can be freely and easily gleaned from social media – these days we all like to give our good selves away on our favourite social networks, and therein lies the danger.
For example, you may have recently made a purchase from, say, a shoe shop, and have turned to Facebook to express your delight at the new pumps you’ve been sporting at the weekend. An attacker might take note of this, quickly set up a fake account, and then send you a message.
“Hey Bob! So glad you’re enjoying your new kicks! We thought we’d say thank you by giving you a 20% discount on your next purchase. Just follow this link to claim your coupon code [link.to.malicious.website]. Have a great day!!”
Spear phishing attacks are also rife amongst businesses and professionals. These don’t tend to be by random hackers, but by serious cybercriminals out to gain access to extremely sensitive and valuable databases that might contain customer records, trade secrets, or even military and government information.
Essentially, whaling is a form of spear phishing, though one that exclusively targets high-profile and high-worth individuals. When we talk about whaling, we’re talking about spear phishing attacks that target politicians or other government officials, corporate executives and celebrities.
Again, the method of attack remains the same. The whaling message will be highly-personalised, and include the victim’s name, job title, and normally a host of other information that is all quite readily gleaned from the internet.
This type of phishing gets its name from the bait that’s used, and is prevalent in both spear phishing and whaling. What happens is that a previously delivered email is intercepted, cloned, and then resent to the victim in almost identical form – the only difference being that a malicious link or attachment has been added. To allay suspicions, the cloned email may claim to be an updated version of the original, and will come from an email address that upon first glance appears to be identical, though closer scrutiny would reveal minor alterations.
Types of Phishing Lure
Email subjects and attachments come in many forms. Here are 3 that you need to be aware of.
With the rise of VoIP and hosted PBX, voicemails are now just as likely to end up in your inbox as on your phone. We don’t tend to associate voicemail with malware, however, and attackers exploit this by sending voicemail attachments that in fact contain nothing but malware.
When a message is flagged up as being “Urgent”, caution is easily thrown to the wind – especially in corporate environments when time is money. Beware, therefore, of any emails that claim to require your “urgent” attention.
This is an attack that involves a message explaining that your account has been compromised, and you need to follow the link below to reset your password or reactivate your account. A security alert plays on the emotions, and can make you act quickly. As always, caution must be exercised.
If you’re concerned that your business or organisation may not be currently equipped to deal with the threats from phishing, then please get in touch with us here at Tupelo Technology. We have the expertise and a range of IT security solutions that can help you keep your business safe.