What is phishing?
Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there’s more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgement by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence.
If users take the bait and click the link, they’re sent to an imitation of a legitimate website. From here, they’re asked to log in with their username and password credentials. If they are gullible enough to comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market.
“Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective.”
Unlike other kinds of online threats, phishing does not require particularly sophisticated technical expertise. In fact, according to Adam Kujawa, Director of Malwarebytes Labs, “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.” Phishers are not trying to exploit a technical vulnerability in your device’s operation system—they’re using “social engineering. From Windows and iPhones, to Macs and Androids, no operating system is completely safe from phishing, no matter how strong its security is. In fact, attackers often resort to phishing because they can’t find any technical vulnerabilities. Why waste time cracking through layers of security when you can trick someone into handing you the key? More often than not, the weakest link in a security system isn’t a glitch buried in computer code, it’s a human being who doesn’t double check where an email came from.
Types of phishing attacks
Despite their many varieties, the common denominator of all phishing attacks is their use of a fraudulent pretense to acquire valuables. Some major categories include:
While most phishing campaigns send mass emails to as many people as possible, spear phishing is targeted. Spear phishing attacks a specific person or organization, often with content that is tailor made for the victim or victims. It requires pre-attack reconnaissance to uncover names, job titles, email addresses, and the like. The hackers scour the Internet to match up this information with other researched knowledge about the target’s colleagues, along with the names and professional relationships of key employees in their organizations. With this, the phisher crafts a believable email.
For instance, a fraudster might spear phish an employee whose responsibilities include the ability to authorize payments. The email purports to be from an executive in the organization, commanding the employee to send a substantial payment either to the exec or to a company vendor (when in fact, the malicious payment link sends it to the attacker).
Spear phishing is a critical threat to businesses (and governments), and it costs plenty. According to a 2016 report of a survey on the subject, spear phishing was responsible for 38% of cyberattacks on participating enterprises during 2015. Plus, for the U.S. businesses involved, the average cost of spear phishing attacks per incident was $1.8 million.
“A verbose phishing email from someone claiming to be a Nigerian prince is one of the Internet’s earliest and longest-running scams.”
In this attack, criminals make a copy—or clone—of previously delivered but legitimate emails that contain either a link or an attachment. Then, the phisher replaces the links or attached files with malicious substitutions disguised as the real thing. Unsuspecting users either click the link or open the attachment, which often allows their systems to be commandeered. Then the phisher can counterfeit the victim’s identity in order to masquerade as a trusted sender to other victims in the same organization.
A verbose phishing email from someone claiming to be a Nigerian prince is one of the Internet’s earliest and longest-running scams. According to Wendy Zamora, Head of Content at Malwarebytes Labs, “The Nigerian prince phish comes from a person claiming to be a government official or member of a royal family who needs help transferring millions of dollars out of Nigeria. The email is marked as ‘urgent’ or ‘private,’ and its sender asks the recipient to provide a bank account number for safekeeping the funds.”
In a hilarious update of the classic Nigerian phishing template, British news website Anorak reported in 2016 that it received an email from a certain Dr. Bakare Tunde, who claimed to be the project manager of astronautics for Nigeria’s National Space Research and Development Agency. Dr. Tunde alleged that his cousin, Air Force Major Abacha Tunde, had been stranded on an old Soviet space station for more than 25 years. But for only $3 million, Russian space authorities could mount a flight to bring him home. All the recipients had to do was send in their bank account information in order to transfer the needed amount, for which Dr. Tunde will pay a $600,000 fee.
Incidentally, the number “419” is associated with this scam. It refers to the section of the Nigerian Criminal Code dealing with fraud, the charges, and penalties for offenders.
With phone-based phishing attempts, sometimes called voice phishing or “vishing,” the phisher calls claiming to represent your local bank, the police, or even the IRS. Next, they scare you with some sort of problem and insist you clear it up immediately by sharing your account information or paying a fine. They usually ask that you pay with a wire transfer or with prepaid cards, so they are impossible to track.
SMS phishing, or “smishing,” is vishing’s evil twin, carrying out the same kind of scam (sometimes with an embedded malicious link to click) by means of SMS texting.
How do I protect myself against phishing?
As stated previously, phishing is an equal opportunity threat, capable of showing up on desktops, laptops, tablets, and smartphones. Most Internet browsers have ways to check if a link is safe, but the first line of defense against phishing is your judgement. Train yourself to recognize the signs of phishing and try to practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.
Once again from our own Adam Kujawa, here are a few of the most important practices to keep you safe:
- Don’t open e-mails from senders you are not familiar with.
- Don’t ever click on a link inside of an e-mail unless you know exactly where it is going.
- To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
- Lookout for the digital certificate of a website.
- If you are asked to provide sensitive information, check that the URL of the page starts with “HTTPS” instead of just “HTTP.” The “S” stands for “secure.”It’s not a guarantee that a site is legitimate, but most legitimate sites use HTTPS because it’s more secure. HTTP sites, even legitimate ones, are vulnerable to hackers.
- If you suspect an e-mail isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.
- Mouseover the link to see if it’s a legitimate link.
As always, we recommend using some sort of anti-malware security software. Most cybersecurity tools have the ability to detect when a link or an attachment isn’t what it seems, so even if you fall for a clever phishing attempt, you won’t end up sharing your info with the wrong people.
All Malwarebytes premium security products provide robust protection against phishing. They can detect fraudulent sites and stop you from opening them, even if you’re convinced they’re legitimate.
So stay vigilant, take precautions, and look out for anything phishy.
For inquiries, email us at firstname.lastname@example.org