
Phishing Attacks: A Summary of Phishing In All Its Forms

A phishing attack is a fraudulent email that pretends to come from a safe, familiar, or reliable source and is intended to induce the recipient to reveal personal information, such as financial information, personally identifiable information (PII), passwords, or credit card and bank account numbers, to the sender.

Phishing emails often have an impersonal, awkward, unprofessional, or out-of-character tone. Many, but not all, phishing emails contain obvious typos, odd capitalization, or numbers used instead of letters. Often the purported URL or sender address will have an obvious error in it; an example would be an email from John.Smith@microsift.com. Another common sign is a prompt to open an attachment or follow a link. Critically examine any email with an attachment, especially an unexpected one or one from a stranger.

Phishing emails are one of the most dangerous threats you will encounter online. They threaten your data, your online accounts, and even your offline financial accounts. Typically, hiding behind a simple, innocent-looking email will be a link to what appears to be an innocuous site. Using an appearance of reputability and elements of social engineering or romance, the phisher will attempt to make you more likely to fall for the scam. It may be a romance opportunity or a check from a Nigerian prince, but you should always avoid opening or clicking on the links of any email that you are not sure is legitimate.

Types of Phishing Attacks

Now that we understand why phishing is so dangerous and why you should avoid phishing at all costs, let’s look at some of the different types of phishing attacks you may encounter.

Deceptive Phishing Attack

Deceptive phishing is the most common type of phishing attack, and it is also called traditional phishing. In this technique, an attacker attempts to steal a user’s confidential personal information or login credentials. The most common of these attacks is an email that purports to be from a trusted service provider, such as McAfee, asking for a renewal. The email will ask that you send or “confirm” your personal information on a different portal; the attacker will then likely try to compromise your other accounts, such as your online banking accounts, using the same credentials they stole. Alternatively, the phishing email will contain a URL link. It will appear to be a legitimate link (but it will be Microsift, not Microsoft). If you click on it, a malware script attached to the page will collect your information.


Spear Phishing Attack

Spear phishing is an email-spoofing attack that attempts to gain unauthorized access to and steal PII from a targeted victim, usually by stealing login credentials. In this technique, the attacker sends an email or online text message to the victim that includes some personal data, such as the victim’s name, role in the company, email address, or contact number. This information is included to gain the victim’s confidence and obtain whatever the phisher needs to compromise and access the confidential data they are after. A classic example of a spear phishing attack used the requirement to sign a new employee handbook to trick victims into clicking on a malicious link.


Vishing

Vishing or “voice phishing” occurs when someone uses the phone to steal information.  The attacker will pretend to be a trusted friend or relative or to be calling on their behalf.  In 2019 in the United Kingdom, a vishing campaign focused on members of parliament and their staffers.  The campaign was part of an attack involving more than 20 million emails.

Angler Phishing

Angler phishing attacks use phony social media posts to get people to provide login information or download malware.  Domino’s Pizza was hit by Angler Phishing on Twitter not long ago.

CEO Phishing Fraud

CEO Fraud, or Business Email Compromise (BEC), is a spear-phishing email attack usually aimed at a company’s finance or accounting department. The attacker impersonates the recipient’s CEO or another senior company executive and seeks information that will allow them to steal funds or gain access to sensitive business data. The most common form of CEO fraud involves an attacker using the name of the CEO but a different email address. The attacker tricks you into transferring money to a bank account owned by the attacker.

Clone Phishing

In clone phishing, the hacker copies a legitimate, previously delivered email. This copy is used to create an almost identical (that is, cloned) email that appears to come from a trusted organization. The attacker sends the cloned email to the victims, and it appears to have come from the original sender. The link or attachment in the original email is replaced with a malicious link or attachment pointing to a fake or malicious website.


Pharming

In a pharming attack, an attacker installs malicious code on a personal computer or server to redirect a website’s traffic to another, fake site without the user’s consent. It aims to gain personal information such as bank account details, credit card numbers, login credentials, or other valuable information. To do this, the hacker changes the hosts file on the victim’s computer or tampers with its domain name system (DNS) resolution. When someone requests a URL, a false address is returned, and the victim is sent to a fake website. In 2007, a pharming attack gathered sensitive data from the customers of more than 50 financial institutions.
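The hosts-file variant described above is easy to check for on an endpoint. The following added example (not code from the original article) parses hosts-file content and flags any watched domain that is pinned to an address other than loopback or 0.0.0.0 (the two values legitimate ad-blocking lists use); the watch list and the sample file content are constructed for this example.

```python
import ipaddress

# Constructed watch list: domains that should never be pinned in a hosts file.
WATCHED = ("bank.example", "mail.example")


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                 # one IP may carry several names
            yield parts[0], name.lower()


def suspicious_entries(text: str) -> list:
    """Return (name, ip) for watched names mapped somewhere other than
    loopback or 0.0.0.0; a malformed address on a watched name is also reported."""
    findings = []
    for ip, name in parse_hosts(text):
        if not any(name == w or name.endswith("." + w) for w in WATCHED):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append((name, ip))
    return findings


# Constructed sample: a normal file plus one pharming entry (TEST-NET-2 address).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example          # typical blocklist entry, not pharming
198.51.100.7  bank.example www.bank.example   # redirects the bank to the attacker
"""

if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} is pinned to {ip}")
```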

Smishing

Smishing is any phishing attack done through some form of texting or SMS message. A well-known smishing attack involved texts purporting to be from American Express and requesting an emergency login. The message led to a phony site where the users’ personal information was gathered.

Social Engineering

Social engineering attacks pressure the victim into revealing sensitive information by psychologically manipulating the victim. Often the hacker will pretend to be from a bank and claim that some action is needed, or else the bank will have to freeze the account.

Watering Hole Phishing

The hacker, having identified a site that a target group visits frequently, will attempt to take advantage of any high-profile users of that site and get their login credentials. This technique has been relatively successful, notably in attacks that exploited a vulnerability in Internet Explorer.

Whaling

Whaling is a common type of phishing attack that attempts to steal sensitive information from a company, such as financial information or personal information about employees. Whaling attacks generally target senior management or other individuals who hold power in companies, such as the CEO, CFO, or other executives who have significant access to sensitive data. Because of the breadth and depth of their data access, a successful whaling attack can result in the release of a vast amount of sensitive data.

Website Phishing

Website phishing is a cyberattack that uses a fake website to steal sensitive information such as login credentials or other confidential data. The hacker tricks you into believing you’ve gone to a legitimate website. Also sometimes called email phishing, the attack starts with an email that looks legitimate, hoping to trick you into responding or clicking on a malware link. A famous example involved using LinkedIn to gather contact information for Sony employees, eventually resulting in the theft of over 100 terabytes of data.

Website Spoofing

In a website spoofing attack, the hacker creates a fake website that looks legitimate. When the victim uses the site to log in to an account, confidential data is collected by the attacker.

Malware Phishing

In a malware phishing attack, the hacker embeds malware in an email or behind a link that will direct any user to a malicious site. When the victim accesses the malicious site, the malware automatically downloads to the victim’s computer and exploits any security vulnerabilities it finds.

Pop-Up Phishing

This technique uses pop-ups about a problem with your computer’s security or some other issue to trick you into clicking on an embedded link.  You are then instructed to download a file that is, in fact, malware or to call a support center where a very persuasive hacker will work to get your personal data.

Evil Twin Phishing

Evil Twin phishing uses a false WiFi network that looks legitimate. Any time someone logs into it and enters sensitive information, the hacker captures that data. The Russian military has recently been accused of operating an Evil Twin phishing campaign.

Domain Spoofing

Domain spoofing occurs when a hacker imitates a company’s domain using email or a fake website to lure people into entering sensitive information. An attacker executes a domain spoofing attack by creating a fraudulent domain that looks like a real site. When users visit the site and enter any information, it is sent straight to the hackers, who can use it or sell it to someone else. To avoid domain spoofing, users should double-check the source of every link and email.

Image Phishing

Image phishing uses images with malicious files embedded in them that will help a hacker steal account info or infect the victim’s computer. Hackers have used images to hide malicious code written in JavaScript inside images and HTML files. When someone clicks on an image, malware will be downloaded onto their computer and could be used to phish for their personal information.

Search Engine Phishing

A search engine phishing attack involves an attacker making fake products that look attractive. When these pop up in a search engine, the target is asked to enter sensitive information before purchasing.  The information then goes to a hacker. In 2020, Google said they found 25 billion spam pages every day, like the one put up by hackers pretending to be from the travel company Booking.com. An ad would pop up in users’ search results that looked like it was from booking.com and included the site’s address and the kind of wording users would expect from an actual ad by the company. After users clicked, they were prompted to enter sensitive login information that was then transmitted to hackers.

How to Prevent Phishing

The short answer, of course, is that you can’t 100 percent prevent phishing. What you can do, however, is modify your behavior in ways that make it less likely that you personally will become a phishing victim. The first thing to do is to view every email and text with some level of suspicion. For most of them, slight suspicion is enough: make sure you recognize the sender’s name where you should, and that the URL and company name are spelled correctly. A higher level of suspicion is required for anything with a link. Assume that a link is bad until you know it is not, and don’t mindlessly click on any links you receive. Likewise, don’t download any file you weren’t expecting or whose source you don’t know; the same goes for attachments. Don’t open anything you didn’t expect to get, and make sure it’s really from that trusted source.

Watch out for shortened links, especially when you see them on social media. Hackers use them frequently to make you think you’re going to a legitimate site when you aren’t. Hover your mouse over any web link you get in an email to see whether you’re being sent where you think you are: the address shown in the link text should match the address you see when you hover. These links can take you to a site where your personal data will be gathered, or they can infect your device with malware.
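The two checks this section and the earlier Microsift example describe (does the link text match where the href really goes, and is a sender or link domain a letter or two away from a brand you trust) can be automated for mail filtering. The following is an added example, not code from the original article; the trusted-brand list, the sample sender and the sample HTML body are constructed for it.

```python
import re
from urllib.parse import urlparse

# Constructed list of brands whose look-alikes we want to catch.
TRUSTED_DOMAINS = ("microsoft.com", "paypal.com", "amex.com")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike(domain: str):
    """Return the trusted brand this domain imitates, or None if exact or unrelated."""
    for brand in TRUSTED_DOMAINS:
        if domain != brand and edit_distance(domain, brand) <= 2:
            return brand
    return None


def check_email(sender: str, html_body: str) -> list:
    """Return human-readable findings; an empty list means no sign fired."""
    findings = []
    sender_dom = registrable(sender.rsplit("@", 1)[-1])
    if (brand := lookalike(sender_dom)):
        findings.append(f"sender domain {sender_dom} looks like {brand}")
    for href, text in ANCHOR.findall(html_body):
        href_dom = registrable(urlparse(href).hostname or "")
        shown = urlparse(text.strip() if "://" in text else "http://" + text.strip()).hostname
        if shown and "." in shown and registrable(shown) != href_dom:   # hover-check mismatch
            findings.append(f"link shows {shown} but goes to {href_dom}")
        if (brand := lookalike(href_dom)):
            findings.append(f"link domain {href_dom} looks like {brand}")
    return findings


SAMPLE_SENDER = "John.Smith@microsift.com"     # the article's own example address
SAMPLE_BODY = ('<p>Renew now.</p><a href="https://secure-login.example.net/r">'
               'https://account.microsoft.com/renew</a>')      # constructed body
```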

If you take a moment, most phishing emails are relatively easy to recognize.  They have lots of typos and misspellings and are not very well written.  And, if there is a greeting, it’s going to be something generic, like “Dear Client.”  Some of these errors are designed to get past spam filters, and some are because criminals aren’t always the sharpest knife in the drawer.

Be wary of any email asking you to do something urgently or stressing about an emergency.  Occasionally the email may be legit – your financial institution may need you to change your password immediately because of a breach.  But, generally, there will be signs of phishing.  If the email discusses fines or your account being closed, contact the company separately from the email via a trusted channel and find out what’s happening.

Avoid unsecured websites.  Try whenever possible to use a site whose URL begins with HTTPS.  Also, avoid free WiFi in public places.  It is not secure, and any personal information will be available to anyone else on that WiFi.

Hackers are creative and usually a step ahead. But using caution and going a bit slowly can take you a long way toward avoiding falling for a phishing attack.
