What is Phishing and How Does it Work?
Table of Contents
- By David Lukic
- Nov 12, 2020
Phishing scams have become a major enterprise in the world of cybercriminals. Most likely, you have heard the word phishing attacks brandished around, but you do know what it means? Well, you should because you just may be the next victim.
Phishing Scam Definition
Phishing attacks are defined as any fraud carried out via email, text, social media, or through an app. It is also one of the easiest ways that criminals steal information or identity. Scammers often target low-level employees to gain access to a large corporation’s files. These attacks rely on human error to bypass business’s complex cybersecurity systems.
Unfortunately, because phishing scams are so easy and the victims are ignorant of the dangers, millions of dollars are lost every year to these types of scams.
Not all attacks are as simple as sending out a stock, pre-made email. Phishing strategies are varied. Scammers go as far as investigating specific targets for spear phishing attacks and even creating fake websites! Experts claim that 1.4 million new malicious websites show up on the web each month.
How Does Phishing Work?
According to Verizon’s Investigations Report, one-third of all data breaches were the result of phishing email. Unfortunately, that percentage is much higher (78%) for other types of cyberattacks. The idea behind the name phishing comes from “fishing” where you cast a line and hope for a bite. Crooks initiating phishing attack campaigns are getting more sophisticated and harder to catch all the time. They use social engineering tactics to scare and dupe innocent victims into giving away personal information that they would never do if they weren’t panicked.
A phishing attack campaign works by the cybercriminal picking a target group. It might be the customers of a well-known bank. They then troll the dark web and purchase or barter for a list of customers. They then design an email using the bank’s own logos, colors, fonts, and sometimes even text from a legitimate bank email and design a fake message. They typically imply a threat of “closing your account” or claiming there has been a data breach of some sort. They hope to panic you into clicking the link and not thinking. Once you do, you are taken to a “spoofed” website, which looks like the bank’s but is not. You are then asked to enter your account credentials or other financial information, and unfortunately, because it wasn’t the bank, the cooks now have your login or bank information.
Another objective is sometimes rather than take you to a website, clicking the link in the email infects your computer with trojan virus or worm. These can be devastating and take control of your computer and network, steal your files and information, spy on you, lock your computer until you pay a ransom, or steal your identity and open up lines of credit in your name. There are many different nefarious goals for these types of attacks.
Most disturbingly is that some hackers even sell “phishing kits” on the dark web so that even non-technical crooks can use them to pull off phishing scams successfully. Some even come complete with a video and typed instructions. Often the developer will take a cut of the proceeds.
List of the Top Companies Used in Phishing Emails
Phishers’ Favorites came up with a list of the top companies that are used by cybercriminals to trick victims into believing they are real. They will spoof email addresses from them, obfuscate links and copy graphics and design elements to make the messages look very real. The top companies faked are:
Bank of America.
Many of these are companies you probably use. Therefore, you may be included in a customer list somewhere on the dark web and be a target. Watch out carefully for emails that come from these sources. The places you should be most wary of are unsolicited links from social media or financial services.
In 2021, 35 percent of impersonated businesses came from the financial sector. Money is the number one cause of stress for Americans according to the American Psychological Association (APA). This stress makes people much more likely to respond hastily to threats or “special offers” in phishing emails.
Social media is another favorite for phishing. Facebook ranked as the number one most impersonated page in 2021, with social media as a whole making up 24 percent of total fake websites.
Evaluate if they sound suspicious or not and ask yourself a few questions before reacting.
- Do they have an urgency to them?
- Are they threatening to close or suspend your account?
- Did they alert you to a prize for winning something when you didn’t enter any contest?
- Does the email demand that you take some action “immediately?”
If so, they are probably phishing scam attempts, and you should be wary. Phishing email attempts have one of two objectives; either steal your information for identity theft or install malware on your device to do even more harm later.
Types of Phishing Attacks
The scary thing about phishing attacks is that they're easy to fall for, even if you know they're coming. Scammers use a wide range of tactics to get past your guard. They play on negative emotions like fear, stress, and laziness to help their attack succeed.
Attacks vary from poorly written emails to in-depth impersonations of upper management. However, all end with lost personal data or a compromised reputation. Here are the most common strategies that criminals use to trick their targets.
Email phishing is a popular choice for cybercriminals. It's performed by individual hackers and large organizations alike. The attack starts with buying or stealing a list of email addresses and sending out messages informing people of an emergency.
A link is typically provided that leads to a fake website or automatically downloads malware onto the device. Additionally, these emails will include a time-sensitive element to scare targets into making a hasty decision. Some examples used in most phishing emails include threatening bank or medical fees.
These mass-release emails are relatively easy to identify as scams. They're often filled with grammatical errors and are sent from an unfamiliar email. Keeping a cool head will let you avoid most phishing attacks.
Unlike standard email phishing, spear phishing attacks are tailored to individuals and can be very difficult to recognize. Scammers will dig up specific facts about a person and use that information as leverage. Some go as far as looking through their target's trash for details.
Knowing information like someone's name, job, or bank raises a scammer's credibility. It makes the victim much more likely to believe any of the scammer's warnings or threats.
Messages will address the target by name and mix truth with lies. They'll impersonate an actual bank or direct work superior. This is much more effective than using an identity the target isn't connected to and can easily recognize as fake.
Whaling, as its name implies, targets big game. These phishing attacks focus on scamming a company's chief executives.
Criminals include personal information about the business and write the email in standard "business language." This adds to the email's legitimacy, as phishing attacks are generally crude and unprofessional.
A common tactic is to imitate a CEO or a similarly high position and ask upper management to perform a task. The request can be anything from checking a website to transferring funds to the criminal's private account.
Recently, whaling scams have started accompanying emails with phone calls. This tactic puts the target through a real-world interaction and makes them more accepting of the original email.
While traditional phishing is performed through email, "smishing" uses short message services (SMS). However, the end goal is the same, with the hacker trying to coax personal or professional information from their target.
Smishing attempts to contact targets under the name of a legitimate organization. Frequently used examples include banks and medical practices. COVID-19 took advantage of the stress caused by the pandemic to manipulate people further.
These attacks aren't restricted to text messages anymore. The rise of social messaging apps like Facebook Messenger and WhatsApp gives scammers even more avenues to attack.
Famous Phishing Caused Data Breaches
Businesses have a moral and professional responsibility to report a data breach. Individuals whose data is compromised must take measures to prevent criminals from stealing their identities. The larger the data breach, the greater the cost and the damage to a company's reputation.
The following are two of the most impactful data breaches to date. Both were highly trusted companies at the time that fell victim to phishing attacks.
The Yahoo Data Breach (2013)
The most extensive data breach caused by phishing was the attack on Yahoo in 2013. The company heavily downplayed the amount of lost data, and the full extent of damages was only discovered when it was bought out by Verizon three years later.
The breach originated from a spear-phishing email that leaked information on all three billion Yahoo accounts. Previously, Yahoo estimated that only 500 million accounts had been compromised.
Pilfered information included names, date of birth, passwords, and security question answers. Yahoo's encryptions were weak and offered little protection to the details of stolen accounts. These details could be easily used to steal the data from other accounts created by the same user.
The Anthem Medical Data Breach (2015)
In early 2015, Anthem had the information of roughly 80 million members compromised through phishing. This attack stole personal details, including:
- ID Numbers
- Social Security Numbers
- Contact Information
- Income Data
- And more
One of Anthem's database administrators noticed unfamiliar login attempts using his credentials. Upon his report, the company shut off access and performed a password reset on all employees.
Although the company only had 37 million active users at the time, possible victims included any enrollee all the way back to 2004. This breach demonstrated the risk to individual data, even if they hadn't interacted with the company for many years.
The most frightening aspect is that old members may not see the notification that their data was lost. The communication might not reach them if they applied with an abandoned email or phone number. Similar situations occurred when Myspace, an old social media powerhouse, lost data on 360 million accounts in mid-2013.
How to Protect Yourself Against Phishing Attacks
Data phishing attacks are one of the biggest problems facing our digital age. However, if you keep a cool head, arm yourself with information, and follow the tips below, you should stay safe.
NEVER click a link in an email, no matter how legitimate it appears to be. Visit the website by going to the URL in a new browser window or calling your bank or company directly to check if you think there might be a problem.
Do not download attachments, software, or apps from anywhere except trusted developers/sources.
Don’t give out personal information, especially online, when asked for it. Most banks or other companies will not require you to provide the information which they already have.
Do not be lured in by the panicked email. Look for errors in grammar, misspellings, and hold your mouse over links. Even though links can be masked, most criminals don’t even bother. If you see a long link that clearly doesn’t match up with the sender, delete it.
Check the “sent” email address. Again, if it doesn’t match up or looks suspicious, contact your bank or the company and ask them about it.
Be especially cautious of emails alerting you that you have won a prize. If it sounds too good to be true, it probably is.
Watch out for short URLs in emails, they could indicate a fake.
Install antivirus software on your computer that also protects against data phishing attempts. Run deep scans often.
If you believe your account may have been hacked, change your password at the company that you received the fake message from; their customer lists may have been breached. Also, make sure to make the password strong and different from your other passwords. That way, they won’t breach all your accounts.
Symantec estimates about 135 million phishing emails go out per day! So, be careful and watch your back and your inbox.