What is Phishing?
Phishing attacks are regularly headline news, but what is phishing, how does it affect organizations and why are cybercriminals now turning to phishing as the primary way of attacking an organization? This article explains what is phishing, the various forms of phishing attacks and how serious the threat from phishing has now become.
What is Phishing?
Phishing can take many forms, although regardless how it is performed it has one common aim. To obtain login credentials or other sensitive information by deception. Phishing is often used to obtain login credentials that can be used to gain access to business networks, bank accounts, email accounts, databases or online accounts.
Cybercriminals ‘phish’ for information in order to steal money or data, with the latter used for a multitude of fraudulent activities.
Phishing is a homophone of fishing and gets its name because cybercriminals similarly use a lure to hook their prey. With phishing, the hook takes the form of social engineering techniques that fool the victim into revealing a sensitive snippet of information or performing an action – clicking on a link in an email, opening an email attachment that has been infected with malware or responding to a request for information.
Phishing is most commonly associated with email, although phishing attacks can occur via text messages, websites or over the telephone. Some sophisticated phishing scams use a combination of media such as an email with a follow up telephone call.
Phishing has fast become the biggest threat of the computer age. Research conducted in 2016 by PhishMe, a leading provider of phishing defenses, suggests 91% of all cyberattacks start with a phishing email.
Phishing is a far easier way of gaining access to business networks than hacking. Hacking takes considerable time, effort and skill to break through an organization’s security defenses. Phishing on the other hand just needs a single email to reach an end user’s inbox and for that end user to respond. With the sophisticated social engineering techniques now being used, they often do.
Phishing may have become more popular with cybercriminals in recent years, although it uses age old techniques that have been used by confidence tricksters for many centuries. Those techniques are highly effective, and even more so when sent via email.
Types of Phishing
In its simplest form, phishing involves sending an email to a company employee requesting their login credentials. Cybercriminals use social engineering techniques to fool the email recipient into revealing sensitive information or visiting a website where their login details must be entered.
The request could be an urgent software update to protect the user from a cyberattack, with a link included in the email that directs the user to a spoofed website. Threat actors often copy the wording used on genuine websites and include branding and images associated with that company for added authenticity.
Email phishing campaigns are often sent randomly with email addresses obtained from past cyberattacks. For example, the Yahoo data breach saw close to 1 billion email addresses stolen. Those email addresses are being used in phishing campaigns involving tens of millions of emails.
Spear phishing is a more targeted form of phishing. Instead of sending emails randomly in the millions, the campaigns tend to be small with the targets well researched. The emails are personalized and often include the target’s name and other personal information such as their address or telephone number. The aim is to make it appear that the sender of the email is already known to the recipient, exploiting a preexisting connection. An example would be an email that appears to be from a bank used by the target.
Information for spear phishing attacks can come from previous data breaches, although much of the information needed for a spear phishing attack can be found on social media sites such as Facebook, Twitter and LinkedIn. Spear phishing is much more effective than random phishing campaigns and threat actors often invest considerable time on research allowing them to construct highly convincing emails.
Whaling is a form of spear phishing that targets the really big fish: CEOs and other C-suite executives. The aim of whaling is usually to obtain the login credentials of email accounts, which can be used to send spear phishing emails from within an organization. An email sent from CEO’s email account is much more likely to elicit the desired response than an email from an unknown sender. Whaling attacks are often used to get high level executives to reveal network login credentials, since those users are likely to have the highest level of network privileges.
Smishing – or SMS phishing – is a phishing attack that uses SMS messages rather than email to send lures. Smishing is often used in attacks on consumers, with the aim of obtaining banking credentials. Text messages are sent that claim to be from the target’s bank along with a link to the banking website. When users click on the link they are directed to a spoofed website where they are required to enter their banking credentials. These scams are often combined with follow up telephone calls to obtain the answers to security questions or to bypass two-factor authentication used by many banks.
Pharming is a form of phishing that does not involve an email lure, instead users are directed to a fraudulent website that mimics the site of a well-known company. This form of phishing works by redirecting a web user by changing a hosts file on the victim’s computer or exploiting a vulnerability in DNS server software. A DNS server translates a web address – google.com for example – into a unique IP address. If a DNS server can be poisoned with malware, a request for Google.com would direct the user to a phishing site with the same branding.
CEO Fraud and Business Email Compromise
Threat actors often impersonate CEOs and other C-suite executives, spoofing their email addresses to make it appear that an email request has been sent from their account. CEO fraud is most effective when a CEO or other executive’s email account has been compromised as a result of a previous spear phishing campaign or whaling attack. These scams usually involve emails to the payroll or accounts department requesting bank transfers. Since the email has come from the CEO or CFO, the bank transfer is often made as requested.
Ransomware and Malware Attacks
It has become increasingly common for cybercriminals to use phishing emails to send malware or ransomware. If an end user can be convinced to install malware such as a keylogger, all information entered via the keyboard will be sent to the attacker. This allows criminals to steal corporate secrets and gain access to a wide range of accounts.
Ransomware is malicious software that encrypts files on the targeted device and network drives preventing the user or organization from accessing those files. The attackers then send a ransom demand. If the ransom is paid, the keys to unlock the encryption will be provided. If not, the files will remain locked forever. In 2016, 93% of all phishing emails were used to spread ransomware.
How to Protect Against Phishing?
The threat from phishing is increasing and cybercriminals are now developing highly sophisticated phishing campaigns. Phishing emails are becoming much harder to distinguish from genuine emails.
To protect against phishing emails, organizations must implement technological solutions to prevent spam emails from being delivered to end users’ inboxes and also train end users how to identify phishing emails.
You can read more about how to protect against phishing in this article.