In this day and age, cybersecurity is at the forefront of operational priorities. High-profile data breaches have taught the hard-earned lesson that the protection of data and personally identifiable information (PII) needs to take precedence. One of the most prevalent threats to organizations is phishing.
Phishing scams account for nearly 80% of security incidents. Because these attacks rely on human fallibility rather than the strength of your systems, they can be difficult to combat. This overview of phishing provides a brief primer on the subject and helps to understand how you can thwart such attacks.
What is phishing? Well, you don’t need a pole, but it does involve reeling in unsuspecting victims.
Phishing is a type of cyberattack that uses email, phone or text to entice individuals into providing personal or sensitive information, ranging from passwords, credit card information and social security numbers to details about a person or organization. Attackers pose as legitimate representatives to gain this information, which is then used to access accounts or systems, often leading to identity theft or significant financial loss.
Phishing scams happen over various forms of communication, notably email, text and phone. Attackers are hoping to be trusted, so they make efforts to masquerade as legitimate representatives of organizations, often constructing emails that appear genuine or making phone calls in a manner that sounds like valid requests for information.
Phishing works mostly by manipulation and relies on human interaction, with victims unknowingly clicking on a malicious link or providing information to an attacker.
Because the goal is to obtain passwords or PII, people performing phishing attacks often seek to impersonate tech support, financial institutions or government entities.
The term phishing was first used in reference to AOHell, a program developed by a Pennsylvania teen. The program included a credit-card-stealing and password-cracking mechanism that was used to cause trouble for AOL. This software spawned other automated phishing tools, such as the one later used by the Warez community.
The first organized phishing attacks are attributed to the Warez community, a group known for hacking and piracy. These phishing scams targeted AOL users in 1996.
The Warez community infamously used an algorithm to generate random credit card numbers. When the group landed on a valid number, they were able to create real AOL accounts that they used to scam other AOL users. This was later followed by social engineering tactics when members of the group impersonated AOL employees in an attempt to gather more sensitive information.
After this phishing scam, attackers quickly moved on to email as a method for trying to gather useful intel. Phishing emails ranged in sophistication from the less-than-convincing Nigerian princes asking for financial backing to the much more convincing 2003 Mimail virus, which originated from an email claiming to be from PayPal.
The email containing the Mimail virus was fairly successful at convincing users to enter their username and password credentials. The email warned of expiring credit card information with a request to update it as soon as possible. The link took visitors to a window with PayPal’s logo, and many users entered their password and credit card information on what turned out to be a malicious website.
Today, phishing can use multiple communication methods and has evolved from low-level schemes to the sophisticated targeting of individuals and organizations.
Phishing can take on many different forms. Here are some variations of the phishing attack.
To help prevent phishing attacks, you should observe general best practices, similar to those you might undertake to avoid viruses and other malware.
First, make sure your systems are updated to help protect against known vulnerabilities. Protect devices and systems with reputable security software and firewall protection. You can also add software that watches for PII being sent over email or other insecure methods.
Since the weak link in phishing attacks is the end user, you should provide proper end-user security awareness training and educate your team on how to recognize a phishing scam. The key to protecting against phishing lies in the ability to recognize the cyberattack as illegitimate. Following are some key concepts to include in end-user training:
Remember, when it comes to thwarting a phishing attack, acting as a skeptic is a wise move.
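One way to turn that skepticism into a repeatable check is the following added Python script (not code from the original article). It parses a constructed message modelled on the PayPal-style lure described earlier and reports the classic red flags: a Reply-To domain that differs from the From domain, link text naming one site while the href leads elsewhere or to a bare IP address, and urgency language. All addresses and the 203.0.113.5 host are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure words that push the reader to act before thinking.
URGENCY_WORDS = ("expire", "urgent", "immediately", "suspended", "verify")

# Constructed sample lure; 203.0.113.5 is a documentation address, not a real host.
SAMPLE_EMAIL = """\
From: "PayPal Billing" <billing@paypal-secure-update.example>
Reply-To: support@mail-relay.example
Subject: Your credit card information is about to expire
Content-Type: text/html

<p>Your card on file will expire. Please
<a href="http://203.0.113.5/login">update it at www.paypal.com</a> immediately.</p>
"""

def _host(value: str) -> str:
    """Lower-cased host of an email address or URL ('' if none)."""
    if "@" in value:
        return parseaddr(value)[1].rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    from_host = _host(msg.get("From", ""))
    reply_host = _host(msg.get("Reply-To") or msg.get("From", ""))
    if reply_host != from_host:
        flags.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")
    body = ""
    for part in msg.walk():  # concatenate every text/* part (plain or HTML)
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", errors="replace")
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            flags.append(f"link points at a bare IP address: {target}")
        # Anchor text naming one site while the href leads somewhere else.
        for shown in re.findall(r"[\w.-]+\.[a-z]{2,}", text, re.I):
            if shown.lower() != target and not target.endswith("." + shown.lower()):
                flags.append(f"link text shows {shown} but leads to {target}")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see the four warnings the sample triggers; a message that passes every check returns an empty list.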
Check out this video, where cybersecurity expert David Landsberger provides tips on how to identify fake websites and phishing emails.
Ransomware, malware, social engineering and phishing are all different forms of ill-intentioned cyberattacks.
While our guide acts as an introduction into the threats posed by phishing, this is by no means an exhaustive list. Phishing and the cybersecurity world change on a daily basis, and attacks are becoming increasingly sophisticated. The best way to combat cyberattacks is to stay informed about the latest attacks.