What Is Phishing? A Brief Guide to Recognizing and Combating Phishing Attacks

What Is Phishing?

In this day and age, cybersecurity is at the forefront of operational priorities. High-profile data breaches have taught the hard-earned lesson that protecting data and personally identifiable information (PII) needs to take precedence. Among the most prevalent threats to organizations is phishing.

In a recent survey, 92% of businesses reported they had fallen victim to phishing attacks. These attacks rely on human error rather than the strength of your systems, which also makes them difficult to combat successfully. This article provides an overview of phishing and will help you understand how you can avoid these attacks.

Phishing Defined

Phishing is a type of cyberattack that uses email (traditional phishing), phone (vishing or voice phishing) or text (smishing or SMS phishing) to entice individuals into providing personal or sensitive information to cybercriminals. This information can range from passwords, credit card information and social security numbers to details about a person or an organization. Attackers pose as legitimate representatives to gain this information, which is then used to access accounts or systems. Ultimately, once in the hands of adversaries, it often leads to identity theft or significant financial loss.

How Does Phishing Work?

It is common for scammers to use various methods of communication to perpetrate phishing scams, including emails, texts and phone calls. In order to gain trust, attackers often masquerade as legitimate representatives of organizations. They will construct emails that appear genuine or make phone calls in a manner that sounds like valid requests for information.

In most cases, phishing involves human interaction and manipulation to trick victims into clicking on a malicious link or unknowingly providing information to an attacker. Often, people conducting phishing attacks attempt to impersonate tech support, banks or government organizations in order to obtain passwords and personal information.

History of Phishing

The term phishing was first used in reference to a program known as AOHell, developed by a Pennsylvania teen. The program used a credit-card-stealing and password-cracking mechanism, which was used to cause disruptions for AOL. This software spawned other automated phishing software, such as the one later used by the Warez community.

The first organized phishing attacks are attributed to the Warez community, a group known for hacking and piracy. These phishing scams targeted AOL users in 1996. The Warez community infamously used an algorithm to generate random credit card numbers. When the group landed on a valid number, they were able to create real AOL accounts that they used to scam other AOL users. This was later followed by social engineering tactics when members of the group impersonated AOL employees in an attempt to gather more sensitive information.

After this phishing scam, attackers quickly moved on to email as a method for trying to gather useful intel. Phishing emails ranged in sophistication from the less-than-convincing Nigerian princes asking for financial backing to the much more convincing 2003 Mimail virus, which originated from an email claiming to be from PayPal.

The email containing the Mimail virus was fairly successful at convincing users to enter their username and password credentials. The email warned of expiring credit card information with a request to update it as soon as possible. The link took visitors to a window with PayPal’s logo, and many users entered their password and credit card information on what turned out to be a malicious website.

Today, phishing can use multiple communication methods and has evolved from low-level schemes to the sophisticated targeting of individuals and organizations. Some phishing attempts that cybercriminals use today can look almost identical to communications from the real company, and it takes a keen eye and knowing what to look for to successfully avoid these attempts.

Types of Phishing

Phishing can take on many different forms in order for cybercriminals to execute their schemes. Here are several variations of phishing attacks that are used to steal data:

  • Angler Phishing: This cyberattack comes by way of social media. It may involve fake URLs, instant messages or profiles used to obtain sensitive data. Social profiles are also inspected by attackers for any personal information that can be used for social engineering.
  • Clone Phishing: Clone phishing involves the exact duplication of an email to make it appear as legitimate as possible.
  • Domain Spoofing: In this category of phishing, the attacker forges a company domain, which makes the email appear to be from that company. Threat actors commonly do this with large and notable business identities to dupe users into actively volunteering their information.
  • Email Phishing: Phishing emails are often the first to come to mind when people hear the term phishing. Attackers send an illegitimate email asking for personal information or login credentials.
  • Search Engine Phishing: Rather than sending correspondence to you to gain information, search engine phishing involves creating a website that mimics a legitimate site. Site visitors are asked to download products that are infected with malware or provide personal information in forms that go to the attacker.
  • Smishing: Combine SMS with phishing, and you have the technique called smishing. With smishing, attackers send fraudulent text messages in an attempt to gather information like credit card numbers or passwords.
  • Spear Phishing: Spear phishing is particularly targeted as attackers take time to gather details that they can use to present themselves as trusted entities. They then construct personalized phishing emails, including details that make it seem as though the email is coming from a friendly source.
  • Whaling: A whaling attack targets the big fish, or executive-level employees. An attack of this sort often involves more sophisticated social engineering tactics and intelligence gathering to better sell the fake.
  • Vishing: Combine VoIP with phishing and you get vishing. This type of phishing involves calls from a fraudulent person attempting to obtain sensitive information.

How To Prevent and Protect Against Phishing

To help prevent phishing attacks, you should observe general best practices, similar to those you might undertake to avoid viruses and other malware.

First, make sure your systems are updated to help protect against known vulnerabilities. Protect devices and systems with reputable security software and firewall protection. You can also add software that watches for PII being sent over email or other insecure methods.

Since the weak link in phishing attacks is the end user, you should provide proper end-user security awareness training and educate your team on how to recognize a phishing scam. The key to protecting against phishing lies in the ability to recognize the cyberattack as illegitimate.

Here are some key concepts to include in end-user training:

  • Instruct users to choose strong passwords and be wary of posting personal details on social media. Information like birth dates, addresses and phone numbers is valuable to an attacker.
  • If there are any suspicions about an email or social post, report the email or communication to the IT team to have them examine the situation more in-depth to determine if it is a phishing scheme.
  • Only open attachments from a vetted and trusted source. When in doubt, communicate with the alleged sender directly. If the sender is non-responsive or vague about the context, it might be best to assume it was a phishing attempt and report it directly to the IT and/or the security team.
  • Note any language differences in messaging or emails that vary from legitimate organizational communications.
  • Never give away personal information in an email or unsolicited call. For instance, financial institutions will never call and ask for login credentials or account info because they already have it.
  • Inspect emails for typos and inaccurate grammar. This is usually a dead giveaway of less sophisticated phishing scams.
  • Don’t supply personal information via email or text.
  • Beware of urgent or time-sensitive warnings. Phishing attacks often prompt action by pretending to be urgent. For example, you might receive a fake email from your bank asking you to update your information now! Your financial institution often will not email or call you directly unless it is necessary.
  • Verify emails and other correspondence by contacting the organization directly. If you think something is fishy (okay, bad pun), a phone call can quickly distinguish a legitimate communication from a fake one.

Remember, when it comes to protecting yourself from a phishing attack, acting skeptical is often a wise move to better protect against these schemes.
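
Several of the warning signs above (urgent wording, requests for credentials) and the domain spoofing described earlier can also be checked mechanically by a mail filter or triage script. The following Python is an added example, not part of the original article; the word lists, the sample message and the `examplebank.test` domain are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed wording lists; tune them to your own organization's mail.
URGENCY = re.compile(r"\b(urgent|immediately|as soon as possible|expir\w*|suspend\w*)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login|credit card|social security|account number)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

# Constructed sample message (reserved .test domains), not a real phish.
SAMPLE = """\
From: "ExampleBank Support" <support@examp1e-bank.test>
Reply-To: billing@collect.test
Subject: Urgent: update your information
Content-Type: text/html

<p>Your card details expire today. Confirm your password immediately:</p>
<a href="http://login.examp1e-bank.test/update">www.examplebank.test</a>
"""


def addr_domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def phishing_indicators(raw, trusted_domain):
    """List the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')} {msg.get_payload()}"
    display = parseaddr(msg.get("From", ""))[0].lower()
    sender, reply = addr_domain(msg.get("From")), addr_domain(msg.get("Reply-To"))
    findings = []
    # Display name claims the trusted brand but the address is elsewhere.
    brand, legit = trusted_domain.split(".")[0], ("." + sender).endswith("." + trusted_domain)
    if brand in display and not legit:
        findings.append(f"sender-mismatch:{sender}")
    if reply and reply != sender:
        findings.append(f"reply-to-mismatch:{reply}")
    if URGENCY.search(text):
        findings.append("urgent-language")
    if CREDENTIALS.search(text):
        findings.append("asks-for-credentials")
    # Visible link text looks like a host but the href points to another one.
    for href, label in LINK.findall(text):
        shown, target = label.strip().lower(), (urlparse(href).hostname or "")
        if re.fullmatch(r"[\w.-]+\.[a-z]+", shown) and shown != target:
            findings.append(f"link-mismatch:{target}")
    return findings
```

Calling `phishing_indicators(SAMPLE, "examplebank.test")` returns all five indicators for the constructed message. Findings like these are reasons to report a message for review, not proof that it is malicious.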

What’s the Difference Between Ransomware, Malware, Social Engineering and Phishing?

Ransomware, malware, social engineering and phishing all encompass different forms of malicious threats to consumers and companies:

  • Malware is a general term formed by the words “malicious” and “software” that describes different types of software intended to compromise systems, obtain sensitive data or gain unsanctioned access to a network.
  • Ransomware is a category of malware where attackers use various methods to encrypt your data, make it inaccessible or bar you from entry to a particular system or device. Attackers then demand a ransom in exchange for reinstating your access.
  • Social Engineering is a tactic used by cybercriminals to extract sensitive details by way of human manipulation. With social engineering, hackers connect with users while pretending to represent a legitimate organization and seek to ascertain critical information such as account numbers or passwords.
  • Phishing is a form of social engineering that involves communication via email, phone or text requesting a user take action, such as navigating to a fake website. In both phishing and social engineering attacks, the collected information is used in order to gain unauthorized access to protected accounts or data.

The information in this guide serves as an introduction to the threats posed by phishing, but it is far from comprehensive. Phishing and the cybersecurity world change on a daily basis, with attacks becoming increasingly sophisticated and more challenging to identify. The best way to combat cyberattacks is to stay informed about the latest attacks and increase security awareness among consumers and your employees to keep them from becoming victims of a phishing scheme.
