Phishing refers to the act of trying to steal someone’s sensitive information by tricking them into believing something is authentic.
This is a technique that is often used by Internet fraudsters looking to drain online bank accounts and payment wallets. In some cases, the scheme is run by someone with the knowledge to use the details they obtain for the purpose of identity theft.
In any event, phishing is a SERIOUS threat!
If you think of phishing as a harmless threat, think again. One of the biggest security breaches of all time was the Target database breach. This started with the phishing of a subcontractor’s account, which later gave the hacker more privileged access.
The Truth About Phishing
There are over 150 million phishing messages that get sent every single day.
Just over 1 in 10 make it through the various security blocks and into the end recipient’s inbox. Around half of the messages that get delivered are eventually opened. It’s estimated that around 80,000 people not only open the message, but also follow the instructions and get their information stolen.
The statistics are alarming, but by now you should be aware of phishing risks. Everyone with an e-mail account will have experienced their fair share of attempts over the years. Somehow criminals manage to get their hands on extensive mailing lists. You cannot stop the messages from coming in, but you can learn how to tell the good from the bad.
How Does a Phishing Attack Work?
In most cases, it starts out with an e-mail message that leads you to a fake login page. This could be done to grab the credentials for your bank, Facebook, or even PayPal account. Regardless of the target, the message will likely be written with a sense of urgency to provoke an impulsive reaction.
For example, the attacker might pretend to be PayPal contacting you about a hacker that logged into your account. You might feel inclined to follow their link and change your password for security reasons; if you fall for their phishing login page, your credentials will get stolen.
The particular approach comes down to the type of phishing method the attacker uses.
Basic phishing: The act of trying to steal specific credentials or information by impersonating a trusted business or person.
Clone phishing: The act of copying a legitimate message’s contents (images and text) but modifying it with a phishing attachment or link.
In-session phishing: The act of attempting to phish a user during an active browsing session, by hijacking the current session and presenting the phishing login or webpage.
Spear phishing: The act of targeting specific individuals with phishing techniques to get privileged access and to maximize the fraud.
Whaling: The act of spear phishing top individuals in a company, which often involves impersonating another company or a federal agency (e.g. the FBI).
How to Detect a Phishing Website
To thwart a phishing attempt, you must be able to identify such malicious websites. The most obvious way is by examining the domain in the URL for abnormalities. Once you focus on the actual domain and its extension, it should be clear whether the website is legitimate or not. Further, you can inspect the site’s SSL certificate and view the page source to get a better idea of whether it is fraudulent.
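As an added example (not part of the original article), the following Python checks a URL for the domain abnormalities described above: a brand name hiding in a subdomain or in the `user@host` part, a raw IP address as the host, punycode labels, and plain http. The brand-to-domain mapping and the short suffix list are assumptions; a real checker would use the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlparse

# Two-label public suffixes the checker knows about (a short constructed list,
# not the full Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host: str) -> str:
    """Return the part of the host that was actually registered, e.g.
    'paypal.com' for 'secure.paypal.com' or 'bank.co.uk' for 'login.bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def check_url(url: str, trusted_brands: dict) -> list:
    """Return the red flags found in a URL. trusted_brands maps a brand keyword
    to the registrable domain that brand really uses, e.g. {'paypal': 'paypal.com'}."""
    flags = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    # user:pass@host syntax: the browser ignores everything before '@',
    # so a brand name placed there is not the site being visited
    if parsed.username is not None:
        flags.append(f"text before '@' is not the host; real host is {host}")
    try:
        ipaddress.ip_address(host)
        flags.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible look-alike characters)")
    domain = registrable_domain(host)
    # the brand name may appear anywhere in the host, but only the
    # registrable domain tells you who really owns the site
    for brand, real_domain in trusted_brands.items():
        if brand in host and domain != real_domain:
            flags.append(f"'{brand}' appears in {host}, but the registered "
                         f"domain is {domain}, not {real_domain}")
    if parsed.scheme != "https":
        flags.append("not served over https")
    return flags
```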
There are many ad-blocker-style programs that defend against phishing attacks. They work by keeping a list of known phishing websites and blocking access to them. As a result, you will not fall for a phishing attempt that links to any of the listed websites. OpenDNS’s paid service ‘Phishtank’ does exactly this, but you could always find your own list to filter through Adblock Plus or a similar (free) protection service.
Considering the source is also very important. Regardless of the website, think about how you got there; did you enter the URL or click a link? If you arrived after clicking a link, how do you know the source is trusted? If it came from an e-mail message, a whole lot more needs to be considered.
For phishing links in e-mail messages, the main thing to look out for is the sender’s e-mail address. This information gets spoofed, but you will always be able to identify it. In Gmail, hover over the name of the sender and wait for a small panel to pop up with the actual sender’s e-mail address. For most other e-mail services, it should be as simple as looking at the sender address shown next to the name.
How to Prevent Phishing Attacks
Common sense is your best friend. Take the time to look around the page you land on for signs of it being a phishing attempt. In most cases, you will be able to spot at least one or two obvious red flags. Watch out for these signs and avoid opening the message if any are present.
Signs of a Phishing Message
- The e-mail address of the sender is different from what the company tends to use,
- Any links are masked or shortened instead of placed directly in the message,
- There is an attachment even though there’s no reason for one to exist,
- A direct request for you to ‘change’ or give your sensitive information, or,
- A low Sender Score ranking.
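As an added example (not part of the original article), the following Python applies the sender-address check and the signs listed above to one raw e-mail message. The message, the brand-to-domain mapping, the shortener list and the keyword list are all constructed here; Sender Score is not checked because it needs an external lookup.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample showing the kinds of red flags listed above (not a real message).
SAMPLE = """From: "PayPal Security" <alerts@paypa1-notice.example>
To: victim@example.com
Subject: Unusual sign-in: verify your password now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Someone logged into your account. <a href="http://bit.ly/2xyz">https://www.paypal.com/security</a>
to change your password and confirm your card number.</p>
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

AAAA
--b1--
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}          # assumed list
CREDENTIAL_WORDS = ("password", "card number", "social security")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phishing_signs(raw: str, known_senders: dict) -> list:
    """Return the red flags found in one raw message. known_senders maps a brand
    keyword in the display name to the domain that brand really sends from."""
    msg = message_from_string(raw, policy=policy.default)
    signs = []
    # sign 1: display name claims a brand, but the real address is elsewhere
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domain in known_senders.items():
        if brand in name.lower() and sender_domain != domain:
            signs.append(f"display name says {brand!r} but address is @{sender_domain}")
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    # sign 2: shortened links, or link text that shows a different URL than the target
    for href, text in LINK_RE.findall(body):
        host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if host in SHORTENERS:
            signs.append(f"shortened link: {href}")
        if text.strip().startswith("http") and host not in text:
            signs.append(f"link text {text.strip()!r} hides target {href}")
    # sign 3: an attachment; sign 4: a request for sensitive information
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        signs.append("unexpected attachment")
    if any(w in body.lower() for w in CREDENTIAL_WORDS):
        signs.append("asks for sensitive information")
    return signs
```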
Beware: You are putting yourself at risk by even opening a phishing e-mail message. It’s possible for the sender to investigate your IP address’s activity and find your other online accounts. Further, you could also install malware without knowing it if you go to the infected website.
Once you get there, you will be presented with a near-replica of the impersonated webpage. How convincing the website is will boil down to the person behind it. Some will have sketchy images, improper wording, and invalid scripts. Others are custom coded and designed to perfection, leaving only the referencing message and the website’s URL as potential evidence of a phishing attempt.
Major Phishing Attacks in Recent History
There is no shortage of cases where hundreds of thousands (and even millions!) of Americans had their information stolen through phishing attacks. Yet, each of the large-scale cases below is worth mentioning on its own.
This is a type of ransomware, which refers to any ‘virus’ that demands a ransom for its removal. It started out as a phishing attack against larger businesses. Once accounts were breached, the attacker(s) had an easy way to lure more victims. The victims would have their computers infected and files locked up until they paid the ransom, which added up to over $18 million in extortion payments across hundreds of thousands of victims.
The sensitive information, including credit card details, of over 100 million Americans was compromised as a result of Home Depot’s website getting hacked. While the specifics have not been disclosed, this security breach was the result of a phishing attack. The stolen information was subsequently placed for sale on various black market forums.
ICANN is the Internet Corporation for Assigned Names and Numbers, a private corporation that oversees the entire domain registration system. The corporation was targeted in a ‘spear phishing’ attack, a technique that’s used in more than 9 in 10 phishing attempts. It started with employee e-mail accounts getting hacked, but led to other systems getting compromised. For a period of time, the intruder had access to the Centralized Zone Data System containing usernames, encrypted passwords, mailing information and more.
After one of the company’s sub-contractors had their account phished, the intruder managed to gain access to over 110 million Americans’ credit card information. This led to the firing of not only IT security staff, but also the company’s CEO at the time, Tony Fisher. The result of the 2013 security breach was endless liability for Target, and a renewed debate on whether a company should be held responsible for such an attack.
Similar Attacks to Phishing
E-mail phishing is the most common form of phishing attack. Yet, there are still many other attacks that are similar in nature. Some examples include SMiShing and vishing attacks.
Here’s a better look at those …
SMiShing: The act of attempting to phish information through SMS messages. This could be done by requesting sensitive information in a response or by sending the recipient to a website. It’s a popular alternative to standard phishing attacks as almost everyone has a cell phone, and the majority of smartphone users open their messages without so much as a second thought. This method is not a serious threat right now, but watch out so it does not catch you off guard.
Vishing: The act of attempting to phish information through a voice call. In most cases, this involves the fraudster impersonating a company employee. For example, they might pretend to be your credit card provider in an attempt to steal your credit card numbers. This method sometimes works because the caller has the chance to build rapport over the phone; you can easily avoid it by asking to call back on the company’s published number and continue the conversation from there.