Phishing is one of the oldest fraud methods since the invention of the internet. With the help of social engineering, cybercriminals try to make you give out passwords, banking or payment data, for example through phishing e-mails or malware. Traditionally, phishing meant opening malicious links or attachments or unwillingly downloading malware. However, modern phishing tactics can easily make you hand criminals important data involuntarily.

The meaning of phishing

Even before the internet, cunningly stealing data was a common part of a criminal’s bag of tricks. Shoulder surfing, i.e. spying over the shoulder, was most often used to obtain important data such as PIN codes, addresses, bank data or phone numbers.

Phishing can be seen as a further development of data theft in the internet era. As you might have guessed, phishing comes from the English word “fishing”. It’s easy to imagine phishing victims being lured in like fish with seemingly real-looking messages.

You’ve probably already received emails in your inbox in which your bank supposedly had an urgent request. Or perhaps Amazon wanted to deliver a package you never even ordered. Or you’ve received an inheritance worth millions of dollars from a previously unknown uncle. The list of phishing tactics is long and gets longer every year.

What is the goal of phishing?

Phishing has only one goal: to obtain your data. It can be your bank information, credit card data or passwords you use for your online bank, Amazon or email accounts or website backend. The more personal and sensitive your data is, the more criminals are interested in it.

The data theft is carried out by phishing scammers persuading you to enter your personal information on fake pages. The criminals can use the stolen data to cause you financial damage, steal your identity, carry out further phishing attacks on your contacts or corrupt company data.

Phishing is also often just the first step for further attacks with malware, ransomware, adware and scareware. Phishing email attachments with macros or malicious code are also used to install malware on computers.

Different types of phishing

Just as technologies and digital competences are constantly evolving, phishing swindlers are also constantly changing their procedures and methods. Traditional phishing still requires the involuntary “help” of the victim: you had to actively enter personal data or click on links and attachments. However, new phishing tactics no longer need to rely solely on your “participation”.

Common types of phishing are:

  • Email phishing: Fake emails usually containing links to malicious websites or downloadable items, or malware as attachments.
  • Website phishing: Fake websites that trick you into entering important data or installing malware. This tactic is also called spoofing.
  • Vishing: Also known as voice-fishing, vishing stands for scam calls via the telephone or otherwise scamming via voice.
  • Smishing: Smishing is the use of fake SMS or messenger messages to trick you into clicking links, downloading malware or handing out sensitive data.
  • Social media phishing: Phishing on social media can mean hijacking social media accounts or creating deceptively real copies of real social media accounts. The goal is again to try to steal sensitive data from followers and other users.

The two most common types of phishing strategies

Common phishing strategies can be divided into targeted spear phishing that uses social engineering, and broader mass phishing.

Spear phishing

Spear phishing means spying on a small target group or only a single victim. With the help of social engineering, criminals collect publicly available personal information such as email addresses, lists of friends, career paths and job titles from social media, company websites or career pages.

Criminals then generate deceptively real-looking emails that appear to be coming from your friends, colleagues, other acquaintances or banks. These emails contain a link to a professionally made fake website that asks you to enter your password, bank details or other sensitive information. Alternatively, the fake email is meant to deceive you into opening malicious file attachments. Spear phishing can also be used to spy on data related to a company CEO to prepare large-scale cyberattacks against companies or to steal company assets.

Mass phishing

While sophisticated spear phishing focuses on the quality, mass phishing campaigns focus on the quantity of victims. It aims to steal as much sensitive data as possible from as many potential victims as possible.

You can often recognize mass phishing from clearly fake email addresses, redirects to dubious, unencrypted HTTP websites or URLs, and bad grammar. The emails can also claim to come from UPS or FedEx, even though you haven’t ordered anything. You might also receive messages from Amazon or PayPal even though you don’t even own an account.

Other phishing tactics

As stated previously, new phishing techniques no longer rely on the participation of the victim. Clicking on suspicious links or entering data is therefore no longer necessarily required. Opening a website or email infected with malicious code is enough to initiate a man-in-the-middle attack.

This is the term used when criminals are able to get between your computer and the internet to intercept your internet communication, including sensitive data. A man-in-the-middle attack is especially treacherous as it’s often difficult to detect those silent attackers lurking between your computer and internet servers.

How to quickly recognize phishing attacks with 5 typical signs

To recognize phishing tactics and phishing emails, look out for the following 5 signs:

  1. Emails or websites that use obviously incorrect grammar or broken English
  2. Emails or websites from banks or other service providers that ask you to enter personal or payment information or to verify your account
  3. Email addresses from supposedly legitimate senders that match neither the sending company’s name nor the sender’s name
  4. Redirects to http websites or to suspicious URLs, and the use of shortened links through a URL shortener like bit.ly
  5. Emails coming from dubious addresses with odd, ad hoc requests. They can also contain suspicious file attachments such as .exe, .docx, .xlsx or ZIP and RAR archive files
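As an added illustration (not code from the original page), the following script checks one raw email against signs 2 to 5 from the list above: a display name that does not match the sending domain, a request to verify the account, plain http links or URL shorteners, and risky attachment types. The sample message and the domain paypa1-secure.example are constructed for the demonstration; sign 1 (broken grammar) is left to the human reader.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original page) showing signs 2 to 5.
SAMPLE_EMAIL = """\
From: "PayPal Support" <service@paypa1-secure.example>
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear costumer, please verify your account here: http://bit.ly/3abcXYZ
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

--b1--
"""

RISKY_EXTENSIONS = (".exe", ".docx", ".xlsx", ".zip", ".rar")  # sign 5
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")  # sign 4
CREDENTIAL_PHRASES = ("verify your account", "enter your password")  # sign 2
URL_RE = re.compile(r"(https?)://([^/\s]+)", re.IGNORECASE)

def phishing_signs(raw):
    # Returns the list of signs found in one raw RFC 822 message.
    msg = message_from_string(raw)
    signs = []
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Sign 3 (coarse heuristic): no word of the display name, i.e. the claimed brand, appears in the domain.
    brand_words = [w for w in re.findall(r"[a-z]+", display.lower()) if len(w) > 3]
    if brand_words and not any(w in domain for w in brand_words):
        signs.append(f"sender domain {domain!r} does not match display name {display!r}")
    text = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            signs.append(f"risky attachment {filename!r}")
        if part.get_content_type() == "text/plain":
            text += part.get_payload()
    if any(p in (msg.get("Subject", "") + "\n" + text).lower() for p in CREDENTIAL_PHRASES):
        signs.append("asks to verify the account or enter credentials")
    # Plain http and URL shorteners both hide where the link really goes.
    for scheme, host in URL_RE.findall(text):
        if scheme.lower() == "http" or host.lower() in SHORTENERS:
            signs.append(f"suspicious link {scheme}://{host}")
    return signs
```

Running `phishing_signs(SAMPLE_EMAIL)` reports four findings for the sample, while a plain message from a matching domain with an https link reports none.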

Famous phishing attacks

Sometimes criminals manage to conduct such large-scale phishing attacks that they cause a lot of headlines. Below we’ve listed three of the most well-known ones:

The presidential election 2016

The leaking of numerous emails from the American Democratic Party in 2016 is one of the best-known and most significant cases of phishing. The hacker groups Fancy Bear and Cozy Bear sent phishing emails to multiple Democratic members of Congress. The emails urged the recipients to promptly change specific passwords by clicking a link. This enabled the attackers to obtain login data and gain access to various email accounts of high-ranking politicians. Wikileaks later published the data, which had a significant impact on Donald Trump becoming the next President.

Phishing attack against Facebook and Google

In 2017, hackers managed to pull off one of the most expensive phishing attacks of all time. By using phishing emails and a fake business identity they were able to steal around $100 Million from Google and Facebook. The hackers were able to succeed because the fake company they used was almost indistinguishable from a real business partner of Google and Facebook. The employees of these company giants unknowingly transferred enormous amounts of money to overseas accounts controlled by the hackers.

Malware attack on Sony Pictures in 2015

Sony fell victim to a spear phishing attack due to their upcoming film “The Interview”, a comedy about kidnapping the North Korean leader, Kim Jong-un. On November 24, 2014, the hacker group “Guardians of Peace” leaked a massive amount of confidential data regarding the company’s films and its employees’ personal information. The group had obtained this data via deceptive emails to many of the company’s employees. The emails seemed to come from Apple, prompting the recipient to verify their Apple IDs due to suspicious account behavior. In the end, this information enabled the hackers to install malware on every single employee’s computer. The group used the hack to stop Sony from releasing the film, which was later withdrawn from theaters. The loss of data and infrastructure due to the phishing attack cost Sony an estimated $83 Million.

Although large corporations, institutions and governments are the prime targets for phishing attacks, individuals are also at risk of becoming the victim of a cybercrime. The Cybersecurity & Infrastructure Security Agency informs and educates American citizens as well as companies about various cybersecurity topics and threats. Many individual states, for example the Commonwealth of Massachusetts, also offer information about cybercrime.
