What is phishing? Get a rundown on the methods here

Phishing is one of the oldest fraud methods on the internet. Using social engineering, cybercriminals try to get you to hand over passwords, banking or payment data, for example through phishing emails or malware. Traditionally, phishing meant the victim opening a malicious link or attachment or unknowingly downloading malware. Modern phishing tactics, however, can extract valuable data from you with little or no action on your part.

The meaning of phishing

Even before the internet, cunningly stealing data was a standard part of a criminal's bag of tricks. Shoulder surfing, i.e. looking over someone's shoulder, was a common way to obtain valuable data such as PIN codes, addresses, bank details or phone numbers.

Phishing can be seen as the internet-era continuation of this kind of data theft. As you might have guessed, the word is derived from “fishing”, with the “ph” spelling borrowed from “phreaking”, the older telephone-hacking scene. It is easy to picture phishing victims being lured in like fish with bait that looks like a genuine message.

You’ve probably already received emails in your inbox in which your bank supposedly had an urgent request. Or perhaps Amazon wanted to deliver a package you never even ordered. Or you’ve received an inheritance worth millions of dollars from a previously unknown uncle. The list of phishing tactics is long and gets longer every year.

What is the goal of phishing?

Phishing has only one goal: to obtain your data. This can be your bank details, credit card data, or the passwords you use for online banking, Amazon, your email accounts or the administration back end of your website. The more personal and sensitive the data, the more interesting it is to criminals.

The theft itself is carried out by persuading you to enter your personal information on fake pages. The criminals can then use the stolen data to cause you financial damage, steal your identity, launch further phishing attacks against your contacts, or corrupt company data.

Phishing is also frequently just the first step toward further attacks with malware such as ransomware, adware and scareware. Email attachments that carry macros or other malicious code are a common way of installing malware on a victim's computer.

Different types of phishing

Just as technologies and digital skills keep evolving, phishing swindlers keep changing their procedures and methods. Traditional phishing still requires the involuntary “help” of the victim: you have to enter personal data yourself or click on a link or attachment. Newer phishing tactics, however, no longer rely solely on your “participation”.

Common types of phishing are:

  • Email phishing: Fake emails that usually contain links to malicious websites or carry malware as attachments.
  • Website phishing: Fake websites that trick you into entering important data or installing malware. This tactic is also called website spoofing.
  • Vishing: Short for voice phishing, vishing refers to scam calls over the telephone or other forms of voice-based scamming.
  • Smishing: The use of fake SMS or messenger messages to trick you into clicking links, downloading malware or handing over sensitive data.
  • Social media phishing: Phishing on social media can mean hijacking social media accounts or creating deceptively realistic copies of real accounts. The goal is again to steal sensitive data from followers and other users.

The two most common types of phishing strategies

Common phishing strategies can be divided into targeted spear phishing, which is tailored to its victims using reconnaissance and social engineering, and broad mass phishing, which relies on sheer volume.

Spear phishing

Spear phishing means targeting a small group or even a single victim. Before the attack, criminals collect publicly available personal information such as email addresses, friend lists, career histories and job titles from social media, company websites or career pages, and use it to build a convincing pretext.

They then generate deceptively realistic emails that appear to come from your friends, colleagues, other acquaintances or your bank. These emails contain a link to a professionally made fake website that asks you to enter your password, bank details or other sensitive information. Alternatively, the fake email is designed to get you to open a malicious file attachment. Spear phishing is also used to gather data on a company's CEO or other executives in order to prepare large-scale attacks against the company or to steal company assets, a variant often called whaling or CEO fraud.

Mass phishing

While sophisticated spear phishing focuses on the quality, mass phishing campaigns focus on the quantity of victims. It aims to steal as much sensitive data as possible from as many potential victims as possible.

You can often recognize mass phishing by obviously fake sender addresses, redirects to dubious URLs or unencrypted HTTP websites, and bad grammar. Bear in mind, though, that the padlock is not a seal of approval: phishing sites are routinely served over HTTPS today, so a valid certificate only tells you that the connection is encrypted, not that the site is legitimate. The emails may also claim to come from UPS or FedEx even though you haven't ordered anything, or from Amazon or PayPal even though you don't have an account with them.

Other phishing tactics

As stated previously, newer phishing techniques no longer rely on the victim's participation. Clicking on a suspicious link or entering data is therefore not necessarily required any more. Merely opening a compromised website, or rendering an email that carries malicious code, can be enough to install malware on your device without a click, a so-called drive-by download, and that malware can in turn set up a man-in-the-middle attack.

This term is used when criminals manage to position themselves between your computer and the internet so that they can intercept your internet communication, including sensitive data. A man-in-the-middle attack is especially treacherous because these silent attackers, lurking between your computer and the servers you talk to, are often difficult to detect.

How to quickly recognize phishing attacks with 5 typical signs

To recognize phishing tactics and phishing emails, look out for the following 5 signs:

  1. Emails or websites that use obviously incorrect grammar or broken English
  2. Emails or websites from banks or other service providers that ask you to enter personal or payment information or to “verify” your account
  3. Sender addresses that match neither the company the email claims to come from nor the name shown in the sender field
  4. Redirects to plain http websites or suspicious URLs, and the use of shortened links through a URL shortener like bit.ly that hide the real destination. Note that https alone does not prove a site is genuine; many phishing sites have valid certificates
  5. Emails from dubious addresses with odd, ad hoc requests. They may also carry suspicious file attachments such as .exe files, macro-enabled Office documents (.docm, .xlsm), ordinary .docx or .xlsx files, or ZIP and RAR archives
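Signs 3, 4 and 5 can be checked mechanically. The following script is an added example written for this article, not code from the original page or from IONOS: it parses a raw email with Python's standard library and flags a display name that claims a brand the sender domain does not belong to, plain-http and URL-shortener links in the body, and attachments with risky extensions. The brand-to-domain map, the shortener list, the extension list and both sample messages are constructed assumptions for illustration, not authoritative data; signs 1 and 2 still need a human reader.

```python
"""Triage a raw email against phishing signs 3, 4 and 5 (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains a brand legitimately sends from. A real deployment
# would load a maintained allow-list; these entries are illustrative only.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.de"},
    "ups": {"ups.com"},
}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}   # assumed list
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".docm", ".xlsm",
                        ".zip", ".rar", ".iso")                 # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(from_header):
    """Domain part of the From: address, lowercased ('' if unparsable)."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def brand_mismatch(from_header):
    """Sign 3: display name names a brand, but the address is not on that brand's domain."""
    name, _ = parseaddr(from_header or "")
    domain = sender_domain(from_header)
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name.lower()):
            # Accept the brand's own domain or any subdomain of it.
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return True
    return False


def suspicious_urls(text):
    """Sign 4: links served over plain http or routed through a URL shortener."""
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() == "http":
            findings.append(("plain-http", url))
        if host in URL_SHORTENERS:
            findings.append(("shortener", url))
    return findings


def risky_attachments(msg):
    """Sign 5: attachment file names with executable, macro or archive extensions."""
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_ATTACHMENT_EXT)
    ]


def triage(raw_message):
    """Return a list of flags for one raw RFC 822 message; empty means no sign fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    flags = []
    if brand_mismatch(msg["From"]):
        flags.append("sender-domain-mismatch")
    flags += [f"{kind}:{url}" for kind, url in suspicious_urls(text)]
    flags += [f"attachment:{name}" for name in risky_attachments(msg)]
    return flags


# Constructed sample: a fake "PayPal" message with a shortened plain-http link
# and a ZIP attachment. Not a real phishing email; the archive is empty.
PHISHING_SAMPLE = """\
From: "PayPal Security" <security@paypal-verify-account.net>
To: victim@example.com
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer, verify your account within 24 hours:
http://bit.ly/3xyzabc
Failure to do so will result in permanent suspension.

--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample of a message that trips none of the checks.
CLEAN_SAMPLE = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your monthly statement
Content-Type: text/plain; charset="utf-8"

Your statement is available at https://www.paypal.com/myaccount/
"""

if __name__ == "__main__":
    print(triage(PHISHING_SAMPLE))
    print(triage(CLEAN_SAMPLE))
```

The subdomain check in brand_mismatch is deliberate: a legitimate mail from mail.paypal.com must not be flagged, whereas paypal-verify-account.net, which merely contains the brand name, must be. The checks are heuristics for triage, not a verdict; an email that passes all of them can still be phishing.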


Famous phishing attacks

Sometimes criminals pull off phishing attacks on such a large scale that they make headlines. Below we list three of the best-known cases:

The 2016 presidential election

The leak of numerous emails from the American Democratic Party in 2016 is one of the best-known and most significant cases of phishing. The hacker groups Fancy Bear and Cozy Bear sent phishing emails to staff of the Democratic National Committee and the Clinton campaign. The emails urged the recipients to change specific passwords promptly by clicking a link. This enabled the attackers to obtain login data and gain access to the email accounts of several high-ranking figures in the party and the campaign. WikiLeaks later published the data, and the leak is widely thought to have influenced the outcome of the election that Donald Trump won.

Phishing attack against Facebook and Google

In a scheme that ran from 2013 to 2015 and was prosecuted in 2017, a fraudster pulled off one of the most expensive phishing attacks of all time. Using phishing emails, forged invoices and a fake business identity, the attacker obtained around $100 million from Google and Facebook. The attack succeeded because the fake company was almost indistinguishable from a real business partner of the two firms. Employees of these corporate giants unknowingly transferred enormous sums to overseas accounts controlled by the attacker. This kind of invoice fraud is now usually called business email compromise (BEC).

Malware attack on Sony Pictures in 2014

Sony fell victim to a spear phishing attack in connection with its upcoming film “The Interview”, a comedy about a plot to assassinate the North Korean leader Kim Jong-un. On November 24, 2014, the hacker group “Guardians of Peace” leaked a massive amount of confidential data about the company's films and its employees' personal information. The group had obtained its foothold via deceptive emails to many of the company's employees. The emails appeared to come from Apple and asked the recipients to verify their Apple IDs because of suspicious account activity. The credentials harvested this way ultimately allowed the attackers to spread malware across the company's network, including wiper malware that destroyed data on a large number of computers. The group used the hack to pressure Sony into cancelling the film's wide theatrical release. The loss of data and infrastructure due to the phishing attack cost Sony an estimated $83 million.

Although large corporations, institutions and governments are the prime targets for phishing attacks, individuals are also at risk of becoming victims of cybercrime. The Cybersecurity & Infrastructure Security Agency (CISA) informs and educates American citizens and companies about a wide range of cybersecurity topics and threats, and many individual states, for example the Commonwealth of Massachusetts, also offer information about cybercrime.
