Phishing is the umbrella term for a type of attack in which the attackers try to fool the target into giving information away, clicking on a malicious link, or transferring cash into the wrong account. The name comes from its similarity to a fisherman throwing a baited hook into a river and hoping he gets a bite. The ‘ph’ at the beginning is a bit of hacker nostalgia: the earliest hackers were known as ‘phreakers.’ Phishing is a relatively easy and cheap method for hackers to achieve their purposes and relies on something called ‘social engineering’ – manipulating a person’s way of thinking so that they can be tricked. Although phishing is generally carried out through email, there are also other forms involving phones and social media. It is estimated that phishing accounts for 90% of all data breaches and that 135 million phishing emails are sent out every day.[i]
Surprisingly, phishing was first seen in the mid-1990s, when it was used against AOL users. Because it was so successful and uncomplicated in its approach, it has continued as a tool of hackers, more or less unchanged, to this day. Of course, email has now become the preferred vector, and the content has become more sophisticated than the badly spelled and formatted messages of the early days. But the psychology behind the scams remains the same, and people are still being fooled into making bad decisions.
When people think of phishing emails, they tend to think of the sort of spam that continually arrives in the inbox. These emails sound dodgy from the start, with promises of big wins, surprise inheritances, and requests for money to help an orphan recover her lost fortune (with a big reward, of course). The message itself is full of bad grammar and spelling mistakes, and often starts with ‘Dear.’ These emails were everywhere back in the early 2000s, and are still widespread, but they have a low success rate and have been passed over by serious phishers in favor of more sophisticated methods.
The first change towards a ‘thinking hacker’s’ system was seen in 2003, when phishers decided it would be a good idea to purchase domains that sounded like real companies. They would choose a household name and buy a domain that looked similar but contained small, almost unnoticeable differences. For example, instead of Google.com, the hackers used G00gle.com – swapping the ‘o’s for zeros. This is known as a homograph attack or domain spoofing. Nowadays, in an attempt to look even more authentic, many of these spoof domains have SSL (secure sockets layer) certificates too, providing a false sense of security to anyone who visits them.
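The G00gle.com substitution described above can be detected mechanically: undo the common character swaps and compare what is left against the brand names you want to protect. The following is an added example written for this article, not code from the original page or from any product it mentions; the brand list, the substitution table and the sample domains are constructed for illustration.

```python
"""Look-alike (confusable) domain check.

Added example, not code from the original article. It undoes the
character substitutions behind spoof domains such as the article's
G00gle.com and compares the result against a short list of brands to
protect. The brand list and the sample domains are constructed for
illustration.
"""

# Brands whose names we want to recognize in look-alike domains (constructed).
PROTECTED_BRANDS = ["google", "paypal", "microsoft", "netflix"]

# Substitutions commonly used in look-alike registrations. Multi-character
# pairs come first so that "rn" becomes "m" before any single-character rule.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
    ("7", "t"),
    ("@", "a"),
    ("$", "s"),
]


def registrable_label(host: str) -> str:
    """Second-level label of a hostname: 'www.paypa1-secure.net' -> 'paypa1-secure'.

    Naive split that ignores multi-part public suffixes such as co.uk;
    a production check would consult the public suffix list instead.
    """
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(text: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brands=PROTECTED_BRANDS, max_distance: int = 1):
    """Return (verdict, brand).

    'legitimate' when the registrable label is exactly a protected brand,
    'lookalike' when a brand name appears in the normalized hostname or the
    normalized label is within max_distance edits of one, else 'unknown'.
    """
    host = domain.lower().strip(".")
    label = registrable_label(host)
    if label in brands:
        return ("legitimate", label)
    norm_host = normalize(host)
    norm_label = normalize(label)
    for brand in brands:
        # Brand embedded in a name we do not own: g00gle.com,
        # paypa1-secure.net, google.com.evil.net
        if brand in norm_host:
            return ("lookalike", brand)
        # Typo-squat within one edit of the brand: gooogle.com
        if levenshtein(norm_label, brand) <= max_distance:
            return ("lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample domains, one per case the function handles.
    for d in ["google.com", "g00gle.com", "paypa1-secure.net",
              "google.com.evil.net", "gooogle.com", "example.com"]:
        verdict, brand = classify_domain(d)
        print(f"{d:24} {verdict:11} {brand or ''}")
```

The brand-in-hostname rule also catches the subdomain trick (google.com.evil.net), where the real brand appears to the left of a domain the attacker owns. The price of the naive suffix split is that a brand's own country-code domains (google.co.uk) are flagged as look-alikes, so a deployment would pair this check with an allowlist of the brand's genuine domains and a public suffix list.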
How Do Phishers Phish?
There are various forms of phishing, and several goals that a hacker might have. In the majority of cases, the attacker wants either a financial reward or sensitive information that can be sold on to third parties. In a few cases, the desired outcome is sabotage, especially if the bad actor is a hacktivist (a hacker with a political or ideological agenda).
One way to con people into giving out information is to entice the target to a spoofed website. Phishers can easily get hold of something called a phishing kit, which contains a web component and anti-detection software. The web element, essentially the back end of the operation, is designed to imitate a legitimate website, such as that of a bank, Google, PayPal, or some other well-known brand. These kits, along with mailing lists, are readily available on the dark web. The emails are sent out with a spoofed sender address that, at a glance, looks as though it belongs to a genuine sender. Once the victim takes the bait and clicks on the link in the mail, they are directed to the fake page. If they are fooled into thinking that it is the official landing page of the organization that purportedly sent the email, they are likely to follow instructions and reveal personal information, such as passwords, usernames, and payment card details. In 2019, the top three favorite brands to spoof were PayPal, Microsoft, and Netflix.[ii] Attacks of this kind are often of the ‘spray and pray’ variety: thousands of emails are sent out in the hope that some recipients will have an account at that bank, or with that media company, and will click on the link.
Personalization: Spear Phishing to BEC
Other attacks, known as spear phishing, are targeted at specific recipients. Targeted emails require some research on the part of the hacker about their intended victims, usually by trawling through social media sites. Despite the extra work needed, spear phishing is more profitable for a cybercriminal and is one of the most common forms of attack. A more sophisticated, and potentially very lucrative, version of spear phishing is the business email compromise, or BEC. Here the hacker picks out potential victims who work in the HR or finance department of an organization. Using knowledge gained from research, they email the staff member pretending to be someone higher up in authority, such as the CEO, and ask them either to make a funds transfer to a particular account number or to email sensitive information. In all cases, the tone is one of urgency, in the hope that the employee will comply without double-checking with their boss first. Between 2013 and 2015, Facebook and Google were conned out of more than $100 million. A hacker from Lithuania convinced the finance departments of both companies that he was an Asia-based company with whom they regularly traded; once he had fooled them, he was able to send fake invoices over several years.[iii] Phishing that targets senior management for similar purposes is known as whaling.
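The indicators described in the last two sections (a link whose visible text names one domain while its destination is another, an executive's name on an address outside the company, a Reply-To that diverts answers elsewhere, and pressure to act immediately) can all be read from the message itself before anyone clicks. The following mail-screening routine is an added example written for this article, not code from the original page or from any vendor it cites; the company domain, the executive names, the urgency word list and both sample messages are constructed.

```python
"""Inbound-mail indicators for spoofed senders and BEC-style requests.

Added example, not code from the original article. It parses a message
with Python's standard email module and reports the indicators the text
describes: a look-alike link whose visible text and destination disagree,
an executive's display name on an address outside the company, a Reply-To
that diverts replies elsewhere, and urgency language. The company domain,
executive names, urgency terms and the two sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

COMPANY_DOMAIN = "example-corp.com"                 # constructed
EXECUTIVES = {"jane doe", "john smith"}              # constructed, lower-cased
URGENCY_TERMS = ("urgent", "immediately", "asap", "wire", "before end of day")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(value: str) -> str:
    """Domain of an e-mail address, URL or bare 'host/path' string, lower-cased."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return value.split("/", 1)[0]


def analyze(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Executive display name on an external address (the BEC pattern).
    if from_name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{from_name}' on external address {from_addr}")

    # 2. Reply-To steering answers to a different domain than the From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 3. Link text that shows one domain while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(text)
    for shown, href in collector.links:
        shown_domain = domain_of(shown) if "." in shown else ""
        if shown_domain and shown_domain != domain_of(href):
            findings.append(f"link text shows {shown_domain} but points to {domain_of(href)}")

    # 4. Pressure language in subject or body.
    lowered = f"{msg.get('Subject', '')} {text}".lower()
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


# Constructed sample: executive display name, external sender, diverted
# Reply-To, look-alike invoice link and pressure to act.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@exec-mail-service.net>
Reply-To: accounts@payment-desk.biz
To: finance@example-corp.com
Subject: URGENT wire transfer before end of day
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please process this wire immediately, I am in meetings all day.</p>
<p>Invoice: <a href="http://paypa1-secure.net/login">www.paypal.com/invoice</a></p>
</body></html>
"""

# Constructed sample: the same executive writing from the company domain.
CLEAN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget review notes
Content-Type: text/plain; charset="utf-8"

Attached are the notes from today's meeting. No action needed this week.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(f"{name}: {analyze(sample) or ['no findings']}")
```

None of these four signals is conclusive on its own (executives do travel and write from personal addresses, and legitimate marketing mail routinely sets a different Reply-To), which is why the routine returns every finding rather than a single verdict: a mail gateway or triage analyst weighs the combination, and a message that trips all four is the one the finance team should be told to verify by phone before paying.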
Another tactic is to attach a fake invoice or job-seeker’s résumé to the email. These attachments are usually .zip files or Microsoft Office documents that contain malicious code. Once they are opened, the malware is installed and activated, often without the staff member realizing it. The types of malware released, which could be ransomware, scraperware, or spyware, will have severe consequences for the organization. According to PhishInsight, phishing emails are responsible for 94% of ransomware attacks on companies.[iv]
Phishing is not limited to emails or websites: there are also two other methods used to con people into giving away their information:
Vishing
Also known as voice phishing or phone phishing. Although it takes place over the phone, it follows the same manipulative methods as the emails. The attacker will often claim to be from the target’s bank, tax office, or other financial institution, and will go on to create a sense of worry by claiming that they have noticed something wrong on the account and need to check personal information urgently. The victim is usually so concerned that they comply with the caller and compromise themselves. There are many cultural variations of this. For instance, in Japan the elderly have been the victims of a phone-based scam in which the perpetrator calls older Japanese men and women pretending to be their grandchild or a friend of a family member. The basic premise is the same: during the call the elderly victim learns that a family member is in trouble and needs help immediately, usually in the form of a payment. Known as “ore ore sagi” (the “hey, it’s me” scam), it shows that scammers use every form of deception and prey on vulnerabilities.
Smishing
This is done using SMS (text) alerts and is on the increase. As with the other types of phishing, the message usually demands an urgent response, and it is that response that costs the victim their passwords or payment card details.
Everyone is a potential victim when it comes to phishing. From individuals at home to large corporations, cybercriminals are not fussy about where they make their money. To make matters worse, phishing is becoming more sophisticated as technology improves and hackers become more business-like. There are already cases of deepfake audio being used in vishing, and it won’t be long before deepfake videos impersonating CEOs are used as well. In part two we will look at how cybercriminals use human nature to bait their hooks.
[i] ‘The Ultimate Guide to Phishing,’ MetaCompliance, accessed at https://www.metacompliance.com/resources/ultimate-guide-to-phishing/
[ii] Josh Fruhlinger, ‘What is Phishing? How This Cyberattack Works and how to Prevent it,’ CSO Online, 11/22/2019, accessed at https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
[iii] Casey Crane, ‘The Dirty Dozen, The 12 Most Expensive Phishing Attacks in History,’ The SSL Store, 06/07/2019, accessed at https://www.thesslstore.com/blog/the-dirty-dozen-the-12-most-costly-phishing-attack-examples/
[iv] PhishInsight, accessed at https://phishinsight.trendmicro.com/en/
SAYA University is the multilingual “Netflix of cybersecurity” that produces original e-learning programming in a variety of languages. SAYA University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet Earth, we have a lot of work to do. Our multi-language e-learning platform offers the world’s most cutting-edge knowledge in cybersecurity, data privacy and compliance, all in one place.