What is Phishing?
Phishing is a type of cyber attack where scammers create fraudulent emails or websites that appear to be from a legitimate source, in an attempt to deceive users into revealing their sensitive information such as passwords, credit card details, or personal data.
The goal of phishing attacks is to steal personal or financial information and use it for fraudulent purposes such as identity theft or financial fraud.
Dissecting Phishing
Phishing originated from two significant events. The first was the "Nigerian Prince" scam in the 1980s, where scammers lured individuals with the promise of substantial financial gain in return for a small investment through letters or faxes.
The second event occurred in the mid-1990s when hackers used fraudulent emails posing as AOL's billing department to obtain AOL account information. This incident led to the coining of the term "phishing," which is derived from "fishing," where bait is cast into a body of water in the hopes of catching a fish, and in this case, catching unsuspecting individuals.
Techniques Used in Phishing
Phishing is a process that can take various forms depending on the attacker's objectives. One or more of the following common techniques are typically combined in a phishing attack:
- Social Engineering: Scammers use a range of tactics to manipulate the victim's emotions and convince them to take a specific action or provide sensitive information. For example, they may use urgent language to create a sense of panic or fear, or they may create a sense of curiosity by promising exclusive access to certain information or offers. Social engineering tactics are often used in conjunction with other phishing techniques, such as email phishing or website forgery.
- Link Manipulation: Scammers will often alter the URL of a legitimate website or create a fake website that closely resembles a legitimate one. They may also use link shortening services or obfuscation techniques to hide the true destination of a link. Link manipulation can be executed through various mediums, such as email, social media, or messaging apps.
- Filter Evasion: To bypass spam filters or email security measures, scammers may use techniques such as misspelled domain names, avoiding spam trigger words, or using image-based emails. They may also use other messaging platforms like social media or messaging apps to avoid email security measures altogether.
- Website Forgery: Scammers create fake websites that closely resemble legitimate ones, often by replicating the design and layout of the legitimate website. They may use social engineering tactics or email phishing to direct victims to these fake websites, such as by sending a fake email that appears to be from a legitimate company with a link to the fake website.
- Malware Delivery: Scammers use phishing emails or messages to deliver malware to a victim's computer or device. This can be done through various methods, such as through an email attachment or by directing the victim to a website that contains malware.
- Business Email Compromise: The attacker compromises a legitimate email account and uses it to send phishing emails to other employees or contacts within the organization, so that the messages appear to come from a trusted source. These emails typically request sensitive information or funds transfers, which the victim may unwittingly provide.
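The link manipulation and filter evasion techniques above (hidden link destinations, misspelled lookalike domains) can be checked for mechanically on the receiving side. The following added example, which is not part of the original article, scans the anchors in an email body and flags the indicators an analyst would look for; the trusted domain `example-bank.com`, the sample body and the thresholds are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Brand domains the organisation treats as trusted (constructed for this example).
TRUSTED_DOMAINS = {"example-bank.com"}

def edit_distance(a: str, b: str) -> int:  # Levenshtein, to catch misspelled lookalikes
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(text: str, href: str) -> list[str]:
    """Return the link-manipulation indicators found for one link (empty means clean)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.username:  # trusted name placed before '@'; the real host follows it
        findings.append("userinfo-in-url")
    shown = re.search(r"https?://([A-Za-z0-9.-]+)", text)
    if shown and shown.group(1).lower() != host:  # visible URL differs from real target
        findings.append("display-host-mismatch")
    domain = ".".join(host.split(".")[-2:])  # crude registrable-domain approximation
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            findings.append(f"lookalike:{trusted}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # brands rarely link to bare IPs
        findings.append("raw-ip")
    return findings

def scan_html(html: str) -> dict[str, list[str]]:
    """Map each flagged href in an email body to its indicators (regex extraction is enough for this flat sample)."""
    links = re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S)
    return {href: f for href, text in links if (f := check_link(text, href))}

# Constructed sample email body: two manipulated links and one genuine one.
SAMPLE = """<p>Your account needs attention.</p>
<a href="https://examp1e-bank.com/login">https://example-bank.com/login</a>
<a href="https://example-bank.com@198.51.100.7/verify">Verify now</a>
<a href="https://example-bank.com/help">Help centre</a>"""

if __name__ == "__main__":
    for href, flags in scan_html(SAMPLE).items():
        print(href, "->", ", ".join(flags))
```

A production filter would resolve shortened links and use a public-suffix list instead of the two-label approximation, but the indicators themselves are the same.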
Phishing Types
Phishing is often the starting point of a multichannel cyberattack, and distinct types of phishing have developed, each with features designed to target specific groups or to obtain specific kinds of information. These include:
- Email phishing: Scammers send fraudulent emails that appear to be from a legitimate source, such as a bank, social media platform, or government agency. These emails often ask the recipient to provide personal or financial information, or to click on a link or download an attachment.
- Spear phishing: Scammers create customized emails that are tailored to the interests and preferences of the victim. Spear phishing attacks are often directed at high-profile individuals, such as executives or government officials, and can be highly effective in tricking victims into revealing their information.
- Whaling: Specifically targets high-level executives or employees in an organization, such as CEOs or CFOs. Whaling attacks often use sophisticated social engineering tactics to convince victims to transfer funds or provide sensitive information.
- Smishing: Scammers send text messages to deceive victims. Smishing attacks often involve a message that appears to be from a legitimate source, such as a bank or government agency, and asks the recipient to provide personal or financial information.
- Vishing: Scammers use phone calls to deceive victims. The caller poses as a legitimate source, such as a bank or government agency, and asks the recipient to provide personal or financial information.
- Clone phishing: Scammers create a fake website that appears to be a legitimate site, such as a banking or e-commerce website. Clone phishing attacks often use emails that claim to be from the legitimate site and ask the recipient to click on a link to update their account information.
- Malware-based phishing: Scammers use malware, such as a virus or Trojan, to steal information from a victim's computer or device. Malware-based phishing attacks often involve a phishing email or website that installs the malware on the victim's device.
- Page hijacking: Scammers take over a legitimate website's page by exploiting vulnerabilities in the website's security. The attacker replaces the original content with their own malicious content, which can contain malware or fraudulent information.