Phishing is a common form of cybercrime that has been around for decades. While there have been many permutations throughout the years (nobody wants your AOL passwords anymore), the basic concept remains the same.
For such a prominent tactic, it still works well enough for criminals to send off three billion phishing emails every day in hopes of catching the big one[1]! So, dust off the oars and make sure the rowboat isn’t leaking because it’s time to visit the phishing hole.
The basics of phishing
The term “phishing” refers to when cybercriminals deceive unsuspecting people to extract sensitive personal information or deploy malicious software payloads. It relates to traditional fishing in that a fisherman tricks the fish into thinking they will get a delicious meal, when in fact, they are the meal!
There are two main end goals for phishing attacks. These are:
Identity theft. In 2019, over 5% of consumers experienced some form of identity theft and suffered nearly $17 billion in losses due to it[2]. That’s more than the total GDP of Jamaica! Phishing attacks can procure the necessary information (names. addresses, social security numbers, etc.) for thieves to open fraudulent credit cards or apply for loans under their victims’ names.
Malware infection. Many phishing attempts lure unsuspecting victims into clicking a malicious link containing a virus or ransomware. Your computer could even be taken over entirely and added to a botnet to carry out DDOS attacks.
Different types of phishing
Spear phishing. These are more advanced, targeted phishing attacks. Whereas a typical phishing attempt may be mass-emailed out to millions of people hoping to snag a few victims, spear phishers strike specific companies, departments, or individuals. They send tailored messages designed to appear authoritative and legitimate. It has a much higher chance of success but takes more research to develop.
Vishing. Also known as Voice Phishing, here, the scammer calls the intended individual and poses as an authority figure. A common example is a visher calling an employee of a company as someone from IT. They try to get the employee to install “security updates,” which actually end up being malware.
It doesn’t have to be related to business, however. Another popular scenario is contacting older people as law enforcement to gain personal information for identity theft or extort payments for fake fines. Sadly, criminals go to great lengths to achieve their fraudulent intentions.
Smishing. Since spam emails are frequent and well-documented, many people have caught on to blatant email phishing attempts. That must mean the swindlers have accepted defeat, right? No way. They are always coming up with different ways to deceive. That includes smishing, where phishers utilize SMS text messaging to carry out their schemes. People think text messages are more trustworthy than emails and are therefore more likely to click a bad link.
Whaling. Whaling is a subcategory of spear phishing where the mark is a high-level executive at a company. They have access to the most confidential data, and therefore, make for attractive targets.
Clone phishing. If a hacker accesses one person’s email, they can see who they’ve emailed. Clone phishing is where the bad actor sends an email to someone that’s identical to one they’ve already received. Except, the cloned email contains a malicious link or attachment.
Signs of phishing
Strange URLs from trusted brands. Phishers disguise themselves as trusted brands. Always check to make sure the links you’re following from brand emails are legitimate. We recommend copying and pasting links into your web browser bar instead of clicking them directly. This way, you have a better idea about whether or not the link looks suspicious.
Personal information requests. Companies and government agencies usually won’t require anyone to provide personal information via email or text. Err on the side of caution and refuse any such requests. If necessary, find the organization’s legitimate contact information from their verified website and call a representative.
Urgent, time-sensitive language. Phishers sometimes utilize scare tactics to make their targets feel like they need to act or risk enormous consequences. This is especially common when the phishers pose as law enforcement or legal professionals. Never pay for “fines” or “settlements” you had no idea about previously.
Too good to be true claims. Another classic phishing strategy! We’ve all likely received an email claiming we’ve won a lottery we never participated in, or been contacted by a “Nigerian Prince” who wants to reward us with untold riches. The old adage “If it sounds too good to be true, it probably is,” applies here.
Poor grammar or spelling. Many phishing attacks originate from outside the Western world. If the recent email from your boss is riddled with spelling or grammatical errors, you need to verify it came from a legitimate sender before you reply.
High-profile phishing incidents
Phishing has higher stakes than your Grandmother paying a fake parking ticket over the phone (as unfortunate as that is.) Here are a few high-profile incidents that made national news throughout the years.
Ukrainian Power Grid Attack. In December 2015, a spear phisher gained control of a portion of Ukraine’s power grid and caused an outage for over 225,000 people. Russian hackers were suspected to be the culprits[3].
Mia Ash. Throughout 2016-2017, a state-sponsored hacker group in Iran used the fake LinkedIn and Facebook profiles of Mia Ash to spear phish high-priority targets. Posing as a British photographer, the group friended senior employees in the region’s energy, tech, and telecommunications sectors. After lengthy conversations, “Mia” would send excel documents disguised as surveys that secretly contained malware[4].
The Walter Stephan Incident. In 2016, a major aerospace parts manufacturer, FACC, lost $47 million due to phishing. The malicious agent posed as FACC CEO, Walter Stephan, and demanded an employee transfer the enormous sum to a new account for an “acquisition project.” The project was fake, and the phisher made off with the largest known payout ever. Unsurprisingly, FACC later fired the CEO and CFO for the mishap[5].
How to prevent phishing
Never click strange links. If there’s even a passing thought of “Hmm. I wonder if I should click this,” Don’t! Hackers can compromise trusted friends and colleagues. Call and talk in person for verification if there’s a hint of fraud.
Ensure URL is https with a lock beside it. When browsing the internet, ensure the sites you visit are HTTPS (the “S” stands for “Secure”) and that there is a lock icon to the left of the web address. This means the site is safe. Stay away from websites still using the outdated HTTP protocol.
Use firewalls and antivirus software. Modern operating systems come standard with antivirus and firewall software. Use them and keep them updated to the most current versions. Hackers can breach older versions with known vulnerabilities, so it’s a good idea to activate their “auto-update” options.
Don’t put personal info online publicly. Spear phishers and whalers use readily available information found online to plan their attacks. This is why it’s important to consider everything you’re putting out to the world. Social media is a part of our lives, but being too transparent is dangerous. Find the right balance.
Block popups. Popups can be more than minor annoyances. Sometimes, ads with malware or cryptocurrency miners can sneak through and infect the devices of people who click them. Luckily, popular browsers have extensions that block all popups. Less annoyance. Less chance of a malware infection.
Secure your data
Phishing attacks won’t stop until they become ineffective. Hopefully, through education on the tactics phishers use, more people can protect themselves from identity theft and malware. Mistakes happen, however, and it’s challenging to account for all potential methods of attack. That’s why it’s vital to safeguard your data in other ways as well.
AXEL specializes in securing data at rest and in motion. Our file storage and sharing platform, AXEL Go, utilizes a system of decentralized servers to transfer your documents. This means there is no single point of failure like there is in a traditional server farm. It’s harder to pinpoint areas to attack in a decentralized system, and even if a particular node is compromised, we remove it from the system without affecting your files. Content can also be password protected using AES 256-bit encryption to provide an additional layer of security. Hackers can’t crack the encryption and thus aren’t able to access useful data. It’s the safest way to store and share your files. Visit AXEL.org today to learn more and signup for a free, full-featured account with 2GB of storage.
[1] “More Than Three Billion Fake Emails are Sent Worldwide Every Day”, Security Magazine, June 11, 2019, https://www.securitymagazine.com/articles/90345-more-than-three-billion-fake-emails-are-sent-worldwide-every-day
[2] Krista Tedder, John Buzzard, “2020 Identity Fraud Study: Genesis of the Identity Fraud Crisis”, Javelin Strategy, April 7, 2020, https://www.javelinstrategy.com/coverage-area/2020-identity-fraud-study-genesis-identity-fraud-crisis
[3] Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
[4] Danny Palmer, “How these fake Facebook and LinkedIn profiles tricked people into friending state-backed hackers”, ZDNet, July 27, 2017, https://www.zdnet.com/article/how-these-fake-facebook-and-linkedin-profiles-tricked-people-into-friending-state-backed-hackers/
[5] Reuters Staff, “Austria’s FACC, hit by cyber fraud, fires CEO”, Reuters, May 25, 2016, https://www.reuters.com/article/us-facc-ceo-idUSKCN0YG0ZF