Many cyberattacks and forms of fraud begin with stealing someone’s ID or security credentials. While fraudsters will use BIN attacks to try to hack personal information using brute force, it’s not the most common method of acquiring this information.
Instead, it’s often more straightforward for them to use a combination of psychological and technological tricks to get people to give this information up unwittingly. These tricks are colloquially known as “phishing.”
In this piece, we’ll provide a phishing definition and compare it against the meanings of similar terms. We’ll also look at variants and examples of phishing, and explain how they work. Finally, we’ll provide some suggestions on how to prevent phishing attacks at your business.
What is Phishing?
Phishing refers to a broad range of fraudulent schemes designed to trick victims into doing dangerous things they wouldn’t normally do. A phishing attack is usually aimed at stealing a victim’s identity information or other authorization credentials in order to commit some other type of fraud.
Other times, phishing is done simply as a sinister prank to infect the victim’s computers and other digital devices with malicious programs.
Spam vs. Phishing: What’s the Difference?
“Spam” refers to any sort of unsolicited mass digital communication. The difference between spam and phishing is that spam doesn’t always have the same malevolent goals as phishing does. In many cases, it’s simply meant to be annoying and inconvenient by distracting victims from more important communication.
Spam can be used to commit some forms of phishing, but only if it contains mechanisms to trick victims into revealing sensitive information or downloading malicious programs.
Spoofing vs Phishing: What’s the Difference?
“Spoofing” is the technique of making a form of communication look like it’s coming from – or going to – somewhere other than where it actually is. This can include disguising e-mail addresses, websites, IP addresses, or hyperlinks.
The difference between phishing and spoofing is that phishing often makes use of spoofing, but not always. Spoofing can also be used for other malicious purposes, or sometimes even in cases where it’s justifiable for a person to hide their identity.
Pharming vs Phishing: What’s the Difference?
“Pharming” is a specific type of spoofing that uses a fake but legitimate-looking website to trick people into revealing sensitive information or downloading malicious programs. An example might be a website impersonating a bank that asks users for their credit card numbers.
The difference between phishing and pharming is that pharming is a particular type of phishing scam. Like spoofing, pharming may be used as a technique for phishing, but not in all cases.
How Does Phishing Work?
The basic framework for how phishing works is pretty simple. It goes like this:
- A scammer sends communication to a victim with an enticing offer or a request for urgent action.
- As instructed, the victim responds with the requested sensitive information, or opens an attachment or website link contained within the communication.
- The scammer makes off with the victim’s sensitive information, or uses the attachment or linked website to download a malicious program that steals the victim’s private information.
The key to phishing scams is getting victims to act impulsively. That’s why they often deceive victims by telling them that responding to the scam is to their benefit, such as that they’ve won a lottery or received an inheritance. Or they may threaten victims with something bad happening if they don’t respond, like losing access to their email or bank accounts. They’re trying to get victims to do what the scammer wants without stopping to question if an offer or threat is actually legitimate.
Types of Phishing Attacks to Look For
Phishing attacks can come in many different varieties, each having their own different techniques and targets. Here are some of the most common types of phishing.
Email Phishing
Email phishing is one of the most basic types of phishing attacks. A scammer sends a mass phishing email that fraudulently requests action from victims, mainly to claim a benefit or prevent some sort of consequence. The goal is to get victims to respond with sensitive information, or to open an attachment or web link that uses a malicious program or website to steal information.
Spear Phishing
A spear phishing attack targets a specific person. It involves collecting public information about the target from social networks, corporate websites, and other sources. The scammer then uses this information to craft a phishing message with an offer or request for information that is relevant to who the target is and/or what they do. As such, this type of phishing is more difficult to detect.
Whaling
Also known as whale phishing, whaling is a specific type of spear phishing that targets key individuals or groups at businesses and other organizations. For example, it may go after members of a company’s C-suite, or involve impersonating these individuals to influence other critical corporate teams. The goal is to steal highly valuable corporate, government, or organization information in order to commit very lucrative forms of fraud.
Clone Phishing
Clone phishing is a new variation of email phishing. It involves scammers copying and then modifying emails from legitimate organizations to include malicious attachments or links, or requests for sensitive information. They then re-send these emails, often claiming that they are corrections or updates to previous emails. This makes it difficult to tell that they’re phishing emails before victims give away sensitive information or download malicious programs.
Smishing (SMS Phishing)
Also known as text phishing, SMS phishing – or “smishing” – is phishing performed through Short Message Service (SMS) text messages on mobile devices. The main difference between smishing and phishing is that smishing is a specific category of phishing that uses text messages, whereas phishing as a whole can use many other attack vectors.
Vishing (Voice Phishing)
Vishing is the use of phone calls or voicemail messages – usually involving impersonation of a trusted individual or organization – to trick victims into giving away sensitive information. As with smishing, the difference between vishing vs. phishing is simply that vishing is a category of phishing that uses a specific technique – in this case, voice communications.
Angler Phishing
Angler phishing is one of the newer phishing types. It involves scammers looking for social network users who post messages complaining about negative experiences they had with certain companies. The scammers then impersonate customer service agents from those companies and fraudulently ask for the victim’s personal information or account credentials so they can resolve the issue.
Sometimes a phishing scheme may involve directing victims to a phony website designed to look real. Once the victims land on this website, they are enticed to give up their sensitive information by the website’s legitimate-looking interface. This is also known as “pharming.”
Other phishing schemes use a URL or IP address trick to redirect victims to a website they didn’t intend to visit. For example, a piece of phishing communication may write out the address for a website the victim wants to visit, but the actual link leads the victim to a dangerous website. The website then automatically downloads a malicious program to the victim’s computer that steals their sensitive information.
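The link trick described above is mechanical enough to check for automatically: the visible text of an anchor says one site, the href goes to another. The following is an added example, not code from the original post or from Unit21, that parses an HTML message body with Python’s standard library and flags anchors whose displayed domain does not match the href’s host, anchors that lead to a bare IP address, and anchors with an unexpected URL scheme. The sample message body, the domain names in it, and the “last two labels” approximation of a registrable domain are all assumptions made for the demonstration.

```python
# Added example (not from the original post): flag links in an HTML e-mail whose
# visible text names one site while the href actually leads to another, plus a
# few related tells (bare IP hosts, non-web URL schemes).
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible anchor text that reads like a URL or a domain, e.g. "examplebank.com/help".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list is available,
    so 'co.uk'-style suffixes are not handled; good enough for this demonstration."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> list:
    """Return the reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme == "mailto":
        return reasons  # plain address links carry no destination host to compare
    if parts.scheme not in ("http", "https"):
        return [f"unexpected URL scheme {parts.scheme!r}"]
    host = parts.hostname or ""
    if is_ip_literal(host):
        reasons.append("href points at a bare IP address")
    shown = DOMAIN_LIKE.match(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"visible text says {shown.group(1)!r} but href host is {host!r}")
    return reasons


def find_suspicious_links(html: str) -> list:
    """Parse the body and return [(href, visible_text, reasons)] for flagged links only."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample body: the first link shows the bank's address but resolves to an
# unrelated domain, the second hides a raw IP behind "Click here", the rest are benign.
SAMPLE_BODY = """
<p>Your account will be suspended unless you confirm your details today.</p>
<a href="https://www.examplebank.com.login-verify.example/confirm">https://www.examplebank.com/account</a>
<a href="http://198.51.100.7/update">Click here</a>
<a href="https://www.examplebank.com/help">examplebank.com/help</a>
<a href="mailto:support@examplebank.com">support@examplebank.com</a>
"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_BODY):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the constructed body, the checker flags the first two anchors and passes the other two. The domain comparison deliberately works on the registrable part of the host rather than the full hostname, so a legitimate `www.` or `mail.` subdomain is not reported; a real deployment would swap the two-label approximation for a public-suffix list.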
Phishing Examples to Learn From
To demonstrate that not even businesses are safe from phishing, here are a series of phishing attack examples that affected some very prominent companies.
Sony Pictures Entertainment
In late 2014 and early 2015, a North Korean hacker group distributed phishing emails claiming to be from Apple to key Sony employees. Asking to confirm the employees’ Apple ID credentials, the emails instead directed them to a pharming website that captured their credentials for Sony’s systems.
This allowed the hackers to not only leak over 100 terabytes of data from Sony Pictures, but also infect and destroy Sony’s computer infrastructure with malware. The attack is estimated to have cost Sony over $100 million.
Facebook and Google
In 2013, a Lithuanian man named Evaldas Rimasauskas became the leader of a fraud ring impersonating Taiwanese company Quanta Computer. The ring forged fake contracts, letters, and invoices to send as spear phishing attacks to Facebook and Google – two large companies that were partnered with the real Quanta Computer.
Over the span of about two years, it’s estimated that the ring was able to collectively bilk Facebook and Google out of $120 million. The ring was eventually caught, and Rimasauskas ended up being sentenced to five years in prison in 2019.
Colonial Pipeline
In May of 2021, US fuel supply company Colonial Pipeline shut down for about a week after it suffered a ransomware attack. The attack, by a Russian hacker group called DarkSide, is thought to have been made possible by a phishing incident that stole an employee’s system access credentials.
The ransomware cost nearly $5 million to remove, but the damage was far more extensive. Colonial’s shutdown caused oil shortages for weeks along the US’s east coast, sending national oil prices skyrocketing and causing some states to declare states of emergency.
What are Common Indicators of Phishing Attempts?
Different types of phishing can be easier or more difficult to detect, based on how they work or who they target. However, most phishing communications tend to have some unusual characteristics that can indicate that they’re fake. It’s important to slow down and take a close look at suspicious communications for signs they might not be legitimate.
A common indicator of a phishing attempt could be any of the following:
- Concerns an implausible benefit or consequence: Most low-level phishing attempts involve occurrences that are “too good to be true” or are otherwise very unlikely, such as winning a lottery or having a personal website arbitrarily shut down. These phishing attempts can typically be avoided by asking if there is a legitimate reason to expect what they say actually happened or will happen.
- Emphasizes urgency or confidentiality: Remember that phishing scammers count on victims acting rashly and without asking for other perspectives. So if a message seems to put an unusual amount of weight on acting immediately or not telling anyone else what’s going on, it could be phishing.
- Contains suspicious attachments or links: Phishing scammers often hide malware inside attachments to messages, or include links to dangerous websites in the message. A URL may look like it goes to a legitimate website, but the actual link may not, so be sure to check it before clicking it.
- Deals with personal or financial information: Phishing is meant to steal personal or financial credentials in order to commit fraud. That means if a message asks for either of these types of information (or for changes to be made to them), be cautious. Many organizations have policies where they will never ask about these types of information over certain communication channels.
- Is from an unrecognized contact source: Many phishing attempts will come from email addresses, phone numbers, or marketplace accounts that resemble legitimate ones. However, there are usually some syntax oddities that give them away as fake. Again, many organizations have guidelines on how to identify official communications from them.
- Looks unprofessional: This is another common giveaway for low-level phishing attempts. They may mimic official communications at first glance, but a closer inspection can reveal several obvious spelling and grammatical mistakes. They also often contain impersonal greetings such as “Hi there” or “Dear friend”.
- Arrives under unusual circumstances: Another way to assess messages for phishing is from a behavioral standpoint. A person or business can compare when a message was sent, and where it was sent from, with the times of day and locations they typically receive messages. Something out of the ordinary here may indicate phishing.
- Requests bizarre transactions: Some phishing attempts will ask for strange deals that may be used for fraud or money laundering. An example would be buying gift cards in bulk, or paying for something over the phone by revealing gift card codes. Double-check that these requests actually came from whoever asked for them, or ask why the deal couldn’t be done in a more efficient way. Discrepancies may point to a phishing attempt.
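Two of the indicators in the list above, a sender address that only resembles a legitimate one and a message that arrives at an unusual time, can be turned into header checks. The following is an added example, not code from the original post or from Unit21, that scores a message’s From, Reply-To and Date headers against a constructed allow-list of trusted domains. It catches digit-for-letter substitutions (examp1ebank.com), near-misspellings within two edits, a trusted brand name buried inside an unrelated domain, a Reply-To that diverts answers elsewhere, and delivery on a weekend or outside the organisation’s usual hours. The trusted domains, the working-hours window and the sample headers are all assumptions.

```python
# Added example (not from the original post): score an e-mail's headers against two
# of the indicators above, a sender domain that imitates a trusted one and a message
# that arrives at an unusual time. Domain allow-list and "usual hours" are assumptions.
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

# Constructed allow-list of domains this organisation expects mail from.
TRUSTED_DOMAINS = ("examplebank.com", "payroll.example")
# Digits commonly substituted for letters in look-alike names; "rn" for "m" and
# "vv" for "w" are handled separately in canonical().
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def canonical(domain: str) -> str:
    """Collapse common letter substitutions so look-alikes compare equal to the real name."""
    return domain.lower().translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the real domain or one of its own subdomains
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if canonical(domain) == canonical(trusted):
            return trusted  # e.g. examp1ebank.com
        if 0 < edit_distance(domain, trusted) <= 2:
            return trusted  # e.g. examplebnak.com
        if brand in domain.split("."):
            return trusted  # e.g. examplebank.com.login-verify.example
    return None


def outside_usual_hours(date_header: str, start_hour: int, end_hour: int) -> bool:
    """True if the message was sent on a weekend or outside [start_hour, end_hour) UTC."""
    sent = parsedate_to_datetime(date_header).astimezone(timezone.utc)
    return sent.weekday() >= 5 or not (start_hour <= sent.hour < end_hour)


def assess_headers(headers: dict, usual_hours=(8, 18)) -> list:
    """Return a list of findings for the From, Reply-To and Date headers of one message."""
    findings = []
    from_addr = parseaddr(headers.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} resembles trusted {imitated!r}")
    reply_addr = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain.lower():
        findings.append("Reply-To goes to a different domain than From")
    if "Date" in headers and outside_usual_hours(headers["Date"], *usual_hours):
        findings.append("sent on a weekend or outside usual working hours")
    return findings


# Constructed sample headers: one look-alike message sent at 03:14 on a Sunday with a
# mismatched Reply-To, and one ordinary message from the real domain on a weekday morning.
SUSPICIOUS = {
    "From": "Example Bank Alerts <alerts@examp1ebank.com>",
    "Reply-To": "verify@account-check.example",
    "Date": "Sun, 02 Jun 2024 03:14:00 +0000",
}
ORDINARY = {
    "From": "alerts@examplebank.com",
    "Date": "Tue, 04 Jun 2024 10:30:00 +0000",
}

if __name__ == "__main__":
    for name, hdrs in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(name, assess_headers(hdrs) or ["no findings"])
```

The suspicious sample produces three findings and the ordinary one none. Note that the trusted-domain test runs before the look-alike tests, so a genuine subdomain such as mail.examplebank.com is never reported; the time check is a behavioural baseline, so the hours and weekday assumptions should be replaced with what the organisation actually observes.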
Now that we’ve covered how to identify phishing emails and other forms of phishing communications, we’ll look at some phishing prevention techniques.
How to Identify and Prevent Phishing
Like many forms of cybercrime, phishing has multiple different attack vectors, with more emerging every day. So it’s tough to find any simple “one size fits all” anti-phishing solutions for either individuals or businesses. Instead, it’s best to apply a layered approach to preventing phishing that includes techniques like these.
Create standards for official communication
Many businesses include, as part of their policies, the types of communication they will never use to ask customers for personal or financial information. They also often publicly demonstrate how to tell if communications or products are officially from them or not. Being transparent about these sorts of things helps customers protect themselves against phishing attempts.
Allow customers, employees, and others to report phishing
Phishing often involves scammers impersonating an organization or its representatives. This allows them to leverage trust in that organization in order to trick people into doing what they want. So businesses should have phishing reporting systems in place so they can be made aware of attempts to impersonate them, warn customers about these attempts, and take action against the perpetrators.
Teach both customers and employees about phishing detection
Remember that phishing doesn’t always target random people. Variants such as whaling phishing will purposely go after members of organizations in order to steal valuable information for committing large-scale fraud.
So it’s important to teach not only customers, but also employees, about phishing protection techniques. Better yet, set up dummy phishing attempts and send them to employees to test them. If they can’t identify these attacks, then they likely require additional training.
Make use of anti-phishing software
There are plenty of software tools that help avoid phishing. Spam filters will take care of most emails and texts that constitute low-level phishing attempts. Some browser add-ons can identify or even block illegitimate websites that may be used for phishing. Other general security software, such as firewalls, antivirus, and program updates, can also be helpful.
Best of all, many of these anti-phishing tools are free, so there’s little reason not to use them.
Enable multi-factor authentication on key accounts
Multi-factor authentication (MFA) requires multiple forms of identity verification when someone tries to access an account or platform. That way, if someone’s authentication credentials are stolen by phishing, a scammer may need access to a specific other account or device in order to use that information to commit fraud. So MFA acts as a backup in case a phishing attempt is successful.
Don’t Let Phishers Get Far with Unit21
One last thing you should do, as a business, is have a plan to deal with a successful phishing attempt. Part of that should include a suspicious activity monitoring system to check for someone potentially trying to take advantage of phishing to commit further fraud.
To see how this and other tools from Unit21 can help fight phishing, schedule a demo with us.