Many cyberattacks and forms of fraud begin with stealing someone’s ID or security credentials. While fraudsters will use BIN attacks to try to hack personal information using brute force, it’s not the most common method of acquiring this information.
Instead, it’s often more straightforward for them to use a combination of psychological and technological tricks to get people to give this information up unwittingly. These tricks are colloquially known as “phishing.”
In this piece, we’ll provide a phishing definition and compare it against the meanings of similar terms. We’ll also look at variants and examples of phishing, and explain how they work. Finally, we’ll provide some suggestions on how to prevent phishing attacks at your business.
Phishing refers to a broad range of fraudulent schemes designed to trick victims into doing dangerous things they wouldn’t normally do. A phishing attack is usually aimed at stealing a victim’s identity information or other authorization credentials in order to commit some other type of fraud.
Other times, phishing is done simply as a sinister prank to infect the victim’s computers and other digital devices with malicious programs.
“Spam” refers to any sort of unsolicited mass digital communication. The difference between spam and phishing is that spam doesn’t always have the same malevolent goals as phishing does. In many cases, it’s simply meant to be annoying and inconvenient by distracting victims from more important communication.
Spam can be used to commit some forms of phishing, but only if it contains mechanisms to trick victims into revealing sensitive information or downloading malicious programs.
“Spoofing” is the technique of making a form of communication look like it’s coming from – or going to – somewhere other than where it actually is. This can include disguising e-mail addresses, websites, IP addresses, or hyperlinks.
The difference between phishing and spoofing is that phishing often makes use of spoofing, but not always. Spoofing can also be used for other malicious purposes, or sometimes even in cases where it is justifiable for a person to hide their identity.
“Pharming” is a specific type of spoofing that uses a fake but legitimate-looking website to trick people into revealing sensitive information or downloading malicious programs. An example might be a website impersonating a bank that asks users for their credit card numbers.
The difference between phishing and pharming is that pharming is a particular type of phishing scam. Like spoofing, pharming may be used as a technique for phishing, but not in all cases.
The basic framework for how phishing works is pretty simple. It goes like this:
The key to phishing scams is getting victims to act impulsively. That’s why they often deceive victims by telling them that responding to the scam is to their benefit, such as that they’ve won a lottery or received an inheritance. Or they may threaten victims with something bad happening if they don’t respond, like losing access to their email or bank accounts. They’re trying to get victims to do what the scammer wants without stopping to question if an offer or threat is actually legitimate.
Phishing attacks come in many different varieties, each with its own techniques and targets. Here are some of the most common types of phishing.
This is one of the most basic types of phishing attacks. A scammer sends a mass phishing email that fraudulently requests action from victims, mainly to claim a benefit or prevent some sort of consequence. The goal is to get victims to respond with sensitive information, or to open an attachment or web link that uses a malicious program or website to steal information.
A spear phishing attack targets a specific person. It involves collecting public information about the target from social networks, corporate websites, and other sources. The scammer then uses this information to craft a phishing message containing an offer, or a request for information, that is relevant to who the target is and/or what they do. As such, this type of phishing is more difficult to detect.
Also known as whale phishing, whaling is a specific type of spear phishing that targets key individuals or groups at businesses and other organizations. For example, it may go after members of a company’s C-suite, or involve impersonating these individuals to influence other critical corporate teams. The goal is to steal highly valuable corporate, government, or organization information in order to commit very lucrative forms of fraud.
Clone phishing is a new variation of email phishing. It involves scammers copying and then modifying emails from legitimate organizations to include malicious attachments or links, or requests for sensitive information. They then re-send these emails, often claiming that they are corrections or updates to previous emails. This makes it difficult to tell that they’re phishing emails before victims give away sensitive information or download malicious programs.
Also known as text phishing, SMS phishing – or “smishing” – is phishing performed through Short Message Service (SMS) text messages on mobile devices. The main difference between smishing and phishing is that smishing is a specific category of phishing that uses text messages, whereas phishing as a whole can utilize many other attack vectors.
Vishing is the use of phone calls or voicemail messages – usually involving impersonation of a trusted individual or organization – to trick victims into giving away sensitive information. As with smishing, the difference between vishing and phishing is simply that vishing is a category of phishing that uses a specific technique – in this case, voice communications.
Angler phishing is one of the newer phishing types. It involves scammers looking for social network users who post messages complaining about negative experiences they had with certain companies. The scammers then impersonate customer service agents from those companies and fraudulently ask for the victim’s personal information or account credentials so they can resolve the issue.
Sometimes a phishing scheme may involve directing victims to a phony website designed to look real. Once the victims land on this website, they are enticed to give up their sensitive information by the website’s legitimate-looking interface. This is also known as “pharming.”
Other phishing schemes use a URL or IP address trick to redirect victims to a website they didn’t intend to visit. For example, a piece of phishing communication may display the address of the website the victim wants to visit, while the underlying link actually leads to a dangerous website. That website then automatically downloads a malicious program to the victim’s computer that steals their sensitive information.
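The mismatch described above (visible link text naming one site while the real destination is another, or the destination being a bare IP address) is something a mail filter or a security team can check for mechanically. The following is an added example written for this article, not code from Unit21 or any product it describes. The e-mail body and every host name in it are constructed for the demonstration (the `.invalid` domain and the 203.0.113.0/24 address are reserved for documentation), and the check is deliberately conservative: it only compares a link's text against its `href` when the text itself looks like a domain or URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample e-mail body (hypothetical hosts). The first link's text names
# the bank but the href is a raw IP; the third link buries the bank's domain inside
# a longer host name so that a casual glance reads it as legitimate.
SAMPLE_EMAIL_HTML = """
<p>Your account will be locked. Confirm your details at
<a href="http://203.0.113.7/login">https://www.example-bank.com/login</a>
or review our <a href="https://www.example-bank.com/help">help page</a>.</p>
<p>Updates: <a href="https://example-bank.com.account-verify.invalid/">example-bank.com</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element with an href."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Something that looks like a domain inside the visible link text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _normalize(host):
    """Lowercase and drop a leading 'www.' so www.x.com and x.com compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def _href_host(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return _normalize(parsed.hostname or "")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_link_mismatches(html):
    """Return (href, text, reason) for each link that merits a closer look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _href_host(href)
        if _is_ip(href_host):
            findings.append((href, text, "href host is a raw IP address"))
        match = _DOMAIN_RE.search(text)
        if match:
            text_host = _normalize(match.group(1))
            # Accept exact match or a genuine subdomain of the named site; anything
            # else (including the named site used as a *prefix*) is a mismatch.
            if href_host != text_host and not href_host.endswith("." + text_host):
                findings.append((href, text,
                                 f"text names {text_host} but href goes to {href_host}"))
    return findings

if __name__ == "__main__":
    for href, text, reason in find_link_mismatches(SAMPLE_EMAIL_HTML):
        print(f"{reason}: [{text}] -> {href}")
```

Run against the constructed sample, the "help page" link passes (its text does not claim a destination), while the IP-address link and the prefix-trick link are both reported. A real filter would add checks this example leaves out, such as comparing against an allow-list of the organisation's own domains.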
To demonstrate that not even businesses are safe from phishing, here are a series of phishing attack examples that affected some very prominent companies.
In late 2014 and early 2015, a North Korean hacker group distributed phishing emails claiming to be from Apple to key Sony employees. Asking to confirm the employees’ Apple ID credentials, the emails instead directed them to a pharming website that captured their credentials for Sony’s systems.
This allowed the hackers to not only leak over 100 terabytes of data from Sony Pictures, but also infect and destroy Sony’s computer infrastructure with malware. The attack is estimated to have cost Sony over $100 million.
In 2013, a Lithuanian man named Evaldas Rimasauskas became the leader of a fraud ring impersonating Taiwanese company Quanta Computer. The ring forged fake contracts, letters, and invoices to send as spear phishing attacks to Facebook and Google – two large companies that were partnered with the real Quanta Computer.
Over the span of about two years, it’s estimated that the ring was able to collectively bilk Facebook and Google out of $120 million. The ring was eventually caught, and Rimasauskas ended up being sentenced to five years in prison in 2019.
In May of 2021, US fuel supply company Colonial Pipeline shut down for about a week after it suffered a ransomware attack. The attack, by a Russian hacker group called DarkSide, is thought to have been made possible by a phishing incident that stole an employee’s system access credentials.
The ransomware cost nearly $5 million to remove, but the damage was far more extensive. Colonial’s shutdown caused oil shortages for weeks along the US’s east coast, sending national oil prices skyrocketing and causing some states to declare states of emergency.
Different types of phishing can be easier or more difficult to detect, based on how they work or who they target. However, most phishing communications tend to have some unusual characteristics that can indicate that they’re fake. It’s important to slow down and take a close look at suspicious communications for signs they might not be legitimate.
A common indicator of a phishing attempt could be any of the following:
Now that we’ve covered how to identify phishing emails and other forms of phishing communications, we’ll look at some phishing prevention techniques.
Like many forms of cybercrime, phishing has multiple different attack vectors, with more emerging every day. So it’s tough to find any simple “one size fits all” anti-phishing solutions for either individuals or businesses. Instead, it’s best to apply a layered approach to preventing phishing that includes techniques like these.
Many businesses include, as part of their policies, the types of communication they will never use to ask customers for personal or financial information. They also often publicly demonstrate how to tell if communications or products are officially from them or not. Being transparent about these sorts of things helps customers protect themselves against phishing attempts.
Phishing often involves scammers impersonating an organization or its representatives. This allows them to leverage trust in that organization in order to trick people into doing what they want. So businesses should have phishing reporting systems in place so they can be made aware of attempts to impersonate them, warn customers about these attempts, and take action against the perpetrators.
Remember that phishing doesn’t always target random people. Variants such as whaling will purposely go after members of organizations in order to steal valuable information for committing large-scale fraud.
So it’s important to teach not only customers but also employees about phishing protection techniques. Better yet, set up dummy phishing attempts and send them to employees to test them. If they can’t identify these attacks, then they likely require additional training.
There are plenty of software tools that help avoid phishing. Spam filters will take care of most emails and texts that constitute low-level phishing attempts. Some browser add-ons can identify or even block illegitimate websites that may be used for phishing. Other general security measures, such as firewalls, antivirus software, and keeping programs updated, can also help.
Best of all, many of these anti-phishing tools are free, so there’s little reason not to use them.
Multi-factor authentication (MFA) requires multiple forms of identity verification when someone tries to access an account or platform. That way, if someone’s authentication credentials are stolen by phishing, a scammer may need access to a specific other account or device in order to use that information to commit fraud. So MFA acts as a backup in case a phishing attempt is successful.
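To make the "backup" role of MFA concrete, here is an added example, written for this article rather than taken from Unit21 or any product, of a login check that requires both a password and a time-based one-time code (TOTP, as generated by common authenticator apps). The user record, salt and password are constructed for the demonstration; the TOTP seed is the published RFC 6238 test seed so the codes can be checked against known values. With this in place, a password captured by a phishing page is not enough on its own to pass `authenticate`.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo account (hypothetical, not real credentials). The password is
# stored only as a salted PBKDF2 hash; the TOTP seed is the RFC 6238 test seed.
_SALT = b"constructed-demo-salt"
DEMO_TOTP_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "totp_seed": DEMO_TOTP_SEED_B32,
    }
}

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code for the 30-second interval containing unix_time."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(seed_b32, submitted, unix_time, window=1):
    """Accept the current code or one step either side, to tolerate small clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def authenticate(username, password, code, unix_time):
    """Both factors must pass: a phished password alone does not unlock the account."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), user["pw_hash"])
    code_ok = verify_totp(user["totp_seed"], code, unix_time)
    return pw_ok and code_ok

if __name__ == "__main__":
    import time
    now = time.time()
    print("password only:", authenticate("alice", "correct horse battery", "000000", now))
    print("both factors :", authenticate("alice", "correct horse battery",
                                         totp(DEMO_TOTP_SEED_B32, now), now))
```

Two design points carry over to real deployments: compare secrets with `hmac.compare_digest` rather than `==`, and keep the acceptance window small, since every extra step doubles the number of codes an attacker could guess. A six-digit code also only holds for about thirty seconds, which is why the page's point stands: the scammer needs the victim's device, not just the phished password.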
One last thing you should do, as a business, is have a plan to deal with a successful phishing attempt. Part of that should include a suspicious activity monitoring system to check for someone potentially trying to take advantage of phishing to commit further fraud.
To see how this and other tools from Unit21 can help fight phishing, schedule a demo with us.