If you care about your Internet security, it’s about time you start caring about phishing. We’re not going to promise not to make bad fishing jokes in this article, but the reality is not a laughing matter.
Did you know that there have been over 10,000 reported phishing scams this year alone? The number is probably even higher when you account for unreported scams. Millions of people are affected by phishing every year, from individuals to businesses.
“But I haven’t been affected!”
That may be true. Maybe you’ve been lucky enough not to fall for these scams, but you’ve still been targeted by them. As the versatility of the Internet expands, more criminals are able to exploit tech users.
The truth is, many of us are unprotected and unprepared.
In real life, would you ever tell a stranger your banking PIN or Social Security number? No. Yet many people hand exactly that information to scammers online in phishing scams.
And it’s not just individuals either. In fact, 76% of businesses have been hit with phishing attacks since 2017. But what exactly is phishing, and what can one do to prevent it?
In this article, we will explain the following:
- What is phishing and how does it work?
- Popular forms of phishing that you need to be aware of.
- Different ways for you to protect yourself from phishing.
- Various software available to help you combat phishing attacks.
- Strategies to help you avoid phishing emails, calls, websites, and other scam tactics.
What Is Phishing?
Phishing is an easy way for cybercriminals to steal your personal information, such as credit card numbers and account passwords, even if they don’t have the skillset to hack your network and steal that information. In most cases, scammers are able to convince or coerce their victims into giving them their information willingly.
It’s extremely important you protect your personal information, especially sensitive things like your Social Security number. SSNs are nearly impossible to replace, and once a scammer has yours, they can use it indefinitely for a wide variety of crimes.
How Does It Work?
Whether the contact comes by fraudulent email, phone call, or fake website, phishers disguise themselves as reputable organizations, such as banks, the social media accounts of major brands, and cell phone carriers, in order to persuade customers to divulge personal information.
They are typically after personal data like your address, credit card number, phone numbers, and even your insurance numbers.
Generally, phishers claim the victim is missing out on a limited-time deal, or is facing a final warning that an account will be closed unless he or she enters login credentials right away.
Recently, many individuals in the US and Canada have been targeted by revenue agency scams where scammers claim the individual has unpaid tax debt. Too many people fall victim to these scams for one reason or another, usually out of fear of having broken the law.
Here Are a Few Examples of Phishing Attacks
Say you receive an email from Amazon, a site you visit frequently for your online shopping. The email is actually fake, but you don’t realize it at first. After all, it looks official with the company logo in the corner, and the tone sounds a lot like other emails you’ve received from the company. When you click the link, the page even looks like Amazon’s website. Even the checkout process is the same.
The message offers you an unbelievable discount on a laptop and offers a link to the buying page. You click the link to buy it, enter in your credit card information, and complete your order.
However, you just became a victim of a phishing attack. The product page was fake and disguised very convincingly like the real thing. Instead of placing your order, the website sent your payment info straight to a thief.
How Can You Tell This Was a Fake email?
In this case, there were three tell-tale signs.
- Once you log into your Amazon account to make the purchase, your payment method should be stored; Amazon rarely requires you to re-enter the number, unless you’re purchasing a gift card or shipping the item to someone else.
- If you look closely at the original email, it likely came from a spin-off domain with typos, extra extensions, and other things that demonstrate Amazon wasn’t the sender.
- Another sign is that a cloned product page is usually a dead end. Amazon is loaded with interlinked products, pages, and other content; phishers copy only the handful of pages needed to capture a payment, so the menus, search box, and related-product links on a fake page typically go nowhere or bounce you to the real site.
Famous Phishing Incidents
Phishing certainly isn’t a new cybercrime. Events like the hypothetical one above have occurred with disturbing regularity throughout the years, victimizing both individuals and entire corporations.
AOHell, the First Recorded Example
Back in 1994, a malicious program called AOHell was written by a Pennsylvania teenager to abuse America Online (AOL) accounts. It is generally recognized as the first documented example of phishing.
Among other things, the program ran alongside the AOL client and automated the theft of passwords. Attackers used its credit card number generator to create fraudulent AOL accounts, then used those accounts to impersonate AOL customer service, messaging regular users to ask them to "verify" their account password or billing information for security purposes. That routine is arguably the earliest form of phishing.
If you’re curious about the specifics of the AOHell scam, check out this paper by Koceilah Rekouche.
The Nordea Bank Incident
In 2007, Swedish bank Nordea lost over 7 million kronor when phishers managed to send fraudulent emails out to bank customers, luring them to install the “haxdoor” Trojan disguised as anti-spam software.
Dubbed the biggest ever online bank heist by digital security company McAfee, the campaign saw Nordea customers receive phishing emails carrying the Trojan, attributed to Russian data thieves, for over a year. The Trojan installed a keylogger on the victims' computers and redirected them to a fake bank website where the attackers captured their login credentials.
The thieves also managed to hide under the bank’s transaction radars by transferring tiny amounts of money at a time instead of one easily-traceable large transaction.
While blame can't be placed precisely, it is worth noting that most of the affected customers reportedly had no running antivirus on their machines. Soon after the original scam, UK banks were warned of a variant of the Trojan circulating among their own customers.
Operation Phish Phry
2009 saw one of the FBI's biggest cybercrime busts ever, after roughly $1.5 million was stolen through bank fraud by cyber thieves operating in the U.S. and Egypt.
Then-FBI Director Robert Mueller noted that phishing attempts were a new part of the digital arms race, with cybercriminals always working to stay ahead of law enforcement by taking advantage of new developments in technology. Despite the establishment of the National Cyber Investigative Joint Task Force, set up specifically for these kinds of attacks, Mueller said at the time that individuals need to take responsibility for their own protection against phishing.
The RSA SecurID Breach
In 2011, U.S. defense suppliers were put at risk when security firm RSA fell victim to spear phishing that exploited an Adobe Flash vulnerability embedded in a spreadsheet attachment.
Disguised as the company's recruitment plan for that year, the email targeted mid-level employees. Only one employee had to open the attachment for the attackers to gain a backdoor on the victim's desktop.
The attackers then stole information related to the SecurID two-factor authentication tokens RSA sold, which was later used in an attack on at least one defense contractor. It's tempting to blame the employees for this one: the message that convinced one of them to retrieve the email from the junk folder and open the attachment contained a single line, "I forward this file to you for review. Please open and view it." But because the attachment exploited a zero-day, opening it was enough; no further mistake was required.
Dyre Phishing Scam
In 2014, a piece of banking malware known as Dyre, operated by a Russian criminal group, resulted in millions of dollars stolen from the customers of various financial institutions. The phishers posed as tax consultants and convinced thousands of victims to download malicious executable files.
Dyre became one of the most active financial malware families on the Internet at the time. Its list of victims included paint and materials company Sherwin-Williams, engine parts manufacturer Miba, the airline Ryanair, and several other companies throughout the U.S., the U.K., and Australia.
And it's not hard to see why. The social engineering behind Dyre campaigns was extensive. If a victim did not enter credentials on the fake phishing site, the operators themselves phoned the victim over Skype, posing as bank employees or law enforcement officers, to talk him or her through the transfer.
Dyre fed a much larger laundering operation that moved the stolen funds through a chain of bank accounts. Arrests in late 2015 ended the malware's run, but its legacy lives on: TrickBot, which appeared shortly afterwards, reused elements of Dyre to target similar financial institutions.
The Sony Pictures Leak
2014 also saw a huge data leak at Sony Pictures. Over 100 terabytes of confidential internal data was exfiltrated, at a cost estimated at well over $100 million. The phishers posed as colleagues of the senior employees who opened the malicious attachments in the phishing emails.
Specifically, fake Apple ID verification emails were reportedly used in the attack. By combining LinkedIn data with the captured Apple ID passwords, the attackers found credentials that had been reused on the Sony network.
As a final twist, the FBI attributed the attack to North Korea. Regardless, the Sony story is a great example of why using different passwords for different online accounts is so important.
Facebook and Google
This is a huge one. Two of the world's largest tech giants, Facebook and Google, together lost over $100 million to a business email compromise scam run from Lithuania. Over roughly two years, the scammer impersonated a hardware supplier both companies used and sent fraudulent invoices, which were paid. While an arrest was made, the story shows that even the most sophisticated tech companies are susceptible to phishing.
2018 World Cup
Relatively recently, the Federal Trade Commission released this statement regarding phishing attempts during the 2018 World Cup in Russia. The scam claimed the victim won tickets to the World Cup through a lottery and prompted them to enter in personal information to claim the prize.
At the same time, a handful of rental scams were reported as well. Cybercriminals hijacked the email accounts of genuine landlords in Russia and offered ridiculously low prices for their properties during the tournament. Once a "lucky buyer" accepted the offer, his or her credit card information was stolen.
The 6 Common Types of Phishing
With the rise of things like the Internet of Things (IoT), smartphones, and social media, the number of opportunities for phishing has grown considerably. Attacks can now affect more than just banking. PayPal, eBay, and Amazon accounts have all reported incidents of phishing attempts on unsuspecting customers.
Some common phishing tactics include:
- An email claiming you won a major prize or are at risk of losing access to your account. The message will prompt you to provide your login credentials or payment information to follow through with the prompt.
- A phone call. There have been reports of fake Microsoft employees offering technical support for Windows machines. Once the victim gives the phisher access to his or her machine, the victim’s data is compromised.
- A fake website. One of the most common types of phishing involves a fake website made to look like a real login page, such as the one to your Yahoo! email account. Phishers can gain a lot from accessing a victim’s email.
But those are just the delivery channels. The techniques employed by expert phishers include the following:
Deceptive Phishing
Deceptive phishing is the most common form of lure. The attacker impersonates a legitimate business, usually by email, and directs victims to a cloned copy of its website to steal data. Pulling it off convincingly takes a phisher with solid social-engineering skills.
Whaling
Whaling goes after the "big fish": top executives, and other high-profile individuals such as celebrities and politicians. In the closely related "CEO fraud," a form of business email compromise, the phisher impersonates a compromised or spoofed executive and instructs employees to send funds to an attacker-controlled account.
Given its focused nature, whaling can be difficult to detect, since many departments rarely have direct contact with company executives and cannot easily judge whether a request is out of character.
Phishing Kits
Phishing kits are pre-packaged bundles of files, typically a cloned login page plus a script that stores or emails the captured credentials, which an attacker uploads to a compromised or rented web server. Combined with bulk-mailing tools, kits let even unskilled attackers launch large phishing campaigns quickly.
Spear Phishing
Some phishers personalize the fraudulent messages they send you to make them more believable. These might contain your name, workplace, and phone number gathered from websites like LinkedIn. In fact, 95% of all attacks on enterprise networks are reported to begin with spear phishing.
By its very nature, spear phishing is almost always used in whaling attempts and can involve impersonating acquaintances and drawing on data from the victim's social media accounts, such as Twitter and Facebook.
Pharming
Pharming relies on DNS trickery rather than a bad link. Malware alters your computer's hosts file or your router's DNS settings, or an attacker poisons a DNS resolver, so that your browser is sent to a malicious site even though you typed the correct address of the genuine one.
Pharming-style redirection was behind the 2005 hijack of New York Internet service provider Panix, whose domain was redirected to an unrelated website in Australia. No losses were recorded, but the outcome demonstrated how dangerous pharming can be.
To limit your exposure to pharming, only enter login information and personal data on pages served over "https." Beyond encrypting the connection, HTTPS matters here because a pharmed site cannot present a valid certificate for the real domain, so your browser will show a certificate warning; never click through it. Note that HTTPS alone does not prove a site is legitimate, since phishers routinely obtain valid certificates for their own lookalike domains.
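The hosts-file variant of pharming described above is easy to check for on your own machine. The following script is an added example, not code from the article: it parses a hosts file and flags any entry that pins a watched domain (or one of its subdomains) to an address other than loopback, which is what a pharming Trojan does. The watch-list and the hosts-file contents are constructed for the example; on a real system you would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead.

```python
"""Detect local pharming via hosts-file overrides (added example, not from the article)."""
import ipaddress
from typing import Dict, List, Tuple

# Domains whose resolution we care about. Hypothetical watch-list for the example.
WATCHED_DOMAINS = {"examplebank.com", "paypal.com", "login.live.com"}

# Constructed hosts file: the first entries are normal; the last two are what a
# pharming Trojan might append so the browser never asks DNS at all.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    nas.local          # a harmless LAN alias

203.0.113.77    www.examplebank.com examplebank.com
203.0.113.77    paypal.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)  # skip lines whose first field is not an address
        except ValueError:
            continue
        for name in names:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def is_watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> Dict[str, str]:
    """Map each watched hostname to the non-loopback IP the hosts file pins it to.

    Loopback pins are ignored because ad-blockers and sinkholes legitimately
    map unwanted domains to 127.0.0.1; a bank pinned to a public IP is not that.
    """
    hijacked: Dict[str, str] = {}
    for ip, name in parse_hosts(text):
        if is_watched(name) and not ipaddress.ip_address(ip).is_loopback:
            hijacked[name] = ip
    return hijacked


if __name__ == "__main__":
    for name, ip in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```

A hit here means the browser would reach the attacker's server before any DNS lookup happens, and only the certificate warning described above stands between the user and the fake login page.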
Fake Login Pages
Impersonating the login page of a major online service like Google Drive is a common and effective tactic. Enabling two-factor authentication greatly reduces the damage a stolen password can do, since every login also requires a second factor the phisher does not have. Be aware, though, that SMS codes and app-generated one-time codes can still be relayed by a phishing site that proxies the real login in real time; hardware security keys and platform authenticators (FIDO2/WebAuthn) are bound to the genuine site's domain and resist that attack.
Common Phishing Lures
There are many methods phishers have developed to lure you into submitting your private data. Knowing what to look out for puts you in a better position to detect and overcome these types of attacks.
Threats of Deactivation
You receive an email from your bank threatening to shut down your account unless you verify your credit card information on their website immediately. In this example, the link they give you will lead to a fake site.
“Too Good To Be True” Scams
A common tactic is the “Nigerian prince” email scam. Written in a poor, almost comical style, the extravagant story promises great riches should the victim send payment information.
As many of the stories go, the fake prince’s fortune has been locked behind a paywall. The scammer begs you to send money in order to restore access to this vast fortune, promising to pay you back many times over should you help.
While it may seem ridiculous, the silliness of the message is intentional, as only the most gullible will fall for the trick.
Fake FBI Arrests
A phisher wants you to act on impulse, and what gets you worried more than the threat of being arrested? In the U.S., phishers send fake emails, or even place calls, claiming to be from the FBI or IRS and threatening arrest for alleged crimes like tax evasion or music piracy.
Rest assured, the government will never send communication like this simply through an email and certainly won’t request funds with it. This type of lure tends to come bundled with ransomware as well, so avoid opening them at all costs.
Fraudulent Tech Support
Fake 1-800 numbers are easier to obtain than you think. These types of phishers will offer to inspect your machine for malware, pretend to find it, and send in a software package to help you “fix” it.
The irony is these scammers who offer to clean your computer actually infect it with malware, keyloggers, and other phishing tools to extract your personal information.
Remember, a random tech support agent from a large corporation will never call you unless you have contacted them first.
Text Message Phishing
Even our cell phones aren't safe anymore. SMS phishing ("smishing") solicits personal information through text messages in the same way email or website phishing does, with the added problem that a text arrives unexpectedly and tends to be read in a hurry.
Smishing often hands off to vishing, or voice phishing: the text tells you to call a number, where a scammer is waiting.
Hunting the Job Hunters
Phishers sometimes post phony job offers on the Internet, primarily targeting teenagers and others who don't recognize the setup. The "employees" are recruited as money mules, moving laundered funds through their own bank accounts. While they sometimes do get paid like a real job, they are also at risk of criminal charges as a result.
Search Engine Viruses
Search engine viruses are essentially Trojans that rank highly in search results. The malware is advertised as the perfect solution to a technical problem you are searching for, and search engine optimization (SEO) plays a big role in making sure the site shows up for that query.
Once you download and install the Trojan, relieved you finally fixed your technical problems, the malicious code takes over and your problems only get worse.
SWATting
While not a direct form of phishing, SWATting can be a dangerous consequence of it. SWATting occurs when an attacker spoofs the victim's phone number, or uses personal details gathered through phishing, to report a fake bomb threat or hostage situation at the victim's address.
Emergency or not, having a SWAT team around your house is a stressful and dangerous experience, and in some cases, it can even be deadly, as SWAT teams are trained to treat every operation with maximum severity. Thankfully, modern law enforcement is now aware of SWATting attempts and usually know how to handle it.
How to Protect Yourself from Phishing
Phishing is clearly a serious issue every online user must address, but it still begs the question: “What can I do to protect myself and my business from a phishing attack?”
Knowing the problem exists is the first step to fighting back. Careless Internet surfing can leave you vulnerable to phishing attacks. It’s important to conduct training sessions with employees to help them identify phishing scenarios, such as the ones mentioned above.
Among the lessons taught, get your workers to build good browsing habits, such as:
- Double-check every link
- Never download unknown and untrusted attachments
- Always use different passwords for different accounts
- Change passwords promptly whenever a compromise is suspected (current guidance favors this over rotating them on a fixed schedule, which tends to produce weaker, predictable passwords)
- Treat requests for file transfers, money transfers, or passwords with suspicion, even if they appear to come from within the company
- Verify all such requests verbally, over a channel you initiate, before complying
Your computer, when configured correctly, can even protect itself. As a basic checklist, ensure that you have the following installed on every client machine:
- Email spam filters, especially ones that look for suspicious links and unverified attachments
- Antivirus solutions with security updates
- Web filters to block malicious websites (often built into antivirus suites and modern browsers)
- Anti-phishing toolbars and browser extensions that display the reputation of a website before you click the link
- A firewall
- Pop-up blockers
- An up-to-date web browser supporting all the modern security features
As a business, you can take a few steps to prepare yourself in case a phishing attack breaches your servers. While ramping up your digital security with Microsoft’s Advanced Threat Analytics for your Windows-based machines is an option, you can also consider third-party cybersecurity insurance. Decide on your needs based on how much you are willing to spend and how much you expect to save by protecting yourself.
Other Miscellaneous Tips
- Disable HTML rendering in your mail client if possible. Plain-text mail cannot hide a link's real destination behind friendly text or load remote content, although attachments remain dangerous regardless.
- Encrypt your company’s sensitive data and communications
- Check your bank account’s activity routinely for suspicious charges
How to Avoid Phishing Emails
As with other forms of phishing, you can't keep every malicious email out of your inbox; some will always slip through as ordinary junk mail. You can, however, learn to recognize them and know what to do when you're at risk.
What They Look Like
Phishing emails might…
- Contain hyperlinks to suspicious websites with unrecognizable URLs.
- Contain attachments carrying ransomware or other malware. Almost any file type can carry a malicious payload, with plain text files (.txt) being the notable exception. Even Excel spreadsheets can contain malicious macros and code.
- Present a sense of urgency, such as a great deal on a product or a giveaway/lottery to call you to action.
- Refer to you as a "valued customer" without mentioning your name. Mass phishers, after all, don't know who you are (spear phishers, as noted above, do).
- Contain spelling and grammatical errors.
- Have a strange sent time, such as 4 AM on a Sunday.
- Have an irrelevant or weird subject line.
- Be sent from addresses you aren't familiar with, though keep in mind thieves can spoof the address or display name of your coworkers to deliver a more potent phishing email. Check whether your acquaintances seem out of character in their emails.
How to Prevent Them
- Spam filters are the most obvious solution. These usually come with most email clients and work by assessing the origin of the message and analyzing its content for spam-like characteristics. They aren’t 100% reliable and sometimes give false positives but are still worth using.
- Check the URL for any hyperlinks and determine whether or not the site it leads to is fraudulent.
- Never open attachments if you suspect a phishing email.
- Don't click links in emails. If you need to visit the site, type the address you already know into your address bar or use a bookmark; copying the link out of the email just takes you to the same fake page.
- Simply be smart. Major organizations will never ask for your personal information directly through an email. Genuine messages also tend to include some proof that the sender knows you, such as the last digits of your account number.
- When in doubt, verify with the organization contacting you to ensure the communication is genuine.
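Several of the tells listed above can be checked mechanically on a raw message. The script below is an added example, not the article's code: it parses an RFC 5322 message and reports a display name that claims a brand while the From address is on another domain, a Reply-To that diverts replies to a third domain, an SPF or DKIM failure recorded in the Authentication-Results header, and a link whose visible text names one domain while its href points somewhere else. The message is constructed for the example (example.com/.net/.org are reserved names), the Authentication-Results line imitates what a receiving mail server writes, and TRUSTED_BRANDS is an assumed allow-list.

```python
"""Triage a raw email for common phishing tells (added example, not from the article)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed phishing message. Note the brand in the display name, the third-party
# Reply-To, the failed SPF result, and the link whose text and href disagree.
SAMPLE_EMAIL = b"""\
From: "Amazon Customer Service" <billing@amazon-verify.example.net>
Reply-To: support@mail-recovery.example.org
To: victim@example.com
Subject: Action required: your account will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=amazon-verify.example.net; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer, verify your payment method within 24 hours.</p>
<p><a href="http://203.0.113.5/login">https://www.amazon.com/your-account</a></p>
</body></html>
"""

# Brand keyword -> domain it legitimately mails from (assumed allow-list for the demo).
TRUSTED_BRANDS = {"amazon": "amazon.com"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def registrable(host: str) -> str:
    """Last two labels as a crude registrable domain. Production code should use
    the Public Suffix List so that co.uk-style suffixes are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means none of the tells fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain_of(addr)
    for brand, legit in TRUSTED_BRANDS.items():
        if brand in name.lower() and registrable(from_dom) != legit:
            findings.append(f"display name claims {brand!r} but From domain is {from_dom}")

    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and registrable(domain_of(reply)) != registrable(from_dom):
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech.upper()} result is {m.group(1)}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(f"link text shows {text_host} but href points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

The Authentication-Results check only means something if the header was added by your own mail server and could not have been injected by the sender, which is why mail filters strip any such header arriving from outside before adding their own.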
How to Avoid Phishing Calls
Voice phishing, also known as “vishing,” is a phishing attack via telephones and Voice-over-IP services.
What They Sound Like
Vishing can take many forms, but some common examples are:
- Fake charities advertising a fake organization website.
- Fake calls from the government and IRS demanding action to prevent a major fine or arrest.
- Fake calls claiming to offer tech support and requesting access to your machine.
How to Prevent Them
- Ask the caller to confirm details only the real organization would have, such as your name or the last digits of your account number. Mass vishers are unlikely to know them (though a spear-phisher may).
- Know that your bank will never ask for sensitive information such as your Social Security Number, PIN, or password over the phone.
- Don't be afraid to ask for verification that the call is genuine. Legitimate businesses are happy to oblige. Better still, hang up and call back using the number printed on your card or statement, not a number the caller gives you.
How to Avoid Phishing Websites
And finally, there are the fake websites masquerading as a genuine online service. Most of the time, a phishing email or text is what directs you to one of these.
What They Look Like
Malicious websites designed for phishing can be hard to identify, as attackers have become good at emulating the appearance and functionality of real sites. However, the key giveaway is the URL. Phishing sites use a slightly different web address containing a small, deliberate mistake.
PayPal is a common target: in many fonts the lowercase l in "paypal.com" is hard to distinguish from an uppercase I, so "paypaI.com" passes at a glance. The brand name may also appear only as a subdomain of the attacker's domain, as in "paypal.com.example.net". Look for these subtle clues before you engage with the site.
How to Prevent Them
- Enable your web browser’s built-in protection settings. Many modern browsers will automatically block suspected phishing sites from opening.
- Report any phishing sites to the organization affected, such as your bank.
- If a website is asking for login credentials or sensitive information, ensure the site is legitimate.
- Contact the company beforehand to verify directly
- Make sure the URL is correct and the page is served over "https". The padlock means the connection is encrypted, not that the site is genuine; phishing sites obtain valid certificates too, so the domain name is what you must check
- Use two-factor authentication whenever you can, preferring a security key or authenticator app over SMS codes
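The URL checks above can be automated as a pre-login sanity test. The script below is an added example, not the article's code. It catches the tricks discussed in this section: a lowercase l swapped for an uppercase I (paypaI.com), a digit standing in for a letter (paypa1.com), a brand used as a subdomain of the attacker's domain (paypal.com.example.net), credentials before an "@" that hide the real host, non-ASCII (IDN) homoglyphs, and a missing "https", while making the point that "https" by itself is not what decides legitimacy. EXPECTED is an assumed allow-list for the demo, and the candidate URLs are constructed.

```python
"""Flag lookalike URLs before entering credentials (added example, not from the article)."""
from typing import List
from urllib.parse import urlparse

# Brand keyword -> the registrable domain it actually lives on (assumed allow-list).
EXPECTED = {"paypal": "paypal.com", "amazon": "amazon.com", "google": "google.com"}

# Characters commonly substituted for Latin letters in lookalike domains.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def host_of(url: str) -> str:
    """Extract the hostname without lowercasing it (urlparse().hostname would
    fold away the uppercase I we want to catch). Drops userinfo and port."""
    netloc = urlparse(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]  # the real host is whatever follows the last '@'
    return netloc.split(":", 1)[0]


def registrable(host: str) -> str:
    """Last two labels as a crude registrable domain. Use the Public Suffix
    List in production so co.uk-style suffixes are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(url: str) -> List[str]:
    """Return findings explaining why the URL is suspicious; empty means it passed."""
    findings: List[str] = []
    parts = urlparse(url)
    host = host_of(url)

    if "@" in parts.netloc:
        findings.append(f"userinfo before '@': the real host is {host}")
    if parts.scheme != "https":
        findings.append("not served over https")
    # The padlock alone proves nothing: attackers get certificates for their own
    # domains, so the registrable domain is what is actually compared below.
    if not host.isascii() or any(l.startswith("xn--") for l in host.lower().split(".")):
        findings.append("internationalised hostname: check for homoglyphs")

    reg = registrable(host)
    folded = registrable(host.translate(CONFUSABLES))  # collapse look-alike characters
    for brand, legit in EXPECTED.items():
        if reg == legit:
            continue  # the genuine domain, or a real subdomain of it
        if folded == legit:
            findings.append(f"{reg} spells {legit} with substituted characters")
        elif brand in host.lower():
            findings.append(f"{brand!r} appears in the hostname but the registrable domain is {reg}")
    return findings


def safe_to_log_in(url: str) -> bool:
    return not assess(url)


if __name__ == "__main__":
    for candidate in (
        "https://www.paypal.com/signin",
        "https://paypaI.com/signin",
        "https://paypal.com.example.net/login",
        "http://paypal.com@203.0.113.5/",
        "https://p\u0430ypal.com/",  # Cyrillic small 'a' in place of Latin 'a'
    ):
        print(candidate, "->", assess(candidate) or "looks genuine")
```

The confusables table is deliberately small; a full implementation would apply the Unicode confusables data and reject labels that mix scripts, which is also what mainstream browsers do before deciding whether to display an IDN hostname as punycode.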
Key Takeaways
- Phishing is a cybercrime in which someone pretending to be a trustworthy entity solicits sensitive information from an unsuspecting user.
- Phishing is a common problem that has cost millions of dollars in damages to companies and individuals.
- Installing the right web filters, spam filters, and antivirus software makes your machine a much harder target for phishing, though no tool makes it phishing-proof.
- Good browsing habits and general education about the phishing threat are your best line of defense, especially for businesses.
- Make sure you and your employees understand how to combat phishing by email, phone, and websites.
- Phishing emails may contain malicious attachments and links to fraudulent websites.
- Phishing phone calls may direct you to provide your information to seal a deal, avoid criminal charges, or provide fake support.
- Phishing websites may masquerade as a real login or buying page and steal your credentials or credit card information.
Stop Phishing from the Onset
There are many phishing scams out there, and as we’ve learned, they target more than just the average Internet user. There are plenty of easy steps to take to lower your chances of losing your data to phishers. Remember, phishing attacks are evolving too, so ongoing security awareness training for all employees in your company will help you stay up-to-date on the latest best practices.
A little awareness now can save you a lifetime of battling debt collection agencies and identity theft after phishers stole your SSN, credit card info, and other personal information.