We discuss phishing for the second post in our Social Engineering Know-how blog series. We would help you understand what phishing is, how it hoodwinks the targets, and spot the differences between phishing, spear-phishing, and whale phishing through the blog. Besides, we would also tell you the measures for detecting and avoiding any such trickeries.
Cybercriminals usually prefer various unusual off-track routes to penetrate and gain control over the networks while flying under the radar.
And most of such deceiving methods involve phishing as the primary intrusion method.
Phishing in the cybercrime dictionary is synonymous with real-life fishing techniques and involves an identical concept of using bait to ensnare the targets for gaining control over the marks. Widespread phishing attacks mainly include tricks such as free online offers, massive discounts, awards, fraudulent anti-virus, scareware pop-ups, fake software/service installation messages, fake websites, and impersonated emails.
A phishing attack usually gets executed via an email message or a phone call explaining a fake lottery prize, spoofed service or service message, or something similar. The bait involved in these phishing messages/emails comes via a shortened URL link or attachments under the guise of something relevant to tempt the victim to click on it.
Phishing is one of the most infamous social engineering methods to execute various cyberattacks. However, unlike malware, phishing banks on human errors and seldom notices tracking software.
While usual phishing attacks don’t specifically target any person or enterprise, spear phishing attackers observe and monitor the target’s internet behavior for some time to execute a more personalized attack.
There is also the concept of ‘Whale Phishing,’ wherein attacks get targeted at wealthy or powerful individuals.
Phishing attacks usually eyes sensitive financial data of the victims’ such as online banking/email/social media credentials, credit card details, insurance data, or retrieve Personally Identifiable Information (PII) such as Full name, Gender, Mother’s maiden name, favorite city or any such sensitive data which gets commonly used as an extra security measure in online banking and services.
Phishing scams have been around since the 90s. The first recorded campaign happened in 1996 when Khan C. Smith impersonated the America Online (AOL) website to loot tens and hundreds of personal and credit card information of the victims via emails and social messenger.
To get an overview of how scary phishing could be, we would explain a few notorious phishing attacks that happened over the past decade.
Between 2013 and 2015, a Lithuanian hacker duped both Google and Facebook through a sophisticated invoice phishing scam. As a result, both companies lost more than $100 million.
Crelan Bank, one of the most prominent Belgian banks, got victimized via CEO fraud phishing. The attack was executed via a legitimate-looking email from the impersonated bank CEO. It reads, “Please process a wire transfer payment of $250,000 and code to admin expenses by COB today.”
Following the instruction, the recipient CFO transferred the amount resulting in a $75.8 million fraud.
In 2017 con artists developed 12 fake websites of original construction companies and swindled around $11.8 million from MacEwan University, Canada.
Link Manipulation: a notorious Phishing method
Cybercriminals use umpteen phishing techniques to execute their malice. And the most popular method for running modern phishing schemes is link manipulation,
In link manipulation attacks, the threat actors email the victim loaded with malicious links. These dubious links usually re-direct the victim’s internet traffic to a malicious website instead of the mentioned one to do the damage.
However, many modern commercially available cybersecurity solutions offer email filters and phishing protection, filtering out such suspicious links. As an act of disguise, the cyber thugs embed legitimate URL links and/or contacts inside the phishing emails.
Modern phishing emails also come with many techniques, such as re-directing the browser to a legitimate webpage after retrieving the credentials or using official logos with changed HTML attributes to bypass the anti-phishing filters.
How to spot a phishing attack
Detecting phishing mail is a complicated task. Cybercriminals use many techniques to hide the commonly visible symptoms of phishing mail. However, spotting down a phishing attack is not a strenuous effort unless you skip paying attention to detail. Here go a few common signs you should look for to spot a scam:
- Pay close attention to the senders’ email id and the subject line. As the rule of thumb, the senders’ address should match the brand name, e.g., a person called ABC working in XYZ Computing should have an email id like ABC@XYZ.com.
- Threatening or dramatic language is also a common trait of phishing messages. Official emails usually refrain from any such tones.
- If you find anything suspicious about any URL, check the security certificate of that website.
- While entering a password or credit card information, pay close attention to the entire website. If you find anything fishy about it, stop clicking or sharing it with others.
- Never blindly download any attachment, especially if you don’t need it.
- Download no email attachments from an unacquainted person. Cybercriminals nowadays send malicious Active X or Macro-enabled files as attachments for compromising anyone’s security.
- Attackers always try to create a sense of urgency to compel the target to take action immediately. For example, it could tempt you to take advantage of a special discount from any e-commerce website or offers to avoid a late payment fee.
- Make transactions only on trusted websites. Also, share credit card details only on reputed payment gateways.
- You should be cautious about any site that asks you to enter the login credentials of your social media accounts.
Beyond the email
Besides phishing attacks, we’re now seeing emerging social engineering techniques via voice (known as ‘vishing’ or voice phishing) and text messages (‘SMShing’).
Every day, our researchers at K7 Labs spot tens and a hundred such instances of newly found phishing attacks on social media through impersonated LinkedIn InMails or messages on Facebook, WhatsApp, or Telegram Messengers.
We will discuss both the Vishing and SMShing in our next blog post. Till then, stay safe.