Phishing Attack, Types, and Various Examples of Phishing Scams
In today’s article, we will learn about phishing in depth: the meaning of Phishing, the types of Phishing, and so on.
Meaning of Phishing:
Phishing is the attempt to steal someone else’s data or other private details through deceptive tricks. It is perhaps the most prevalent type of fraud on the Internet. Phishing usually involves fraudulent emails or web pages intended to trick the potential victim into sharing sensitive information with the fraudster behind them. Rather than using the information they obtain for themselves, many criminals sell it on the dark web, especially to hackers and cybercriminals specialized in identity theft.
What is Phishing?
Many cyber threats have come and gone with advances in cybersecurity, but Phishing is still going strong. The biggest reason phishing attacks remain as prevalent as ever is their use of forgery, manipulation, and social engineering techniques to mislead potential victims. As a rule, phishing emails are written in an urgent (though false) tone, posing as notifications from ISPs, digital wallets, financial institutions, and other organizations. Besides, many of them include logos and other official images.
Commonly called “phishers,” the fraudsters responsible for these attacks will ask the potential victim to provide a vital piece of personal information, be it their Social Security number, credit card details, or registration information. To add an appearance of urgency to their message, they will offer an important reason why the victim should do so. For example, the victim could lose access to their bank account or be banned from their social media profiles if they do not provide the required information within the stated period.
Phishers build fake web pages that look real to collect the information they need. What’s more, these pages also use URLs similar to the genuine ones, making it even more difficult for victims to tell that they are fake. According to recent statistics, more than 1.5 million new phishing pages are created each month, with an average life expectancy between three and five days per page. That is almost 50,000 new pages every day, so it is not surprising that Phishing is the most significant cause of data breaches worldwide.
History of Phishing Attack: First Incident
America Online (AOL) was one of the largest Internet service providers in 1994-1995, with a steady increase in users. At the time, Internet security was only considered necessary at the government level, and private companies rarely invested in cybersecurity. Because of this, AOL ended up being the victim of a phishing attack.
In 1994, a hacker named “Da Chronic” created an automated application called “AOHell.” One of its features was a “CC / PW Fisher” phishing toolkit used to exploit AOL’s messaging system. By sending direct messages to other users, the hacker gained access to their personal credentials. The message appeared to come from an AOL representative who needed the password and username to verify the account. Users submitted their personal information without suspicion and became victims of the phishing attack.
The hackers soon targeted more valuable users, threatening that unless they verified their billing information quickly, their account would be deleted. As a result, the attackers managed to obtain the victims’ bank account and payment card details along with their AOL credentials.
AOL then updated its security systems and implemented new measures to remove accounts associated with Phishing.
Data leaks and phishing advances
After the success of AOHell, Phishing became the leading hacking practice, as it did not require any detailed knowledge of networks or programming. It took advantage of insufficient user knowledge about Internet security and human error, exploiting human psychology alongside technology.
FACC, an “Austrian manufacturer of aerospace parts,” suffered a loss of more than 40 million euros due to Phishing. An employee received an email from the company’s CEO requesting that a large sum of money be sent to an undisclosed account as part of some “takeover project.” The hackers had spoofed the CEO’s email address and composed a new email. The employee fell for the attempt and disbursed the money. If employees had had adequate knowledge of cybersecurity and phishing attacks, this could have been prevented.
Both cases have something in common. The hacker pretended to be someone else to get what he wanted. In the past two decades, only the technologies involved have improved: email spoofing software used to send emails to many users, and the quality of the content generated through simple algorithms. On the other hand, cybersecurity training has not improved, and there is a lack of in-depth knowledge on the subject. As a result, there is a lack of professionals in the field.
Social media has made it easier for hackers to create an email containing the recipient’s personal information, including their full name, home address, and even passwords for some accounts. Before that, fake emails started with a generic greeting, which was a telltale sign of a phony email.
Site cloning and site authenticity
APWG reported an increase in cloned sites in late 2019. In one case, known as Phish Phry, a fraudulent email resembling the bank’s own was created and sent to users. Its link redirected users to a cloned bank website. All the information entered was collected, and money was withdrawn from the accounts.
Cloned sites are taken down within a day, making them difficult to track. To verify a site’s authenticity, check whether the address starts with HTTPS or plain HTTP, the former suggesting a legitimate site. But some fraudulent sites can also obtain an SSL certificate because of weak issuance rules.
Phishing in politics
In 2016, John Podesta, a candidate for the US presidential campaign, was the victim of Spear Phishing. In Spear Phishing, the hackers target only a specific person rather than all users. He received an email resembling a security alert from Google. The spoofed email contained several links that had been shortened using the Bitly service. One link took him to a cloned website where he was asked to enter his Gmail account credentials, resulting in several private emails being leaked.
In another case, in 2015, employees of three power distribution companies in Ukraine were the victims of Spear Phishing. They received and opened an email containing the BlackEnergy malware. This led to the compromise of their information systems, and the supply of electricity to their customers was interrupted. The desired result of this attack was not to obtain any personal data but to inject malware into the devices and cause severe damage.
Hackers can use Phishing to steal private information and to infect poorly secured devices with viruses. Cybersecurity companies keep adding cloned sites to their blacklists. In case of data leakage, customers are informed. But if people continue to click on infected URLs and open attachments from suspicious addresses, phishing attacks will remain unavoidable.
Different Types of Phishing Attack
Also known as Deceptive Phishing, traditional Phishing is an attack technique whereby the cybercriminal impersonates a brand’s identity to gain the victim’s trust and extract personal information (for example, the passwords for their bank accounts).
In this phishing attack, the victim usually receives an email from a brand or company that they trust: their bank, a public administration, or a company with which they have an active account (PayPal, Apple, Amazon, the Post Office, etc.).
In this email, the user is asked to click on a link, perhaps to update their data, change their password, etc., that points to a URL cloning the original one. There, under some pretext, the user is asked to enter sensitive personal information that is later captured by the attacker.
What is a whaling phishing attack?
A Whaling phishing attack is a type of cyberattack that carries out a phishing attack to gain control of data. It is usually aimed at wealthy, powerful, and prominent individuals in order to profit from it. Usually, the targets are C-suite, high-profile people, the large phish, so the attack is also called whaling.
It is quite different from other phishing attacks, as it uses somewhat more advanced techniques. Here the web pages and emails used to target the victims are given a serious, deliberate, business-like look. This attack is executed specifically for a particular person or organization.
A generic phishing attack tries to obtain usernames and passwords for social media websites or banking information using standard phishing websites and emails. In whaling, by contrast, the attackers first pick a specific target and then use content tailored to that manager.
Whale Hunting Phishing Attack Statistics
According to FBI reports, organizations lost about $215 million in 2014 due to phishing attacks. According to Verizon’s DBIR, 61 phishing attacks targeted financial groups in 2016, increasing to 170 in 2017. The number of attacks doubled in 2017 and has been growing ever since.
How to prevent whaling phishing attacks?
To avoid whaling phishing attacks, you need to anticipate increasingly modern phishing campaigns. Following these tactics will also help you handle regular phishing attacks and denial of service attacks. So, here are some of the ways to prevent whaling phishing attacks and stay safe.
Know your vulnerabilities and threats
First of all, you need to know the vulnerabilities that can get you in trouble or make you prone to cyberattacks. It is also essential to stay up to date on the types of threats currently being reported, so that you don’t end up falling victim to phishing and whaling attacks. If you’re running a small business, you need a trusted IT team dedicated to researching and gaining insight into the latest cybersecurity measures and threats. Companies can also hire consultants to deal with dangerous phishing attacks.
Get the right software
As prevention is better than cure, an extra layer of protection is always a good idea to strengthen security. Keeping phishing links and infected emails from entering the system is key. You can use powerful antivirus and encryption software, antimalware tools, and backup programs to protect your data and security.
Other better approaches
- Educate company employees on how to identify phishing emails and what a whaling attack is.
- Provide mandatory security and phishing awareness training to all employees, covering the patterns attackers use to target people.
- Always check whether the email address is legitimate.
- If an email looks suspicious, call the supposed sender and confirm.
- Another effective measure is to mark all emails received from outside your company. It is an effective way to spot fraudulent or infected emails.
- Keep an eye on your social media platforms, since they are the most straightforward way for attackers to reach people.
- Enable privacy restrictions to protect your privacy and personal information. This also minimizes exposure of data that can be used for scams.
- Use two-factor authentication for your accounts.
- Lock down your sensitive, personal, and financial data.
- Enable security tools or a firewall to protect your data.
- Track suspicious behavior or unusual activity.
What is malware-based Phishing?
In this type of attack, the victim receives an email that again impersonates a brand’s identity and includes an attached document, a malicious file that, once opened, infects the victim’s device.
A common form of malware-based Phishing is, for example, posing as a utility company that informs us that it is sending our latest invoice by email, in the form of a PDF document. This type of attack encourages the user to click on a link. The link usually downloads a file to our computer that, once opened, infects it.
What is Spear Phishing?
While the two previous cases are indiscriminate attacks (typically involving thousands or millions of messages), Spear Phishing is a personalized kind of attack. The cybercriminal sets his sights on a specific person, usually targeting critical positions in the company of interest.
To that end, the attacker usually knows the target’s name, position in the company, presence on social networks, etc. The usual objective of this type of attack is not economic gain but access to certain types of confidential company information. Along with email, this type of attack has been detected on all kinds of social networks.
What is voice phishing or vishing?
Voice phishing or vishing is a technique to steal personal data very similar to classic Phishing, but in this case, the victims provide their data verbally during a phone call. In this fraud, the victim is made to believe that the call corresponds to a bank or legitimate company, and is asked for information such as name, address, and passwords, to which the elderly in particular respond gladly, flattered by the personalized treatment from their trusted entity.
The callers usually seek to generate fear and haste in the victim, telling them that a problem has arisen and must be solved as soon as possible before the situation worsens.
How does this new online scam work?
In some cases, the victim first receives a text message or email informing them that someone has made a fraudulent purchase with their card. The message shows the victim’s card number and a helpline number to resolve the problem. When the victim calls, a person posing as a bank employee asks for information such as their ID or account number. With all this data, the scammers can impersonate the victim.
Other times, vishing and Phishing techniques are combined. In this case, the victim receives a call in which the scammer notifies them of a problem with a service account and asks for their email address. A fake link is then sent to that address to “fix” the problem. The link requests the access data for the service in question, putting information in the scammers’ hands that allows them to access personal accounts.
A type of scam on the rise
According to the email management company Mimecast, this fraudulent practice is on the rise, and increasingly sophisticated techniques are being used, partly due to the development of artificial intelligence, which offers ever more convincing voice messages.
How to avoid being a victim of voice phishing?
The best way to avoid falling into the trap is to check that you are dealing with the real company before giving any information. You should never provide personal information via email or phone call.
A bank or company will never contact a customer and ask for sensitive information in these ways. You should break off the communication at once and contact the business in question to report what happened.
Besides all this, you can follow certain recommendations:
- Distrust calls in which the caller conveys a sense of urgency.
- Ask the caller for details that verify who they claim to be. For example, if they call you about a credit card problem, ask them for the card’s last digits.
- Ask for a name and contact number to call back; if the caller is reluctant, be suspicious.
- Do not trust calls that make tempting offers.
- Do not access websites from links attached in messages or emails.
But above all, the most important thing is to train and educate the most vulnerable groups to make responsible and safe use of the Internet while being up-to-date with the new risks that arise every day.
What is smishing: SMS + Phishing?
Smishing uses deception through SMS or text messages to obtain mobile users’ personal information for fraudulent use. The difference from Phishing is the channel: in Phishing, it is email, and in smishing, it is SMS. It is not a new phenomenon, as it first appeared in 2008, but it has grown thanks to messaging applications such as WhatsApp.
What are the most common forms of smishing?
Generally, these messages’ objective is to obtain confidential information, such as passwords or bank details, but sometimes also to sell non-existent products or “infect” the mobile. To achieve this, they send the user an SMS with an irresistible promotion, the chance of winning a prize, or simply a notice from a courier company or a bank.
If the link in the message is clicked, the user is directed to a fraudulent web page that either imitates the original to steal their bank details or passwords, or contains malicious code to install some malware, or tricks the user into installing one.
It is also common to send messages asking the user to call a premium-rate telephone number or to subscribe to a premium SMS service that involves an additional cost.
How can you avoid fraud?
The Bank of Spain gives a series of recommendations to avoid falling into smishing fraud:
- Be wary of messages from unknown senders, with spelling mistakes, in English, or that appear to be a poor translation from English. Also be wary of promotions or messages from companies or services that you have not used previously.
- Never provide the personal data the message asks for.
- Do not click on the links or download attachments.
- Block the text messages that you consider spam so you no longer receive them.
- Verify the sender, as they often impersonate a known contact or company. If you have doubts about the message, do a quick search on the Internet with its content to find out if it is a scam, or write to your contact through another channel (an email, another messaging app) or call them to confirm that the message is theirs.
- You should also avoid storing passwords or banking information unencrypted on your phone, such as in the contacts or notes app.
- Customize the security options with secure passwords and two-step verification, both for the mobile phone and for electronic banking.
- Remember that a bank will never ask you to provide your access codes or your card details via SMS.
What to do if you are victimized by smishing?
If you think that you have been the victim of a fraudulent message despite taking all the precautions, the first thing you should do is contact the financial institution to block the transaction.
Second, you must change the password for electronic banking or whatever information you have provided. Above all, you must report the fraud to the Police, Civil Guard, or the courts, providing the relevant evidence.
In another variant, cybercriminals manage to position a malicious page that clones the original so that it ranks higher in the main search engines’ results.
In this way, when a search is carried out, the original site appears below the infected one in the rankings of search engines such as Google or Bing. Difficult to achieve against large companies, this type of attack successfully impersonates companies less known to the general public and usually targets particular niches.
Impersonation of the CEO or impostor CEO
Impostor CEO has become one of the most widespread phishing attacks in recent times. In this case, the attacker impersonates the CEO of a company, often spoofing their email address.
The attacker then writes an email to specific people in the company requesting that a particular type of information be sent to him, or that a financial transfer be made to a specific account.
What is Pharming?
More sophisticated than the previous ones, Pharming sees cybercriminals tamper with a company’s hosts files or its domain name system. As a result, URL requests return a bogus address, and communications are directed to a fake website. Users enter their credentials or confidential information there without knowing that cybercriminals control it.
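One defender-side check for the hosts-file form of Pharming described above, as an added Python example that is not part of the original article: it parses hosts-file text and reports monitored hostnames pinned in it, distinguishing blocklist-style loopback/0.0.0.0 entries (which merely break a site) from entries that redirect to a routable address. The MONITORED set, the 203.0.113.7 address and the sample hosts content are constructed for the example.

```python
import ipaddress

# Assumed for the example: hostnames whose addresses must only ever come from DNS.
MONITORED = {"www.mybank.com", "mybank.com", "login.mybank.com"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            mapping[name.lower().rstrip(".")] = ip
    return mapping


def classify_overrides(text, monitored=MONITORED):
    """Map each monitored hostname found in the hosts file to 'blackhole' or 'redirect'.

    Blocklist-style entries pin a name to loopback or the unspecified address and only
    break the site; a routable address silently sends the browser to someone else's server,
    which is the pharming case the text describes."""
    result = {}
    for name, ip in parse_hosts(text).items():
        if name not in monitored:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed line: not a valid address, nothing to classify
            continue
        result[name] = "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"
    return result


# Constructed hosts file: normal loopback lines, an ad-blocking line, and an injected entry.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost
0.0.0.0      ads.example.net
0.0.0.0      login.mybank.com            # a blocklist would break, not redirect, the site
203.0.113.7  www.mybank.com mybank.com   # injected entry pointing at a fake server
"""
```

Pharming via a compromised DNS server leaves the hosts file untouched, so this check only covers the local-file case the text mentions first.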
Here are ten tips on how to identify a phishing email.
Tip 1: Don’t trust the display name.
A widely used phishing tactic among cybercriminals is spoofing the display name of an email. Studies show that nearly half of all email threats spoofed brand display names.
Here’s how it works: if a scammer wanted to forge the hypothetical brand name ‘My Bank,’ the email would show ‘My Bank’ as the display name while the actual sending address sits on a domain such as secure.com, which the bank does not own.
Since My Bank does not own the “secure.com” domain, DMARC will not block this email on behalf of My Bank, even if My Bank has set its DMARC policy for mybank.com to reject messages that cannot be authenticated. Once sent, this fraudulent email appears legitimate because most users’ inboxes only present the display name. Don’t trust the display name. Check the email address in the From: header, and if it looks suspicious, don’t open the email.
Tip 2: Look, but don’t click.
Hover over any embedded link in the body of the email. If the destination looks strange, don’t click on the link. There is no need to test it.
Tip 4: Analyze the greeting.
Is the email addressed to a vague “Valued Customer”? If so, beware: legitimate businesses often use a personal greeting with your first and last name.
Tip 5: Do not submit any Personal Information.
Legitimate banks and other companies will never request personal credentials via email. You should never send them.
Tip 6: Beware of Urgent or Threatening Language in the email subject.
Urgency or fear is a prevalent and widespread phishing tactic. Beware of subject lines claiming that “your account has been suspended,” or your account had an “unauthorized login attempt.”
Tip 7: Check the signature.
A lack of details about the signer or about how to contact the company suggests a phish. Legitimate companies always provide contact information to their clients.
Tip 8: Don’t click on attachments.
Including malicious attachments that contain viruses and other malware is a common phishing tactic. Malware can damage your computer files, steal your passwords, or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
Tip 9: Don’t trust the email address header either.
Scammers not only spoof brands in the display name but also fake brands in the email address header. Almost 30% of more than 760,000 email threats spoofed branding somewhere in the email address header, and more than two-thirds of those spoofed the brand in the email domain alone.
Tip 10: Don’t believe everything you see.
Criminals are extremely good at what they do. Just because an email has brand logos, the right language, and a valid-looking email address does not mean it is legitimate. Be skeptical about your emails: if anything looks even slightly suspicious, don’t open them.
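Tips 1, 2, 6 and 9 can be applied mechanically to a message’s headers and HTML body. The following Python script is an added example, not code from the original article: it assumes a brand-to-domain table (BRAND_DOMAINS) and a constructed sample message modelled on the ‘My Bank’ / secure.com case from Tip 1, and it flags a brand display name on a foreign sender domain, a threatening subject line, a link whose visible text shows a different host than its href, and a look-alike hostname.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands and the registered domain each one legitimately sends from (assumed for this example).
BRAND_DOMAINS = {"my bank": "mybank.com"}
URGENCY = re.compile(r"suspended|unauthori[sz]ed|verify your account|within \d+ hours?|immediately", re.I)

def registered_domain(host):
    """Crude registrable-domain extraction: keep the last two labels (adequate for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs so the shown text can be compared with the target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    """Return (code, detail) findings for one RFC 5322 message, applying tips 1, 2, 6 and 9."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # Tips 1 and 9: a brand in the display name while the sender domain is not the brand's own.
    for brand, dom in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom != dom:
            findings.append(("display-name", f"'{display}' but sender domain is {from_dom}"))
    # Tip 6: urgency or threat language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append(("urgency", msg["Subject"]))
    # Tip 2: the hover-over check done programmatically: where does each link really go?
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8"))
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(("link-mismatch", f"text shows {shown}, href goes to {host}"))
        for brand, dom in BRAND_DOMAINS.items():  # look-alike host: brand name inside a foreign domain
            if brand.replace(" ", "") in host and registered_domain(host) != dom:
                findings.append(("lookalike-host", host))
    return findings

# Constructed sample message (not a real phish), modelled on the 'My Bank' / secure.com case above.
SAMPLE = """\
From: "My Bank Security" <alerts@secure.com>
Subject: Your account has been suspended - verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Valued Customer,</p>
<p>Please visit <a href="http://mybank-secure.com/login">https://www.mybank.com/login</a> now.</p></body></html>
"""
```

Running `analyze(SAMPLE)` yields one finding per tip; a genuine message from alerts@mybank.com whose link text and href agree yields none.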
Common Characteristics of Phishing Emails
Impersonating messages use all kinds of ingenious pretexts related to the entity’s security or the progress of some administrative procedure to justify the need to provide your data. Frequent excuses include:
- Problems of a technical nature.
- Recent detections of fraud and urgent increase in the level of security.
- New security recommendations for fraud prevention.
- Changes in the entity’s security policy.
- Promotion of new products.
- Unexpected prizes, gifts, or financial income.
- Abnormal access or use of your account.
- Imminent deactivation of the service.
- False job offers.
Besides, the fraudulent email will pressure the user to decide almost immediately, warning of negative consequences such as loss of access to the corresponding service or a monetary fine.
Although scammers continually refine their techniques, fraudulent messages are generally generated with automated tools that incorporate translation and thesaurus features, and they often contain spelling mistakes and grammatical errors.