- Edge Networks
- July 12, 2021
In today’s world, email is one of the most used means of communication. In fact, over 3.8 billion email accounts exist today, around half of the world’s population. If you have an email account, it’s likely that you also receive emails every day. We might receive newsletters we’ve signed up for, updates on deals from our favorite stores, or personal correspondence from friends and family. However, the one email we never want to receive is a phishing scam. Though these emails usually go to our junk folder, sometimes they make their way into our inbox to confuse and frighten us.
What is Phishing?
Phishing, a play on the word “fishing,” is a type of cyber attack. Attackers use email to perform this type of attack, throwing out a line to “fish” for your private information.
Usually, the instigators of phishing perform the process like this: they create an email that looks like it’s coming from a reputable organization or company and trick the reader into thinking that the company needs something from them. They are typically after credit card information, or they want the user to click on a malicious link or download a malicious document.
Similar to fraudulent telephone calls soliciting information or money, the goal of phishing is to get some kind of information from you that hackers can use to your disadvantage.
Surprisingly, phishing “kits” are readily available to hackers around the world. These kits are typically found on the dark web and are templates used to emulate prominent companies’ emails.
What’s even more concerning is the number of phishing kits that exist (that we know of). One study found that there are 62 known kit variants for Microsoft, 14 for PayPal, and 11 for Dropbox.
There are a few steps to creating a phishing kit.
- First, the legitimate website of the company being impersonated is cloned.
- Second, the login page is altered to include a credential-stealing script.
- Third, modified files are put into a zip file to create the kit.
- Fourth, the kit is uploaded to the fraudulent website, and the files are “unzipped.”
- Finally, fraudulent emails are sent to unsuspecting people with links to the spoofed website.
The good thing is that there are ways to identify where phishing emails come from. Phishing kit analyzers can look at the email addresses found in the kits and track actors down. They can even use the “from” part of the email to link multiple kits made by the same creator.
Of course, phishers always use fake names, leaving them virtually unidentifiable except by location, and thus many successful phishing scams are never traced back to an instigator who can be held accountable.
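The kind of analysis described above can be shown with a small script. The following is an added example, not code from Edge Networks or from any real kit analyzer: it scans the files of several unpacked kits for email addresses (the “drop” addresses a kit's scripts send captured data to) and groups kits that share an address, which is one way to link kits to the same creator. The kit names, file contents and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: the files of three unpacked kits, keyed by kit name and then
# by file name. The addresses and file contents are placeholders, not real kit data.
SAMPLE_KITS = {
    "kit-bankA.zip": {
        "login.php": '<?php $recipient = "drop-one@example.com"; mail($recipient, "log", $data); ?>',
        "index.html": '<form action="login.php" method="post">...</form>',
    },
    "kit-bankB.zip": {
        "post.php": '<?php $to = "drop-one@example.com"; $cc = "drop-two@example.net"; ?>',
    },
    "kit-shopC.zip": {
        "send.php": '<?php $email = "other-actor@example.org"; ?>',
        "README.txt": "contact: other-actor@example.org",
    },
}

# Simple address pattern; good enough for source files, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(kit_files):
    """Return the lower-cased set of email addresses found in one kit's files."""
    found = set()
    for contents in kit_files.values():
        found.update(addr.lower() for addr in EMAIL_RE.findall(contents))
    return found


def cluster_by_address(kits):
    """Index kits by the addresses they contain and group kits that share any address.

    Returns (address_to_kits, groups): a dict mapping each address to the set of kit
    names containing it, and a sorted list of sorted kit-name groups, one per actor.
    """
    address_to_kits = defaultdict(set)
    for name, files in kits.items():
        for addr in extract_addresses(files):
            address_to_kits[addr].add(name)

    # Union-find over kit names: kits sharing an address end up in one group.
    parent = {name: name for name in kits}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for members in address_to_kits.values():
        first, *rest = sorted(members)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for name in kits:
        groups[find(name)].add(name)
    return dict(address_to_kits), sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    addresses, groups = cluster_by_address(SAMPLE_KITS)
    for addr, names in sorted(addresses.items()):
        print(f"{addr}: {', '.join(sorted(names))}")
    print("kits that share an address:", [g for g in groups if len(g) > 1])
```

On the sample data the two bank kits are linked through `drop-one@example.com`, while the shop kit stands alone. In practice the same grouping is applied to other artifacts found in kits (sender names, hosting paths, comments), since addresses alone are easy for a kit author to change.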
Types of Phishing
Though all phishing has the same ultimate purpose of getting a person’s private information, there are many ways to divide these cyber attacks.
Purpose of the Attack
The first way to divide phishing into categories is by the intent or purpose of the phishing attack. Usually, phishers are trying to get the victim to do one of two things:
Give out private information: This type of phishing message seeks to trick users into giving out their important information. The kind of information they’re looking for varies, but it is commonly usernames and passwords used to get into some sort of important account or system.
The most typical version of this scheme involves receiving an email that looks like it came from a major bank. Scammers send out the message to millions of people, knowing that at least some of them will be members of that bank. The victim is supposed to click on a link that takes them to the spoofed web page of the bank created by hackers and enter their information for the attackers to exploit.
Download malware: Like many spam messages, some hackers send out emails to get the victim to infect their computer with malware.
These messages are often disguised as resumes or other information that certain staff members may need. Once opened, the attachments in the email will infect the victim’s computer with malicious code. The most common type of malicious code is ransomware, with 93% of malware found to be of this type in 2017.
Target of the Attack
Another way to differentiate between types of phishing attacks is by who the phishers are trying to target.
Sometimes, these emails aren’t targeted at all; attackers simply throw out the biggest net possible and hope to catch some information. A company called IronScales studied phishing emails and found that these are the most prominent sites hackers try to emulate:
- PayPal: 22%
- Microsoft: 19%
- Facebook: 15%
- eBay: 6%
- Amazon: 3%
As described before, this is a very common trick performed by phishing hackers: trying to get victims to log into spoofed versions of prominent websites and thus give out their account information for hackers to use.
However, some phishing attacks are directed at very specific people. There are a couple of types of these sorts of attacks that we’ve nicknamed according to the fishing theme.
Spear phishing: This type of phishing takes its name from the act of aiming at a very specific fish, as a fisherman does with a spear. Hackers that spear phish often use websites like LinkedIn to get information on the employees of a certain company. Then, they send emails to important people, such as those in the finance department, to get sensitive information such as bank deposit details.
Whaling: This is a form of spear phishing aimed at the “big fish” of companies (CEOs, CFOs, etc.). However, many of these scams also target people who are still high on the totem pole but not as important as the chief executives, such as company board members. These scammers often target the personal emails of these people and pretend to be their coworkers to get private information about the company or about the targets themselves.
Prominent Examples of Phishing
John Podesta: One of the most consequential examples of phishing would be when Hillary Clinton’s campaign chairman accidentally gave his email password to hackers.
In this case, Podesta received an email that appeared to show that someone in Ukraine had obtained the password to his Gmail account. He was directed to a link to change his password, effectively handing it over to the hackers.
This demonstrates the ability of phishing to affect even the most secure of email accounts.
University of Kansas: Five employees of the University of Kansas were attacked by hackers in 2016. They gave out their direct deposit information to the attackers and lost money because of it.
The targets of phishing attacks can effectively be anyone, from your everyday person, to a prominent political figure, to university employees.
Why Phishing Happens
Criminals often take advantage of their environment and circumstances to exploit other people. While we can’t know why exactly people decide to phish for information instead of making a positive impact on the world, we can notice trends in when and why phishing scams occur.
Worldwide crises or even personal problems give criminals and hackers the opportunity to exploit victims by throwing out their phishing bait and hoping for a bite.
In a recent article we wrote for our blog about how to maintain the cybersecurity of remote workers, we talk about an example of how cybercriminals have used the COVID-19 pandemic to scam people through text messages, social media, phone calls, and emails into disclosing personal information. According to the 2021 Data Breach Investigations Report by Verizon, “Phishing has utilized COVID-19 to pump up its frequency to being present in 36% of breaches, up from 25% last year.”
How to Prevent Becoming a Victim of Phishing
The best way to learn how to identify phishing scams is to familiarize yourself with what these emails look like. You can visit the aforementioned websites that crowd-source phishing kits to learn about how hackers utilize email to attack people.
In addition to getting acquainted with phishing kits and how they work, you can do a number of things to prevent you from becoming a phishing scam statistic:
- Check the spelling of the URLs in emails, and of the email text itself. A professional copywriter won’t make the abundant mistakes that phishers sometimes do.
- Look out for redirects from the original website that take you to the spoofed one.
- If you receive a strange email from a friend or family member, contact them directly instead of replying to the email.
- Don’t post personal information on the internet for everyone to see, including things like birthdays and vacation plans.
As with anything, the first step to avoiding becoming part of a phishing scam is educating yourself on how these attacks work. It’s crucial to remember that phishing is just one of the cybersecurity risks we face. If you’d like to find out how your company is performing and isolate weaknesses in your cyber defenses, schedule a call with us or take our free, self-guided IT Security Risk Assessment.
Frequently Asked Questions About Phishing
What is a three-question quiz phishing attack?
It's a phishing attack designed for end users to fill out a quiz for a “prize,” which leads to stolen information from the victim.
What is phishing for dummies?
Phishing is a common scam that attempts to lure you into giving up your username, password, or other sensitive information by masquerading as someone you know and trust. This can be done by phone, but is typically done in email.
Which type of phishing is the first step in most of the big attacks against organizations?
In many cases, spear phishing attacks are used as a first step in an APT attack targeting a specific organization.
How do you pass a phishing test?
- Train and notify employees. ...
- Engage relevant departments or managers. ...
- Create a phishing alias and/or deploy an embedded report button. ...
- Timing. ...
- Use different phishing methods. ...
- Include senior management and executives. ...
- Reporting is critical.
Requests for personal information, generic greetings or lack of greetings, misspellings, unofficial "from" email addresses, unfamiliar webpages, and misleading hyperlinks are the most common indicators of a phishing attack.
What are 2 common types of phishing?
- Spear Phishing. Spear phishing involves targeting a specific individual in an organization to try to steal their login credentials. ...
- Vishing. ...
- Email Phishing. ...
- HTTPS Phishing. ...
- Pharming. ...
- Pop-up Phishing. ...
- Evil Twin Phishing. ...
- Watering Hole Phishing.
An email that appears to be from PayPal arrives telling the victim that their account has been compromised and will be deactivated unless they confirm their credit card details. The link in the phishing email takes the victim to a fake PayPal website, and the stolen credit card information is used to commit further crimes.
What is the difference between spear phishing and phishing?
Spear phishing is a specific and targeted attack on one or a select number of victims, while regular phishing attempts to scam masses of people. In spear phishing, scammers often use social engineering and spoofed emails to target specific individuals in an organization.
What are the 5 P's to help you identify a phishing attempt?
- Fraudsters PRETEND to be from a known organization. ...
- Fraudsters say there's a PROBLEM. ...
- Fraudsters PRESSURE you to act immediately. ...
- Fraudsters tell you to PAY in a specific way. ...
- Fraudsters ask you to claim a PRIZE.
- Invoice phishing. ...
- Payment/delivery scam. ...
- Tax-themed phishing scams. ...
- Downloads. ...
- Phishing emails that deliver other threats. ...
- Spear phishing. ...
- Whaling. ...
- Business email compromise.
Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. Emails and Internet pages created by phishers may look exactly like the real thing. They may even have a fake padlock icon that ordinarily is used to denote a secure site.
What 3 things must you do if you receive an unexpected email?
- Do not open it. ...
- Delete it immediately to prevent yourself from accidentally opening the message in the future.
- Do not download any attachments accompanying the message. ...
- Never click links that appear in the message.
KnowBe4's 2022 Phishing By Industry Benchmarking Report reveals that 32.4% of untrained end users will fail a phishing test.
What do phishing attempts look like?
In a phishing scam, you might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you've used before.
What are the 7 red flags of phishing?
- 1 Urgent or threatening language. ...
- 2 Requests for sensitive information. ...
- 3 Anything too good to be true. ...
- 4 Unexpected emails. ...
- 5 Information mismatches. ...
- 6 Suspicious attachments. ...
- 7 Unprofessional design.
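Several of the indicators listed above (an unofficial sender address, urgent language, a request for sensitive data, a generic greeting, a risky attachment) can be checked mechanically. The following is an added example, not code from the page's source or from any vendor: it parses a raw message with Python's standard `email` module and returns the red flags it finds. The two messages and the "known domains" set are constructed for the example; a real deployment would feed it the organization's mail and its own list of expected sender domains.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real phishing mail). The first shows several red flags;
# the second is a benign notice from the domain the recipient actually banks with.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
To: customer@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Dear customer,

We detected unusual activity on your account. You must verify your password
and card number immediately or your account will be suspended.

Click here: http://examp1e-bank-support.com/verify
"""

BENIGN_EMAIL = """\
From: "Example Bank" <notices@example-bank.com>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Hi Alex,

Your statement for May is now available in online banking.
"""

# Domains the recipient expects mail from (an assumption for the example).
KNOWN_DOMAINS = {"example-bank.com"}

URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
SENSITIVE_PHRASES = ("password", "card number", "social security", "pin", "verify your")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")
RISKY_ATTACHMENT_EXTS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm", ".zip")


def _contains_phrase(text, phrases):
    # Whole-word match so that "pin" does not fire on "shopping".
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def red_flags(raw_message, known_domains=KNOWN_DOMAINS):
    """Return the list of red flags found in one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Red flag: the real address behind the display name is not a domain we know.
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain not in known_domains:
        flags.append(f"unfamiliar sender domain: {sender_domain or '(none)'}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + "\n" + text).lower()

    if _contains_phrase(lowered, URGENCY_PHRASES):
        flags.append("urgent or threatening language")
    if _contains_phrase(lowered, SENSITIVE_PHRASES):
        flags.append("request for sensitive information")
    if text.lstrip().lower().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting")

    # Red flag: an attachment with an executable or macro-capable extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXTS):
            flags.append(f"suspicious attachment: {name}")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", red_flags(raw) or ["no red flags"])
```

The sample message trips four flags, the benign notice none. Keyword lists like these are easy to evade, so a scorer of this kind is best used to prioritize messages for a human reviewer or a report button, not as the only filter.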
- 1 Email and website spoofing.
- 2 Malicious links and attachments.
- 3 Urgent subjects and text lures.
What are the 4 ways to avoid phishing?
- Protect your computer by using security software. ...
- Protect your cell phone by setting software to update automatically. ...
- Protect your accounts by using multi-factor authentication. ...
- Protect your data by backing it up.
Modern thieves may use spyware programs, such as “key loggers,” system monitors, and trojans to send keystrokes or pictures of your computer's monitor to the thieves in the hope of snagging account numbers, passwords, Social Security numbers, or other confidential information that can be used to steal from you or ...
What is phishing in its most basic form?
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
What is an example of a suspicious link?
You can spot a suspicious link if the destination address doesn't match the context of the rest of the email. For example, if you receive an email from Netflix, you would expect the link to direct you towards an address that begins 'netflix.com'.
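The article's advice to check the spelling of URLs and to watch for redirects, together with the answer above about links whose destination does not match the expected domain, can be turned into a link check. The following is an added example, not code from the page's source: for each hyperlink it compares the domain shown in the visible text with the real destination, looks for destinations that imitate a trusted domain (confusable characters such as `1` for `l`, or a one- or two-letter near miss), and flags query parameters that carry a full URL to a different host, the usual shape of a redirect. The trusted-domain set, the sample links and the crude "last two labels" domain rule are assumptions for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Domains the reader expects to be sent to (an assumption for the example).
TRUSTED_DOMAINS = {"netflix.com", "paypal.com", "example-bank.com"}

DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable(host):
    """Crude 'registrable domain': the last two labels. Assumes no multi-label public
    suffixes such as co.uk, which a real tool would handle with the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(domain):
    """Map common look-alike substitutions back to the letters they imitate."""
    return domain.replace("0", "o").replace("1", "l").replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(link_text, href, trusted=TRUSTED_DOMAINS):
    """Return findings for one hyperlink given its visible text and real destination."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https") or not host:
        findings.append(f"unusual or missing scheme/host in {href!r}")
        return findings
    dest = registrable(host)

    # 1. The text shows one domain but the link goes somewhere else.
    shown = DOMAIN_IN_TEXT.search(link_text.lower())
    if shown and registrable(shown.group(0)) != dest:
        findings.append(f"text shows {shown.group(0)} but link goes to {host}")

    # 2. The destination imitates a trusted domain (confusable characters or a near miss).
    if dest not in trusted:
        for good in sorted(trusted):
            if fold_confusables(dest) == good or levenshtein(dest, good) <= 2:
                findings.append(f"{dest} looks like trusted domain {good}")
                break

    # 3. A redirect: a query parameter that itself carries a full URL to another host.
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                findings.append(f"parameter {key!r} redirects to {inner.hostname}")
    return findings


# Constructed links as they might appear in a message: (visible text, actual href).
SAMPLE_LINKS = [
    ("https://www.netflix.com/account", "http://netf1ix.com/login"),
    ("Update your details", "https://www.paypal.com/cgi-bin/webscr?return=http://evil.example/collect"),
    ("Sign in", "https://paypa1.com/"),
    ("https://www.example-bank.com", "https://www.example-bank.com/statements"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(href, "->", check_link(text, href) or ["no findings"])
```

The first sample link produces two findings (text/destination mismatch and a confusable imitation of netflix.com), the second is flagged only for its redirect parameter, the third for imitating paypal.com, and the last is clean. The edit-distance threshold of 2 is deliberately loose; on a long trusted list it will also flag unrelated short domains, so tune it against your own data.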
Fend Off Phishing: Learn how more than 90% of all cyber attacks begin with phishing. Find out how attackers leverage phishing attacks to gain access to protected systems, hosts, and networks. Discover how technology can be used to mitigate phishing attacks and train users to better recognize phishing emails.
What is the first line of defense against phishing?
Your employees should be considered as your first line of defence when it comes to phishing attacks.
Why is it called phishing?
Some say the term phishing got influences from the word fishing. Analogous to fishing, phishing is also a technique to “fish” for usernames, passwords, and other sensitive information, from a “sea” of users. Hackers generally use the letters “ph” instead of “f,” and therefore initially they were known as phreaks.
What methods do phishers use?
- Spear Phishing and Whaling. ...
- Clone Phishing. ...
- Link Manipulation. ...
- Filter Evasion. ...
- Website Forgery. ...
- Covert Redirect. ...
- Social Engineering. ...
- Voice Phishing.
Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive.
Why are phishing attacks successful?
Phishing is an effective and dangerous cybercrime because it relies on people's inherent trust in the internet. The idea that criminals would be able to fool you into giving up private information is hard for most people to believe, which makes it easy for even well-meaning people to fall victim to a phishing attack.
Who is most vulnerable to phishing?
Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups.
Who is targeted the most for phishing?
During the third quarter of 2022, 23 percent of phishing attacks worldwide were directed toward financial institutions. On top of that, web-based software services and webmail accounted for 17 percent of attacks, making these two the highest-targeted industries regarding phishing during the examined quarter.
Which email is most likely phishing?
- The fake invoice scam.
- Email account upgrade scam.
- Advance-fee scam.
- Google Docs scam.
- PayPal scam.
- Message from HR scam.
- Dropbox scam.
- The council tax scam.
Ransomware is a type of malware identified by specified data or systems being held captive by attackers until a form of payment or ransom is provided. Phishing is an online scam enticing users to share private information using deceitful or misleading tactics.
If the computer you are using was provided to you by your employer or is used for work, do not try to fix your computer yourself and do not turn the computer off. You may cause more harm than good and you could destroy valuable evidence that can be used for an investigation.
Is phishing just email?
SMS phishing -- or smishing -- attacks work in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.
Who are the most common victims of phishing?
Over 48% of emails sent in 2022 were spam. Over a fifth of phishing emails originate from Russia. Millennials and Gen-Z internet users are most likely to fall victim to phishing attacks.
What are three phishing examples?
A fraudulent SMS, social media message, voice mail, or other in-app message asks the recipient to update their account details, change their password, or tells them their account has been violated. The message includes a link used to steal the victim's personal information or install malware on the mobile device.
What is phishing (multiple choice question)?
Explanation: Phishing is an internet scam done by cyber-criminals where the user is convinced digitally to provide confidential information.
What are the 2 most common types of phishing attacks?
- Email Phishing. Phishing emails top this list as one of the oldest and most commonly used types of phishing attacks. ...
- Spear Phishing. ...
- Whaling. ...
- Business Email Compromise (BEC) ...
- Voice Phishing. ...
- HTTPS Phishing. ...
- Clone Phishing. ...
- SMS Phishing.
What is the most commonly used method for phishing?
Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities.
Often phishers are targeting an enterprise and a selected group at an office (staff, management, executives) that is responsible for a project or service.
What is the weakest link for security?
A human being is still the weakest link in cyber security. Whether it's a disgruntled employee, an overconfident employee, or an employee with a lack of knowledge, it's always the human element. And this is why most cyber security breaches are due to human error.
Phishing is when attackers send malicious emails designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials, or other sensitive data.