As stories of electronic fraud fill the daily news, we’re still answering the question “What is phishing?” In 2020, it continues to be one of the most prevalent attack types, so let’s look at what phishing is, why it is so successful, and what you can do to avoid becoming a victim.
What Is Phishing?
Phishing is fraudulent communication that impersonates a party the recipient trusts in order to obtain something from them. It is a type of social engineering (any deceptive tactic designed to trick a victim into taking action or giving up private information to an attacker who uses it for fraudulent purposes) that uses impersonation and trickery to persuade an unsuspecting victim to hand over private information such as login credentials, bank account details, a Social Security number, or other sensitive data, or to take an action such as transferring funds. A cybercriminal’s goal is to use that information to defraud the victim in some way: stealing money, taking over one or more of their accounts, opening new accounts in their name, or running up credit card charges. In some cases, the attacker’s ultimate goal is to take over the victim’s device with malware or to use the victim as a way into more valuable resources, such as an enterprise’s networks, systems, data, or intellectual property.
The two most common delivery mechanisms for phishing are email and text messages (SMS phishing, also known as smishing). Phishing by phone call or voice message (vishing) is lower tech but no less effective. Websites can also carry malicious ads that, when clicked, redirect a user to a phishing website (an attacker-run website specifically designed to deceive visitors and prompt them to divulge private information or take a specific action, such as transferring funds). And social media sites provide the perfect canvas for phishing lures in the form of malicious ads, contests, free offers, and quizzes (think “Which Disney character are you?”). All of these prompt users either to provide personal information (often the answers to the same questions banks use as security questions) or to click on malicious links.
How Phishing Works
There is no great mystery behind phishing. Even though cybercriminals continually adapt their methods to changing trends (this was evident with the COVID-19 pandemic), the process is fairly predictable. Attackers choose their targets, craft a convincing lure, bait the hook, and then reel in victims. (Not surprisingly, the term “phishing” derives from traditional fishing in which an angler baits a hook with an attractive, deceptive-looking lure in hopes that a fish will bite.)
Step 1: Choose Victims
Phishing campaigns come in all shapes and sizes, depending on the attacker’s goal. Attackers who hope to collect a large number of login credentials cast a wide net by sending the same phishing email to thousands of recipients. Others choose spear phishing, which targets a specific industry, company, or individual within a company, such as someone with the access and authority to transfer money. Whaling is a still more narrowly focused attack that aims to lure a particular high-value victim, such as an executive or board member, into a trap because they have access to an organization’s most sensitive data.
Step 2: Create the Phishing Lure
Phishing only works if an attacker can successfully trick a would-be victim into taking action, so impersonation is the common denominator across all types of phishing. The attacker masquerades as an individual or entity the victim is likely to trust or, at least, not question. It could be the victim’s bank, employer, a co-worker, a company they regularly do business with, or an authority figure, such as a security or IT professional. Attackers also impersonate well-known brands like Microsoft or Google or an official government agency like the Social Security Administration, or create a fake persona such as an employment recruiter. It’s essential for all users to understand that the apparent source of an email or text message can be faked: the From address of an email is text the sender chooses, and while mail authentication (SPF, DKIM, and DMARC) can catch a forged From domain, it only helps where the receiving side checks and enforces it, and it does nothing against a look-alike domain the attacker actually owns. The same goes for a web address (URL): a familiar brand name can appear in a link whose real destination is something else entirely.
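The two points above (the apparent source of a message and the apparent destination of a link are both under the attacker’s control) as an added Python example, not code from the original article. It parses constructed sample data: invented URLs and two invented email messages built on reserved example domains and the TEST-NET address 198.51.100.7. The helper registrable_domain uses a two-label approximation that is an assumption of this example; production code should consult the Public Suffix List.

```python
"""Added, constructed examples of a faked e-mail source and deceptive URLs.

Illustration code added to the article, not code from the original page.
Every host, address and message below is invented for the example and uses
reserved example domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Assumption for this example only: real code must use the Public Suffix
    List, since e.g. 'example.co.uk' has a three-label registrable domain.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_url(url: str, trusted_domains) -> dict:
    """Report the real host behind a link and the tricks used to disguise it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    # Anything before '@' in the authority is userinfo, which browsers drop;
    # attackers put the trusted name there because readers see it first.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}@' precedes the real host {host}")

    # Internationalised labels (or their xn-- punycode form) can render as
    # look-alike characters, e.g. a Cyrillic 'a' inside a familiar brand.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("IDN/punycode host, possible homograph")

    # A trusted brand appears somewhere in the authority, but the registrable
    # domain is a different one ('paypal.com.account-verify.example').
    for brand in trusted_domains:
        if brand.split(".")[0] in parts.netloc.lower() and reg != brand:
            findings.append(f"resembles {brand} but the registrable domain is {reg}")

    if parts.scheme == "http":
        findings.append("unencrypted http scheme")

    return {"host": host, "registrable_domain": reg,
            "suspicious": bool(findings), "findings": findings}


def analyze_headers(raw_message: str) -> dict:
    """Compare the From: line the victim reads with what the mail system recorded."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    findings = []

    # Return-Path records the envelope sender that SPF is evaluated against;
    # the From: header is free text the sender writes, so the two can differ.
    if envelope_domain and registrable_domain(envelope_domain) != registrable_domain(from_domain):
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")

    # A display name that is itself an address claims an origin the real
    # address does not have: "alerts@bank.example" <alerts@mail-blast.example.net>
    if "@" in display_name:
        claimed = display_name.rpartition("@")[2].lower()
        if registrable_domain(claimed) != registrable_domain(from_domain):
            findings.append(f"display name claims {claimed} but the address is @{from_domain}")

    # Authentication-Results is only meaningful when your own receiving server
    # added it; an attacker can insert a fake one upstream.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")):
        if result in ("fail", "softfail", "none"):
            findings.append(f"{mech}={result}")

    return {"display_name": display_name, "from_domain": from_domain,
            "envelope_domain": envelope_domain,
            "suspicious": bool(findings), "findings": findings}


# Constructed messages for the demonstration (not real mail).
SPOOFED_FROM = """\
Return-Path: <bounce-1234@mail-blast.example.net>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
To: victim@example
Subject: Your account has been locked

Your account has been locked; click here to unlock it:
http://www.bank.example@198.51.100.7/unlock
"""

DISPLAY_NAME_SPOOF = """\
Return-Path: <alerts@mail-blast.example.net>
From: "alerts@bank.example" <alerts@mail-blast.example.net>
To: victim@example
Subject: Verify your password

This is the IT HelpDesk; verify your password at https://bank.example.verify-login.example/
"""

SAMPLE_URLS = [
    "https://www.paypal.com/signin",                    # genuine
    "https://paypal.com.account-verify.example/login",  # brand as a subdomain
    "http://www.paypal.com@evil.example/",              # brand in userinfo
    "https://p\u0430ypal.com/signin",                   # Cyrillic 'a' homograph
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", analyze_url(url, {"paypal.com"}))
    for raw in (SPOOFED_FROM, DISPLAY_NAME_SPOOF):
        print(analyze_headers(raw)["findings"])
```

Run it directly to print the analysis of each sample. The checks are the mechanical version of what a careful reader should do: look at the part of the address that actually determines where a link goes or where a message came from, not at the brand name that appears somewhere in it.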
The attacker creates a convincing-looking message, sometimes by copying or cloning a legitimate one, that incorporates one or more of the following reliable social engineering techniques:
- Using fear, threats, or a sense of urgency: “Your account is 90 days past due and has been turned over to a collection agency. To avoid immediate legal action, click here…”
- Offering help to solve a problem: “Your account has been locked; click here to update your information and unlock your account.” Or “Your system has been infected by a virus. Click here to download our repair tool…”
- Notifying you of a prize or reward: “Congratulations! You’ve won an all-expense paid trip to the Bahamas! Click here to provide your social security number for identification purposes.”
- Pretending to need assistance: “This is the IT HelpDesk; I need you to verify your password so we can investigate some suspicious activity on your system.”
These are only a few of the most common social engineering techniques attackers use to create lures. Phishers are masters at triggering action by manipulating human emotion. It may seem baffling, but simply asking a victim for their password (as in the last bullet) remains one of the most successful social engineering techniques phishers use.