Phishing is when attackers send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials or other sensitive data.
The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure people in and get them to take the bait. And, once they are hooked, both the user and the organisation are in trouble.
Phishing is an example of social engineering: a collection of techniques that scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection and lying—all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through.
Why Is Phishing a Problem?
Cyber criminals use phishing because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.
The data that cybercriminals go after includes personal information—like financial account data, credit card numbers and tax and medical records—as well as sensitive business data, such as customer names and contact information, proprietary product secrets and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches—like the headline-grabbing 2013 Target breach—start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
How does it work?
Cybercriminals use three primary mechanisms in phishing emails to steal information: malicious web links, malicious attachments, and fraudulent data-entry forms.
Malicious Web Links
Links (URLs) are common in email generally and in phishing emails in particular. A malicious link takes the user to an impostor website or to a site that serves malicious software (malware). Such links are easily disguised: the visible link text, a logo or another image can point to a destination quite different from what it appears to be, because the real target sits in the underlying href rather than in what the user sees.
Here is an example of an email received by users at Cornell University, an American university. It was a simple message that showed "Help Desk" as the sender's name, although it did not originate from the university's help desk but from an address in the @connect.ust.hk domain. According to Cornell's IT team, the link embedded in the email led to a page that imitated the Office 365 login page; the goal was to steal user credentials.
Malicious Attachments
These look like legitimate file attachments but actually carry malware that can compromise the computer and the files on it. In the case of ransomware, a type of malware, every file on the PC can be encrypted and made inaccessible. Or a keystroke logger may be installed to record everything the user types, including passwords. It is also important to realise that ransomware and other malware can spread from one PC to other devices reachable from it, such as external hard drives, file servers and even cloud storage synchronised to the machine.
Here is an example of phishing email text shared by the international shipper FedEx on its website. The email urged recipients to print a copy of the attached "postal receipt" and take it to a FedEx location to collect a parcel that could not be delivered. The attachment contained a virus that infected recipients' computers. Variants of this shipping scam are particularly common during the Christmas shopping season, though they appear year-round.
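The checks a mail filter applies to attachments like the "postal receipt" above, as an added example (this is not code from the original page or from any vendor). It parses a raw message with Python's standard email library and flags the three patterns described in this section: a file whose real extension is hidden behind a document-like one, a macro-enabled Office document, and content whose leading bytes contradict its declared type. The sample message, its sender address and its attachments are constructed here; the "executable" is an MZ header followed by zeros, not real malware.

```python
"""Triage the attachments of a raw email for common phishing lures.

Added example, not code from the original page. The sample message is
constructed below and carries no real malware.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that run code when opened, or are common droppers.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi", "jar"}
# Office formats that may carry VBA macros.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "ppam"}
# Archives are often used to wrap an executable past simple filters.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso", "img"}
# Extensions a lure likes to show in front of the real one ("Receipt.pdf.exe").
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}

# Magic bytes for formats we can recognise without a library.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",       # also .docx/.xlsx/.jar
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls, may hold macros
}


def sniff_type(data: bytes) -> str:
    """Identify content by its leading bytes rather than by its name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def assess_attachment(filename: str, content_type: str, data: bytes) -> list:
    """Return the reasons this attachment looks suspicious (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office document .{ext}")
    if ext in ARCHIVE_EXTENSIONS:
        reasons.append(f"archive .{ext} (contents not inspected here)")
    if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    sniffed = sniff_type(data)
    if sniffed == "pe-executable" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"content is a Windows executable despite the name .{ext}")
    if sniffed == "pe-executable" and content_type != "application/x-msdownload":
        reasons.append(f"declared {content_type} but content is a Windows executable")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each attachment's filename to its list of reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings[name] = assess_attachment(name, part.get_content_type(), data)
    return findings


def build_sample() -> bytes:
    """Constructed message imitating the undeliverable-parcel lure (placeholder domains)."""
    msg = EmailMessage()
    msg["From"] = "Parcel Service <notice@delivery-example.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Unable to deliver your parcel"
    msg.set_content("Print the attached receipt and bring it to your nearest depot.")
    # Named and declared as a PDF, but the content starts with a PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Postal_Receipt.pdf.exe")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice.docm")
    msg.add_attachment("Tracking: 0000", subtype="plain", filename="tracking.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "->", reasons or ["no findings"])
```

The name-based checks alone would pass a file called `receipt.pdf` that is really an executable, which is why the magic-byte check is there; a real gateway would go further and detonate the file in a sandbox, but the mismatch between name, declared type and content is already a strong signal.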
Fraudulent Data Entry Forms
These emails prompt users to fill in sensitive information—such as user IDs, passwords, credit card data, and phone numbers. Once users submit that information, it can be used by cybercriminals for their personal gain.
Here is an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users are routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form. This type of personal information can be used by cybercriminals for a number of fraudulent activities, including identity theft.
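One way to detect both the disguised links described under "Malicious Web Links" and the credential-harvesting forms described here, as an added example (not code from the original page or from Cornell, gov.uk or any vendor). It parses an HTML email and an HTML landing page with Python's standard library and flags a sender whose display name does not match its domain, a link whose visible text or logo points somewhere other than it appears, a punycode host, and a form that posts sensitive fields to a host other than the trusted one. The sample email and page are constructed here and modelled on the two lures in the text; every domain in them is a `.test` placeholder, and `registrable()` is a crude two-label approximation of the registrable domain rather than a Public Suffix List lookup.

```python
"""Scan an HTML email body and a landing page for disguised links and
credential-harvesting forms.

Added example, not code from the original page. The message, the page and
every domain below are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Form field names that should never be sent to an unexpected host.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "cardnumber", "cvv", "ssn", "nino", "pin"}


def registrable(host: str) -> str:
    """Last two DNS labels; a crude stand-in for the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class PageScanner(HTMLParser):
    """Collect anchors (href plus what the user sees) and forms with their fields."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, visible text or "[image:alt]")
        self.forms = []   # {"action": str, "fields": [names]}
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and self._href is not None:
            self._text.append(f"[image:{a.get('alt', '')}]")
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or a.get("type") or "").lower())

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text)))
            self._href = None


def scan_html(html: str, trusted_domain: str, page_url: str = "") -> list:
    """Flag links whose target differs from what is displayed, punycode hosts,
    and forms that post sensitive fields anywhere but trusted_domain."""
    p = PageScanner()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = urlparse(urljoin(page_url, href)).hostname or ""
        if "xn--" in host:
            findings.append(f"punycode host in link: {host}")
        if text.startswith("[image:"):
            if registrable(host) != trusted_domain:
                findings.append(f"image link {text} points to {host}")
            continue
        if " " not in text and "." in text.rstrip("."):   # text itself looks like a URL/domain
            try:
                shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            except ValueError:
                shown = ""
            if shown and registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but target is {host}")
    for form in p.forms:
        host = urlparse(urljoin(page_url, form["action"])).hostname or ""
        sensitive = sorted(f for f in form["fields"] if f in SENSITIVE_FIELDS)
        if sensitive and registrable(host) != trusted_domain:
            findings.append(f"form collects {sensitive} and posts to {host}")
    return findings


def scan_message(raw: bytes, org_domain: str) -> list:
    """Check the From header against org_domain, then scan the HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if name and registrable(sender_domain) != org_domain:
        findings.append(f'display name "{name}" but sender domain is {sender_domain}')
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += scan_html(body.get_content(), org_domain)
    return findings


# Constructed sample modelled on the "Help Desk" lure (placeholder domains).
SAMPLE_EMAIL = b"""From: Help Desk <helpdesk@connect.example-hk.test>
To: student@university.test
Subject: Action required: mailbox quota exceeded
Content-Type: text/html; charset=utf-8

<p>Sign in to keep your account active:</p>
<p><a href="http://login-office365.example-attacker.test/owa/">https://login.microsoftonline.com/</a></p>
<p><a href="http://login-office365.example-attacker.test/owa/"><img src="cid:logo" alt="University IT"></a></p>
"""

# Constructed sample modelled on the refund page; gov.uk is the trusted domain.
SAMPLE_PAGE_URL = "http://hmrc-refund.example-attacker.test/claim"
SAMPLE_PAGE = """<h1>You are eligible for a tax refund</h1>
<form method="post" action="/submit.php">
  Full name <input name="fullname">  Card number <input name="cardnumber">
  CVV <input name="cvv"> <input type="submit" value="Claim refund">
</form>"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL, "university.test"):
        print("EMAIL:", f)
    for f in scan_html(SAMPLE_PAGE, "gov.uk", SAMPLE_PAGE_URL):
        print("PAGE:", f)
```

Run against the constructed email this reports the display-name mismatch, the link whose text shows a Microsoft login host while its target is elsewhere, and the logo that links off-domain; against the constructed page it reports a form collecting card data that posts to a host outside gov.uk. The form check resolves a relative `action` against the page URL, which is what makes a same-origin form on an attacker's page show up.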
It’s important to recognise the consequences of falling for a phishing attack, either at home or at work. Here are just a few of the problems that can arise from falling for a phishing email:
In Your Personal Life
- Money stolen from bank accounts
- Fraudulent charges on credit cards
- Tax returns filed in a person’s name
- Loans and mortgages opened in a person’s name
- Lost access to photos, videos, files, and other important documents
- Fake social media posts made in a person’s accounts
At Work
- Loss of corporate funds
- Exposed personal information of customers and co-workers
- Outsiders gain access to confidential communications, files and systems
- Files become locked and inaccessible
- Damage to employer's reputation
How can I protect against Phishing Attacks?
User education about the signs of a suspicious email does reduce successful compromises. But because user behaviour is not predictable, technical phishing detection in the mail path is essential as well.
Some email gateways rely on reputation: they catch and classify phishing emails whose embedded URLs are already known to be bad. What these miss are well-crafted messages whose URLs point at compromised legitimate websites, which have no bad reputation at the time the email is delivered.
The most effective systems look for anomalies in traffic patterns to identify suspicious emails, rewrite each embedded URL so that every click passes through a gateway, and keep watching the destination for in-page exploits and downloads, so that a link which was clean at delivery can still be blocked when it later turns malicious.
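The URL-rewriting part of that approach, as an added example (this is not the code of any vendor's product). At delivery time every http(s) link in the message body is replaced by a gateway link that carries the original URL, the recipient and an HMAC over both; at click time the gateway unwraps the link only if the HMAC verifies, and that is the point where it would fetch and scan the destination. The gateway address and the signing key are placeholders, and the sample message body is constructed here.

```python
"""Rewrite every link in an email so that clicks go through a scanning gateway,
and resolve such a link at click time only when its signature verifies.

Added example, not any vendor's code. GATEWAY and SECRET are placeholders.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://urlcheck.example-gateway.test/v1/click"   # placeholder
SECRET = b"per-tenant-key-rotate-me"                         # placeholder
HREF_RE = re.compile(r"""(href\s*=\s*["'])([^"']+)(["'])""", re.IGNORECASE)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(url: str, recipient: str) -> str:
    """HMAC over recipient and URL, so a token is bound to one mailbox."""
    mac = hmac.new(SECRET, f"{recipient}\n{url}".encode(), hashlib.sha256).digest()
    return _b64(mac[:16])


def rewrite_url(url: str, recipient: str) -> str:
    """Wrap one http(s) URL; leave mailto:, cid: and already-wrapped links alone."""
    if urlparse(url).scheme not in ("http", "https") or url.startswith(GATEWAY):
        return url
    query = urlencode({"u": _b64(url.encode()), "r": recipient, "s": sign(url, recipient)})
    return f"{GATEWAY}?{query}"


def rewrite_html(html: str, recipient: str) -> str:
    """Replace each href in the message body with its gateway-wrapped form."""
    return HREF_RE.sub(lambda m: m.group(1) + rewrite_url(m.group(2), recipient) + m.group(3), html)


def resolve_click(wrapped: str) -> Optional[str]:
    """Gateway side: return the original URL, or None if the token is invalid.
    Without the signature check the gateway would be an open redirector that
    attackers could use to make their own links look scanned."""
    params = parse_qs(urlparse(wrapped).query)
    try:
        url = _unb64(params["u"][0]).decode()
        recipient, sig = params["r"][0], params["s"][0]
    except (KeyError, ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig.encode(), sign(url, recipient).encode()):
        return None
    # A real gateway would fetch and scan `url` here, at click time, so a link
    # that was clean at delivery is re-checked when it is actually followed.
    return url


if __name__ == "__main__":
    body = '<a href="http://shop.example.test/sale?id=7&ref=mail">Sale</a> <a href="mailto:help@example.test">Help</a>'
    wrapped_body = rewrite_html(body, "user@example.test")
    print(wrapped_body)
    print(resolve_click(HREF_RE.search(wrapped_body).group(2)))
```

Binding the signature to the recipient means a wrapped link copied from one mailbox cannot be replayed as another user's click, and the time-of-click scan is what closes the gap left by delivery-time reputation checks.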
Phishing poses a huge threat to individuals and businesses. The following phishing statistics offer some sense of the prevalence and seriousness of phishing attacks:
- Phishing attacks reported in 2016 were up 65% from 2015 (Source: The Anti-Phishing Working Group)
- of U.S. survey respondents have fallen victim to a phishing scam (Source: Verizon's 2017 Data Breach Investigations Report)
- of working adults do not understand what phishing is (Source: Wombat Security's 2017 User Risk Report)
- of phishing victims will click a dangerous attachment again (Source: Verizon's 2017 Data Breach Investigations Report)
Anti-Phishing Training Suite
Proofpoint customers have used Anti-Phishing Training Suite and Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. This unique, four-step Assess, Educate, Reinforce, and Measure approach can be the foundation of any organisation’s phishing awareness training program.