Phishing is when attackers send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials or other sensitive data.
Phishing is an example of social engineering: a collection of techniques that scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection and lying—all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through.
History of Phishing
The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure people in and get them to take the bait. And, once they are hooked, both the user and the organization are in trouble.
Like many common threats, the history of phishing starts in the 1990s. When AOL was a popular content system with internet access, attackers used phishing and instant messaging to masquerade as AOL employees to trick users into divulging their credentials to hijack accounts.
In the 2000s, attackers turned to bank accounts. Phishing emails were used to trick users into divulging their bank account credentials. The emails contained a link to a malicious site that looked like the official banking site, but the domain was a similar variation of the official domain name (e.g., paypai.com instead of paypal.com). Later, attackers went for other accounts such as eBay and Google to use the hijacked credentials to steal money, commit fraud, or spam other users.
Why Is Phishing a Problem?
Cyber criminals use phishing emails because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.
The data that cybercriminals go after includes personally identifiable information (PII)—like financial account data, credit card numbers and tax and medical records—as well as sensitive business data, such as customer names and contact information, proprietary product secrets and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches—like the headline-grabbing 2013 Target breach—start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
What Does a Phishing Email Look Like?
Attackers prey on fear and a sense of urgency. It’s common for attackers to tell users that their account is restricted or will be suspended if the targeted user does not respond to the email. Fear gets targeted users to ignore common warning signs and forget their phishing education. Even administrators and security experts fall for phishing occasionally.
Usually, a phishing email is sent to as many people as possible, so the greeting is generic.
In the above message, the user’s name is not mentioned, and the sense of urgency is meant to use fear in an effort to trick users into opening the attachment.
The attachment could be a web page, a script (e.g., PowerShell), or a Microsoft Office document with a malicious macro. Macros and scripts can be used to download malware or trick users into divulging their account credentials.
Attackers register domains that look similar to the official one, or they will occasionally use generic providers such as Gmail. Spoofing the sender address is possible with email protocols, but most recipient servers run email security that detects spoofed headers. A message might carry the official company logo, but the sender address will not be on the official company domain. The sender address is one warning sign, but it should not be the only thing used to judge the legitimacy of a message.
Primary Mechanisms Used in Phishing Emails
Cybercriminals use three primary mechanisms in phishing emails to steal information: malicious web links, malicious attachments, and fraudulent data-entry forms.
Malicious Web Links
Links, also known as URLs, are common in emails in general and also in phishing emails. Malicious links will take users to impostor websites or to sites infected with malicious software, also known as malware. Malicious links can be disguised to look like trusted links and are embedded in logos and other images in an email.
Here is an example of an email received by users at Cornell University, an American college. It is a simple message that showed “Help Desk” as the name of the sender (though the email did not originate from the university’s help desk, but rather from the @connect.ust.hk domain). According to Cornell’s IT team, the link embedded in the email took clickers to a page that looked like the Office 365 login page. This phishing email attempted to steal user credentials.
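The checks the two sections above describe can be automated for mail triage: compare the display name with the real sender domain, read the receiving server's SPF/DKIM/DMARC verdicts, look for a generic greeting, compare each link's visible text with its real target, and flag domains that are one or two characters away from a brand the organization deals with (paypai.com versus paypal.com). The script below is an added example, not code from the original article or from any vendor; the raw message, the brand allow-list, the domain names and the Authentication-Results values are all constructed for the demonstration, and the "registered domain" helper is a deliberate simplification.

```python
"""Triage a raw email for the warning signs the article describes: a display name that does
not match the sender's domain, failed SPF/DKIM/DMARC verdicts, a generic greeting, links
whose visible text disagrees with the real target, and lookalike domains.
Added example, not from the original article; the message, allow-list and domains are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand domains this organisation legitimately deals with.
KNOWN_BRAND_DOMAINS = {"paypal.com", "example-bank.com"}

# Constructed sample message; the Authentication-Results header is what the receiving
# mail server adds after its own SPF/DKIM/DMARC checks (the values here are made up).
SAMPLE_RAW_EMAIL = """\
From: "Help Desk" <alerts@connect.example.net>
To: user@example-corp.com
Subject: Your account will be suspended
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=connect.example.net; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user, your account is restricted. Verify now:
<a href="http://paypai.com/login">https://www.paypal.com/account</a></p></body></html>
"""

def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification; production code uses the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot 'paypai.com' imitating 'paypal.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain: str, known=KNOWN_BRAND_DOMAINS, max_distance: int = 2):
    """Return the brand domain that `domain` imitates, or None if it is exact or unrelated."""
    for brand in sorted(known):
        if 0 < levenshtein(domain, brand) <= max_distance:
            return brand
    return None

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def auth_results(msg) -> dict:
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def triage(raw: str) -> list:
    """Return human-readable warning signs found in the raw message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, verdicts = [], auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            findings.append(f"authentication: {mech}={verdicts.get(mech, 'missing')}")
    name, addr = parseaddr(str(msg.get("From", "")))
    sender = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender and sender not in KNOWN_BRAND_DOMAINS:
        findings.append(f"sender: '{name}' writes from unrecognised domain {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if re.search(r"\bdear (user|customer)\b", content, re.I):
        findings.append("greeting: generic salutation, recipient not named")
    collector = LinkCollector()
    collector.feed(content)
    for text, href in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        if lookalike(target):
            findings.append(f"lookalike domain {target} resembles {lookalike(target)}")
        if text.lower().startswith(("http://", "https://")):
            shown = registered_domain(urlparse(text).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
    return findings
```

Running `triage(SAMPLE_RAW_EMAIL)` on the constructed message reports the failed SPF and DMARC verdicts, the unrecognised sender domain behind the "Help Desk" display name, the generic greeting, the paypai.com lookalike and the mismatch between the link text and its real target. None of these signals is conclusive alone; the point of scoring several of them together is that a well-crafted message rarely clears all of them.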
Malicious Attachments
These look like legitimate file attachments but are actually infected with malware that can compromise computers and the files on them. In the case of ransomware—a type of malware—all of the files on a PC could become locked and inaccessible. Or a keystroke logger could be installed to record everything a user types, including passwords. It’s also important to realize that ransomware and other malware infections can spread from one PC to other networked devices, such as external hard drives, servers, and even cloud systems.
Here is an example of phishing email text shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected recipients’ computers. Variations of these types of shipping scams are particularly common during the Christmas shopping season, though they are seen year-round.
Fraudulent Data Entry Forms
These emails prompt users to fill in sensitive information—such as user IDs, passwords, credit card data, and phone numbers. Once users submit that information, it can be used by cybercriminals for their personal gain.
Here is an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users are routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form. This type of personal information can be used by cybercriminals for a number of fraudulent activities, including identity theft.
Common Phishing Subject Lines
The subject line of an email determines whether a user will open the message. In a phishing attack, the subject line plays on user fears and a sense of urgency.
It’s common for attackers to use messages involving problems with accounts, shipments, bank details, and financial transactions. Shipping messages are common during the holidays, because most people are expecting a delivery. If a user does not notice that the domain in the sender address is not legitimate, the user could be tricked into clicking the link and divulging sensitive data.
Types of Phishing Attacks
Phishing has evolved into more than simple credential and data theft. The way an attacker lays out a campaign depends on the type of phishing. Types of phishing include:
- Spear phishing: these email messages are sent to specific people within an organization, usually high-privilege account holders.
- Link manipulation: messages contain a link to a malicious site that looks like the official business.
- CEO fraud: these messages are sent mainly to financial people to trick them into believing that the CEO or other executive is asking them to transfer money. CEO fraud falls under the umbrella of phishing, but instead of an attacker spoofing a popular website, they spoof the CEO for the targeted corporation.
- Content injection: an attacker who can inject malicious content into an official site will trick users into accessing the site to show them a malicious popup or redirect them to a phishing website.
- Malware: users tricked into clicking a link or opening an attachment might download malware onto their devices.
- Smishing: using SMS messages, attackers trick users into accessing malicious sites from their smartphones.
- Vishing: attackers use voice-changing software to leave a message telling targeted victims that they must call a number where they can be scammed.
- “Evil Twin” Wi-Fi: spoofing free Wi-Fi, attackers trick users into connecting to a malicious hotspot so that they can perform man-in-the-middle attacks.
Real-World Phishing Examples
The way an attacker carries out a phishing campaign depends on their goals. For businesses, it’s common for attackers to use fake invoices to trick the accounts payable department into sending money. In this attack, the sender address is not a useful signal, because many vendors use personal email accounts to do business.
The button in this example opens a web page with a fraudulent Google authentication form. The page attempts to scam targeted victims into entering their Google credentials so that attackers can steal accounts.
Another method attackers use is to pretend that they are internal technical support. The technical support email asks users to install a messaging system, an application with hidden malware, or run a script that will download ransomware. Users should be on the lookout for these types of emails and report them to administrators.
What Is a Phishing Kit?
Because phishing is effective, attackers use phishing kits to simplify the setup. A kit is the set of backend components of a phishing campaign: the web server, the elements of the cloned website (e.g., images and layout copied from the official site), and the storage used to collect harvested credentials. Registered domains are another component. Criminals register dozens of domains to use in phishing messages so that they can switch quickly when spam filters flag one as malicious; with dozens of domains on hand, they simply change the domain in the phishing URL and resend the messages to additional targets.
A phishing kit is also designed to avoid detection. Its backend scripts block large ranges of IP addresses belonging to security researchers and antivirus organizations such as McAfee, Google, Symantec, and Kaspersky so that those parties cannot find the phishing domains. A phishing domain will look like a legitimate, harmless site to security researchers but will display phishing content to a targeted user.
Where It Happens
It’s important to recognize the consequences of falling for a phishing attack, either at home or at work. Here are just a few of the problems that can arise from falling for a phishing email:
In Your Personal Life
- Money stolen from bank accounts.
- Fraudulent charges on credit cards.
- Tax returns filed in a person’s name.
- Loans and mortgages opened in a person’s name.
- Lost access to photos, videos, files, and other important documents.
- Fake social media posts made in a person’s accounts.
In Your Workplace
- Loss of corporate funds.
- Exposed personal information of customers and co-workers.
- Outsiders gaining access to confidential communications, files, and systems.
- Files become locked and inaccessible.
- Damage to employer's reputation.
- Financial fines from compliance violations.
- Loss in company value.
- Reduced investor confidence.
- Interruption of productivity, with a direct impact on revenue.
Phishing & Remote Working
The pandemic shifted the way most organizations and employees work. Remote work became the standard, so corporate devices and personal devices now share the user’s home workspace. This change in work environment gave attackers an advantage. Users don’t have enterprise-level cybersecurity at home, so email security is less effective, giving attackers a higher chance of a successful phishing campaign.
Because employees now work from home, it’s more important for organizations to train them for phishing awareness. Impersonation of executives and official vendors increased after the pandemic. Since employees still need access to corporate systems, an attacker can target any at-home employee to gain remote access to the environment. Administrators were forced to quickly set up remote access, so cybersecurity of the environment was pushed aside to allow convenience. This forced urgency gave attackers vulnerabilities that could be exploited, and many of these vulnerabilities were human errors.
Combine poor cybersecurity with users connecting with their own devices, and attackers had numerous advantages. Phishing increased across the globe. Google reported a 350% surge in phishing websites in the beginning of 2020 after pandemic lockdowns.
Most Targeted Industries
The goal of most phishing is financial gain, so attackers mainly target specific industries. The target could be the entire organization or its individual users. The top targeted industries include:
- Online stores (ecommerce).
- Social media.
- Banks and other financial institutions.
- Payment systems (merchant card processors).
- IT companies.
- Telecommunication companies.
- Delivery companies.
Most Impersonated Brands
To trick as many people as possible, attackers use well-known brands. Well-known brands will incite trust in recipients, which will increase the chance that the attack will be successful. Any common brand can be used in phishing, but a few common ones are:
- Wells Fargo
- Bank of America
Phishing protection is an important security measure companies can take to prevent phishing attacks on their employees and organization. Security awareness training and education around the signs to look for when an email looks or feels suspicious definitely help to reduce successful compromises. However, since user behavior is not predictable, technology-driven phishing detection is typically also critical.
Education expanded into real-world examples and exercises will help users identify phishing. It’s common for organizations to work with experts to send simulated phishing emails to employees and track which ones open the email and click the link. These employees can be trained further so that they do not make the same mistake with future attacks.
Some email gateway reputation-based solutions do have the ability to catch and classify phishing emails based on the known bad reputation of the embedded URLs. What gets missed by these solutions are often well-crafted phishing messages with URLs from compromised legitimate websites that don’t have a bad reputation at the time of delivery of email.
The most effective systems identify suspicious emails based on anomaly analytics, which looks for unusual patterns in traffic to identify suspicious emails, then rewrites the embedded URL and keeps a constant watch on that URL for in-page exploits and downloads. These monitoring tools quarantine suspicious email messages so that administrators can investigate ongoing phishing attacks. If a high number of phishing emails is detected, administrators can alert employees and reduce the chance of a successful targeted phishing campaign.
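The URL-rewriting step described above addresses the gap noted in the previous paragraph: a link from a compromised legitimate site can have a clean reputation at delivery time and a bad one by the time the user clicks. Rewriting every link to go through a checking gateway moves the reputation lookup to click time, and signing the rewritten link keeps the gateway from being abused as an open redirector. The script below is an added example, not code from the original article or from any vendor product; the gateway host, signing key, sample HTML and click-time blocklist are constructed for the demonstration.

```python
"""Click-time URL protection: at delivery, every external href in the body is rewritten to a
signed gateway link; on click, the gateway verifies the signature and re-checks the destination
against the blocklist as it stands at that moment.
Added example, not from the original article; gateway, key, HTML and blocklist are constructed."""
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://click-check.example.invalid/go"   # placeholder gateway (assumption)
SIGNING_KEY = b"constructed-demo-key"                 # constructed; use a managed secret in practice
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.I)

# Constructed message body: the linked domain is clean at delivery time but is reported
# and added to the blocklist before the user clicks.
SAMPLE_HTML = '<p>Parcel held. <a href="http://parcel-notice.example.net/receipt">Print receipt</a></p>'
BLOCKLIST_AT_CLICK_TIME = {"example.net"}

def _sign(url: str) -> str:
    """HMAC over the original URL so only links the gateway itself issued are honoured."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()

def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification; production code uses the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def rewrite_links(body: str) -> str:
    """Replace each external href with a signed gateway URL; already-rewritten links are left alone."""
    def repl(match):
        url = html.unescape(match.group(1))
        if url.startswith(GATEWAY):
            return match.group(0)
        wrapped = html.escape(f"{GATEWAY}?{urlencode({'u': url, 'sig': _sign(url)})}")
        return f'href="{wrapped}"'
    return HREF_RE.sub(repl, body)

def first_href(body: str):
    """Helper for the demonstration: the first href in the body, HTML-unescaped."""
    match = HREF_RE.search(body)
    return html.unescape(match.group(1)) if match else None

def resolve_click(gateway_href: str, blocklist=BLOCKLIST_AT_CLICK_TIME) -> tuple:
    """Gateway-side decision: ('reject', None) on a bad signature, ('block', url) if the
    destination is on the blocklist at click time, ('allow', url) otherwise."""
    params = parse_qs(urlparse(gateway_href).query)
    url, sig = params.get("u", [""])[0], params.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return ("reject", None)
    if registered_domain(urlparse(url).hostname or "") in blocklist:
        return ("block", url)
    return ("allow", url)
```

At delivery, `rewrite_links(SAMPLE_HTML)` wraps the parcel link; at click time, `resolve_click` on the wrapped link returns a block because example.net has since been listed, while the same link checked against an empty blocklist is allowed. Any edit to the wrapped destination invalidates the signature and is rejected, which is what stops the gateway from becoming a redirect service for anyone who learns its URL format.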
The cybersecurity landscape continually evolves, especially in the world of phishing. It’s critical for corporations to communicate with employees continually and educate them on the latest phishing and social engineering techniques. Keeping employees aware of the latest threats reduces risk and builds a culture of cybersecurity within the organization.
Phishing poses a huge threat to individuals and businesses. The following phishing statistics offer some sense of the prevalence and seriousness of phishing attacks:
What to Do If You’ve Fallen Victim
After you’ve sent your information to an attacker, it will likely be disclosed to other scammers. You will probably receive vishing and smishing messages, new phishing emails, and voice calls. Always stay on alert for suspicious messages asking for your information or financial details.
The Federal Trade Commission has a website dedicated to identity theft to help you mitigate damages and monitor your credit score. If you clicked on a link or opened a suspicious attachment, your computer could have malware installed. To detect and remove the malware, make sure that your antivirus software is up-to-date and has the latest patches installed.
Anti-Phishing Training Suite
Training employees to detect phishing has proven to be a critical component of phishing awareness and education, helping to ensure that your organization does not become the next victim. It only takes one employee falling for a phishing campaign for it to become the next reported data breach.
Phishing simulation is the latest in employee training. The practical application to an active phishing attack gives employees experience in the ways an attack is carried out. Most simulations also involve social engineering, because attackers will often combine the two for a more effective campaign. Simulations are carried out in the same way as a real-world phishing scenario, but employee activity is monitored and tracked.
Reporting and analytics tell administrators where the organization can improve by discovering which phishing attacks trick employees. Simulations that include links tie into reporting by tracking who clicks a malicious link, which employees enter their credentials on a malicious site, and any email messages that automatically trigger spam filters. Results can be used to configure spam filters and reinforce training and education across the organization.
Proofpoint customers have used Anti-Phishing Training Suite and Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. This unique, four-step Assess, Educate, Reinforce, and Measure approach can be the foundation of any organization’s phishing awareness training program.
How to report phishing emails?
If you think you’re the target of a phishing campaign, the first step is to report it to the right people. On a corporate network, it’s best to report it to IT staff so that they can review the message to determine if it’s a targeted campaign. For individuals, you can report fraud and phishing to the FTC.
What is trap phishing?
Phishing has many forms, but one effective way to trick people into falling for fraud is to pretend to be a sender from a legitimate organization. A phishing trap lures users to a malicious website using familiar business references and a design copied from a site with the same logo, layout, and interface as a bank, ecommerce store, or other popular brand that a targeted user would recognize. This is also known as a Watering Hole attack.
What is barrel phishing?
To avoid filters, an attacker might send an initial benign-looking email to establish trust first, and then send a second email with a link or request for sensitive information. Barrel phishing takes more effort from the attacker, but the effect can be more damaging as targeted users feel that they can trust the email sender.
How to spot a phishing email?
The main goal of phishing is to steal credentials (credential phishing), sensitive information, or trick individuals into sending money. Always be wary of messages that ask for sensitive information or provide a link where you immediately need to authenticate.
The Ponemon 2021 Cost of Phishing Study
The financial effects of phishing attacks have soared as organizations shift to remote and hybrid work. Read the 2021 Ponemon Cost of Phishing Study to learn more.
New Ponemon Study Finds the Annual Cost of Phishing Scams Has More Than Tripled Since 2015
According to a study from Ponemon, the cost of phishing scams has tripled since 2015. Learn the contributing factors, annual costs, how to prevent them, and more.
What to Do After Responding to a Phishing Email
Falling victim to phishing scams may result in detrimental effects, either in a home setup or at the office. Learn what to do if you’ve responded to a phishing scam.