Phishing: What it is and how to protect against it

What Is Phishing

Definition

Phishing is when cybercriminals send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials, or other sensitive data.

The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure you in and get you to take the bait. And once you’re hooked, you’re in trouble.

Phishing is an example of social engineering: a collection of techniques scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection, and lying, all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage you to act without thinking things through.

Why Is Phishing a Problem?

Cybercriminals use phishing because it’s easy, cheap, and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.

The data cybercriminals go after includes personal information — like financial account data, credit card numbers, and tax and medical records — as well as sensitive business data, such as customer names and contact information, proprietary product secrets, and confidential communications.

Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts — or to obtain permissions to modify and compromise connected systems, like point of sale terminals and order processing systems. Many of the biggest data breaches — like the headline-grabbing 2013 Target breach — start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.

How does it work?

Cybercriminals use three primary mechanisms within phishing emails to steal your information: malicious web links, malicious attachments, and fraudulent data-entry forms.

Malicious Web Links

Phishing Email Example

Links, also known as URLs, are common in emails in general, and also in phishing emails. Malicious links will take you to imposter websites or to sites infected with malicious software, also known as malware. Malicious links can be disguised to look like trusted links, and embedded in logos and other images inside an email.

Here is an example of an email received by users at Cornell University, an American college. It is a simple message that showed "Help Desk" as the name of the sender (though the email did not originate from the university’s help desk, but from the @connect.ust.hk domain). According to Cornell’s IT team, the link embedded in the email took clickers to a page that looked like the Office 365 login page. This phishing email attempted to steal user credentials.
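The two tells in the Cornell message (a trusted-sounding display name on an outside sender domain, and a link whose visible text does not match its real target) can be checked mechanically. The following is an added example, not code from the original page or from Cornell; the sample message, the `.invalid`/`.example` domains and the `analyze` function are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "Help Desk" message described above: the
# display name claims to be the help desk, the address is an outside domain,
# and the visible link text does not match where the link really goes.
RAW_MESSAGE = b"""\
From: "Help Desk" <support@example-outside.invalid>
To: user@university.example
Subject: Your mailbox is almost full
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your account at
<a href="http://login-portal.invalid/office365">https://login.microsoftonline.com</a>
before it is suspended.</p></body></html>
"""

# Deliberately simple anchor extraction for the demo; a production filter
# would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def analyze(raw, trusted_domains):
    """Return findings for one message: a display-name/sender-domain mismatch
    and links whose visible text names a different host than the real target."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    # Finding 1: a trusted-sounding display name on an untrusted sender domain.
    if name and sender_domain not in trusted_domains:
        findings.append(f"display name {name!r} from untrusted domain {sender_domain!r}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested in the anchor
        # Finding 2: link text that reads as a URL to one host while href goes elsewhere.
        shown = urlparse(text).hostname if re.match(r"https?://", text) else None
        if shown and shown.lower() != target:
            findings.append(f"link text shows {shown!r} but points to {target!r}")
    return findings
```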

Malicious Attachments

Phishing Malicious Attachment Example

These look like legitimate file attachments, but are infected with malware that can compromise your computer and the files on it. In the case of ransomware — a type of malware — all of the files on your PC could become locked and inaccessible. Or, a keystroke logger could be installed to track everything you type, including your passwords. It’s also important to realize that ransomware and malware infections can spread from your PC to other networked devices, such as external hard drives, servers, and even cloud systems.

Here is an example of phishing email text shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected recipients’ computers. Variations of these types of shipping scams are particularly common during the Christmas shopping season, though they are seen year-round.

Fraudulent Data Entry Forms

Fraudulent Phishing Data Entry Form

These emails prompt you to fill in sensitive information — such as user IDs, passwords, credit card data, and phone numbers. Once you submit that information, it can be used by cybercriminals for their personal gain.

Here is an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users would be routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form. This type of personal information can be used by cybercriminals for a number of fraudulent activities, including identity theft.

It’s important to recognize the consequences of falling for a phishing attack, either at home or at work. Here are just a few of the problems that can arise from falling for a phish:

In Your Personal Life

  • Money stolen from your bank account
  • Fraudulent charges on credit cards
  • Tax returns filed in your name
  • Loans and mortgages opened in your name
  • Lost access to photos, videos, files, etc.
  • Fake social media posts made in your accounts

At Work

  • Loss of corporate funds
  • Exposed personal information of customers and coworkers
  • Outsider access to confidential communications, files, and systems
  • Files become locked and inaccessible
  • Damage to the employer's reputation

How can I protect against Phishing Attacks?

User education about the warning signs of a suspicious-looking email does reduce successful compromises of user machines. However, because user behavior is not predictable, phishing detection driven by security solutions is typically critical as well.

Some reputation-based email gateway solutions can catch and classify phish based on the known bad reputation of the embedded URLs. What these solutions often miss are well-crafted phishing messages whose URLs point to compromised legitimate websites that have no bad reputation at the time the email is delivered.

Opt instead for a system that identifies suspicious email based on anomalytics: it looks for unusual patterns in traffic to identify suspicious emails, then rewrites the embedded URL and keeps a constant watch on that URL for in-page exploits and downloads.
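The URL-rewriting approach described above works because the verdict on a link is made at click time, not at delivery time, so a legitimate site that is compromised after the email arrives can still be blocked. The following is an added example of that mechanism, not code from the original page or from any product it describes; the redirector host, the signing key, the sample HTML and the `BLOCKED_HOSTS` set are all constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumed for the example: the gateway's signing key and the click-checking
# host that rewritten links point to (both constructed, not real services).
GATEWAY_SECRET = b"constructed-demo-key"
REDIRECTOR = "https://urlcheck.example/click"

# Constructed HTML body as it would arrive at the gateway.
SAMPLE_HTML = '<p>Invoice: <a href="https://compromised-site.example/doc.php">view</a></p>'

# Hosts found to be serving exploits after delivery; empty at delivery time.
BLOCKED_HOSTS = set()


def sign(url):
    """HMAC over the original URL so the redirector cannot be fed forged targets."""
    return hmac.new(GATEWAY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html):
    """Gateway side: point every http(s) href at the redirector, carrying the
    original target and its signature. Runs once, at delivery."""
    def repl(m):
        original = m.group(1)
        return f'href="{REDIRECTOR}?u={quote(original, safe="")}&sig={sign(original)}"'
    return re.sub(r'href="(https?://[^"]+)"', repl, html)


def resolve_click(rewritten_url):
    """Redirector side: verify the signature, then re-check the destination
    against current knowledge. Returns the original URL, or None to block."""
    qs = parse_qs(urlparse(rewritten_url).query)
    original, sig = qs.get("u", [""])[0], qs.get("sig", [""])[0]
    if not original or not hmac.compare_digest(sig, sign(original)):
        return None  # missing, tampered or forged parameters
    host = (urlparse(original).hostname or "").lower()
    return None if host in BLOCKED_HOSTS else original
```

The same rewritten link resolves to the original URL while the host is clean and is blocked as soon as the host is added to `BLOCKED_HOSTS`, without the stored email changing.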

Phishing Statistics

Phishing poses a huge threat to individuals and businesses. The following phishing statistics offer some sense of the prevalence — and seriousness — of phishing attacks:

Anti-Phishing Training Suite

Our customers have used our Anti-Phishing Training Suite and our Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. Make our unique, four-step Assess, Educate, Reinforce, Measure approach the foundation of your phishing awareness training program.