Phishing Attack Definition
Here's a succinct, simple phishing definition to help you understand phishing attacks: The deceptive practice of sending ostensibly authoritative communications (often emails) to trick individuals into revealing personal information like credit card numbers or passwords.
What is The Purpose of Such Attacks?
Ultimately, the purpose of email phishing attacks is to deceive individuals into thinking they're interacting with an authoritative, trustworthy entity by sending well-crafted emails or messages. These emails often mimic legitimate sources and can be highly effective at exploiting a victim's trust to disclose confidential data like login credentials or financial information.
Identity Theft
Threat actors execute their phishing attempts primarily to steal a victim's identity. Phishing attacks, if successful, trick a victim into disclosing sensitive information like their Social Security number or bank information. The repercussions of successful identity theft can be profound: victims can experience long-term damage to their credit scores and may even suffer psychological distress; recovery from identity theft can be challenging and complicated.
Deployment of Malware or Ransomware
Phishing schemes often serve as a conduit for malware deployment. Social engineering attackers first send seemingly legitimate emails that trick individuals into opening the message and interacting with a malicious link or attachment. In one common variant, an email that mimics a trusted sender leads the victim to a fake website where malware is automatically downloaded to their machine.
Corporate Espionage
Phishing attacks can also serve as tools for corporate espionage. Social engineering attackers who gain unauthorized access to confidential corporate systems can cause severe consequences: organizations may lose their competitive edge, suffer damaged relationships with clients, and face significant legal repercussions.
Damage to Reputation
Phishing attacks can significantly tarnish an organization's reputation as customers, stakeholders, and the general public tend to lose trust in the wake of such scams and data breaches. Reputational damage can have dire and long-reaching consequences on an organization's bottom line, potentially causing stock price declines and, eventually, the erosion of customer loyalty.
Data Harvesting and Selling
Social engineering attackers, after successfully executing one or more phishing attacks, can begin collecting user data such as login credentials, financial information, and personal identification. This data is then sold on the dark web or used to fuel future cybercrimes. The impacts of data harvesting and selling can be wide-reaching, as organizations or individuals may experience unauthorized transactions or further attacks.
Disruption of Services
Phishing attacks can be engineered to disrupt an entity's services, often as a form of protest or to sow chaos. Attackers use phishing to access critical systems, then alter, delete, or ransom data, crippling normal operations. This can lead to halted services, creating a domino effect of financial losses and customer dissatisfaction. The disruption can span from temporary service unavailability to severe, long-term operational paralysis, underscoring the gravity of such cyberattacks and the cascading consequences they can unleash on an organization's functionality and reputation.
Propagation of Misinformation
Phishing attacks can spread misinformation because they grant attackers access to trusted communication channels, like official email accounts or social media profiles. Attackers can use these channels to disseminate false information that aims to cause reputational damage and sway public opinion. The credibility of these trusted sources makes the misinformation more impactful, potentially leading to wide-reaching consequences, including public confusion, tarnished reputations of individuals or organizations, and even market volatility.
Phishing Attack Delivery Methods
Cybercriminals use a variety of digital communications techniques in a phishing attack, including malicious emails, fake websites, and fraudulent text messages.
- Email—By far, the most common method used in a phishing attack is email. The email may include logos and links that resemble those of an actual business. The email content often requests that the recipient click a link that takes them to a webpage where they’re asked to enter credentials such as username, password, account numbers, etc.
- Fake Advertising—Some phishing scams involve redirecting a web surfer to a phony page via a link advertising products or services. When the user attempts to make a purchase, the cybercriminal captures the user’s sensitive information.
- Social Media—Cybercriminals may use social media to distribute fake URLs that link to phishing websites. Social media can also be used in phishing to impersonate an executive or authority figure or for reconnaissance on a target.
- Content Injection—Threat actors will sometimes change content on a legitimate website to redirect the user to a fake page. That fake page will then ask the user to enter credentials or other sensitive information.
- Web-based, Man-in-the-Middle Attack—In this type of attack, a threat actor has already infiltrated a legitimate website and captured the user’s credentials.
- SMS Messaging—Known as ‘smishing,’ targets receive a fake message via a text messaging service that contains a link that redirects to a page that attempts to collect personal and sensitive information.
- Voice Mail—In a process known as ‘vishing’, a cybercriminal calls the target’s phone number and pretends to be someone legitimate, such as a bank or law enforcement. The criminal may try to collect information over the phone or ask the victim to visit a fake website and enter sensitive information.
Types of Phishing Attacks
Most phishing attacks involve the distribution of a large number of phishing emails all at once. Usually, the emails pretend to come from a legitimate business, such as:
- Financial institutions or services, such as major banks and credit cards or online payment companies
- Email or technology service providers
- Social networking sites
- Online shopping sites
- Government entities (e.g., IRS)
- Cloud-based document management services
- Delivery and shipping companies
The email may include a logo and artwork that make it appear as if it came from a genuine company. Links are often “spoofed” to make them look like they’re connected to a legitimate website. Cybercriminals will also use sophisticated social engineering techniques to further lure the victim into responding to a phishing attack, such as creating a sense of urgency using fear tactics or attempting to bait the target through greed or curiosity. Sometimes the attacker pretends to be an authority figure or creates a fake identity to encourage the target to provide sensitive information.
Spear phishing — Spear phishing is a targeted phishing attack focused on a specific person or group of people. Spear phishing typically involves some reconnaissance and research on the target individuals to make the fake communication seem legitimate.
Whaling — Whaling is a type of spear phishing focused on a high-profile individual, such as a corporate executive or leader. Often whaling is used to steal money or capture highly sensitive information.
Clone Phishing — A cybercriminal uses a genuine, previously delivered email to create an almost identical email containing malicious links or attachments in a clone phishing attack. The original sender’s email address is typically spoofed to make it appear authentic.
Business Email Compromise (BEC) — Business email compromise involves the criminal spoofing of the email address of a high-profile person (usually an executive) and sending a fake email to someone else in the company. The email may request payment on a fake invoice or a large sum of money in a wire transfer, or it may ask the recipient to share sensitive employee information, such as social security numbers and birth dates.
Vishing — Vishing is a combination of ‘voice’ and ‘phishing’. During a vishing attack, the target receives a phone call in which the criminal attempts to convince the victim to divulge sensitive data, such as a credit card number or bank account information.
Smishing — Smishing is a phishing attack that is delivered via SMS/text messaging. The text’s content usually includes a link, phone number, or email address for the target to respond to.
What is Social Engineering?
Phishing attacks are often successful because of cybercriminals’ ability to persuade their intended targets of the fraudulent request’s legitimacy and urgency. Social engineering leverages different human emotions and reactions, including fear, trust, greed, urgency, curiosity, and scarcity. Social engineering techniques can also take advantage of the natural human response to authority figures, such as law enforcement or government officials.
How Does Phishing Work?
Cybercriminals often follow a process when engaging in a phishing attack:
Step 1: Identify the Victim
- A large group of individuals (mass phishing attack)
- One or more individuals at a specific organization (spear phishing or whaling attack)
Step 2: Create the Attack
- Select brand name or well-known company to spoof
- Build a website that has logos and information similar to the selected brand, as well as web pages for collecting victim data
- Develop digital content for distribution to targets. Content looks and feels legitimate
- Spoof sender email addresses to make them seem real
- Socially engineer the content to create a sense of urgency or fear
Step 3: Distribute the Attack
- Send emails or messages with fake links/attachments
- Promote links on existing websites to fraudulent phishing pages/sites
Step 4: Hook the Victim
- The victim responds to the attack and provides the information or money requested by the attacker
Step 5: Expand or Monetize the Attack
- Use stolen credentials for additional future attacks
- Sell stolen credentials to other cybercriminals
- Steal money through wire fraud or stolen financial credentials
Phishing Telltale Signs
There are many common traits in phishing. If any of these characteristics appear in an email, text message, or website, chances are good that it’s phishing.
- Spoofed email ‘display’ name — The display name doesn’t match the actual email address
- Spoofed links — When hovering over the link, the URL redirects to a site that is different from the claimed business
- Shortened URLs — Shortened URLs are often used to hide a malicious URL
- Typos and poor grammar — Poorly written content containing punctuation and grammar errors and typos is common in phishing communications
- Urgent or alarming content — Emails, pop-up website advertisements, or text messages that contain subject lines and content that suggest urgency or create a sense of alarm should be red flags
- Attachments and links — As a rule, you should never open attachments or click links from suspicious sources
- Login/Credentials Request — Any emails or text messages asking for login credentials, password resets, financial account information, credit card information, or any other type of sensitive data are immediately suspect
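As an added example (not code from the original page), a small Python checker that applies the telltale signs above to a constructed message: display name versus sender domain, link text versus real link target, URL shorteners, urgent wording, and credential requests. The shortener list, the keyword lists, the sample message and the brand's claimed domain (example.com) are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): it claims to be from "Example Bank",
# whose real domain is assumed to be example.com, and shows several signs.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@verify-examp1e.invalid>
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Please <a href="https://bit.ly/xxxxxxx">sign in to verify</a> your password now.</p>
<p>Or use <a href="http://example.com.secure-login.invalid">https://www.example.com</a></p>
"""

URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed list, extend as needed
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours")
CREDENTIAL_WORDS = ("password", "sign in", "login", "account number")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def on_domain(host: str, domain: str) -> bool:
    # host is the domain itself or a subdomain; plain endswith() would accept notexample.com
    return host == domain or host.endswith("." + domain)

def telltale_signs(raw: str, claimed_domain: str) -> list[str]:
    """Return the signs found in one message; claimed_domain is the real domain of the brand it imitates."""
    msg = message_from_string(raw)
    signs = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if display and not on_domain(sender_domain, claimed_domain):  # spoofed display name
        signs.append(f"display name '{display}' but sender domain '{sender_domain}'")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if host in URL_SHORTENERS:  # shortener hides the real destination
            signs.append(f"shortened URL {href}")
        elif shown and shown != host:  # visible URL differs from the real target
            signs.append(f"link text shows {shown} but points to {host}")
        elif host and not on_domain(host, claimed_domain):
            signs.append(f"link to {host} is off the claimed domain")
    text_all = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text_all for w in URGENCY_WORDS):
        signs.append("urgent or alarming wording")
    if any(w in text_all for w in CREDENTIAL_WORDS):
        signs.append("asks for login credentials or sensitive data")
    return signs
```

Calling telltale_signs(SAMPLE_EMAIL, "example.com") reports five signs for the constructed message, while a genuine notice from example.com with an on-domain link reports none; keyword matching like this is a triage aid, not a verdict, so treat the output as a prompt to verify through a known-good channel.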
Phishing Prevention Best Practices
Several preventative measures can help protect an organization from phishing attacks:
- Phishing awareness training — Train staff to watch out for common phishing techniques and threats
- Hover over links — By hovering over a link, you can view the source and determine if the ‘display’ name matches the link
- Avoid sharing personal information on social media — Cybercriminals often scour social media for personal information on a potential target to help ‘legitimize’ the attack by pretending to know the target
- Don’t hit reply — If an email looks suspicious and you wish to verify its authenticity, respond to the sender by creating a new email and typing their email address. Don’t hit reply in case the email has been spoofed
Phishing Protection
- Phishing Awareness Training — By providing employees with security awareness education, organizations can train staff to be suspicious of any email that asks them to provide login credentials or financial information
- Email Security — Since most phishing attacks begin with an email, email security solutions can help stop malicious emails before they reach an intended target
- Anti-phishing Solutions — Anti-phishing solutions can include website and browser protection, anti-phishing toolbars, anti-spam, anti-malware, mobile app security, and social media protection
- Firewalls — On-premise and cloud-based firewalls can help prevent phishing threats from reaching staff
- Multi-factor Authentication (MFA) — MFA offers protection from phishing attacks by helping to prevent a breach if a threat actor has gained access to someone’s credentials
- Principle of least privilege — If a cybercriminal gains access to a user’s credentials, the principle of least privilege can help prevent threat actors from gaining access to sensitive systems and data
Next Steps
Phishing is a common and dangerous threat to businesses. But some basic steps—such as employee security awareness education combined with phishing services—can help alleviate many of the risks associated with a phishing attack. Schedule a security consultation with one of the GuidePoint Security experts to help you evaluate your current solutions and to protect against phishing.