What is Phishing?
Phishing is a form of social engineering: the attacker gains the trust of a victim and then tricks them into divulging personal information or performing an action that would normally raise a red flag. Most commonly, phishers establish that trust by piggybacking on the good reputation of other organizations or groups. Communications often include well known logos or text that encourage the user to:
- trust the source of the communication
- believe the intentions of the communication are genuine and legitimate (e.g. an email stating that the victim's account is locked and that they must click a special link to unlock it)
The social engineering aspect of phishing presents itself in scenarios where phishers appeal directly to a victim’s sympathy or desire to help others. This type of “lure” is demonstrated in emails where the sender explains his/her dire situation and needs assistance.
Most phish rely on creating a sense of urgency or a strong emotional reaction to trick victims into forgoing the due diligence that would otherwise stop them from clicking a suspicious link. Language such as "you must act now" or "click here to prevent child abuse" is tempting to click on. Such wording is a distractor: it keeps the victim from noticing the obvious signs of a phish, such as misspellings in the email or a suspicious domain in the link URL. Fake receipts and invoices are an increasingly effective way to surprise the victim and trigger a knee-jerk click before the link's validity is checked.
Common Types & Techniques
Phishing comes in many forms. The most common is email phishing, in which attackers send emails to potential victims. These emails range from generic (e.g. "Click here to log in to your webmail") to highly customized and directly targeted at an organization (e.g. "Click here to view your receipt for your recent purchase" from a company's website). Spear phishing and whaling are specialized forms of phishing that target a small number of people or a single high-value target, respectively.
Not all phishing is done via email. With the growing use of mobile phones and SMS/text messaging, three further forms of phishing have emerged: voice-based phishing (vishing), SMS-based phishing (smishing), and QR code phishing (quishing). As their names imply, vishing and smishing work like email phishing but arrive by phone: the attacker may leave a voicemail requesting a call back, send a text asking the victim to click a URL, or staff a call center full of attackers hoping the victim answers. Quishing sends the victim a benign-looking QR code in the hope that they will scan it and visit the malicious URL it encodes. All three share the goal of typical phishing: convince the victim to divulge personal information or perform an action that harms them.
Because of the small screen and the absence of a mouse cursor to hover with, mobile devices often truncate or hide parts of a URL. This makes identifying a phishing link harder or impossible, especially when the destination of a "login here" button can only be learned by hovering over it.
A phishing message typically contains a link that takes the victim to a phishing website. To reduce suspicion, phishers often employ the following techniques:
- Obfuscate links using look-alike domains, e.g. banknamee.com or c0mpany.com
- Add the brand name into the URL path or a subdomain of an unrelated domain, e.g. mydomain.com/BankName-login-here/
- Confuse the user with very long links padded with legitimate-looking keywords
- Use legitimate redirectors or URL shorteners so the link itself reveals nothing, e.g. bit.ly/123456 which redirects to mydomain.com/BankName-login-here/
- Hide the real destination behind HTML link text: a link whose visible text reads "login here" (or even shows the bank's real address) while its href points to mydomain.com/BankName-login-here/
- Use domain homoglyphs, characters from different character sets that look alike: bankname.com (legitimate) versus bänkname.com or bånkname.com (both fake, but visually very similar)
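As an added example (not code from this page or from OpSec), the following Python script turns each of the tricks above into a detection check and runs it over a constructed list of links, each given as the real href plus the visible link text. The brand list, redirector list, thresholds and sample links are assumptions; registered-domain extraction keeps only the last two labels of a hostname and ignores the public suffix list, so it would misjudge names such as example.co.uk.

```python
"""Heuristic inspection of the links in a message body.

Added example for the link tricks listed on the page; not code from the page's
author or from any vendor product. PROTECTED_DOMAINS, REDIRECTORS, thresholds
and SAMPLE_LINKS are constructed. registered_domain() keeps only the last two
labels of a hostname (no public suffix list).
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PROTECTED_DOMAINS = {"bankname.com", "company.com"}   # constructed brand domains
REDIRECTORS = {"bit.ly", "t.co", "tinyurl.com"}       # constructed shortener list
MAX_URL_LEN = 120            # assumed threshold for "very long" links
LOOKALIKE_DISTANCE = 2       # assumed edit-distance threshold for typo-squats


@dataclass
class LinkVerdict:
    href: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. login.bankname.com -> bankname.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squats such as banknamee.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host_of(text: str) -> str:
    parts = urlsplit(text if "://" in text else "http://" + text)
    return (parts.hostname or "").lower()


def inspect_link(href: str, anchor_text: str = "") -> LinkVerdict:
    """Apply each listed trick as a check and collect the hits."""
    verdict = LinkVerdict(href)
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)

    # Homoglyphs: a non-ASCII label comes back as punycode (xn--...) from IDNA encoding.
    ascii_host = host.encode("idna").decode("ascii")
    if ascii_host != host:
        verdict.findings.append(f"non-ASCII hostname; punycode form is {ascii_host}")

    # Look-alike domain: within a small edit distance of a protected brand but not equal.
    for brand in PROTECTED_DOMAINS:
        if reg != brand and levenshtein(reg, brand) <= LOOKALIKE_DISTANCE:
            verdict.findings.append(f"look-alike of {brand}: {reg}")

    # Brand name placed in the path or a subdomain of an unrelated domain.
    if reg not in PROTECTED_DOMAINS:
        for brand in PROTECTED_DOMAINS:
            label = brand.split(".")[0]
            if label in host or label in parts.path.lower():
                verdict.findings.append(f"brand keyword '{label}' on unrelated domain {reg}")

    # Redirector/shortener: the link itself says nothing about where it lands.
    if reg in REDIRECTORS:
        verdict.findings.append(f"redirector {reg} hides the final destination")

    # HTML link text that shows one address while the href goes somewhere else.
    shown = anchor_text.strip()
    if shown and "." in shown and " " not in shown:
        shown_host = _host_of(shown)
        if registered_domain(shown_host) != reg:
            verdict.findings.append(f"link text shows {shown_host} but destination is {host}")

    # Very long URLs padded with plausible keywords.
    if len(href) > MAX_URL_LEN:
        verdict.findings.append(f"overly long URL ({len(href)} chars)")

    return verdict


def scan_links(links):
    """links: iterable of (href, anchor_text) pairs; returns one verdict per link, in order."""
    return [inspect_link(href, text) for href, text in links]


# Constructed sample links as (href, visible anchor text); only the first is legitimate.
SAMPLE_LINKS = [
    ("https://bankname.com/login", "bankname.com"),
    ("https://banknamee.com/login", "login here"),
    ("https://c0mpany.com/account", "c0mpany.com"),
    ("https://bit.ly/123456", "login here"),
    ("https://mydomain.com/BankName-login-here/", "https://bankname.com/login"),
    ("https://bänkname.com/login", "bänkname.com"),
    ("https://mydomain.com/" + "secure-" * 20 + "verify", "click here"),
]

if __name__ == "__main__":
    for v in scan_links(SAMPLE_LINKS):
        print("SUSPICIOUS" if v.suspicious else "ok        ", v.href[:60], v.findings)
```

Each finding is only a signal: a redirector or a long URL is not proof of phishing, which is why the verdict keeps the list of reasons rather than a single score, so an analyst (or a downstream rule) can weigh them.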
The Rise of Phishing
Originating in the late 1980s, phishing has continued to grow as new technologies become available to bad actors.
Phishing remains one of the most prevalent initial causes of breaches and of unauthorized access to controlled systems. As more companies and individuals move toward centralized computer systems, those systems become more attractive targets. Since 2000 the number of phishing cases has risen steadily, bringing larger payouts, larger organizations being targeted, and derivatives of phishing gaining popularity.
The most popular derivatives of the classic phishing email, vishing and smishing, have seen a drastic increase in popularity since 2019. They are extremely effective social engineering methods that reach mobile phone users through direct calls or SMS messages. Email-based phishing bait is under increased pressure as spam filters and secure email gateways become smarter and remove emails before they reach the end user. Vishing and smishing, delivered over the mobile phone network, sidestep those filtering systems.
Protection against Phishing
There are many methods that can be utilized to decrease the impact of phishing attacks.
- Because social engineering is at the heart of phishing, vishing, and smishing, educating users to recognize fraud is an important preventive measure.
- Companies may run phishing simulations, sending bait emails that entice employees to click a URL. The click rate shows whether training is working or further training is required.
- Teaching users better email hygiene helps them spot bad inbound emails and avoid sending emails that themselves contain a suspicious-looking link.
Many organizations leverage machine learning and threat intelligence to pre-filter incoming email. This greatly reduces the number of suspicious emails presented to users. Emails that fall into the gray area between good and bad can be quarantined or displayed differently to the user to indicate that extra care should be exercised.
Since a typical phishing site harvests static information such as a username and password, many organizations add a second, dynamic factor: multi-factor authentication (MFA), in which the user must present two or more credentials before they can log in. However, phishing kits have become smarter and can mimic the MFA step of the real login workflow, prompting the victim for the one-time code and relaying it to the genuine site while it is still valid. MFA based on a code the user types in is therefore still phishable; methods that bind the credential to the site's origin, such as FIDO2/WebAuthn security keys and passkeys, resist this relay, because the proof produced on a look-alike site does not verify at the real one.
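To make that last point concrete, here is an added simulation (not code from this page or from OpSec) of a real-time phishing proxy standing between the victim and the real site. The victim's one-time code is real RFC 6238 TOTP; the origin-bound credential is a simplified stand-in for a FIDO2/WebAuthn key that signs the server's challenge together with the origin the browser is actually on, using HMAC with a per-credential secret in place of a public-key signature. The origins, the password and the enrolment step are constructed.

```python
"""Relayed one-time code vs. origin-bound assertion under a phishing proxy.

Added example for the MFA discussion; not the page author's code and not a
model of any specific product. totp() is RFC 6238 (HMAC-SHA1, 30 s step,
6 digits). Authenticator is a simplified WebAuthn-style credential: HMAC over
challenge||origin stands in for a public-key signature. Origins, password and
enrolment are constructed.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://bankname.com"
PHISH_ORIGIN = "https://bankname-login.example"   # constructed look-alike run by the proxy


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Authenticator:
    """Origin-bound credential: the signature covers the origin the browser reports."""
    def __init__(self, cred_secret: bytes):
        self._secret = cred_secret

    def sign(self, challenge: bytes, origin: str) -> bytes:
        return hmac.new(self._secret, challenge + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    """The real site: knows the password, the TOTP seed and the credential secret."""
    def __init__(self, password: str):
        self.password = password
        self.totp_seed = secrets.token_bytes(20)
        self.cred_secret = secrets.token_bytes(32)
        self._pending = set()   # single-use challenges

    def login_totp(self, password: str, code: str, now: int) -> bool:
        # Nothing ties the code to where the user typed it; a relayed code is accepted.
        return password == self.password and hmac.compare_digest(code, totp(self.totp_seed, now))

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._pending.add(c)
        return c

    def login_assertion(self, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self.cred_secret, challenge + claimed_origin.encode(), hashlib.sha256).digest()
        return claimed_origin == REAL_ORIGIN and hmac.compare_digest(signature, expected)


class Victim:
    """Types credentials into whatever page is open; the browser supplies that page's origin."""
    def __init__(self, password: str, totp_seed: bytes, authenticator: Authenticator):
        self.password, self.totp_seed, self.authenticator = password, totp_seed, authenticator

    def enter_credentials(self, now: int):
        return self.password, totp(self.totp_seed, now)

    def use_authenticator(self, challenge: bytes, page_origin: str) -> bytes:
        return self.authenticator.sign(challenge, page_origin)


def enroll(rp: RelyingParty) -> Victim:
    """Constructed enrolment: seed goes to the user's app, credential secret to the key."""
    return Victim(rp.password, rp.totp_seed, Authenticator(rp.cred_secret))


def relay_totp(rp: RelyingParty, victim: Victim, now: int) -> bool:
    """Victim types password and code into PHISH_ORIGIN; the proxy replays them in the same step."""
    password, code = victim.enter_credentials(now)
    return rp.login_totp(password, code, now)


def relay_assertion(rp: RelyingParty, victim: Victim):
    """The proxy fetches a real challenge and has the victim's key sign it on PHISH_ORIGIN."""
    c1 = rp.new_challenge()
    sig1 = victim.use_authenticator(c1, PHISH_ORIGIN)
    lie_about_origin = rp.login_assertion(c1, REAL_ORIGIN, sig1)    # signature covers PHISH_ORIGIN
    c2 = rp.new_challenge()
    sig2 = victim.use_authenticator(c2, PHISH_ORIGIN)
    honest_origin = rp.login_assertion(c2, PHISH_ORIGIN, sig2)      # origin check fails
    return lie_about_origin, honest_origin


def legitimate_assertion(rp: RelyingParty, victim: Victim) -> bool:
    c = rp.new_challenge()
    return rp.login_assertion(c, REAL_ORIGIN, victim.use_authenticator(c, REAL_ORIGIN))


if __name__ == "__main__":
    rp = RelyingParty("hunter2")
    victim = enroll(rp)
    print("relayed TOTP accepted:", relay_totp(rp, victim, now=1_700_000_000))
    print("relayed assertion accepted:", relay_assertion(rp, victim))
    print("legitimate assertion accepted:", legitimate_assertion(rp, victim))
```

The relayed TOTP is accepted because the code carries no information about where it was typed, so the proxy simply forwards it inside the 30-second window. The relayed assertion fails both ways: if the proxy claims the real origin, the signature (which covers the phishing origin) does not verify; if it forwards the origin honestly, the origin check rejects it.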
Blocking and shutting down fraudulent sites and phone numbers
- Since typical phishing messages link to a phishing website, the threat can be neutralized by taking the website down. An individual or company can report a phishing site to the domain registrar or the hosting/network provider, who can perform the takedown.
- Similarly, a vishing or smishing campaign can be stopped by reporting the phone number to the telephone carrier, who can disconnect it.
- Browser vendors can block links to known phishing sites or warn visitors that a site may be dangerous.
- In rare cases legal action is brought against the responsible entities to force fraudulent content to be taken down.