In today’s world, email is one of the most used means of communication. In fact, over 3.8 billion email accounts exist today, around half of the world’s population. If you have an email account, it’s likely that you also receive emails every day. We might receive newsletters we’ve signed up for, updates on deals from our favorite stores, or personal correspondence from friends and family. However, the one email we never want to receive is a phishing scam. Though these emails usually go to our junk folder, sometimes they make their way into our inbox to confuse and frighten us.
What is Phishing?
Phishing, a play on the word “fishing,” is a type of cyber attack . Attackers utilize email to perform this type of attack by throwing out a line via email to “fish” for your private information.
Usually, the instigators of phishing perform the process like this: they create an email that looks like it’s coming from a reputable organization or company and trick the reader into thinking that the company needs something from them. They typically look for credit card information or for the user to click on or download a malicious link or document.
Similar to fraudulent telephone calls soliciting information or money, the goal of phishing is to get some kind of information from you that hackers can use to your disadvantage.
Surprisingly, phishing “kits” are readily available to hackers around the world. These kits are typically found on the dark web and are templates used to emulate prominent companies’ emails.
There are websites that exist to combat phishing, making available to the public commonly received phishing kits so that people can watch out for them. A couple of these are PhishTank and OpenPhish .
What’s even more concerning is the number of phishing kits that exist (that we know of). One study found that there are 62 known kit variants for Microsoft, 14 for PayPal, and 11 for Dropbox.
There are a few steps to creating a phishing kit.
- First, the legitimate website of the company people are using to phish is cloned.
- Second, the login page is altered to include a credential-stealing script.
- Third, modified files are put into a zip file to create the kit.
- Fourth, the kit is uploaded to the fraudulent website, and the files are “unzipped.”
- Finally, fraudulent emails are sent to unsuspecting people with links to the spoofed website.
The good thing is that there are ways to identify where phishing emails come from. Phishing kit analyzers can look at email addresses found in the kits and track actors down. They can even use the “from” part of the email to track multiple kits made by the same creator.
Of course, phishers always use fake names, leaving them virtually unidentifiable except by location, and thus, many successful phishing scams never find the instigator to hold them accountable.
Types of Phishing
Though all phishing has the same ultimate purpose of getting a person’s private information, there are many ways to divide these cyber attacks.
Purpose of the Attack
The first way to divide phishing into categories is by the intent or purpose of the phishing attack. Usually, phishers are trying to get the victim to do one of two things:
Give out private information: This type of phishing message seeks to trick users into giving out their important information. The kind of information they’re looking for varies, but it is commonly usernames and passwords used to get in some sort of important account or system.
The most typical version of this scheme involves receiving an email that looks like it came from a major bank. Scammers send out the message to millions of people, knowing that at least some of them will be members of that bank. The victim is supposed to click on a link that takes them to the spoofed web page of the bank created by hackers and enter their information for the attackers to exploit.
Download malware: Like many spam messages, some hackers send out emails to get the victim to infect their computer with malware.
These messages are often disguised as resumes or other information that certain staff members may need. Once opened, the attachments in the email will infect the victim’s computer with malicious code. The most common type of malicious code is ransomware, with 93% of malware found to be of this type in 2017.
Target of the Attack
Another way to differentiate between types of phishing attacks is by who the phishers are trying to target.
Sometimes, these emails aren’t targeted at all; attackers simply throw out the biggest net possible and hope to catch some information. A company called IronScales studied phishing emails and found that these are the most prominent sites hackers try to emulate:
- PayPal: 22%
- Microsoft: 19%
- Facebook: 15%
- eBay: 6%
- Amazon: 3%
As described before, this is a very common trick performed by phishing hackers: trying to get victims to log into spoofed versions of prominent websites and thus give out their account information for hackers to use.
However, some phishing attacks are directed at very specific people. There are a couple of types of these sort of attacks that we’ve nicknamed according to the fishing theme.
Spear phishing: This type of phishing takes its name from the act of aiming at a very specific fish, as a fisherman does with a spear. Hackers that spear phish often use websites like LinkedIn to get information of employees of a certain company. Then, they send emails to important people such as those in the finance department to get sensitive information such as bank deposit details.
Whaling: This is a form of spear phishing aimed at the “big fish” of companies, CEOs, CFOs, etc. However, many of these types of scams also target people that are still high on the totem pole, but not as important as the chief executives, such as company board members. These scammers often target personal emails of these people and pretend to be their coworkers to get private information about the company or themselves.
Prominent Examples of Phishing
John Podesta: One of the most consequential examples of phishing would be when Hillary Clinton’s campaign chairman accidentally gave his email password to hackers.
In this case, Podesta received an email that appeared to look like someone from Ukraine had gotten the password to his Gmail account. He was directed to a link to change his password, effectively handing it over to hackers.
This demonstrates the ability of phishing to affect even the most secure of email accounts.
University of Kansas: Five employees of the University of Kansas were attacked by hackers in 2016. They gave out their direct deposit information to the attackers, and lost money because of it.
The targets of phishing attacks can effectively be anyone, from your everyday person, to a prominent political figure, to university employees.
Why Phishing Happens
Criminals often take advantage of their environment and circumstances to exploit other people. While we can’t know why exactly people decide to phish for information instead of making a positive impact on the world, we can notice trends in when and why phishing scams occur.
Worldwide crises or even personal problems give criminals and hackers the opportunity to exploit victims by throwing out their phishing bait and hoping for a bite.
In a recent article we wrote for our blog about how to maintain the cybersecurity of remote workers, we talk about an example of how cybercriminals have used the COVID-19 pandemic to scam people through text messages, social media, phone calls, and emails to disclose personal information. According to the 2021 Data Breach Investigations Report by Verizon, Phishing has utilized COVID-19 to pump up its frequency to being present in 36% of breaches, up from 25% last year”.
How to Prevent Becoming a Victim of Phishing
The best way to learn how to identify phishing scams is to familiarize yourself with what these emails look like. You can visit the aforementioned websites that crowd-source phishing kits to learn about how hackers utilize email to attack people.
In addition to getting acquainted with phishing kits and how they work, you can do a number of things to prevent you from becoming a phishing scam statistic:
- Check the spelling of the URLs in emails, and of the email itself. A professional copywriter for email won’t make abundant mistakes as phishers sometimes do.
- Look out for redirects from the original website that take you to the spoofed one
- If you receive a strange email from a friend or family member, contact them directly instead of replying to the email
- Don’t post personal information on the internet for everyone to see, including things like birthdays and vacation plans
As with anything, the first step to preventing being part of a phishing scam is educating yourself on how these attacks work. It’s crucial to remember that phishing is just one of the cybersecurity risks we face. If you’d like to find out how your company is performing and isolate weaknesses in your cyber defenses, schedule a call with us or take our free, self-guided IT Security Risk Assessment .