What is Phishing and How to Spot It

Phishing is the most prominent and pressing cybersecurity issue at the moment, and it has nothing to do with a day out on the lake. What is phishing, and how do we spot it? Attacking a system at the hardware level is a cat-and-mouse game: there are many ways to do it, and vulnerabilities are constantly being patched.

As our technical defenses become more effective, cyber criminals are leveraging weaknesses in human nature to gain access to computer systems.

Phishing Definition: What is Phishing?

Pronounced "fishing", this is the act of crafting carefully worded emails or text messages designed to make the target intentionally reveal credentials in their care.

Whether this is login information, bank account numbers, or miscellaneous forms of security keys, it’s classified as phishing.

Usually, the attacker makes their text or email appear as official-looking as possible, hoping the victim subconsciously accepts it as a legitimate request for information.

The History of Phishing

Back in the earliest days of the internet, on the AOL platform, employees working for AOL routinely asked customers for their login credentials. This became a very convenient attack vector for phishing. Nowadays, banks often warn you, "We never ask for passwords or confidential information", and that warning has historical precedent.

By the early 2000s, this very basic tactic had been over-exploited, so phishers turned their efforts to more lucrative operations, largely centered on phishing for banking credentials and credit card information.

By 2020, almost three quarters of businesses within the U.S. experienced some form of successful phishing attack.

In 2023, likewise, the threat continues to grow. The only effective mechanism to fight phishing is training your employees to identify these threats. Beyond that, our managed endpoint protection services can add another layer of defense by actively identifying these attempts for your staff.

Common Phishing Vectors

There are many ways to orchestrate a phishing attack. Whether it's through a fake email or a fake website, the goal is always the same: to create an official-looking interface that the target will subliminally trust through recognition and authority, and hand credentials over to.

Replicating Known Websites

Attackers create replicas of known and trusted commerce and banking platforms, including eBay, PayPal, major banking institutions, and government agencies. These websites are registered at addresses visually similar to the address they are trying to replicate.

The victim receives a phishing email containing the link to this site and proceeds to enter their real credentials into the fake website.

After this, the attacker can use those credentials on the real website and gain access to the victim's funds.
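As an added example that is not part of the original post, here is a small Python check a mail gateway or security-awareness tool could run on links in incoming email: it flags URLs whose domain merely resembles one of the brands described above (a one-character typo, a different top-level domain, or a brand name buried in a subdomain). The list of expected brand domains is an assumption for illustration.

```python
from urllib.parse import urlparse

# Constructed list of brand domains the organization expects to see (assumption).
KNOWN_DOMAINS = {"paypal.com", "ebay.com", "example-bank.com"}


def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host: a simple approximation of the registrable domain."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """'known' if the link's registrable domain is an expected brand domain,
    'lookalike' if it closely resembles one or embeds a brand name, else 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "known"
    brand_names = {d.split(".")[0] for d in KNOWN_DOMAINS}
    base = domain.split(".")[0]
    # Brand name appearing anywhere in a host that is not the real domain,
    # e.g. paypal.com.secure-login.net or signin.ebay-verify.co
    if any(brand in host for brand in brand_names):
        return "lookalike"
    # Registrable label within one edit of a brand name, e.g. paypa1.com or ebey.com
    if any(edit_distance(base, brand) <= 1 for brand in brand_names):
        return "lookalike"
    return "unknown"
```

A real deployment would use a public-suffix list instead of the two-label approximation and would also normalise Unicode homoglyphs before comparing.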

Email Phishing

Another style of phishing is to stick strictly to the email platform. This usually presents itself as a request for information from a bank or government agency.

Oftentimes the emails pose as password recovery emails and play on the legitimate emails you would get from a trusted service.

This is a very common way to infiltrate an organization, since people are naturally inclined to accept information from official-looking emails. Oftentimes the sending address is spoofed, and the only way to notice the attack is to read the email's metadata.
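The metadata in question is the message header block. As an added example that is not part of the original post, the following Python code parses a constructed sample message and compares the visible From domain with the envelope sender (Return-Path) and the receiving server's SPF and DKIM verdicts recorded in Authentication-Results; all domains in the sample are made up for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): the visible From claims the bank's
# domain, but the envelope sender and the receiving server's checks say otherwise.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay-example.net; dkim=none
From: "Example Bank Security" <alerts@example-bank.com>
To: employee@example.org
Subject: Password reset required
Content-Type: text/plain

Your password has expired. Reset it within 24 hours.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address header value, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_result(header_value: str, method: str) -> str:
    """Extract the verdict (pass, fail, none, ...) for one method from Authentication-Results."""
    for part in header_value.split(";"):
        part = part.strip()
        if part.startswith(method + "="):
            return part[len(method) + 1:].split()[0].lower()
    return "missing"


def check_sender(raw: bytes) -> dict:
    """Flag a message whose From domain disagrees with the envelope sender or fails SPF/DKIM."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "") or ""
    spf, dkim = auth_result(auth, "spf"), auth_result(auth, "dkim")
    reasons = []
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} != From domain {from_domain}")
    if spf != "pass":
        reasons.append(f"spf={spf}")
    if dkim != "pass":
        reasons.append(f"dkim={dkim}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "spf": spf, "dkim": dkim, "suspicious": bool(reasons), "reasons": reasons}
```

A mismatch between From and Return-Path is normal for mailing lists and some bulk senders, so in practice the SPF and DKIM verdicts carry more weight than the domain comparison alone.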

We have managed endpoint protection software which can automatically flag and delete phishing emails.

Common Phishing Techniques

Aside from the common vectors, there are also common phishing techniques. Some of them are very targeted whereas others work by playing on volume.

Spear Phishing

This is a targeted approach which will only be deployed to one person or a specific segment of people. The targets are often chosen because they might have elevated credential privileges within the organization. This is in contrast to mass phishing schemes which can target many individuals in the organization or even across multiple organizations.

The attacker will pretend to be someone of authority, such as the CEO of the employee's company. They could spoof the sending address and say that they need the employee's credentials for whatever reason.

Oftentimes, the hacker uses additional social engineering techniques to coerce the target. This is usually done through a sense of urgency, so that few questions are asked. This combination of trust and urgency will eliminate the victim's potential reluctance.

Whale Phishing

This is a form of spear phishing, but it is specifically geared for the biggest catch possible. This is where an attacker might send a malicious email to the CEO. To make an attack like this work, they are usually very particular, very personal, and even feature undisclosed information to make it seem even more legitimate.

Through these means, the attacker can trick senior employees into completing fraudulent transfers. One such incident happened at Crelan Bank in Belgium, leading to a $75m loss.

Mass Campaign

Just like the name implies, this is the absolute opposite of spear and whale phishing. Mass campaigns operate on volume alone rather than on targeting and specificity.

These attacks try to imitate the communications of a trusted third party. Often, they prompt you to change billing information or to reset your password.

Since the information is harvested in such great volumes, people who fall for such scams might not face the repercussions until much later when the data is verified and sold.

Ambulance Chasing

This technique also plays on people's need to respond to urgency. Rather than using an authority figure to create the urgency, attackers use natural events and disasters, for example by spoofing a fundraising campaign to rebuild a destroyed village or to distribute food to victims of war.

It is common for these to be sent as mass campaigns. However, they can also be targeted.

Pretexting

This technique gets an individual used to the idea of soon receiving a message. Therefore, when they do receive the phishing email, it will seem a lot more legitimate to them.

Pretexting builds up trust without any need for authority. The victim might receive a text or voicemail advising of an incoming email regarding their billing plan.

Now, when the victim does get this phishing email, it will automatically seem more legitimate to them.

Mobile Phishing

With the rapid proliferation of smartphones, mobile phishing is one of the easiest and most accessible ways to get to people. A well-crafted text can hit a target at any given time.

Sometimes known as smishing, this is where attackers use SMS or social media messengers to make targets take quick actions without forethought.

An SMS which supposedly comes from your own bank, advising of suspicious activity, with a well-placed link, will invoke fear.

Man in the Middle

This attack is a lot more sophisticated than the other varieties. The attacker intercepts messages coming from a verified sender, then sends an altered version to the intended recipient.

This way, the attacker can leave the body of the email intact while changing only the links. The message will be trusted automatically and lead the victim down a dark road.

Wi-Fi Twinning

This is a form of attack where the hacker creates a network with the same SSID as the one you normally use. Anyone who connects to this network sends their traffic straight to the hacker.

If you are not using a VPN, they are able to access passwords and other critical information.

How to Report and Defend Against Phishing

If you are having issues with frequent phishing attacks throughout your organization, there are agencies for fraud reporting. In Canada, you can contact the Canadian Anti-Fraud Centre at

https://www.antifraudcentre-centreantifraude.ca/report-signalez-eng.htm

If you want to reduce or eliminate the potential impact of phishing attacks, consider hiring a managed services provider like Livelinx. We can help your organization overcome phishing attempts through endpoint protection and training.

Contact us now for more information.
