Phishing is the crime of tricking people into sharing sensitive information such as passwords and credit card numbers. As with fishing, there is more than one way to catch a victim, but one phishing tactic is by far the most common. Victims receive an email or text message that impersonates (or “spoofs”) a trusted person or organization, such as a coworker, bank, or government office. When the victim opens the email or text message, they find a message designed to scare them, with the fear it instills meant to override their better judgment. The message demands that the victim go to a website and act immediately or face consequences.
If the user takes the bait and clicks the link, they are sent to a website that imitates a legitimate one. There, they are asked to sign in with their username and password. If they are fooled into doing so, the login credentials end up with the attacker, who uses them to steal identities, drain bank accounts, and sell personal information on the black market.
“Phishing is the simplest form of cyberattack and, at the same time, the most dangerous and effective.”
Types of phishing attacks
Despite its many varieties, the common denominator of all phishing attacks is the use of a fraudulent pretext to acquire valuable data. Some main categories include:
Spear phishing
While most phishing campaigns send mass emails to as many people as possible, spear phishing is a targeted attack. Spear phishing targets a specific person or organization, often with content personalized for the victim or victims. It requires pre-attack reconnaissance to discover names, job titles, email addresses, and the like. Attackers search the Internet to match this information with what they have learned about the target’s professional colleagues, along with the names and professional relationships of key employees in the organization. With this, the phishing author creates a credible email.
For example, a fraudster could create a spear phishing attack on an employee whose responsibilities include the ability to authorize payments. The email appears to be from an executive in the organization, requiring the employee to send a substantial payment to the executive or to a company vendor (when in fact the malicious payment link sends it to the attacker).
Spear phishing is a critical threat to businesses (and governments), and it costs a lot of money. According to a 2016 research report on the subject, spear phishing was responsible for 38% of cyber attacks on participating companies in 2015. Additionally, for the US companies involved, the average cost of a spear phishing attack was $1.8 million per incident.
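The executive-impersonation scenario above has a few header-level tells that a mail gateway or a simple triage script can check before anyone reads the message: a display name that belongs to a known executive but an address that does not, a Reply-To that quietly redirects answers elsewhere, and payment or urgency language arriving from outside the organization. The following is an added example, not code from the original article; the internal domain, the executive roster and the three sample messages are constructed for the demonstration.

```python
# Added example (not from the original article): header heuristics for the
# executive-impersonation pattern. The domain, roster and messages are constructed.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
EXECUTIVES = {                    # assumption: constructed roster of name -> real address
    "Dana Ortiz": "dana.ortiz@example.com",
    "Lee Chen": "lee.chen@example.com",
}
PAYMENT_WORDS = ("wire", "payment", "invoice", "transfer", "urgent")


def analyze_message(raw: str) -> list[str]:
    """Return a list of findings for a plain-text RFC 822 message; empty means clean."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. The display name is a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name spoof: '{from_name}' sent from {from_addr}")

    # 2. Reply-To sends answers to a domain that is neither the sender's nor ours.
    if reply_addr and reply_domain not in (from_domain, INTERNAL_DOMAIN):
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 3. External sender combined with payment/urgency wording in subject or body.
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if from_domain != INTERNAL_DOMAIN and hits:
        findings.append(f"external sender with payment language: {hits}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Dana Ortiz <dana.ortiz@examp1e-mail.com>
Reply-To: Dana Ortiz <dana.ortiz@examp1e-mail.com>
To: accounts@example.com
Subject: Urgent vendor payment

Please process the attached invoice today via wire transfer.
"""

REPLY_TO_TRICK = """\
From: Lee Chen <lee.chen@example.com>
Reply-To: lee.chen@mail-example.net
To: accounts@example.com
Subject: Invoice

Send the payment details by replying here.
"""

LEGIT = """\
From: Dana Ortiz <dana.ortiz@example.com>
To: accounts@example.com
Subject: Q3 planning

Can we meet Thursday to go over the budget?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("reply-to", REPLY_TO_TRICK), ("legit", LEGIT)):
        print(label, analyze_message(sample))
```

None of these checks proves an email is malicious on its own; the point is that each one is cheap, needs no content analysis, and catches exactly the mismatch that a busy employee skims past. Pairing them with a second-channel confirmation rule for any payment change (call the executive on a known number) is what actually stops the wire.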
Clone Phishing
In this attack, criminals make a copy, or clone, of a previously sent legitimate email that contains a link or attachment. The phishing artist then substitutes disguised malicious content for the original links or attachments so that the copy passes as the real thing. Unsuspecting users click the link or open the attachment, often allowing the attacker to take control of their systems. The phishing author can then impersonate the victim, posing as a trusted sender to other victims in the same organization.
419/Nigerian Scams
A lengthy phishing email from someone claiming to be a Nigerian prince is one of the oldest scams on the internet. According to Wendy Zamora “The Nigerian prince phishing comes from an individual claiming to be a government official or member of a royal family who needs help transferring millions of dollars from Nigeria. The email is marked as ‘urgent’ or ‘private’ and its sender asks the recipient to provide a bank account number to remit the funds to a secure location.”
In an amusing update on the classic Nigerian phishing template, the British news website Anorak reported in 2016 that it had received an email from one Dr. Bakare Tunde, claiming to be the director of the Astronautics project at the National Agency for Space Research and Development of Nigeria. Dr. Tunde claimed that his cousin, Air Force Commander Abacha Tunde, had been trapped in a former Soviet space station for more than 25 years. But for just $3 million, the Russian space authorities could arrange a flight to bring him home. All the recipients had to do was submit their bank account information to transfer the amount needed, and Dr. Tunde would pay them a commission of $600,000.
Incidentally, the number “419” associated with this scam refers to the section of the Nigerian penal code that deals with fraud and sets out the charges and penalties for offenders.
Phone phishing
With phishing attempts over the phone, sometimes called voice phishing or “vishing,” the phisher calls claiming to represent your local bank, the police, or even the IRS. They then scare you with some sort of problem and insist that you fix it immediately by providing your account information or paying a fine. They usually ask you to pay by bank transfer or with prepaid cards, because those are impossible to trace.
SMS Phishing, or “smishing,” is the evil twin of vishing, which performs the same type of scam (sometimes with an embedded malicious link to click) via SMS text message.
How to identify a phishing attack
Recognizing a phishing attempt isn’t always easy, but a few tips, a little discipline, and some common sense go a long way. Look for anything out of the ordinary. Ask yourself whether the message makes you suspicious. Trust your intuition, but don’t give in to fear: phishing attacks often use fear to cloud your reasoning.
Here are some more signs of a phishing attempt:
- The email makes an offer that seems too good to be true. It could say that you have won the lottery, an expensive prize, or something else of very high value.
- You recognize the sender, but it’s someone you don’t deal with. Even if you know the sender’s name, be suspicious if it’s someone you don’t normally communicate with, especially if the content of the email has nothing to do with your regular job responsibilities. The same applies if you’re copied on an email to people you don’t know at all, or to a group of colleagues from departments you have nothing to do with.
- The message sounds terrifying. Be wary if the email uses alarmist language to create a sense of urgency, urging you to click and “act now” before your account is deleted. Remember, responsible organizations do not ask for personal details over the Internet.
- The message contains unexpected or strange attachments. These attachments may contain malware, ransomware, or some other online threat.
- The message contains links that seem a bit strange. Even if none of the points above raise an alarm, don’t assume that the included hyperlinks lead where they appear to. Instead, hover over the link to see the actual URL. Be especially watchful for subtle misspellings of a familular website name, because they indicate a fake. It is always safer to type the URL directly than to click the embedded link.
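The “hover over the link” advice can be turned into code: collect every anchor in the HTML body, compare the domain the visible text shows with the domain the href actually points to, and compare the target domain against the brands the organization cares about. The following is an added example, not code from the original article; the brand list and the sample HTML are constructed for the demonstration, and the “registered domain” helper is a deliberate simplification that only handles ordinary two-label domains.

```python
# Added example (not from the original article): inspect the links in an HTML
# email body. The brand list and sample HTML below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

KNOWN_BRANDS = ("paypal.com", "example-bank.com", "microsoft.com")  # assumption: constructed


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (simplification, fine for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str) -> list[str]:
    """Return a list of findings about suspicious links; empty means nothing flagged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(f"raw IP address as host: {href}")
            continue
        dom = registered_domain(host)
        # The visible text looks like a URL but its domain differs from the real target.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and registered_domain(shown) != dom:
                findings.append(f"text shows {shown} but link goes to {host}")
        for brand in KNOWN_BRANDS:
            if dom == brand:
                continue  # genuine brand domain or one of its subdomains
            if edit_distance(dom, brand) <= 2:
                findings.append(f"lookalike of {brand}: {host}")
            elif brand.split(".")[0] in host:
                findings.append(f"{brand} name embedded in unrelated host: {host}")
    return findings


# Constructed sample body mixing one safe link with three suspicious ones.
SAMPLE_HTML = """
<p>Your account is on hold. <a href="http://paypa1.com/verify">Verify now</a></p>
<p>Or visit <a href="http://198.51.100.7/login">https://www.example-bank.com/login</a></p>
<p>Help: <a href="https://support.microsoft.com/help">support.microsoft.com</a></p>
<p>Account: <a href="http://paypal.com.account-review.net/">paypal.com</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

The four checks correspond to the four tricks the text warns about: a raw IP where a hostname should be, link text that disagrees with the href, a one-character misspelling of a familiar domain, and a familiar brand name placed in front of an unrelated domain so that it survives a quick glance. A real deployment would replace the two-label domain helper with a public-suffix list and the brand tuple with the organization’s own watch list.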