Phishing is a technique widely used by cyber threat actors to lure potential victims into unknowingly taking harmful actions. This popular attack vector is undoubtedly the most common form of social engineering—the art of manipulating people to give up confidential information— because phishing is simple and effective. Scammers launch thousands of phishing attacks every day, and they’re often successful.In this guide
What is phishing?
In the 1990s, it was common for hackers to be called Phreaks. What passed for hacking in those days was referred to as phreaking. So, the act of using a lure—a more or less authentic-looking email—to catch or trick an unsuspecting computer user adopted the “ph” from phreaking to replace the “f” in fishing and became modern-day phishing.
Today the most common type of fraudulent communication used in a phishing attack is still email, but other forms of communication such as SMS text messages are becoming more frequent. Threat actors use any means they can conceive to get a user to follow a link to an illegitimate webpage and enter their computer or banking system login credentials or download malware.
In a modern phishing attack, a threat actor uses skillful social human interaction to steal or compromise sensitive information about an organization or its computer systems. A recent Egress 2021 Insider Data Breach Survey has revealed that almost three-quarters (73 percent) of organizations have suffered data breaches caused by phishing attacks in the last year.
Phishing scams are often the “tip of the spear” or the first part of an attack to hit a target. The attack may be aimed at stealing login credentials or be designed to trick a user into clicking a link that leads to deploying a payload of malware on the victim’s network. Once one or more users within an organization fall prey to an orchestrated phishing campaign, the attackers will have culled credentials or delivered a malware payload needed to launch their full-scale attack.
There is a wide variety of attack types that begin with a phishing campaign. The hacker’s objective may be to steal credentials and other personally identifiable information (PII) that they can then sell on the dark web, download the malware for a ransomware attack, or steal valuable information as part of an industrial or military espionage campaign.
Nation-states and state-sponsored advanced persistent threat (APT) actors use phishing to gain a presence on the victim’s network to begin privilege escalation that can eventually severely compromise our nation’s critical infrastructure or financial institutions.
Until a few years ago, it was generally pretty easy to spot a phishing email. Users could readily identify a bogus sender address, poor spelling, or a doctored link URL with only a bit of examination. Today scammers are much more clever. Phishing emails can be almost undetectable by the average user.
The various types of phishing attacks
Phishing has become so profitable for bad actors that the methods for attacking various victim types have evolved. Today there are at least four categories of phishing attacks—each with a specific victim type.
In addition to what we might think of as common phishing that is focused on everyday computer and network users, there is spear phishing, whale phishing, and smishing.
Unlike common phishing scams where hackers use a wide-reaching net to reel in the largest possible number of potential victims, spear phishing attacks are more focused. Spear phishing thieves generally target members of a particular group. It could be employees of an aerospace company on which the attackers have set their sights or students, staff, or the faculty of a targeted university.
The success rate of spear phishing is much higher than that of common broadcast phishing but also requires the hackers to invest time and resources into doing some pre-attack research. The more they can learn about their target, the more likely they are to be successful.
When someone receives an email or text message from a name they recognize, and this individual knows details about the victim’s company or personal life, they are more likely to trust the email source.
If, for example, an employee receives an authentic-looking email from what appears to be someone within their company asking them to follow a link and download a document, they are likely to follow those instructions if the details all seem to fit how the company operates. The company’s cyber adversary would have needed to do considerable research before launching the attack, but the results would likely be successful.
Whale phishing is similar to spear phishing, with a few notable differences. While spear phishing is generally aimed at members of a group, whale phishing is focused on a specific individual—usually the “biggest phish” at the target organization or an individual with significant wealth or power that the attackers wish to leverage.
Whale phishing also requires an extraordinary amount of pre-attack research. Attackers can spend months, if not years, learning about and grooming a whale. The ne’er-do-wells will learn everything they can from social media and other public sources about their target. Sometimes criminals spear phish lesser marks to gain additional intelligence about their whale target.
The term smishing derives from SMS phishing. It is phishing that involves a text message rather than email. Victims typically receive a deceptive text message to lure the recipient into providing their personal or financial information. Scammers attempt to disguise themselves as a government agency, bank, or other company to legitimize their claims.
Smishing scammers are generally looking for information about the victim, such as account credentials, credit or debit card numbers and PINs, Social Security number, date of birth, or sensitive health-related information. This information is then used to carry out other crimes, such as financial fraud, against the victim.
Notable phishing attacks
Ukraine power grid cyberattack
In what is considered to be the first successful cyberattack against an electrical power grid, the Ukrainian power grid was knocked offline in a 2015 attack that began with phishing.
That attack, thought to have been launched by a Russian advanced persistent threat group known as Sandworm, was initiated with a spear phishing ruse that dumped a payload of BlackEnergy malware onto the SCADA system that controls Ukraine’s power grid. The resulting distributed denial of service (DDoS) attack left large parts of Ukraine without power for about six hours. More than two months after the attack, power grid control centers were still not fully operational.
Facebook and Google
In one of the most expensive phishing attacks ever, a Lithuanian hacker sent a series of fake invoices designed to look like they came from Quanta Computer—a Taiwanese electronics manufacturer—to Facebook and Google between 2013 and 2015. Both companies regularly did business with Quanta, so the bogus invoices did not appear suspicious, and the invoices were paid.
The hacker targeted specific employees at each firm with spear phishing emails to gain access to their computers and gather the intelligence needed to launch the attack. In all, these tech giants wired over $100 million to the hacker. In an unusual twist to this story, the hacker, Evaldas Rimasauskas, 48, was caught, and some of the funds were recovered.
Reported in 2016, this whale phishing attack targeted a high-level executive at Belgium-based Crelan Bank with instructions to immediately send approximately $75.8 million to an account controlled by the attacker. Details are scarce, but the victim complied with the fraudulent request, and the money was lost.
This flavor of whale phishing or business email compromise (BEC) scam is sometimes called CEO Fraud and is often targeted toward small to mid-sized companies that may not have adequate controls in place to prevent this type of fraud. An Austrian manufacturing company called FACC was hit with a similar attack, losing nearly $60 million.
UC San Diego Health
In July 2021, UC San Diego Health disclosed a data breach after attackers hijacked employee email accounts in a spear phishing attack. The school’s data breach notification page says that unauthorized access is likely to have occurred between December 2, 2020, and April 8, 2021.
In this recent event, the still-unknown attackers could have accessed or acquired patient data, including full names, physical addresses, email addresses, dates of birth, Social Security numbers, government IDs, usernames, and passwords.
It is also possible that healthcare-related information may have been exposed, including laboratory results, medical diagnosis records, and prescription and treatment information.
How to avoid phishing attacks
Phishing emails are designed to spoof a company that potential victims are likely to be familiar with. In low-budget, widely broadcasted scams, attackers will often create an email that appears to be from a major bank or other institution then send the email to hundreds of thousands of email addresses. Only a percentage of the recipients will be customers of the spoofed company, but it cost the hackers nothing to play the numbers game. They know that even if only a small percentage of the recipients are customers and only a tiny fraction of those people fall for the scam, they still come out on top.
Common phishing ploys include stating in an email that they have noticed some suspicious activity or login attempts—telling the potential victim to follow a link in the email to remedy the situation. Most of these low-budget scams are easy to detect. There will be misspellings or language that is not consistent with a business email. The address from which the email is sent can often be identified as not belonging to the company that purports to have sent it.
Low-budget mass email scams are often targeted toward senior citizens who may not know how to detect obvious clues indicating a phishing scam. An example of an easy to detect sender email address is BankofAmerica@gmail.com. To anyone familiar with email address formats and business email practices, it should be evident that Bank of America does not use a Gmail account for customer emails.
More sophisticated spear phishing and whale phishing attempts can be challenging for users to identify. Scammers will devise URLs that look similar to the spoofed company’s legitimate email address, such as firstname.lastname@example.org if they were attempting to persuade victims that the email is from PayPal.
The cardinal rule for avoiding phishing scams is never to click a link in an email unless you are sure the email is from someone you trust. Most companies will not ask their customers to click a link in an email. If a company asks you to interact with them on their website, type the company’s known URL directly into your browser rather than use a link from an email.
Email spam filters are an effective—but not foolproof—tool for protecting against low-budget phishing attacks.
A spam filtering solution integrated with your email platform uses a set of rules to determine which of your incoming messages are spam and which are legitimate. The several types of spam filters include content filters, header filters, blacklist filters, permission filters, and challenge-response filters. Each applies a different set of rules to your incoming emails and can be beneficial in detecting phishing scams.
Cyber threat actors are always finding new and innovative ways to bypass spam filters to trick email or SMS users, enabling them to steal sensitive information or deliver destructive payloads. Beyond spam filters, there are steps that users should take to avoid becoming a victim of a phishing attack.
Use security antivirus and other appropriate security software on all digital devices, including mobile phones, and apply automatic update settings to ensure you have the most current protection.
For all accounts that contain sensitive information, use multi-factor authentication if available. This extra level of protection ensures that even if you fall victim to a credential-culling phishing scam, the bad actors will be unable to access your accounts.
Always backup your data. Phishing is a common prelude to a ransomware attack. You can mitigate the adverse effects of having your data encrypted in a ransomware attack by maintaining a current backup.
Phishing is but a modern twist to any number of age-old ploys to trick people into giving up information that can be used against them. From eavesdropping to mail tampering, criminals have always sought to steal information as a precursor to launching other exploits.
As it has always been, each individual must shoulder the responsibility to protect themselves from trickery and deception. There are software tools, such as spam filters and antivirus software, that can help, but in the end, we must all be ever-diligent and even a little suspicious of email and SMS communications.