Fishing: an act in which bait is used to fool an unsuspecting fish, a fellow earthling of modest intellect, so it can be reeled in and eventually caught.
At first, it was born out of necessity. It is a hunting activity as well as a sport: it provides the hunters with food and the sportsmen with the thrill of the hunt.
Phishing: a quite similar act, where the fish is replaced by another fellow earthling, one of higher intellect but a tad careless, a human.
The catch here is their sensitive information, which results in financial loss or identity theft.
It was born out of ill intentions, complexes and the urge to seek the thrill of the hunt.
It is mainly a hunting activity. It provides the hunters, hackers and phishers in this case, with financial gains and the thrill they seek in order to feel high.
Let’s dig deeper…
What Is Phishing?
Phishing is named after fishing, of which it is also a homophone, because of the similarities between the two acts: bait is used in both cases to catch the prey.
It is the act of conning the victim by communicating in a way that makes the phisher (the person or team doing the phishing) appear to be someone they are not. By pretending to be somebody else, the phisher tries to obtain sensitive information from the victim, and then uses it to get into places they normally could not without that particular information. This is also known as social engineering.
Phishers use special discount offers, warning or alarming messages, rewards and any other attention-grabbing content to take hold of the probable victim’s focus. This acts as bait, pushing the user’s mind to overlook any detail that might make them suspicious, and then coerces them into doing something they shouldn’t: sharing their information.
Imagine someone sending you a message on your mobile device, pretending to be your email provider, asking you to re-enter your credentials since someone else just made a login attempt. Not only will you feel a sense of urgency but also a compulsion. So much so, that you will try the nearest possible access to your email. What if the message has a link for you to follow to your login page?
You may end up following that link. Someone with access to your email has access to all the information available on your account. You just took the bait.
Now consider someone finding out your personal information, your birthday or your social security number, to an extent that they can impersonate you over a call to a financial institution. A lot of things can go wrong.
Phishing is one of the top cybercrimes. The rapid growth of the mobile user market has made it a huge target in the eyes of phishers. Given that mobile screens are much smaller than monitors, and that phishing is based on playing with human psychology, mobile users are more likely to fall victim to a phishing attack. The reasons vary, but they are mostly these:
- Mobile users are almost always online.
- They respond to message/email alerts frequently.
- The false sense of urgency is always on… you are always a button away.
- Users almost always have instant access to their mobile device compared to their computers.
- It is easier to misread/confuse small print on a small screen.
- Browsers act and display information in a different way on mobile devices.
Since it is based on fooling human nature, our behavior plays a huge role in the effectiveness of a phishing attack. A user’s behavior is a combination of the application’s behavior on a particular device and the user’s own habits. Perhaps this is why the success rate of phishing attacks varies between different types of mobile users, ranking alarmingly high for Apple users: depending on the device they use, these are essentially different types of people.
Phishing is not a new thing. The technique can be dated back to the 1980s, with its name first mentioned in the 1990s. With the internet, came the phishers, trying to con their way into our banks.
Now, it is high time we found out how to secure ourselves from it.
How Does It All Start
Phishing is a cyberattack based more on fooling human nature than using technology as an aid. It is based on communication, and this is why any kind of phishing attack starts off by way of communication.
Initially, it was through email. As the modes of communication grew beyond email, so did the ways of initiating phishing. Now, the different types of phishing are categorized by how they are initiated as well as their target audience.
1. Deceptive Phishing
The oldest, most common and most effective of all types of phishing attack is deceptive phishing. It starts with an email sent to the victim by someone pretending to be a legitimate company. Its content uses a sense of urgency to bait the victims into clicking malicious links within the same email.
The phishers also create clone websites which mimic the original ones appearance-wise. This tricks the victims into sharing their credentials or other information.
2. Spear Phishing
Where a deceptive phishing attack may appear a bit generic in its content, a spear phishing attack is essentially the same attack with personalized information. The phishers research their target and use their name, address, education or other details to customize their message. This in turn tricks the victim into thinking that they are in some way connected with the sender, luring them into a false sense of security.
Spear phishing is usually used as a starting point to make an entry into an organization and gain access to large amounts of data.
3. Whaling
Whaling is when the phishers go after the bigwigs or CEOs of a company. Following the logic that CEOs have the most influence over a company’s data, gaining their level of access to information results in larger gains for phishers. Consider having the power to authorize huge financial transactions.
Contrary to popular belief, whaling is quite effective, as most senior executives usually do not participate in training programs. They also aren’t very tech savvy, with the exception of the percentage of CEOs with a tech background.
4. Pharming
Pharming is the next step of evolution in the world of phishing. It is when there is no need for the phisher to lure the victim into clicking a wrong link. Even if the victim types in the right address, they are taken to a website of the phisher’s choice.
Pharming is done by corrupting the DNS table on the DNS servers. The DNS table is where the human-readable names are matched against the numeric IP addresses of websites. When the phishers get access to it, they can write any IP address they want against any website name. Typing google.com, for example, may open yahoo.com.
Identifying and avoiding such an attack is extremely difficult. Defending against it requires a proper security protocol which takes care of the hardware as well as the software.
5. SMiShing
When a phishing attack is initiated by an SMS message, it is called SMiShing. At the beginning of the mobile age, phishers used to send SMS messages to get the victims to call them or reply to them with sensitive information. Now, with increased connectivity, they use short links in the messages to be more effective.
6. ViShing
ViShing is initiated either by a voicemail or by a VoIP call. The attack begins when the phisher leaves a voice message and tries to get the victim to call back on a VoIP number. Once the victim does that, they are tricked into thinking that they have reached a valid company’s support department, and are then scammed into revealing their personal information.
This can also be initiated by bringing the victim to a seemingly legitimate website where a chat window starts a voice chat with a fake agent.
Smartphone apps can play a huge role as well. Imagine an app that intercepts your outgoing and incoming calls and routes particular ones to phishers. When your bank calls you, the call is taken by a phisher who misleads them, and when you call your bank, you are connected to one as well.
7. And Finally—Social Media Phishing
Any attack initiated by today’s social media applications falls under this category. This can be an attack where the medium is Twitter, Facebook Messenger, Google Docs or Dropbox.
What makes the phishers use these mediums is their particular attributes. Dropbox, for example, is a huge storage hub of data where people store and share everything from their personal photos to their professional project files.
The ever-growing popularity of social media means that customer services have found unorthodox ways of connecting with customers. Imagine reaching out to your bank and then getting a comment from someone pretending to be customer support. You may be tempted to give up your banking information.
Furthermore, the luxury of having free apps has made us overlook the dangers they pose. The free app business model has made pop-up ads slip under our radar. These ads can be the links phishers want us to click, or the apps themselves may be part of malware we unknowingly install, exposing us to threats.
These phishing apps are a continuous threat. This is why it is extremely important to download apps from a genuine source or legitimate app stores like the Google Play Store or the Apple App Store. These app marketplaces continuously monitor the quality and legitimacy of the apps they host.
Warning Signs of a Phishing Attack
Knowing the types of phishing attacks will make it easier for us to consciously and then subconsciously look for some signs that would trigger a defense response in our brain, eventually helping us avoid the attack.
Since a phishing attack is initiated through the form of a message, look out for the following parts of the message.
1. The “From” Part
Whether it is an email, a message on Facebook Messenger, a WhatsApp message or a Twitter handle, check carefully who it is from.
Check the following:
- Do I really know this person?
- Does the person I know have THIS particular address/handle/number?
- Does the domain name of the address seem a bit off? E.g., @arnericanews.net instead of @americannews.net?
- I don’t usually communicate with this person. Why now?
- It’s an unfamiliar person with attachments and unknown links in their email. Should I really click them?
- This voice message is from someone I haven’t heard from before; is their number a legitimate number to the bank?
These are the signs you can pick up from the “From” part of the message, simply by focusing a bit on its authenticity.
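The look-alike domain in the list above (@arnericanews.net standing in for @americannews.net) can be caught mechanically as well as by eye. The following is an added example, not code from the article: it folds a sender's domain to the shape a hurried reader perceives (dropping non-ASCII look-alike letters, mapping digits back to the letters they mimic, merging “rn” into “m”) and then compares it with a list of domains the mailbox is known to hear from. The trusted-domain list, the confusable tables and the distance threshold are all assumptions chosen for the example.

```python
import unicodedata

# Constructed sample: domains this mailbox legitimately receives mail from
# (hypothetical list for the example, not something the article supplies).
TRUSTED_DOMAINS = ["americannews.net", "skechers.com", "racemods.com"]

# Letter pairs that read as one letter in a proportional font ("rn" looks like "m").
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}

# Digits commonly substituted for the letters they resemble.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold_domain(domain):
    """Reduce a domain to the shape a hurried reader perceives on a small screen.

    Non-ASCII look-alike letters (e.g. Cyrillic 'а') are dropped, digits that
    mimic letters are mapped back, and confusable letter pairs are merged.
    """
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    folded = folded.translate(CONFUSABLE_CHARS)
    for pair, letter in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, letter)
    return folded


def edit_distance(a, b):
    """Plain Levenshtein distance (insertions, deletions, substitutions)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # drop ca
                               current[j - 1] + 1,              # add cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted' for an exact match, 'lookalike' for a domain that
    folds to, or sits within max_distance edits of, a trusted domain, and
    'unknown' otherwise. 'unknown' is not a verdict of malice, only a note
    that this is nobody the mailbox normally hears from.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted", domain
    folded = fold_domain(domain)
    for candidate in trusted:
        folded_candidate = fold_domain(candidate)
        if folded == folded_candidate or edit_distance(folded, folded_candidate) <= max_distance:
            return "lookalike", candidate
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders, including the article's own look-alike spellings.
    for sender in ["news@americannews.net", "alerts@arnericanews.net",
                   "sales@racernods.com", "deals@sketcher.com", "friend@outlook.com"]:
        print(sender, "->", classify_sender(sender))
```

The folding step matters more than the edit distance: “arnericanews.net” is three edits away from the real domain as typed, but only one once “rn” has been read as “m”, which is exactly what the eye does on a small screen.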
2. The “To” Part
If the message sent to you is not personally addressed to you, see if the “To” part contains any other people you know.
- Are the names included in the “To” part members of a group you know?
- Do you know them personally?
- Is it an unusual mix of people?
- The message doesn’t address you by your name. Do they really know you?
3. The Links
If you are on a computer, it is rather easy: you can simply hover over the link to see where it actually leads. This is also true for Samsung Galaxy Note devices and Apple devices supporting the Apple Pencil. However, if you are on a mobile device, you are a bit blind. So do look out for…
- Short URL links. You never know where they take you.
- Messages filled with links having no other information.
- Long hyperlinks which have no context to the content of the message.
- Spelling mistakes in URLs. E.g., sketcher.com instead of skechers.com or racernods.com instead of racemods.com.
4. URL Padding
Even if everything else checks out and you find yourself following a seemingly legitimate link, make sure to look out for a run of extra hyphens (“-”) right after the link.
It is technically a misspelled link which is made to look like a legitimate one using different symbols.
This technique takes advantage of the small screens of mobiles to hide the complete address from the victim’s eyes and shows them only a subdomain which is spelled like a legitimate domain. The rest of the domain sits further to the right in the address bar, hidden from the victim’s eyes.
You can, however, select the address, copy and paste it somewhere other than the address bar to view it completely. Once you have done that, it is easy for you to judge whether the address is proper or not.
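Copying the address out of the bar is the manual version of the check; the added example below (not code from the article) does the same thing programmatically. It parses the full URL, reports which part of the host a narrow address bar would show, and works out the domain that was actually registered, which for a padded link is never the brand name at the front. The padded link, the “screen width” of 24 characters and the five-hyphen threshold are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for the example: roughly how many characters of the host a narrow
# mobile address bar shows before the rest scrolls out of view.
VISIBLE_CHARS = 24

# Constructed padded link: the brand name sits in a subdomain label and the
# hyphens push the real domain (phishing-sample.example) out of view.
PADDED_URL = "https://accounts.google.com------------------------verify.phishing-sample.example/signin"
GENUINE_URL = "https://accounts.google.com/signin"


def registrable_domain(host):
    """Return the last two labels of a host, i.e. the part someone actually registered.

    Simplification for the example: multi-label public suffixes such as co.uk
    are not handled; a production check would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_url(url, expected_domain, visible_chars=VISIBLE_CHARS, padding_threshold=5):
    """Describe where a link really leads and whether it belongs to expected_domain."""
    host = urlsplit(url).hostname or ""
    registered = registrable_domain(host)
    longest_hyphen_run = max((len(run) for run in re.findall(r"-+", host)), default=0)
    return {
        "host": host,
        # What the victim sees: the front of the host, which looks like the brand.
        "visible_prefix": host[:visible_chars],
        # What matters: the domain that was registered, at the far right.
        "registered_domain": registered,
        "longest_hyphen_run": longest_hyphen_run,
        # Long hyphen runs serve no purpose except pushing the real domain off-screen.
        "padded": longest_hyphen_run >= padding_threshold,
        "matches_expected": registered == expected_domain.lower(),
    }


if __name__ == "__main__":
    for url in (PADDED_URL, GENUINE_URL):
        result = analyse_url(url, "google.com")
        print(result["visible_prefix"], "->", result["registered_domain"],
              "| padded:", result["padded"], "| genuine:", result["matches_expected"])
```

The two fields to compare are `visible_prefix` and `registered_domain`: on the padded link they disagree, which is the whole trick.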
5. Time and Date
Consider the person or entity this message is coming from. Is this a normal time or date for them to send you a message?
This can be:
- A message from your office on off-duty hours.
- A message from an organization on their off day.
6. The Subject
If the message is an email, check whether the subject is relevant to the content of the message.
Sometimes phishers use a subject which makes it look like a reply to an email sent by you. Check whether it is about something you never contacted them (the company they pretend to be) about.
7. Attachments
Check whether the message has an attachment.
The only safe form of attachment is a text file attachment.
If it is anything else, see if it is…
- Relevant to the context of the content.
- A file or file type that you were previously accepting from the sender.
8. The Body Content
Glance over the content in the body of the email and check for signs of:
- An offer which is too good to be true.
- Spelling or grammar mistakes, considering the message is supposedly coming from a reputable organization.
- A short time limit to act, implying urgency.
- An urge for opening the attachment.
- An invitation to click on a link to find out something beneficial or to avoid a negative outcome.
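Several of the signs listed in the sections above (a reply address that differs from the sender, a hidden recipient list, a “Re:” subject with no thread behind it, urgency language, a non-text attachment) live in the message headers and structure and can be checked before a human ever reads the body. The block below is an added example, not part of the article: it parses a constructed raw email with Python's standard `email` package and returns a list of the warning signs it finds. The sample messages and the urgency phrase list are constructed for the example; the check that treats any non-`.txt` attachment as suspicious follows the article's own rule.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed list of phrases that manufacture urgency.
URGENCY_PHRASES = ["immediately", "within 24 hours", "will be suspended",
                   "will be closed", "act now", "verify your account"]

# Constructed sample message showing several warning signs at once.
PHISHING_EMAIL = """\
From: "Account Security" <security@arnericanews.net>
Reply-To: verify@mail-check.example
To: undisclosed-recipients:;
Subject: Re: Your account will be suspended in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer, we detected a login atempt. Verify immediately or your account
will be closed within 24 hours. Open the attached form to confirm your details.
--b1
Content-Type: application/octet-stream; name="verification_form.docm"
Content-Disposition: attachment; filename="verification_form.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed ordinary message with none of the signs.
BENIGN_EMAIL = """\
From: Alice <alice@americannews.net>
To: Bob <bob@americannews.net>
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Friday? Let me know.
"""


def _domain(header_value):
    """Domain part of the first address in a header value."""
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def triage(raw_message):
    """Return a list of warning-sign tags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sender: a Reply-To outside the From domain sends replies to a mailbox
    # the apparent sender does not control.
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        findings.append("reply-to-mismatch")

    # Recipients: a hidden recipient list means the message is not really "to you".
    if "undisclosed" in str(msg.get("To", "")).lower():
        findings.append("undisclosed-recipients")

    # Subject: looks like a reply, but there is no thread to reply to.
    subject = str(msg.get("Subject", ""))
    if re.match(r"(?i)^\s*(re|fwd?)\s*:", subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("fake-reply-subject")

    # Body: urgency language in the subject or the text.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part else ""
    haystack = " ".join((subject + " " + text).split()).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in haystack:
            findings.append("urgency:" + phrase)

    # Attachments: per the article, anything other than a plain text file deserves a second look.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if os.path.splitext(name)[1].lower() != ".txt":
            findings.append("attachment:" + name)
    return findings


if __name__ == "__main__":
    print("phishing sample:", triage(PHISHING_EMAIL))
    print("benign sample:  ", triage(BENIGN_EMAIL))
```

None of these tags proves a message is malicious on its own; the value is that a message collecting several of them at once can be held back or flagged before the “urgency” in its body gets a chance to work on the reader.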
This relates to behavior more than anything else. You need to train yourself to be a good judge of the sender’s behavior to catch this.
9. The Lock Symbol
Be advised that you should avoid clicking on the link inside the message if you have determined it to be suspicious following the above suggestions.
But if you did happen to click on the link, note whether or not the website you are taken to shows a lock symbol in the address bar of your browser. The lock symbol means that the site you are taken to is using an SSL certificate.
It has been discovered, though, that phishing sites also often use SSL certificates. Some even go as far as hosting their phishing site on the very platform they are trying to phish, Google, protected by SSL. Still, a lot of phishing websites do not use it.
Make sure that the site has the lock symbol and an SSL certificate. Having one isn’t a sign of complete security; however, not having one IS a sign of complete insecurity.
Finally, It Comes down to Training & Instilling Behavioral Changes
Summing everything up, it all comes down to how cautious and knowledgeable someone is about scamming techniques. Regularly updating yourself on the latest threats and staying trained on how to avoid them also helps.
What is required, however, is a change in outlook towards how one approaches incoming messages about unexpected situations.
The training should not only consist of which phishing techniques are used but also of how to control one’s reactions. This training should be given across the board, not excluding executives higher up in the hierarchy.
In a world where not even the biggest tech giants are safe from phishing attacks, this is the least we should do.