A Guide to Phishing and Keeping your Information Protected

Dear reader, you must click this link ASAP to apply urgent security updates.

Sound familiar? Chances are, if you have an email account, you’ve seen your share of messages just like this. Demanding you follow links, click attachments or even hand over your passwords; phishing emails have been around just about as long as the internet and has developed along with it. What does phishing mean in computer terms? Read on to find out.

As an inexpensive and massively scalable method of scamming users, phishing attacks have become one of the most common cybercrimes and contribute significantly to fraud cases across the globe. It’s estimated that around 90% of all organisations worldwide experienced targeted phishing attacks last year, with those being successfully breached often having to hand over huge sums of money – frequently to no avail.

Having pondered what does phishing mean in computer terms, regardless of whether you are an individual or a part of an organisations, with both the increased frequency and sophistication of this type of attack, it’s always a good time to begin learning about phishing attacks and how to protect yourself against online scammers.

What Does Phishing Mean in Computer Terms?

In it’s most basic form, phishing attacks are a form of communication that seek to trick the recipient into handing over information, such as passwords or credentials, or to prompt as user into taking an action that will aid the attacker in meeting their objectives, for example granting network access or making a bank transfer.

There are plenty of different types of information security attack, though amongst these nefarious methods, phishing attacks are shockingly common across the world and in all types of industry. The word ‘phishing’ coming from the analogy of the fisherman casting out a line and bait and simply waiting for their catch.

Though the most common form of phishing attack is email, the same methods can also be applied to different forms of communications, as well as frequently employing other elements or layers to assist in extracting sensitive information from targets, a topic which will be further examined later.

As previously mentioned, the cost of sending out millions of emails is effectively zero and potentially takes very little time, making this mode of attack especially appealing to opportunistic scammers. Much like actual fishing, by casting a wide net, phishing attacks only require a tiny fraction of their communications to be effective in order to ensure some success.

Background and History of Phishing

Though the exact history of ‘phishing’ is hazy, the practice is though to have originated largely in the early 1990s within chatrooms. Online communities, such as the AOL chatrooms became a training ground for online scammers to hone their skills, often pretending to be official moderators or AOL staff in order to fool unsuspecting users out of their credit card info.

As email became more common, criminals quickly progressed to email-based attack. With little means of tracking down these crooks, groups and online gangs also began registering domains like that of official and recognisable organisations to further bolster their deception.

Having given rise to the stereotypical ‘Nigerian Prince’, this era of phishing progressed with its target audience. As the general public became savvier, so did the scammers, and though there are still plenty of very basic scams tricking people out of their info, now even some experts can be duped.

Phishing Facts

94% of malware was delivered by email

Malware is a category of software that essentially describes anything designed to extract information or cause harm. Malicious software can include spyware (information collection), ransomware (encrypts your files and demands payment to decrypt) and adware (constant redirection to advertisements).

Typically delivered via email attachments, the consequences of this form of phishing attack have ranged from massive disruption to the UK National Health Service, effectively shutting down a currency exchange all the way to destroying a nuclear enrichment facility.

77% of all UK workers have never received any form of information security training from their employer

Despite the seriousness with which many businesses like to appear to approach information security, the reality that only 33% of UK workers have received any training in this area in the last twelve months, points to a serious flaw existing in sectors across the UK economy.

Much can be done to invest in infrastructure and technological security solutions, and this is indeed an integral part of information security, though without the essential training, many of these measures will fall short.

By enabling staff to defend against threats such as phishing, not only protects your organisation and makes technological security investments worthwhile, but it also provides individuals with skills that can be transferred into their personal lives whilst also contributing to an information security aware culture.

60% of small businesses are closing their doors within six months of an attack

It’s easy for both individuals and organisations to underestimate the impact of an information security incident or breach. The fact is, costs incurring from an attack is only one of the ways in which phishing attacks impact an organisation, with lost time and revenue and reputational damage often not as seriously appreciated.

Though the loss of funds can obviously be greatly problematic, the cumulative effect and loss of consumer trust can spell the end of an organisation; a sad reality that is especially true for SMEs whose names can be forever tainted by the public knowledge of a cyber victimhood.

More than two-thirds (68%) of all phishing sites use SSL protection

An authentic SSL (Secure Sockets Layer) certificate should ensure several things, firstly that a web address displays as HTTPS rather than HTTP, which should authenticate that not only is the website is genuine, but also that information being exchanged with the address is encrypted and thus protected against eavesdropping.

Though it’s undeniably a helpful suggestion that users look out for HTTPS and avoid those without SSL protection, it can now no longer be reasonably suggested that this is a good indication of a safe and trustworthy address.

Phishing websites, inauthentic pages designed only to capture sensitive information, are able to gain SSL certification in a number of suspect ways. Understanding that users have become use to trusting HTTPS addresses, scammers have been greatly incentivised to directly erode the earned trust in this method of authentication.

How Phishing Actually Works?

There are plenty of methods of manipulation that are frequently employed by attackers, about which all users should be aware. Though these methods will vary in terms of complexity and effectiveness, the following are some of the easiest to identify and most important to understand in mitigating information security risk.

Address

Firstly, your first method of identifying the authenticity of communications should be the senders address. The most overt and easily detected of phishing emails use gibberish or non-sensical addresses, though more sophisticated scammers use simple yet subtle tricks to disguise an emails criminal purpose.

By switching visually similar or easily confused characters, attackers may fool even the most security conscious users in a hurry.  A phishing address may, for instance, substitute an ‘I’ for a ‘1’ or even an ‘m’ for an ‘rn’.

An address may also include an expected or familiar domain/company name within the incorrect part of the address. Consider for a moment, how it may be possible to accidentally confuse shipment-tracking-amazon@gmail.co.uk for shipment-tracking@amazon.co.uk; one being perfectly legitimate and the other highly suspicious.

Urgency

Many phishing attacks attempt to rush a recipient into making rash decisions. By including ‘ASAP’ or ‘URGENT’, often capitalised, scammers try to minimise the amount of time between seeing an instruction and the user taking action. As well as this, these instructions will often attempt to appear to come from senior members of staff, as to add authority to these supposedly time-sensitive requests.

Though you will undoubtedly receive legitimate time-sensitive correspondence, whenever particularly consequential actions are being requested, the time should be taken to confirm authenticity through another line of communication, such as over the phone or in person.

Attachments

It is entirely possible that in your role you frequently send and receive files in the form of email attachments. Opening files is a requirement for many businesses, yet it is through email attachments that many malware attacks are enabled. Given the significant information security risk that attachments potentially pose, it is vital that staff understand best practices and the threats involved.

Like email addresses, staff should pay attention to naming, and non-sensical file names should be either avoided or treated with a level of suspicion. File type should likewise be closely inspected and any files ending in .exe or a file type you don’t recognise should be treated with extreme caution. Attackers may even try and obfuscate a file type by inserting a more secure or ‘trustworthy’ file type into the name, of instance ‘pdf.exe.’

Links

Likely the most frequent technique phishers utilise to extract sensitive information are nefarious and inauthentic links. Emails will often contain company logos, spoofed addresses, and links that appear to lead you to a legitimate login page for popular organisations for which you likely have an account.

Scammers and phishers go to great lengths to build extremely convincing pages that mimic popular HTMLs. Designed only to capture sensitive information, once a link is clicked, it can be difficult even for the most vigilant of users to tell the difference (especially via mobile browsers where HTML addresses are truncated).

For this reason, before any link is followed the address should be inspected by either hovering over the link with your cursor, or on most mobile devices, by holding down on the link without release. If the link does not point to an address that you recognise or expect, the link is likely best avoided.

Other Types of Phishing

Spear Phishing and CEO Fraud

As the name suggests, spear phishing (a form of CEO Fraud) is a more targeted form of plain old phishing. Rather than using the ‘cast a wide net’ approach to online scams, spear phishers often use a far more calculated and personalised approach to their criminal enterprise.

Frequently assuming the identity of a senior member of staff, such as a CEO, a spear phishing attack will often exploit compliance to authority as a means to an end. Spear phishes can also lurk undetected for extended periods of times, laying in wait for the perfect moment to strike.

When email accounts and networks become compromised, sophisticated attackers will gather information, take the time to understand an organisations structure and the channels of communication within. Every year, this form of attack costs businesses hundreds of millions, often through intercepted communications relating to bank transfers.

Though authority within organisations should be respected, users responsible for making transfers of funds are highly likely to be targeted by phishers and as a result, should always seek to exhaustively confirm through means other than just email.

Vishing

A portmanteau of Voice and Phishing, Vishing is a phone based approached to this popular email scam. Vishing can be the only component of an attack, or simply one part of a multi-layer ploy.

Though the above advice proscribed that multiple modes of confirmation should be used prior to an action being taken, it is not impossible that contact information contained within a fraudulent email also leads back to the scammer.

If, for example, you’ve never heard the voice of the CFO who should confirm the large payment you’re about to make, and you don’t take the time to confirm the number of said CFO, it’s not unimaginable a scammer could seem as convincing over the phone as they do in the initial email. That’s why channels of verification, should also be verified as authentic themselves.

Smishing

This time a combination of SMS and Phishing, smishing is unsurprisingly a text message form of a phishing attack. Again, this can be a part or the whole of an attack, though frequently instructs recipients to follow links to suspicious addresses.

These messages may disguise themselves as confirmations, bank warnings or even attempts to lure you in by offering a link to cease bothersome communications. By responding to these messages, or following a link, you’re not only exposing yourself to malicious software, but also confirming that a potentially randomly generated phone number, is indeed active.

Preventing Phishing

Beyond the previously mentioned common elements, there are plenty of measures that can be taken to help mitigate the cyber security threat of phishing emails. Among the technological solutions, spam filters that use machine learning and natural language processes are the first hurdle upon which any organisation would hope phishing attacks falter. Beyond this point it is largely up to human judgement to avoid a breach or incident.

No matter the mode of delivery, all forms of phishing attack rely on one critical weakness; human error. Attackers rely on common forms of negligence, a lack of vigilance and a lack of awareness, all of which are reliably present in any workplace.

Information Security Awareness Training

Information security awareness training can do a great deal to help mitigate these risks. Enabling a staff to understand, appreciate and be permanently vigilant towards phishing and other threats is the objective of any organisation truly wise to the dangers of an insecure culture.

What Does Phishing Mean in Computer Terms? With classes, online tutorials, workplace events and simulated phishing campaigns, your organisation can not only better understand the threats to which you are susceptible, but also take the steps to fix your weaknesses and ensure the security of your information.