Phishing Basics
A Guide to Phishing and Keeping your Information Protected
Dear reader, you must click this link ASAP to apply urgent security updates.
Sound familiar? Chances are, if you have an email account, you've seen your share of messages just like this. Demanding you follow links, click attachments, or even hand over your passwords; phishing emails have been around just about as long as the internet and have developed along with it. What does phishing mean in computer terms? Read on to find out.
As an inexpensive and massively scalable method of scamming users, phishing attacks have become one of the most common cybercrimes and contribute significantly to fraud cases across the globe. It's estimated that around 90% of all organizations worldwide experienced targeted phishing attacks last year, with those being successfully breached often having to hand over huge sums of money -- frequently to no avail.
Having pondered what does phishing mean in computer terms, regardless of whether you are an individual or a part of an organization, with both the increased frequency and sophistication of this type of attack, it's always a good time to begin learning about phishing attacks and how to protect yourself against online scammers.
What Does Phishing Mean in Computer Terms?
In its most basic form, phishing attacks are a form of communication that seek to trick the recipient into handing over information, such as passwords or credentials, or to prompt a user into taking an action that will aid the attacker in meeting their objectives, for example granting network access or making a bank transfer.
There are plenty of different types of information security attack, though amongst these nefarious methods, phishing attacks are shockingly common across the world and in all types of industry. The word 'phishing' coming from the analogy of the fisherman casting out a line and bait and simply waiting for their catch.
Though the most common form of phishing attack is email, the same methods can also be applied to different forms of communications, as well as frequently employing other elements or layers to assist in extracting sensitive information from targets, a topic which will be further examined later.
As previously mentioned, the cost of sending out millions of emails is effectively zero and potentially takes very little time, making this mode of attack especially appealing to opportunistic scammers. Much like actual fishing, by casting a wide net, phishing attacks only require a tiny fraction of their communications to be effective in order to ensure some success.
Background and History of Phishing
Though the exact history of 'phishing' is hazy, the practice is thought to have originated largely in the early 1990s within chatrooms. Online communities, such as the AOL chatrooms, became a training ground for online scammers to hone their skills, often pretending to be official moderators or AOL staff in order to fool unsuspecting users out of their credit card info.
As email became more common, criminals quickly progressed to email-based attacks. With little means of tracking down these crooks, groups and online gangs also began registering domains like that of official and recognizable organizations to further bolster their deception.
Having given rise to the stereotypical 'Nigerian Prince', this era of phishing progressed with its target audience. As the general public became savvier, so did the scammers, and though there are still plenty of very basic scams tricking people out of their info, now even some experts can be duped.
Phishing Facts
94% of malware was delivered by email
Malware is a category of software that essentially describes anything designed to extract information or cause harm. Malicious software can include spyware (information collection), ransomware (encrypts your files and demands payment to decrypt), and adware (constant redirection to advertisements).
Typically delivered via email attachments, the consequences of this form of phishing attack have ranged from massive disruption to the UK National Health Service, effectively shutting down a currency exchange all the way to destroying a nuclear enrichment facility.
77% of all UK workers have never received any form of information security training from their employer
Despite the seriousness with which many businesses like to appear to approach information security, the reality that only 33% of UK workers have received any training in this area in the last twelve months points to a serious flaw existing in sectors across the UK economy.
Much can be done to invest in infrastructure and technological security solutions, and this is indeed an integral part of information security, though without the essential training, many of these measures will fall short.
By enabling staff to defend against threats such as phishing, not only protects your organization and makes technological security investments worthwhile, but it also provides individuals with skills that can be transferred into their personal lives while also contributing to an information security aware culture.
60% of small businesses are closing their doors within six months of an attack
It's easy for both individuals and organizations to underestimate the impact of an information security incident or breach. The fact is, costs incurred from an attack are only one of the ways in which phishing attacks impact an organization, with lost time and revenue and reputational damage often not as seriously appreciated.
Though the loss of funds can obviously be greatly problematic, the cumulative effect and loss of consumer trust can spell the end of an organization; a sad reality that is especially true for SMEs whose names can be forever tainted by the public knowledge of a cyber victimhood.
More than two-thirds (68%) of all phishing sites use SSL protection
An authentic SSL (Secure Sockets Layer) certificate should ensure several things, firstly that a web address displays as HTTPS rather than HTTP, which should authenticate that not only is the website genuine, but also that information being exchanged with the address is encrypted and thus protected against eavesdropping.
Though it's undeniably a helpful suggestion that users look out for HTTPS and avoid those without SSL protection, it can now no longer be reasonably suggested that this is a good indication of a safe and trustworthy address.
Phishing websites, inauthentic pages designed only to capture sensitive information, are able to gain SSL certification in a number of suspect ways. Understanding that users have become used to trusting HTTPS addresses, scammers have been greatly incentivized to directly erode the earned trust in this method of authentication.
How Phishing Actually Works?
There are plenty of methods of manipulation that are frequently employed by attackers, about which all users should be aware. Though these methods will vary in terms of complexity and effectiveness, the following are some of the easiest to identify and most important to understand in mitigating information security risk.
Address
Firstly, your first method of identifying the authenticity of communications should be the sender's address. The most overt and easily detected phishing emails use gibberish or nonsensical addresses, though more sophisticated scammers use simple yet subtle tricks to disguise an email's criminal purpose.
By switching visually similar or easily confused characters, attackers may fool even the most security-conscious users in a hurry. A phishing address may, for instance, substitute an 'I' for a '1' or even an 'm' for an 'rn'.
An address may also include an expected or familiar domain/company name within the incorrect part of the address. Consider for a moment how it may be possible to accidentally confuse shipment-tracking-amazon@gmail.co.uk for shipment-tracking@amazon.co.uk; one being perfectly legitimate and the other highly suspicious.
Urgency
Many phishing attacks attempt to rush a recipient into making rash decisions. By including 'ASAP' or 'URGENT,' often capitalized, scammers try to minimize the amount of time between seeing an instruction and the user taking action. As well as this, these instructions will often attempt to appear to come from senior members of staff, as to add authority to these supposedly time-sensitive requests.
Though you will undoubtedly receive legitimate time-sensitive correspondence, whenever particularly consequential actions are being requested, the time should be taken to confirm authenticity through another line of communication, such as over the phone or in person.
Attachments
It is entirely possible that in your role, you frequently send and receive files in the form of email attachments. Opening files is a requirement for many businesses, yet it is through email attachments that many malware attacks are enabled. Given the significant information security risk that attachments potentially pose, it is vital that staff understand best practices and the threats involved.
Like email addresses, staff should pay attention to naming, and nonsensical file names should be either avoided or treated with a level of suspicion. File type should likewise be closely inspected, and any files ending in .exe or a file type you don't recognize should be treated with extreme caution. Attackers may even try to obfuscate a file type by inserting a more secure or 'trustworthy' file type into the name, for instance 'pdf.exe.'
Links
Likely the most frequent technique phishers utilize to extract sensitive information are nefarious and inauthentic links. Emails will often contain company logos, spoofed addresses, and links that appear to lead you to a legitimate login page for popular organizations for which you likely have an account.
Scammers and phishers go to great lengths to build extremely convincing pages that mimic popular HTMLs. Designed only to capture sensitive information, once a link is clicked, it can be difficult even for the most vigilant of users to tell the difference (especially via mobile browsers where HTML addresses are truncated).
For this reason, before any link is followed, the address should be inspected by either hovering over the link with your cursor or on most mobile devices, by holding down on the link without release. If the link does not point to an address that you recognize or expect, the link is likely best avoided.
Other Types of Phishing
Spear Phishing and CEO Fraud
As the name suggests, spear phishing (a form of CEO Fraud) is a more targeted form of plain old phishing. Rather than using the 'cast a wide net' approach to online scams, spear phishers often use a far more calculated and personalized approach to their criminal enterprise.
Frequently assuming the identity of a senior member of staff, such as a CEO, a spear phishing attack will often exploit compliance to authority as a means to an end. Spear phishes can also lurk undetected for extended periods of time, laying in wait for the perfect moment to strike.
When email accounts and networks become compromised, sophisticated attackers will gather information, take the time to understand an organization's structure, and the channels of communication within. Every year, this form of attack costs businesses hundreds of millions, often through intercepted communications relating to bank transfers.
Though authority within organizations should be respected, users responsible for making transfers of funds are highly likely to be targeted by phishers and as a result, should always seek to exhaustively confirm through means other than just email.
Vishing
A portmanteau of Voice and Phishing, Vishing is a phone-based approach to this popular email scam. Vishing can be the only component of an attack or simply one part of a multi-layer ploy.
Though the above advice proscribed that multiple modes of confirmation should be used prior to an action being taken, it is not impossible that contact information contained within a fraudulent email also leads back to the scammer.
If, for example, you've never heard the voice of the CFO who should confirm the large payment you're about to make, and you don't take the time to confirm the number of said CFO, it's not unimaginable a scammer could seem as convincing over the phone as they do in the initial email. That's why channels of verification should also be verified as authentic themselves.
Smishing
This time a combination of SMS and Phishing, smishing is unsurprisingly a text message form of a phishing attack. Again, this can be a part or the whole of an attack, though frequently instructs recipients to follow links to suspicious addresses.
These messages may disguise themselves as confirmations, bank warnings, or even attempts to lure you in by offering a link to cease bothersome communications. By responding to these messages or following a link, you're not only exposing yourself to malicious software but also confirming that a potentially randomly generated phone number is indeed active.
Preventing Phishing
Beyond the previously mentioned common elements, there are plenty of measures that can be taken to help mitigate the cybersecurity threat of phishing emails. Among the technological solutions, spam filters that use machine learning and natural language processes are the first hurdle upon which any organization would hope phishing attacks falter. Beyond this point, it is largely up to human judgment to avoid a breach or incident.
No matter the mode of delivery, all forms of phishing attack rely on one critical weakness: human error. Attackers rely on common forms of negligence, a lack of vigilance, and a lack of awareness, all of which are reliably present in any workplace.
Information Security Awareness Training
Information security awareness training can do a great deal to help mitigate these risks. Enabling staff to understand, appreciate, and be permanently vigilant towards phishing and other threats is the objective of any organization truly wise to the dangers of an insecure culture.
What Does Phishing Mean in Computer Terms? With classes, online tutorials, workplace events, and simulated phishing campaigns, your organization can not only better understand the threats to which you are susceptible but also take the steps to fix your weaknesses and ensure the security of your information.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Featured
How to Keep Information Secure on a Computer - the Easy Way
Protecting data on your computer in 5 steps: Password Protection, VPNs, Anti-virus, Software Updates and Security Awareness.
How to Block Phishing Texts
Knowing How to Block Phishing Texts is vital to personal information security in the 21st century. Blog by Hut Six Security.
Information Security Attacks Threaten the UK Education Sector
How do Information Security Attacks threaten the UK Education Sector? Blog by information security awareness training provider Hut Six Security.
Is Information Stored in the Cloud Secure?
There remains concerns about the overall security of storing and processing information in the cloud. Is Information Stored in the Cloud Secure?
The Biggest Data Breaches and Hacks of 2019
The Biggest Data Breaches and Hacks of 2019: As a new year begins, it's time to begin reflecting on what has been observed. Blog by Hut Six
Google Chrome Goes for Gold in Password Security
Google Chrome introduces new password safety features. Cybersecurity blog by Information Security awareness training provider Hut Six.
What is Pseudonymisation?
What is pseudonymisation, and why it important to GDPR compliance? Blog from information security awareness training provider Hut Six.
NSA Discloses Severe Windows 10 Security Flaw
An extremely serious Windows 10 Security Flaw has been exposed by the NSA. Blog by cyber security awareness training provider Hut Six.
Top 5 WiFi Safety Tips: The Guide to Staying Secure
How safe is WiFi? Use these WiFi safety tips to help keep you secure online. Blog from cyber security awareness training provider Hut Six.
Travelex Ransomware Attack Enters Its Third Week
Travelex enters its third week of shutdown at the hands of a ransomware attack. Cyber Security blog by cyber security awareness training provider Hut Six.