What Is Phishing?

Published by Adrian in Web Security


The only thing phishing and fishing have in common? The victim always gets hooked. If you’d like to avoid the bait, you’d better not have the memory of a goldfish. Learn what phishing is and educate yourself to stay away from it.

Whether it’s email phishing or website phishing or any other type of phishing, the outcome is the same. And it’s never pleasant for you. So, coming up next, we’re going to show you what to watch out for.

Shall we dip our toes into the cloudy waters of phishing? Before you wet your toes for good, remember the following.

Phishing is one of the many social engineering attacks that are skyrocketing in popularity these days. It started back in the 1990s and its frequency continues to rise. Every day, new, more sophisticated propagation techniques pop up.

For some reason, hackers don’t get tired of using it. Scratch that, we actually know the reasons pretty well. There are oh-so-many ways to orchestrate such an attack. Plus, it works like a charm, more often than not.

What kind of attack is it, you wonder?

Phishing is tricking people into providing login credentials for specific accounts. Sometimes even for bank accounts. Credit card numbers are on top of the list when it comes to hackers’ favorite targets. But that’s not all a victim can provide without even knowing the perils.

One major attribute of phishing attacks is that the sender pretends to be an official party. Someone you trust. Someone with whom you have a certain relationship established. It can be your bank or the IT administrator of the building you work in.

It can be any authority who reaches out to you and says something like “Dear XYZ, we need your attention to verify the security of your account. Go to this address and fill in your credentials to update your account information”.

This message usually lands in your inbox, though email is not the only distribution channel for phishing attacks. Instant messaging apps or plain text messages sent to your mobile are just as effective channels.

After all, it doesn’t really matter how you get the message.

What matters most is the alleged sender and the formal request. For the trick to work, it has to be someone you really trust. And following the malicious link that they provide you with?

You can end up installing all kinds of crazy malware. Messing up your system. Becoming the victim of a ransomware attack. Or simply revealing information you wouldn’t normally share. Not. Even. With. Your. Mom.

Regular individuals can end up dealing with identity theft or some major financial losses. But phishing attacks are even more dangerous when targeting institutions and organizations. For the latter, it goes all the way to:

  • Loss of market share and consumer trust
  • A big financial hit
  • Not to mention reputation problems

All these are common when large scale phishing attacks open the door to security incidents.

Phishing made easy – by hackers, for hackers

If you’re reading this, you’re probably not a regular user of the dark web. Just so you know, the dark web is filled with phishing kits and mailing lists for sale. Everything that even a newbie hacker needs to launch an email phishing attack.

The kit serves to install the phishing resources on a server. But before that, there’s a standard process. It involves cloning a legitimate website and changing the login page to expose users to a credential-stealing script.

Once the modified files are wrapped in a zip archive, the newly created phishing kit is uploaded to the hacked website. The archive is unzipped, and emails with links to the spoofed website are sent to its users.

Going deeper into the subject, there are several different types of phishing attacks.

Get to know what you’re really standing against

Depending on the target and the specificity of the attack, there are:

  • Spear phishing – the hacker targets particular individuals or companies instead of sending bulk phishing campaigns to average users.
  • Whaling – the hacker specifically targets high-profile users, like senior executives and managers with important roles, who have lots of sensitive data stored in their accounts.

Depending on the methods the hacker uses, there are:

  • Clone phishing – the hacker steals a legitimate message from the victim’s inbox, clones it and resends a modified version to redirect the user to a spoofed website.
  • Covert redirect – the hacker overlays a malicious login popup dialog box on a real website, where the user types sensitive information.
  • Filter evasion – the hacker hides the text of his emails within images, to avoid triggering spam filters and increase the odds that the message reaches inboxes.
  • Infiltrating popups – the hacker makes a popup show up on the bank’s legitimate website, making the user believe that the message asking for his credentials comes from the bank’s website.
  • Link manipulation – the hacker sends links that appear as legitimate as possible; misspelled URLs (slightly different from the original URL) are commonly used.
  • Social engineering – the hacker uses all kinds of strategies to make users go to a website where they get malware – fake news stories, Google Docs links sent as attachments etc.
  • Tabnabbing – the hacker makes the web browser load a fake page among the many other tabs open in the browser at that time.
  • Voice phishing – the hacker messages the victim to dial a phone number to discuss an account-related problem; during the VoIP call, the user enters his account number/PIN.
  • Website forgery – the hacker alters the address bar of the website to which he redirects the victims, using JavaScript commands.


The only two phishing-related terms you should know

Phishing emails are just the hook that draws you to a spoofed website. That’s where you type in the information the attacker steals from you. Without taking you to a website, there’s no power in a phishing email. And so, you have:

  1. The phishing email – if you were wondering what a phishing email is, it’s as simple as that: any email you receive from the attacker, pretending to come from a trusted source. Trusted means a well-known, legitimate organization. Commonly, the source asks you to follow a link or download an attachment, and then to provide personal information once you get to the destination they suggest.
  2. The phishing website – the phishing or spoofed website is the intended destination where users must land and type in the sensitive information, to “update the account”.

Don’t provide sensitive information with your eyes wide-closed

On your way from the phishing email to the phishing website? There are quite a few telltale signs that should raise your suspicion. If anything, ask yourself the following questions. They don’t sound too serious, but their answers will make a huge difference.

So, who did you say you are?

Look at the “From” field of the incoming email. The address is not an official one. After the @, there’s no domain name belonging to the sender (as all reputable and respectable companies use), but rather a free email provider’s domain. Specifically, you don’t have an email from contact@paypal.com, but rather from contactpaypal@yahoo.com.

The world is on fire and you’re sending me an email about it?

Then, you can’t help but notice how everything about updating your account information is “extremely urgent”. In other words, the sender wants you to believe that unless you follow their instructions and update the information required, the end of the world will come. Your account has been compromised or your account will be suspended.

Only that we don’t know each other as well as you claim, do we?

Still haven’t lost your sense of reason at the sight of the urgent message? Great, you might have the time to notice that the sender doesn’t even know your real name. Instead of using it, as any good-faith sender would do, your contact uses a generic greeting. Dear member/customer/client/whateverbutyourrealname.

Is this the real website where you want me to go, or is it just “fantasy”?

Caught in a landslide, there’s still escape from reality. Sure, it’s more difficult to spot but it’s still essentially a clear sign. Expect to see fake links or a combo of legitimate and fake links on this occasion.

Just because you see the company logo doesn’t mean you’re on the right page. Just because 99.99% of the domain name matches the original website’s domain name doesn’t mean it’s the same thing.

A letter might be missing, or doubled, or accompanied by a symbol. Any easy-to-overlook misspelling will do the trick.

Hackers go as far as to insert authentic links on their spoofed pages. They send you to a phishing website where they also display genuine pages from the websites that they are mimicking. Like their terms of service, privacy policy, or any other less relevant page.

Even worse, the hacker can initially take you to the original page only to redirect you from there, with a pop-up where they ask for your account information.

Aside from the spelling errors, generally poor grammar and/or inferior graphics should also make you wonder!
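As an added example (not part of the original article), here is a small Python script that applies the telltale signs above to a message: a brand name in the local part of a free-mail sender address, link domains that are a letter off the genuine domain, urgency wording and a generic greeting. The brand list, free-mail list, “.example” link and sample message are constructed for the demo; contact@paypal.com and contactpaypal@yahoo.com are the article’s own examples.

```python
import re

# Constructed reference data for the demo, not a real allow-list.
OFFICIAL_DOMAINS = {"paypal": "paypal.com"}
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "compromised")
GENERIC_GREETINGS = ("dear member", "dear customer", "dear client", "dear user")

# Constructed sample message: the article's free-mail sender plus a lookalike link.
SAMPLE_FROM = '"PayPal Support" <contactpaypal@yahoo.com>'
SAMPLE_BODY = ("Dear customer,\nyour account has been compromised. Verify it "
               "immediately at http://paypall.example/verify or it will be suspended.")

def edit_distance(a, b):
    """Levenshtein distance: a missing, doubled or swapped letter counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_flags(domain):
    """Reasons a sender or link domain looks like an imitation of a known brand."""
    domain = domain.lower()
    label = domain.split(".")[-2] if "." in domain else domain  # second-level label
    flags = []
    for brand, official in OFFICIAL_DOMAINS.items():
        if domain == official:
            return []  # the genuine domain, nothing to flag
        if brand in label or edit_distance(label, brand) <= 1:
            flags.append(f"lookalike of {official}: {domain}")
    return flags

def check_message(from_header, body):
    """Apply the article's telltale signs to one message; returns a list of flags."""
    flags = []
    m = re.search(r"<?([\w.+-]+)@([\w.-]+)>?\s*$", from_header)
    if m:
        local, domain = m.group(1).lower(), m.group(2).lower()
        if domain in FREE_MAIL_DOMAINS and any(b in local for b in OFFICIAL_DOMAINS):
            flags.append(f"brand name in free-mail address: {local}@{domain}")
        flags += domain_flags(domain)
    lowered = body.lower()
    if any(w in lowered for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(lowered.startswith(g) or f"\n{g}" in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    for url_domain in re.findall(r"https?://([\w.-]+)", body):
        flags += domain_flags(url_domain)  # check every linked domain, not just the sender
    return flags

if __name__ == "__main__":
    for flag in check_message(SAMPLE_FROM, SAMPLE_BODY):
        print("suspicious:", flag)
```

A message with no flags is not proven safe; these checks only automate the quick look a careful reader would take before clicking anything.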

Checking for everything above is prevention. Still, you should…

  • Slightly modify your browsing habits;
  • Always check if the email/request is legit – whenever asked to “verify” an account, contact the company from which the email originates;
  • Start typing the URLs in the address bar, instead of clicking on the links sent via emails;
  • Pay attention to details showing that the sender doesn’t know you – like “Dear PayPal customer” instead of “Dear Your Name”;
  • With bank messages, always check the last few digits of the account number, not the first few digits, which are usually the same for all the clients of a bank;
  • Consider using a browser spam filter or an AV with real-time protection that includes one;
  • Check the links you receive via email on a website that documents phishing sites – like the Safe Browsing service;
  • Activate transaction verification on your mobile, to receive notifications if your account was hacked and someone tries to make transactions in your name.

What you need to remember, in the end

Phishing is a fraud attempt. The goal is to obtain sensitive information from the user – credit card details, login credentials. The channel is electronic communication. And email spoofing and instant messaging are two of the most common types of phishing.

But regardless of the context, the attacker will pretend to represent a trusted party – a bank, a website where the user has an account, an IT administrator, an online payment processor etc.

Under the pretext of authority, the attacker asks the user for personal information. And the user delivers it, unaware of the trick. The message he receives and the website he is asked to navigate to look and feel very real, just like those of the legitimate parties.

Never ever trust an email where you’re asked to provide personal information.

Especially if you haven’t initiated this kind of request in any way. And if you have even the slightest doubt about the validity of the request? Reach out to the entity pretending to ask you all those details. Visit them in person, if it’s your bank. Or call them if it’s an online service.

Rest assured, the “good guys” out there generally want to know about any phishing attempt. Once such a scam is spotted, all the customers of that entity are normally notified. Making them aware, in case the attacker reaches them too, is essential to any company.

In other words, no one will blame you or condemn you for asking for official confirmation. All the more reason to never feel ashamed and check with that organization whenever in doubt. That way, you help to build a better online world. And manage to stay safe!