What Is Phishing? Definition, Types, and Prevention Best Practices

Phishing is the fraudulent attempt to obtain users' sensitive information through digital channels, typically by impersonating a sender the victim trusts.

Last Updated: August 20, 2021

Phishing is defined as a type of cybercrime that uses a disguised email to trick the recipient into believing that a message is trustworthy. If the target falls for the trick, they end up clicking on a malicious link or downloading a dangerous attachment, thereby compromising their sensitive data. This article discusses phishing in detail, the different ways phishing attacks can be carried out, and the best prevention methods for 2021.

What Is a Phishing Attack?

Phishing is a type of cybercrime that uses a disguised email or link to trick the recipient into believing that a message is trustworthy. If the target falls for the trick, they end up clicking a malicious link or downloading a dangerous attachment, compromising the security of sensitive personal information.

To succeed, a phishing attack impersonates a trusted entity: often a person, real or fictitious but plausible, and just as often a company with which the victim has an existing business relationship.

Phishing is one of the oldest forms of online attack, almost as old as the internet itself. Despite being in use since the 1990s, it remains a common and effective way to steal personal information. The core methodology is unchanged, but phishing techniques have become considerably more sophisticated in recent years.

The COVID-19 pandemic has seen cybercriminals target remote workers, who often have less direct IT support, with fraudulent emails purporting to come from the employee's own organization in order to steal credentials. Those credentials can then be used to compromise the organization's digital infrastructure and cause losses worth millions.

Phishing in recent years

The 2019 Verizon Data Breach Investigations Report found that 32% of breaches in the previous year involved phishing, and that the figure rose to 78% for cyber-espionage incidents. Another finding was that attackers are getting more efficient at executing campaigns and securing clicks: ready-made templates and phishing kits have made phishing more common than ever.

Three phishing cyberattacks that made waves in the past decade are:

  • The 2014 leak of private photos of numerous celebrities resulted from phishing for the victims' iCloud credentials, even though the media initially attributed it to security flaws in Apple's iCloud server infrastructure.
  • In 2016, cybercriminals obtained the Gmail password of John Podesta, campaign chair for Hillary Clinton's 2016 US presidential bid, through a phishing attack.
  • In the same year, employees at the University of Kansas fell for a phishing email that gave attackers access to their paycheck direct-deposit settings, resulting in lost pay.

Phishing attacks peaked in 2020 as cybercriminals exploited the weaknesses exposed by the sudden shift to remote work during the COVID-19 pandemic, targeting individuals and organizations alike.

According to an article by Security Boulevard, a division of MediaOps, Inc., 97% of users cannot recognize sophisticated phishing emails, and successful spear phishing is behind 95% of attacks on enterprise networks. 85% of organizations surveyed reported being hit by at least one phishing attack, with 540 data breaches reported in the U.S. alone by July 2020.

With more than 60,000 phishing websites being reported to exist in March 2020 and 96% of all targeted attacks being intended for intelligence-gathering, the problem only intensified during the pandemic. Brand impersonation accounts reportedly constituted 81% of all spear phishing attacks, and phishing attacks played a role in more than 1 of every 5 data breaches in 2020.

Why do crises encourage phishing attacks?

A typical phishing attack relies on deception and a manufactured sense of urgency. A crisis such as the COVID-19 pandemic gives cybercriminals the perfect pretext to trick unsuspecting victims into biting on the hook.

A crisis means higher levels of anxiety among the general populace. People actively seek out information and look for direction from the government, their employers, and other authority figures. An email that presents itself as coming from an authoritative entity, instructs the reader to complete a task quickly, or promises a good outcome is therefore likely to receive less scrutiny than it would have before the crisis. One impulsive click is all it takes for the victim's system to be compromised or infected.

A company with an authoritarian hierarchy may run a higher risk of falling victim to phishing, because employees are more likely to comply with an email that is authoritative in tone. The same applies to organizational cultures where asking for help is frowned upon, where a degree of mutual distrust exists, or where collaboration is low.

For instance, if a university administrator receives an email warning that someone is trying to take over their email account and instructing them to update their details to secure it, the message combines a warning, an authoritative instruction, and panic: a potent mix that strongly motivates the recipient to click the bait.

Types of Phishing Attacks

The common denominator among all phishing attacks is impersonation. An attacker may spoof an email address so a message appears to come from someone else, use character encoding or lookalike characters to disguise URLs, or build and operate fake websites that are nearly indistinguishable from legitimate sites the victim trusts. Phishing campaigns can nonetheless be categorized by purpose: generally, an attack aims to get the victim to do one of two things, hand over sensitive information or install malware on their device.

Messages that solicit sensitive information aim to trick the victim into sharing important data, typically credentials such as a username and password. If the credentials are stolen, the attacker can break into the account or system that accepts them. A classic example is an email carefully crafted to look like communication from a leading financial institution. It is sent to thousands of potential victims to ensure that at least a few recipients are customers of the bank being impersonated.

Of these recipients, the attacker hopes that at least a small percentage will click the link in the phishing email and enter their internet banking credentials into a malicious duplicate of the bank's real website. Any credentials received this way let the attacker log in to the victim's online banking account and transfer the victim's funds to an account the attacker controls.
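The disguised links described above (brand names buried in a different registrable domain, encoded or punycode hosts, a visible URL that differs from the real target) can be checked mechanically. The following is an added example written for this article, not code from the original page; the HTML body, the `examplebank.com` brand and the `TRUSTED_DOMAINS` set are constructed for illustration, and the registrable-domain rule is a deliberate simplification of the Public Suffix List.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed sample body imitating a bank notification (not a real message).
SAMPLE_BODY = """
<p>Dear customer, your account has been locked.</p>
<a href="http://examplebank.com.secure-login.example/verify">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com@198.51.100.7/account">Update details</a>
<a href="https://www.xn--exmplebank-63a.com/">www.examplebank.com</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TRUSTED_DOMAINS = {"examplebank.com"}   # assumption: the brand's real registrable domain


def registrable_domain(host):
    # Naive last-two-labels rule; production code should consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(href, text):
    """Return a list of reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    href = html.unescape(href.strip())
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal host")
    except ValueError:
        pass
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("IDN/punycode host (possible homoglyph)")
    if "%" in parts.netloc or unquote(host) != host:
        reasons.append("percent-encoding in host")
    reg = registrable_domain(host)
    # Brand name used as a subdomain of some other registrable domain.
    for brand in TRUSTED_DOMAINS:
        if brand in host and reg != brand:
            reasons.append(f"looks like {brand} but registrable domain is {reg}")
    # Visible link text is itself a URL or domain that differs from the real target.
    visible = re.sub(r"<[^>]+>", "", html.unescape(text)).strip()
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", visible, re.I)
    if m and registrable_domain(m.group(1)) != reg:
        reasons.append(f"link text shows {m.group(1)} but target is {host}")
    return reasons


def scan_body(body):
    """Extract every anchor from an HTML body and inspect it; returns [(href, reasons), ...]."""
    return [(href, inspect_url(href, text)) for href, text in LINK_RE.findall(body)]


if __name__ == "__main__":
    for href, reasons in scan_body(SAMPLE_BODY):
        print("SUSPICIOUS" if reasons else "ok        ", href, reasons)
```

Only the last link in the sample survives without a finding; the first three trip the subdomain, userinfo/IP-literal, and punycode checks respectively. A mail gateway would typically run this kind of check over the rendered HTML rather than the raw MIME part, since attackers also hide links behind images and shortened URLs.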

Similarly, messages that inject malware into the victim’s system rely on getting the reader to click on a malicious link or download an infected email attachment. These emails are often ‘soft targeted.’ For instance, they could be sent to the human resources department of an organization with an attachment that appears to be the resume of a job seeker. 

Such attacks typically rely on Microsoft Office documents (usually carrying malicious macros) or .zip archives embedded with malicious code. Many ransomware attacks use such attachments to gain a foothold on an organization's systems and encrypt its data. Data from 2017 estimated that more than 9 in 10 phishing emails carried attachments containing ransomware.

Attackers apply varying degrees of targeting when sending phishing emails, or none at all. In the latter case, millions of messages are sent in the hope that at least some recipients log in to malicious duplicates of popular websites.

Let’s understand the different types of phishing attacks.

Spear phishing

Spear phishing is a type of phishing in which attackers craft their messages specifically to steal the login credentials of, or compromise the systems of, particularly high-value targets, such as someone in a company's IT or payroll department. The attacker invests far more effort in tricking these targets because the potential reward is so much higher.

Targets are often identified using information gathered from social media websites such as Facebook or LinkedIn. Attackers may then use spoofed addresses to send an email that plausibly looks like it has come from a colleague. An example of spear phishing would be an attacker sending a well-thought-out email to a finance executive purportedly from the victim’s manager and requesting a considerable sum of money to be wired on short notice for an emergency.

Whaling

Whaling, sometimes known as whale phishing, is a subtype of spear phishing aiming at very big fish, such as CEOs, network administrators, or payroll chiefs. A whaling scam can often target members of the company board because they are considered to be particularly vulnerable: board members have near-unquestioned authority within an organization. They often use non-company email addresses for business communication. Personal email addresses are not afforded the protections that corporate emails have, making them easier to spoof or compromise.

Clone phishing

Clone phishing is when an attacker creates a near-perfect replica of an official message to trick the target. The sender address may also be spoofed to resemble that of the legitimate sender. Clone phishing sometimes involves the attacker 'resending' a message moments after the original has been sent by the legitimate sender, claiming, for example, that the original contained a wrong link or attachment. Another variation entails the attacker creating a duplicate website on a spoofed domain.
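Both the spear-phishing "email from your manager" above and clone phishing depend on a sender that looks legitimate, and the message headers usually give the game away before the body does. This added example (not code from the original article) parses a constructed raw message with Python's standard `email` module and reports the classic spoofing indicators: a display name that matches a known executive but an address that does not, a `Reply-To` or `Return-Path` in a different domain than `From`, a lookalike of the organisation's own domain, and a `dmarc=fail` verdict recorded by the receiving mail server. `OUR_DOMAIN` and `KNOWN_EXECS` stand in for a directory lookup and are assumptions.

```python
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed raw message (not a real capture): a "CEO" asks finance for an urgent wire.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.example
To: finance@example.com
Subject: Urgent wire before 5pm
Date: Mon, 16 Aug 2021 14:02:11 +0000
Message-ID: <abc123@mail-relay.example.net>
Content-Type: text/plain; charset="utf-8"

Hi, I need a wire of 48,500 USD sent today for an acquisition. Can you handle it discreetly?
"""

OUR_DOMAIN = "example.com"                           # assumption: the defending organisation
KNOWN_EXECS = {"jane doe": "jane.doe@example.com"}   # assumption: stands in for a directory lookup


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_indicators(raw):
    """Return a list of header-level spoofing indicators for a raw RFC 5322 message."""
    msg = BytesParser().parsebytes(raw)          # compat32 policy: headers come back as plain strings
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "")
    findings = []
    from_dom = domain_of(from_addr)

    # 1. Display name matches a known executive but the address does not.
    key = from_name.lower().split("(")[0].strip()
    if key in KNOWN_EXECS and from_addr.lower() != KNOWN_EXECS[key]:
        findings.append(f"display name '{from_name}' but address {from_addr}")
    # 2. Replies are steered to a domain other than the one in From.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} != From domain {from_dom}")
    # 3. Envelope sender (Return-Path) differs from the From domain.
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} != From domain {from_dom}")
    # 4. Lookalike of our own domain (digit 1 for letter l, 0 for o).
    if from_dom != OUR_DOMAIN and from_dom.replace("1", "l").replace("0", "o") == OUR_DOMAIN:
        findings.append(f"From domain {from_dom} is a lookalike of {OUR_DOMAIN}")
    # 5. The receiving MTA already recorded a DMARC failure for the From domain.
    if "dmarc=fail" in auth.lower():
        findings.append("Authentication-Results: dmarc=fail")
    return findings


if __name__ == "__main__":
    for f in spoof_indicators(RAW_MESSAGE):
        print("-", f)
```

All five indicators fire on the sample. Indicator 5 is the cheapest and most reliable one in practice: if your own mail server writes `Authentication-Results`, a rule that quarantines `dmarc=fail` for your own domain stops most direct spoofing without any content inspection.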

Vishing

Vishing, a portmanteau of ‘voice’ and ‘phishing,’ is carried out over the phone. The victim may receive a call that relays a voice message purportedly from a bank or financial institution. The message might, for instance, ask the victim to call another number and key in their PIN or other account information for official purposes, such as security verification. This data would then be transmitted to the attacker.

Snowshoeing

Snowshoeing is a 'hit-and-run' attack in which the perpetrator pushes out a large campaign through many different IP addresses and domains. Each domain and IP address sends only a few messages, so no single source exceeds the volume thresholds or accumulates the bad reputation that would get it blocked by volume- or reputation-based spam filters.
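Because snowshoe senders stay under per-source thresholds, the signal is in the aggregate: the same message template arriving from many sources that each send almost nothing. The following added example (not from the original article) runs that logic over a constructed gateway log export; the CSV rows, the `min_messages` and `max_per_source` thresholds, and the subject-normalisation rule are all assumptions chosen to illustrate the technique.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed gateway log export (not real data): one row per inbound message.
LOG_CSV = """\
ts,client_ip,mail_from,subject
2021-08-16T09:00:01,203.0.113.10,news@offer-a1.example,Final notice: your invoice #4471 is overdue
2021-08-16T09:00:03,203.0.113.22,alerts@offer-b2.example,FINAL NOTICE - your invoice #9034 is overdue!
2021-08-16T09:00:04,198.51.100.5,billing@offer-c3.example,Final Notice: Your Invoice #1182 Is Overdue
2021-08-16T09:00:06,198.51.100.9,info@offer-d4.example,final notice your invoice #7755 is overdue
2021-08-16T09:00:07,192.0.2.77,team@offer-e5.example,Final notice: your invoice #2020 is overdue
2021-08-16T09:00:08,192.0.2.78,team@offer-f6.example,Final notice: your invoice #3131 is overdue
2021-08-16T09:01:00,203.0.113.50,newsletter@shop.example,Weekly deals: 20% off this week
2021-08-16T09:01:05,203.0.113.50,newsletter@shop.example,Weekly deals: 20% off this week
2021-08-16T09:01:09,203.0.113.50,newsletter@shop.example,Weekly deals: 20% off this week
2021-08-16T09:02:00,203.0.113.60,alice@partner.example,Re: contract draft v3
"""


def normalize_subject(subject):
    """Collapse case, digits and punctuation so per-recipient variations cluster together."""
    s = subject.lower()
    s = re.sub(r"\d+", "#", s)        # invoice numbers, amounts, dates become '#'
    s = re.sub(r"[^a-z#\s]", " ", s)  # drop punctuation
    return " ".join(s.split())


def find_snowshoe_campaigns(log_csv, min_messages=5, max_per_source=2):
    """Return clusters whose messages are spread thinly over many IPs and sender domains.

    A snowshoe campaign looks like many messages of one template where no single
    client IP or sender domain accounts for more than `max_per_source` of them.
    """
    clusters = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_csv)):
        clusters[normalize_subject(row["subject"])].append(row)

    flagged = []
    for template, rows in clusters.items():
        if len(rows) < min_messages:
            continue
        per_ip = defaultdict(int)
        per_domain = defaultdict(int)
        for r in rows:
            per_ip[r["client_ip"]] += 1
            per_domain[r["mail_from"].split("@")[-1].lower()] += 1
        if max(per_ip.values()) <= max_per_source and max(per_domain.values()) <= max_per_source:
            flagged.append({
                "template": template,
                "messages": len(rows),
                "ips": len(per_ip),
                "domains": len(per_domain),
            })
    return flagged


if __name__ == "__main__":
    for c in find_snowshoe_campaigns(LOG_CSV):
        print(f"snowshoe campaign: {c['messages']} msgs from {c['ips']} IPs / "
              f"{c['domains']} domains, template={c['template']!r}")
```

The six "invoice overdue" messages cluster into one template sent from six IPs and six throwaway domains and are flagged; the newsletter, which sends three near-identical messages from one IP, is exactly the pattern a per-source reputation filter already handles and is left alone.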

Top 10 Best Practices to Prevent Phishing Attacks in 2021

With remote work having become widespread since the onset of the COVID-19 pandemic, organizations need to invest in awareness training to counter phishing campaigns. Training can include modules that help employees understand the risk of clicking links or opening attachments from unfamiliar sources. By making employees understand that messages from unknown senders can carry viruses or other malware, an effective security education program can prevent significant losses.

Phishing Attack Prevention Best Practices

The easiest way to protect an organization's network from phishing attacks is practical, functional employee training. Even after the pandemic struck, many organizations simply do not provide effective cybersecurity training, despite some having moved their entire operation online. Even enterprises that do deliver this training often make it a one-off event, during employee orientation or, at most, once a year.

However, even the most carefully crafted training is useless if it is not administered effectively. Training modules given online may lead to employees glancing through the content and ignoring the knowledge being shared. In-person training sessions may no longer be feasible for companies that have adopted remote work environments. Still, other measures such as sufficient training time and effective testing can make online training meaningful.

There are several services for thwarting phishing attempts. For instance, simulated-phishing solutions send harmless phishing emails to employees, collect metrics on who clicks, and report them to management. These metrics help apprise managers and security personnel of how well existing anti-phishing measures, such as training programs and spam filters, are working. Some corporations also use heuristic filters to weed out fraudulent emails. These services have mixed success rates: many obvious scams are quarantined effectively, but the more cleverly designed emails usually get through.

Apart from filtering phishing emails, some companies also manage their risk through cybersecurity liability insurance. Such insurance is not always the right answer, however. To judge the return on such a policy, its price must be weighed against the business model, the sensitivity of the data, the security of the company's infrastructure, and the potential cost of damages from a successful phishing attack.

Below is a list of 10 best practices that organizations and even individuals can use to avoid phishing attacks in 2021.

1. Be wary of hyperlinks and attachments in any email

Emails asking the reader to click on a link or download an attachment should not be entertained unless the email is expected and sent by a known sender, such as for email verification by a service that the user signed up for a few moments ago.

2. Maintain system backups

Backups let IT personnel restore an uncompromised system state if a phishing attack succeeds and malware is introduced into the infrastructure. Keep at least one copy offline or immutable: ransomware delivered by phishing will otherwise try to encrypt or delete any backups it can reach.

3. Ensure HTTPS connections, but do not rely on them

Users must ensure that a site uses 'HTTPS' (and not 'HTTP' without the 'S') before submitting sensitive data, so that the information travels over an encrypted channel. Note, however, that HTTPS only proves the connection is encrypted to whoever controls that domain. Phishing sites routinely obtain valid certificates, so a padlock icon does not prove a site is legitimate; the domain name itself must be checked.

4. Avoid entering credentials in a pop-up window

Pop-up windows are a common tool of phishers. Unless the site is fully trusted and the pop-up demonstrably belongs to it, information should never be entered into a pop-up window. Most browsers allow users to block pop-ups by default and make exceptions for trusted domains.

5. Provide employee education and training

Keeping employees informed about the latest phishing scams and the techniques and technologies that the company is using to prevent them is very important. Outsourcing this task to a specialist can also be considered, especially as companies move toward a remote work environment.

6. Install a robust firewall

A properly configured firewall (or web proxy) limits what a phishing payload can do once it runs: it can block connections to known malicious hosts and restrict outbound traffic from a compromised workstation. It does not, by itself, stop the phishing email from arriving.

7. Use anti-spam solutions

Anti-spam software protects against phishing attacks by filtering out emails from known phishers and other cybercriminals. Without this software, these emails might show up directly in employees’ inboxes, increasing the chances of being considered legitimate.

8. Provide antivirus protection

This may come across as an obvious tip, but a surprising number of companies do not ensure the enforcement of up-to-date antivirus installation policies. This may have become more difficult for IT departments to implement due to the COVID-19 pandemic and more liberal BYOD policies, but solutions that ensure meaningful compliance exist and must be considered. 

9. Use anti-spying tools

Anti-spying tools can be used to counter spyware. By eliminating spyware from the systems of employees that may be targeted by cybercriminals for a spear phishing attack, the risk of successful phishing attempts can be lowered.

10. Increase awareness about DNS pharming attacks

DNS pharming is a related attack that needs no pop-ups or carefully crafted emails. Instead, it 'poisons' the DNS resolver the victim uses (or the hosts file on their machine) so that a request for the legitimate site is answered with the address of a malicious duplicate. Administrators can reduce this risk by hardening the resolvers under their control: keep resolver software patched, restrict recursion to internal clients, and enable DNSSEC validation so that forged answers are rejected.

Takeaway

With remote work still largely prevalent across regions in 2021, companies must take heed of recent security breaches caused by phishing attacks and treat them as cautionary stories that show the requirement for robust security practices to protect company infrastructure and sensitive proprietary data.

By deploying email authentication such as DMARC (which builds on SPF and DKIM and is enforced by leading providers such as Gmail and Outlook) with an enforcing policy, and by taking the precautions listed in this article, management teams and users can block many spoofed emails before they reach employees' inboxes, preserving system integrity and avoiding lasting damage to the company's reputation.
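DMARC only blocks spoofed mail when the published record actually asks receivers to do so; a record left at `p=none` or `pct=10` after the initial monitoring phase provides reports but no protection. The following added example (not from the original article) parses a DMARC TXT record and flags the settings that leave a domain spoofable. The two records are constructed, and `example.com` addresses are placeholders.

```python
# Constructed records for illustration (not the result of a DNS lookup).
WEAK_RECORD = "v=DMARC1; p=none; pct=10"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; "
                 "adkim=s; aspf=s")

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value; raises ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"bad tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICY_RANK:
        raise ValueError("missing or invalid p= tag")
    return tags


def assess_dmarc(txt):
    """Return a list of weaknesses in a DMARC record (empty list = fully enforcing)."""
    tags = parse_dmarc(txt)
    issues = []
    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    # sp= defaults to the value of p= when absent (RFC 7489).
    sub = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub, 0) < POLICY_RANK[policy]:
        issues.append(f"subdomain policy sp={sub} is weaker than p={policy}; subdomains stay spoofable")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports of spoofing attempts will arrive")
    return issues


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(record) or "OK: enforcing policy")
```

To run the check against a real domain, fetch the record with `dig +short TXT _dmarc.example.com` and pass the returned string to `assess_dmarc`. Remember that DMARC evaluates alignment of SPF and DKIM with the `From` domain, so an enforcing record only helps once SPF and DKIM are correctly set up for every legitimate sender of the domain's mail.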

Hossein Ashtari
Interested in cutting-edge tech from a young age, Hossein is passionate about staying up to date on the latest technologies in the market and writes about them regularly. He has worked with leaders in the cloud and IT domains, including Amazon—creating and analyzing content, and even helping set up and run tech content properties from scratch. When he’s not working, you’re likely to find him reading or gaming!