What is Phishing?
Phishing is a devastatingly effective cyber attack that targets people instead of technology. It typically uses modern digital communications such as email, SMS, instant messagers and social media, but it can also be done with more traditional commucation methods such as phone calls, postal services, leaflets and flyers, or face-to-face conversations. Any way that a criminal can communicate with you can be used as a medium to initiate a phishing attack.
In a traditional phishing attack you’ll be sent links, attachments, or both. The content of the email will encourage you to click on the links and open the attachments. Once you’ve reached the target website you’ll be prompted to give away your data by a website pretending to be something it isn’t. Criminals writing phishing emails use powerful psychological attacks that have been carefully designed, improved, and iterated upon for months or years to make them as effective as possible. We’re all vulnerable to these attacks and eventually even the most cyber-aware of us will fall for them.
What Are The Risks of Phishing Attacks
As individuals and organisations the biggest threats we face from phishing are:
- The theft of confidential information such as personally identifiable information, usernames and passwords, and other sensitive information which you may not wish to become public knowledge
- The installation of malware such as ransomware on your devices
The theft of login credentials through a phishing attack allows a criminal to access your accounts and perform actions as if they were you. Depending on the credentials stolen, they may be able to empty your bank accounts, send phishing emails to all of your contacts in your name (making them more believable), install software on your devices, and access corporate systems to send payments, fraudulently purchase goods which can be resold for cash, and much more. Anything you can do, they can do with ill intent.
They may also be able to obtain information about you that you wouldn’t want to become public. This information can be used against you in the form of extortion of blackmail.
The installation of malware can be incredibly destructive. If installed, ransomware encrypts and corrupts all of your files and demands the payment of a ransom to decrypt and release them back to you. As an individual this can mean the loss of treasured photographs, videos, and important documents. To an organisation it could be the loss of all finanial and customer records, bringing the business to a standstill and preventing them from trading.
Types of Phishing attacks
The standard, generic, phishing attack is a generic, spam-like email sent to millions of people around the world in the hope that at least a few people will take the bait. The quality of these emails can vary from so poorly written that they are obvious forgeries to almost indistinguishable from legitimate communications.
Beyond blanket emails sent to anyone and everyone, various more tailored techniques have emerged. Often, criminals will use a combination of these to achieve their goal.
Instead of blanket emails sent indiscriminately to millions of email addresses, spear phishing attacks are targeted campaigns targeting one or a group of individuals. Criminals will conduct research into the lives of their victims to increase the believability of their attacks. Read more about spear phishing.
Smishing is the name often applied to phishing attacks sent over text message aka SMS. The name is a portmanteau of SMS and phishing. The attacker sends a text message to the victim’s phone, often with a deceptive sender name or sender ID which appears instead of the true number. The message contains a link to a deceptive and malicious website designed to capture their information. Read more about smishing attacks.
Whaling is the term used when attackers focus their phishing efforts on VIPs such as a company CEO or CFO, celebrities, politicians, or other ‘high-value’ targets. Hackers will go to much greater lengths than usually conducing research into their behaviours, interests, and circle of trust.
When a phishing attack is initiated through a phone call we use the name vishing. Callers will often pretend to be from your telephone or internet provider, offer technical support, or from a government department with the authority to call and warn you of pending fines or charges.
Just like smishing, vishing will usually come from a spoofed caller ID and after establishing a dialogue the attacker will attempt to persuade you to give away personal information or visit a website which does the same.
When hackers use exact replicas of real emails, only changing the links to point to their own website, we use the term clone phishing. They literally clone real emails from real companies, copying the source code of a genuine message and making a minor alteration before resending. Using a familiar appearance and content makes these attacks more likely to succeed as readers may just assume a phishing email is just ‘another one of those…’ from a company they trust.
While most phishing attacks occur using digital technologies, there’s nothing stoping a dedicated attacker from sending a letter through the post with instructions directing them to a phishing website. We receive written documentation from banks and government departments all of the time, each giving us a link to visit from a computer.
Social Engineering Attacks
Phishing simulation tools allow us to conduct legal, phishing simulation tests against employees or clients. These tools behave just like real phishing kits but focus on measuring and reporting on the behaviour of recipients rather than stealing their passwords. See my curated list of phishing simulation tools here.