What is phishing?

From banking scams to industrial espionage, we look at why phishing is so lucrative

We've all grown accustomed to receiving the odd suspicious email - whether it's from someone claiming to be a recently-deceased relative's lawyer or what looks like an unexpected tax bill, scam emails have become just another part of life online.

These emails are examples of an attack method known as 'phishing', the goal of which is to trick people into doing something they would not do if they knew who was really asking. Most commonly, attackers try to get you to hand over your login credentials for an online service such as a banking portal or your email account.


There are many tactics that can be used to do this; one ever-popular method is to send out an email purporting to be from a bank, alerting the user to a large (unexpected) withdrawal from their account and including a link to check their bank statement or activity. This link leads to a site that's made to look like the bank's login page, but is actually controlled by the attacker.

The idea is that, in their panic, users will click through to the login page and enter their details without realising that it's not really their bank - at which point the hacker will be able to use those details to ransack their bank accounts at will.


There are multiple ways to launch this kind of attack, but email has become the platform of choice. It's incredibly cheap to send messages to thousands of recipients, and at such a scale the scam would only need to fool a handful of victims to be lucrative.


Phishing attacks aren't always as simple as that, however. Attackers often go after something as seemingly innocuous as the login details for a victim's social media or Netflix account, on the basis that so many people reuse the same email address and password across services that a stolen pair can be tried against more valuable accounts (a follow-on technique known as credential stuffing).

Hackers also frequently target corporate email accounts with phishing attacks, and not just those belonging to high-level executives or finance personnel. Gaining access to the email account of someone in the sales department, for example, could allow hackers to launch phishing campaigns against other areas of the business without arousing as much suspicion.

Aside from email-based campaigns, attackers also use bogus webpages to fool victims, registering domains that look like those of popular services (such as netflux.com or facebok.com, a practice known as typosquatting) and mimicking the legitimate service's login page in order to harvest credentials. The tell is in the address bar rather than on the page: the site can copy the bank's branding perfectly, but it cannot use the bank's domain.
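The check a practitioner would want for the two tricks above (a link in an email that points at an attacker-controlled host, and a host that is a near-miss of a real brand) is to compare the link's registrable domain against a short allow-list and measure how close it is to each entry. The block below is an added example, not code from the original article; the brand list in KNOWN_DOMAINS and the two-edit threshold are assumptions, and it goes slightly beyond the text by also flagging a brand name used as a subdomain of some other domain.

```python
"""Classify a link from a suspicious email as pointing at a legitimate brand
domain, a look-alike (typosquat) of one, or an unrelated host.
Added example; the allow-list below is an assumption, not a real deployment."""
from urllib.parse import urlparse

# Assumed allow-list of legitimate brand domains (a real deployment would
# load these from a maintained list, not hard-code them).
KNOWN_DOMAINS = {"netflix.com", "facebook.com", "paypal.com", "examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host: login.facebok.com -> facebok.com.
    Simplified on purpose: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for the host in url.
    The URL must carry a scheme (https://...) for the host to be parsed."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in known:
        return "legitimate"
    labels = host.split(".")
    for brand in known:
        # netflux.com vs netflix.com: one substitution away
        if edit_distance(domain, brand) <= max_distance:
            return "lookalike"
        # www.paypal.com.evil.net: brand label used as a subdomain elsewhere
        if brand.split(".")[0] in labels:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://login.facebook.com/", "http://facebok.com/login",
                 "https://netflux.com/", "https://www.paypal.com.evil.net/",
                 "https://example.org/"):
        print(f"{link:45} {classify_link(link)}")
```

A two-edit threshold catches single typos and one-letter swaps without flagging every short domain in the world; tune it against your own allow-list, and note that a link that parses as "unknown" is not thereby safe, only not a look-alike of a brand you listed.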

History of phishing

While a theoretical phishing technique was first described in 1987, this type of attack only really started to gain popularity in the 1990s, with the advent of the consumer internet.

One of the earliest examples of phishing was known as AOHell and was a customer service ruse. This hacking tool targeted AOL users and allowed the attacker to masquerade as a customer service representative. The target user would be encouraged to hand over their password; if they did, the attacker could then use their account for nefarious purposes.


This element of using underhand tactics remains the defining feature of phishing, although the number of types and techniques has expanded significantly.


Here's what you need to know about some of the types of phishing attack you may come across and the motivations of the attackers.

Financial

Financially motivated phishing attacks have been used for a long time and take on many different guises.

Many of us will be familiar with the so-called Nigerian Prince scam emails, where the victim is contacted by a person alleging to be a representative of a Nigerian prince who, for whatever reason, wants to transfer some of his wealth out of the country and will give the victim a cut of the money if they let the scammer use their bank account as a conduit. Other variations include the death of a long-lost relative or, more recently, a friend or family member who has been robbed while on holiday and needs an emergency loan.


Normally, this scam (known as advance-fee fraud) results in a loss of money not because bank details are handed over, but because the victim is asked to pay money out to the scammer first, supposedly to cover fees or taxes, after which they never hear from the scammer again.

This is a very basic form of a financial phishing attack, but others are much more sophisticated. Scammers are sending out increasingly well-crafted emails that appear to be genuine messages from real banks.

This type of attack is aimed at getting a user to enter all their bank or credit card details into a website accessed through a link in the phishing email that looks like the genuine article but is in fact owned by the criminals. Once that is done, the phisher can use the details as if they were the legitimate cardholder or bank customer.

Account takeover

Account takeover is what the first phishing attacks were geared towards: gaining access to another person's online account, whether on social media, email, a forum or something else, and then taking control of it.


This is typically done via a malicious link sent in a legitimate-looking email, instant message or direct message. Once the user clicks on it, they are taken to a realistic-looking website operated by the attackers and, much like the banking attacks mentioned above, asked to enter their username and password.

The purpose of an account takeover could be to send spam from that email address or social media account; to find out further information about the person, including financial information or other sensitive data; or as a form of protest: rival ideologies at the fringes of politics have been known to take over and shut down the accounts of their opponents, for example.

Espionage

This category covers both industrial espionage and state-level snooping. In both cases, the objective is to gain information on your rival with the aim of outmanoeuvring them or, in some cases, sabotaging them.

In this case, the email is normally crafted to look like it came from a supplier or perhaps a senior person within the company, and carries a sense of urgency. This, it's hoped, will make the recipient more likely to respond with the information quickly, suppressing any doubts before they can be acted on.


This can be part of a much longer campaign that involves many other types of cyber attack like spyware and specially created malware to harm industrial machinery or national infrastructure.

Phishing subtypes

Under the umbrella of "phishing", security researchers have identified a number of sub-groups that are even more targeted in their approach, with the two most common being spear phishing and whaling.

Spear phishing

Spear phishing is a phishing campaign that targets a specific individual or company. This technique requires more effort on the part of the cyber criminal, as they need to do background research in order to create a personalised phishing email. Between 2013 and 2016, business email compromise (BEC) attacks carried out through spear phishing led to losses of over $3 billion, according to Symantec's 2017 Internet Security Threat Report.

Whaling

Whaling is like spear phishing, but it's even more targeted, focusing on the likes of CEOs and CFOs within a business. These emails are crafted to look like an urgent item a senior person must deal with, such as a customer complaint or a court subpoena. Related scams impersonate the executive instead of targeting them, sending staff in finance an urgent demand to transfer a large sum of money.


The Symantec report said that "these scams can be damaging as they require little technical expertise but can reap huge financial rewards for the criminals and significant losses for the companies involved. For example, early in 2016, an Austrian aerospace company fired its CEO after it lost almost (USD) $50 million to BEC scammers".
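The executive-impersonation and urgent-transfer pattern described in the espionage and whaling passages above leaves traces in the message headers that a mail gateway or SOC analyst can check before anyone in finance acts on it: a display name that matches a known executive but an address that does not, a Reply-To pointing away from the From domain, and urgency language combined with a payment request. The block below is an added example, not code from the article or from Symantec; the company domain, the executive directory and the keyword lists are assumptions, and the three messages are constructed samples.

```python
"""Flag spear-phishing / BEC messages that impersonate a senior person.
Added example; COMPANY_DOMAIN, EXECUTIVES and the keyword lists are assumed."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"                        # assumed
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}     # assumed directory
PAYMENT_WORDS = ("wire transfer", "bank transfer", "payment", "invoice")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _text(msg) -> str:
    """Concatenate the text/plain parts (works for single-part mail too)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(parts)


def bec_indicators(raw: str) -> list:
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    key = " ".join(name.split()).lower()          # normalise display name
    findings = []
    # Display name of a known executive, but not their directory address
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("exec-display-name-spoof")
    # Sender domain is outside the company at all
    if addr and _domain(addr) != COMPANY_DOMAIN:
        findings.append("external-sender")
    # Replies are silently redirected away from the apparent sender
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to-mismatch")
    # Urgency language together with a request to move money
    content = (msg.get("Subject", "") + "\n" + _text(msg)).lower()
    if any(w in content for w in URGENCY_WORDS) and any(w in content for w in PAYMENT_WORDS):
        findings.append("urgent-payment-request")
    return findings


# Constructed samples, not real traffic.
SPOOFED = (
    "From: Jane Doe <jd.exec@webmail.example>\n"
    "To: finance@examplecorp.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "I need you to process a wire transfer of 48,000 before close of business today.\n"
)
REPLY_TO_HIJACK = (
    "From: Jane Doe <jane.doe@examplecorp.com>\n"
    "Reply-To: jane.doe@webmail.example\n"
    "To: finance@examplecorp.com\n"
    "Subject: Supplier invoice\n"
    "\n"
    "Please send me the invoice payment details immediately, I am in a meeting.\n"
)
BENIGN = (
    "From: Bob Smith <bob.smith@examplecorp.com>\n"
    "To: finance@examplecorp.com\n"
    "Subject: Lunch\n"
    "\n"
    "Anyone free at noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply-to", REPLY_TO_HIJACK), ("benign", BENIGN)):
        print(label, bec_indicators(raw))
```

None of these indicators is proof on its own (executives do mail from personal accounts, and urgent invoices are real), which is why the function returns every indicator it finds rather than a verdict: two or more together on a message that asks finance to move money is the point at which a phone call to the supposed sender, on a number you already hold, is cheaper than the alternative.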
