What is phishing?
From banking scams to industrial espionage, we look at why phishing is so lucrative
Balanced scepticism is an undervalued trait these days. Treating every email with the same scrutiny is obviously tiring, but the fact that most people don't is exactly why phishing remains such a lucrative hacking technique.
Phishing is a rather personal attack method, attempting to trick you into believing that a trusted source - the taxman, your employer, even your friends - needs something from you. This could be information, bits of identifiable data, or even money. The most common request is for login credentials, which can then be used to gain access to larger jackpots.
Email has become the platform of choice for phishing, and hackers leaned on it particularly heavily during the COVID-19 pandemic, with the number of phishing attacks reported to have increased by 220% in 2020. Much of this has centred on the coronavirus itself, with hackers playing on people's fears of the virus.
In the first few weeks of the outbreak, the World Health Organisation reported an increase in phishing attacks. Hackers were looking for information on the pandemic or to disrupt the work of those trying to combat it. This has evolved along with the outbreak and hackers have also reportedly tried to phish companies making vaccines.
The continued rise in phishing suggests that the human element of cyber security is still the weakest link. Getting someone to open a malicious email attachment is a simple method of attack, but it keeps proving to be one of the most effective.
In 2019, whole towns in Florida were shut down with ransomware, and in one case it was reportedly due to a government official opening a malicious email attachment.
History of phishing
While a theoretical phishing technique was first described in 1987, this type of attack only really started to gain popularity in the 1990s, with the advent of the consumer internet.
One of the earliest examples of phishing was known as AOHell and was a customer service ruse. This hacking tool targeted AOL users and allowed the attacker to masquerade as a customer service representative. The target user would be encouraged to hand over their password; if they did, the attacker could then use their account for nefarious purposes.
This element of using underhand tactics remains the defining feature of phishing, although the number of types and techniques has expanded significantly.
Here's what you need to know about some of the types of phishing attack you may come across and the motivations of the attackers.
COVID-19 phishing attacks
Hackers have taken advantage of the global COVID-19 pandemic, which has forced businesses to grapple with a new way of working as employees moved from a traditional office environment to a remote working setup.
Google, for example, has recorded a huge surge in phishing emails sent during the pandemic. The company said that it's now blocking upwards of 100 million phishing emails a day, almost 20% of which were related to COVID-19. These emails, which often impersonate government organisations and company clients, have been designed to target employees working from home, small businesses, and organisations hit by the government-imposed lockdown.
Microsoft in May also warned of a "massive" phishing campaign that uses coronavirus-themed emails to deliver attachments containing malicious Excel 4.0 macros. These malware-laced emails, which carry the subject line "WHO COVID-19 SITUATION REPORT", claim to come from the Johns Hopkins Center for Health Security and show a graph purporting to display coronavirus cases in the US.
It's not just those working from home who are being targeted by phishing emails during the pandemic: the NHS has also been flooded with them during the crisis. NHS staff have received some 43,108 malicious emails since the beginning of the pandemic, with half of these landing in inboxes during March alone.
Financial phishing attacks
Financially motivated phishing attacks have been used for a long time and take on many different guises.
Many of us will be familiar with the so-called Nigerian Prince scam emails, whereby the victim is contacted by a person alleging to be a representative of a Nigerian prince who, for whatever reason, wants to transfer some of his wealth out of the country and will give the victim a cut of the money if they let the scammer use their bank as a conduit. Other variations include the death of a long-lost relative or, more recently, a friend or family member who has been robbed while on holiday and needs an emergency loan.
Normally, this scam results in a loss of money - not because bank details are handed over, but because the victim is asked to pay money out to the scammer first, who they never hear from again.
This is a very basic form of a financial phishing attack, but others are much more sophisticated. Scammers are sending out increasingly well-crafted emails that appear to be genuine messages from real banks. This type of attack is aimed at getting a user to enter all their bank or credit card details into a website accessed through a link in the phishing email that looks like the genuine article but is in fact owned by the criminals. Once that is done, the phisher can use the details as if they were the legitimate cardholder or bank customer.
Account takeover
Account takeover is what the first phishing attacks were geared towards: gaining access to another person's online account, whether it's on social media, email, a forum or something else, and then taking control of it.
This is typically done via a malicious link sent in a legitimate-looking email, instant message or direct message. Once the user clicks on it, they will be taken to a realistic-looking website operated by the attackers and, much like the banking attacks mentioned above, asked to enter their username and password.
The purpose of an account takeover could be to send spam from that email address or social media account; to find out further information about the person, including financial information or other sensitive data; or as a form of protest - rival ideologies at the fringes of politics have been known to take over and shut down the accounts of their opponents, for example.
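The credential lure described above relies on a link whose visible text looks like the genuine site while its real destination is a host the criminals control. The following is an added example, not code from the article, of how a mail gateway or triage script can surface that trick: it pulls every anchor out of an HTML body and flags (1) visible text naming a different domain from the href, (2) a trusted brand name buried inside an untrusted host, and (3) punycode (IDN) hosts that can hide look-alike characters. The trusted-domain list, brand keyword and sample email are constructed for illustration.

```python
"""Flag credential-phishing links in an HTML email body (added example)."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed: the domains the impersonated brand really sends from, and the
# brand keyword attackers like to embed in look-alike hosts.
TRUSTED_DOMAINS = {"examplebank.com", "mail.examplebank.com"}
BRAND_KEYWORDS = {"examplebank"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; a real
    deployment should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> Optional[str]:
    """Host named by a URL or bare domain string, or None if it isn't one."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href: str, text: str) -> List[str]:
    """Reasons a single anchor looks like a credential lure (empty if none)."""
    reasons: List[str] = []
    link_host = host_of(href)
    if link_host is None:
        return reasons
    if any(label.startswith("xn--") for label in link_host.split(".")):
        reasons.append("punycode host")
    shown_host = host_of(text)
    if shown_host and registered_domain(shown_host) != registered_domain(link_host):
        reasons.append(f"display text {shown_host} != link host {link_host}")
    if link_host not in TRUSTED_DOMAINS and registered_domain(link_host) not in TRUSTED_DOMAINS:
        if any(k in link_host for k in BRAND_KEYWORDS):
            reasons.append(f"brand name inside untrusted host {link_host}")
    return reasons


def scan_email(html: str) -> List[Tuple[str, List[str]]]:
    """Return only the anchors that raised at least one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample: one subdomain trick, one genuine link, one IDN look-alike.
SAMPLE_EMAIL = """<p>Dear customer, unusual activity was detected on your account.</p>
<p><a href="http://examplebank.com.verify-account.net/login">https://examplebank.com/login</a></p>
<p><a href="https://examplebank.com/help">Help centre</a></p>
<p><a href="http://xn--examplebnk-fxa.com/">examplebank.com</a></p>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The genuine help-centre link passes because its host is on the allowlist, while the other two are flagged for different reasons: the first puts the brand's domain in a subdomain of a throwaway host, the second uses an IDN host whose decoded form would look like the brand to a human.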
Espionage phishing attacks
This category covers both industrial espionage and state-level snooping. In both cases, the objective is to gain information on a rival with the aim of outmanoeuvring them or, in some cases, sabotaging them.
In this case, the email is normally crafted to look like it came from a supplier or perhaps a senior person within the company and has a sense of urgency. This, it's hoped, will make the recipient of the email more likely to respond with the information quickly, suppressing any doubts if they do arise.
This can be part of a much longer campaign that involves many other types of cyber attack like spyware and specially created malware to harm industrial machinery or national infrastructure.
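The espionage and business email compromise lures described above share a shape: a message that appears to come from a supplier or a senior colleague and presses for a quick reply. The following is an added example, not the article's own material, of the header and content checks a mail filter can apply before a human ever sees the urgency cue: a known display name arriving from the wrong address, a Reply-To that silently diverts the conversation, a claim to be from the corporate domain without a DMARC pass, and urgency wording. The corporate domain, executive directory and both sample messages are constructed.

```python
"""Triage a raw email for business-email-compromise signals (added example)."""
import email
from email import policy
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "example.com"                              # assumed corporate domain
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}    # assumed executive directory
URGENCY = ("urgent", "immediately", "wire", "today", "confidential")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_signals(raw: str) -> List[str]:
    """Return human-readable reasons the message looks like BEC (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals: List[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    # 1. A trusted display name coming from an address we don't know.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        signals.append(f"display name '{name}' expected {expected}, got {addr}")

    # 2. Claims our own domain but the receiving MTA did not record dmarc=pass.
    if from_dom == OUR_DOMAIN:
        auth = str(msg.get("Authentication-Results", "")).lower()
        if "dmarc=pass" not in auth:
            signals.append("claims our domain but DMARC did not pass")

    # 3. Reply-To steering replies to a different domain than the From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        signals.append(f"Reply-To {reply} differs from From domain {from_dom}")

    # 4. Pressure language in subject or plain-text body.
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = sorted({w for w in URGENCY if w in subject or w in text})
    if hits:
        signals.append("urgency cues: " + ", ".join(hits))
    return signals


# Constructed BEC-style message: look-alike domain, diverted replies, pressure.
SUSPECT = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: Jane Doe <ceo.janedoe@webmail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.co; dmarc=none
Content-Type: text/plain; charset=utf-8

Hi, I need you to process a supplier payment today. I'm in a meeting,
so just reply here with the confirmation.
"""

# Constructed legitimate message from the real executive address.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Is the team free for lunch on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, bec_signals(raw))
```

None of these checks is conclusive on its own; the value is in combining them, and the urgency heuristic in particular is a substring match that will catch "wireless" as readily as "wire". Treat the output as a score to route the message for review, not as a verdict.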
Spear phishing and whaling
Under the umbrella of "phishing", security researchers have identified a number of sub-groups that are even more targeted in their approach, with the two most common being spear phishing and whaling.
Spear phishing is a phishing campaign that targets a specific individual or company. This technique requires a bit more effort on the part of the cyber criminal, as they need to do more background research in order to create a personalised phishing email. According to one industry survey, 88% of organisations worldwide reported spear-phishing attacks in 2019.
Whaling is like spear phishing, but even more targeted, focusing on the likes of CEOs and CFOs within a business. These emails are crafted to look like an urgent item a senior person must deal with, such as a customer complaint or a court subpoena. The scams often then demand the transfer of a large sum of money, a pattern also known as business email compromise (BEC).
A Symantec report said that "these scams can be damaging as they require little technical expertise but can reap huge financial rewards for the criminals and significant losses for the companies involved. For example, early in 2016, an Austrian aerospace company fired its CEO after it lost almost (USD) $50 million to BEC scammers".