What is Phishing?
By Nick Anderson 6 minutes
Phishing comes from the word ‘fishing’. In the context of cyberfraud, it describes the act of tricking users into revealing personal and sensitive information. As a user, you hold information that could be valuable for cybercriminals, like bank account and social media login details.
It remains one of the biggest threats you could face during your time on the internet. According to the Federal Bureau of Investigation (FBI), phishing resulted in a reported loss of over $54 million in 2020.
It is very important to educate yourself on what phishing is so that you can identify it and prevent an incident.
What is Phishing – How Cybercriminals Target You
Imagine that you just received an email saying that your account has been suspended or deactivated. The email explains that an action is required to reactivate the account. It could be your bank or cloud service account that you wouldn’t risk losing. The email asks you to visit the link and enter the credentials on what looks like the bank or service’s website.
If you enter the details and press enter, you have become a victim of phishing.
The goal of a phishing email is to look authentic so that it escapes your scrutiny. The sender’s email address will be modelled on the address of the service it’s impersonating, but look closely and you will find a misspelling. Similarly, banks don’t ask for your username and password or ask you to click on a link, neither by email nor by SMS. Keep that in mind before clicking on any link or downloading an attachment.
Phishing as Trojan for Malware
Trojan is the term given to software that appears legitimate but stealthily installs malware on your device. The same can be said for attachments in phishing emails that appear to be legitimate files. In reality, the attachment is malware that will execute once you download and open it on your device.
Here are a few things you must do if you receive an email that could be phishing.
- Verify the sender’s email address. Look for any misspelling in the address; even a single wrong letter will confirm it’s fake.
- Is the email trying to create a sense of urgency? Be wary of following up with immediate action. If the email appears to be from someone familiar and demands money, call up the person and verify.
- Never click on links in unverified emails. Some phishing emails may use link shorteners like bit.ly that conceal the actual URL.
- Keep your device protected with an anti-virus that can scan emails for malware and malicious URLs.
- If you are a business, educate your employees to identify phishing.
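The checks in this list can be automated. The script below is an added example, not part of the original article: it takes an email’s From header and HTML body, flags a sender domain that is only a misspelling or look-alike of a domain you actually deal with, flags links that point somewhere other than the address they display or that go through a shortener such as bit.ly, and picks out the urgency wording the article warns about. The allowlist of known domains, the sample messages and the shortener list are constructed for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allowlist: domains this recipient actually does business with (assumption).
KNOWN_DOMAINS = {"examplebank.com", "cloudservice.example"}

# Link shorteners that hide the real destination; bit.ly is named in the article,
# the rest are common examples.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Wording the article associates with a manufactured sense of urgency.
URGENCY_WORDS = ("suspended", "deactivated", "immediately", "within 24 hours", "urgent")

# Characters commonly swapped for look-alikes in fake domains; fold them before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-letter misspellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and fold confusable characters ('examp1e' -> 'example', 'rn' -> 'm')."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def check_sender(from_header: str) -> List[str]:
    """Compare the sender's domain against the allowlist and flag look-alikes."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_DOMAINS:
        return []
    for known in KNOWN_DOMAINS:
        if normalize(domain) == normalize(known) or edit_distance(domain, known) <= 2:
            return [f"sender domain {domain!r} looks like {known!r}"]
    return [f"sender domain {domain!r} is not a known contact"]


def _check_host(url: str, host: str) -> List[str]:
    out = []
    if host in SHORTENER_DOMAINS:
        out.append(f"shortened link hides destination: {url}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        out.append(f"link uses a raw IP address: {url}")
    return out


def check_links(body: str) -> List[str]:
    """Flag anchors whose visible text names a different host than their href, plus shorteners/IPs."""
    findings, seen = [], set()
    for href, text in ANCHOR_RE.findall(body):
        seen.add(href)
        host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname  # None unless the link text is itself a URL
        if text_host and text_host != host:
            findings.append(f"link text shows {text_host!r} but points to {host!r}")
        findings.extend(_check_host(href, host))
    for url in URL_RE.findall(body):  # bare URLs outside anchors
        if url not in seen:
            findings.extend(_check_host(url, urlparse(url).hostname or ""))
    return findings


def check_urgency(body: str) -> List[str]:
    text = re.sub(r"<[^>]+>", " ", body).lower()
    return [w for w in URGENCY_WORDS if w in text]


def analyze(from_header: str, body: str) -> Dict[str, List[str]]:
    return {"sender": check_sender(from_header),
            "links": check_links(body),
            "urgency": check_urgency(body)}


# Constructed sample messages (not real mail).
PHISHING_FROM = "Example Bank Security <alerts@examp1ebank.com>"
PHISHING_BODY = ('<p>Your account has been suspended. Action is required immediately.</p>'
                 '<p>Click <a href="http://bit.ly/abc123">https://examplebank.com/login</a> '
                 'to reactivate.</p>')
LEGIT_FROM = "Example Bank <alerts@examplebank.com>"
LEGIT_BODY = ('<p>Your monthly statement is ready at '
              '<a href="https://examplebank.com/statements">https://examplebank.com/statements</a>.</p>')

if __name__ == "__main__":
    for label, hdr, body in (("phishing", PHISHING_FROM, PHISHING_BODY),
                             ("legitimate", LEGIT_FROM, LEGIT_BODY)):
        print(label, analyze(hdr, body))
```

The sender check never relies on the display name, because that part of the From header is free text the sender controls; only the domain after the `@` is compared. A message with no findings is not proof of legitimacy, so treat the output as a prompt for the manual verification steps above rather than a verdict.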
Types of Phishing
Phishing is an umbrella term for malicious activity that involves tricking users into revealing personal or financial information like passwords, social security numbers, OTP, and such. The target of phishing ultimately defines its type.
Spear phishing targets a specific group or person instead of a large number of people. Ordinary phishing, by comparison, is a one-size-fits-all technique that targets hundreds or thousands of people. It’s like throwing a large fishnet in the sea and expecting a few catches.
In contrast, spear phishing involves a lot of preparation and a message that is specific to that group or person. It will usually target mid-level employees of an organization, for example. Spear Phishing requires knowing the target to establish familiarity. It could be anything like a piece of information that you would expect a few people to know or something related to your organization. Cybercriminals could impersonate a vendor and ask for payment by targeting the finance department.
Once trust has been established, cybercriminals could even install malware on your device by asking you to download an attachment. The malware is usually spyware that records information from the device and can also have the worm-like capability to spread through the network. It could also be ransomware, which encrypts data on the device, leaving you unable to access important files without paying the ransom.
A Whaling Attack focuses on one high-level target, such as the CEO, CFO, or CTO of an organization. The target is big, hence the preparation will be tenfold that of a typical phishing attack. The cybercriminals will use information collected through other social engineering techniques.
Infecting a high-level employee’s device means access to confidential information. Moreover, it can also give enough information to cybercriminals to strengthen phishing attacks against other employees, such as requesting urgent money from the finance department using the CEO’s email address and including specific information that avoids detection.
Another way of getting you to install malware is by impersonating the IT department. By making it sound like an urgent and important update, cybercriminals could succeed in the attack.
What is Smishing?
Emails are not the only medium that cybercriminals utilize. Smishing refers to phishing through SMS. Cybercriminals could text you while impersonating your bank or a service provider, informing you that a particular action is required.
It may contain a link, or you may be asked to reply in the conversation with the information.
What is Vishing?
Vishing is another form of phishing that involves phone calls. You would see cybercriminals impersonating banks most often because financial information is the most valuable to any criminal. The visher can ask you to verify some bank details and read back an OTP (One-Time Passcode) sent for your account.
If the visher gets hold of two-factor authentication information like an OTP, they can get into your bank account. The OTP could also be for verifying a transaction that the cybercriminal is trying to make through your account.
Sextortion – When Phishing Gets More Aggressive
You might not always receive a seemingly polite email that asks you for information. Sextortion is a rising scam that plays on the target’s fear. Derived from the word extortion, sextortion emails typically inform you that the sender has compromising pictures or videos of you, and that you have been active on pornography websites recently.
The email will say the picture/video was taken by hacking your webcam or phone’s camera through spyware installed on your device. The cybercriminal will demand some payment, usually in the form of cryptocurrency, if you don’t want the picture/video leaking out.
Do not worry about it. These are just scare tactics to get you to pay up. It may even include your password so that you take the message more seriously. However, it is all simply a scam that is using information gathered from social engineering techniques or passwords from a data breach.
Whether you are an organization or an individual, there is an urgent need for education on phishing and various other cybercrimes. Phishing has claimed many victims over the years. Seek help from cybercrime prevention entities in your state/country if you have been a victim of a scam.