The fight against Phishing

Francesco Cacheo
5 min read · Apr 15, 2019

Phishing is a type of social engineering in which an attacker attempts to fraudulently obtain a user’s confidential credentials by mimicking electronic communications from a trustworthy organization, usually in an automated fashion. A phishing attack typically involves three stages. First, the attacker uses a mailer to send out large volumes of fraudulent emails that direct users to fraudulent websites. Next, those fraudulent websites prompt users to provide confidential information. Finally, the attacker uses that information to achieve a pay-out. Since the term “phishing” was introduced in 1995, the technique has spread well beyond email. The first publicly recorded phishing attack took place on January 2, 1996: phishers messaged America Online (AOL) users claiming to be AOL employees and asked them to verify their accounts and hand over billing information. Nowadays, phishing has spread to VoIP, SMS, instant messaging, social networking sites and even multiplayer games.

The three main types of phishing are clone, spear and phone phishing. Clone phishing involves creating a cloned email: the phisher takes the content and recipient addresses from a legitimate email and resends the same message with its links replaced by malicious ones. The phisher can also employ address spoofing so that the email appears to come from the original sender. Unsuspecting users will most likely click the link and enter their credentials, which the phisher then steals. With spear phishing, instead of sending huge numbers of emails at random, the phisher targets a selected group of people with something in common, such as members of the same organization. This type of phishing takes more time because it requires pre-attack reconnaissance such as finding names, job titles and email addresses. According to a 2016 report, spear phishing was responsible for 38% of cyberattacks on enterprises during 2015. The average cost of a spear phishing attack was $1.8 million per incident. Spear phishing aimed at high-level targets is called “whaling”. Phone phishing has become extremely popular lately with the increase in spam calls. In this type of attack, a phisher claims to be a representative from a local bank, the police, or even the IRS, then tries to scare you into handing over your account information or paying a fine by wire transfer or with prepaid cards. SMS phishing usually involves a phisher sending a message containing a malicious link to click. Mobile phishing has increased by 85% every year since 2011, according to a report by Lookout. Attackers are now also taking advantage of heavily used social media platforms such as WhatsApp, Facebook Messenger and Instagram. Some risks specific to mobile devices are apps that lack built-in security, WiFi networks monitored by attackers, Bluetooth that can spread viruses, and human error such as lost or stolen devices.

Phishers use various techniques to make their attacks less suspicious. Email spoofing is a common technique in which the phisher sends an email whose sender address and parts of the header have been altered to deceive the recipient into thinking the email is genuine; the email then carries a link to the phisher’s spoofed website. With web spoofing, the phisher forges a website to look like a legitimate one, tricking victims into believing the site is genuine and entering their password and personal information, which the phisher collects from the spoofed site. Phishers can also use these techniques to implant malware on the victim’s computer. Such malware can collect confidential information from the victim’s computer, such as keystrokes, screenshots, clipboard content and program activity, and send it directly to the phisher.

Phishing can be dangerous to individuals and organizations, which leads to the question: how can I protect myself? One of the best ways to avoid becoming a victim is to train end users to recognize a phishing scam. User education is extremely important because it doesn’t matter how many firewalls, encryption tools, certificates, or multi-factor authentication (MFA) deployments an organization has if an individual still falls for a phisher’s tricks. One of the most famous phishing attacks was in 2013, when 110 million customer and credit card records were stolen from Target through a phished subcontractor account. Another infamous event was launched by Fancy Bear (a cyber espionage group tied to Russian military intelligence): Hillary Clinton’s campaign manager’s email was hacked after he fell for a phishing attack that tricked him into giving up his email password. With phishing attacks becoming more common and more dangerous, organizations have implemented more training and education for their staff to combat phishing. Some studies have shown that anti-phishing education can reduce the rate at which users enter information into phishing webpages by 40%. Unfortunately, this has also made some users paranoid and less likely to click on legitimate links. The government has also looked into fighting phishing through legal action. In 2005, a bill named The Anti-Phishing Act of 2005 was introduced, “A bill to criminalize Internet scams involving fraudulently obtaining personal information, commonly known as phishing”. The bill proposed a five-year prison sentence and/or a fine for individuals who committed phishing attacks. Even though the bill was not passed at the federal level, some states such as California, New Mexico, Arizona and Texas have strict anti-phishing laws in place.

Recognizing a phishing attempt can be difficult, depending on the skills of the phisher. Some signs of a phishing attempt are an email that sounds too good to be true, such as a message saying that you won the lottery or some sort of expensive prize. Be wary of messages containing alarming language that creates a sense of urgency and pushes you to “act now”. Also be careful with messages that contain unusual attachments; these can carry malware, ransomware or some other online threat. Watch for emails that contain links that seem a little off, and look for misspellings, which can indicate fakery. Training the users in an organization to spot these warning signs and practice safe computing helps decrease the odds of becoming a victim of a phishing attack. If you think you have been the victim of a phishing scam, change your passwords: your computer, your financial institutions and any other password-protected websites. If you have an anti-virus on your computer, run a full system scan.
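As an added example (not code from the original post), here is a small Python checker that turns the warning signs above, plus the altered sender headers discussed under email spoofing, into concrete checks against a constructed sample message. The keyword list, the look-alike character map and the sample addresses are assumptions for illustration, not a vetted rule set.

```python
"""Flag the phishing warning signs the post lists, for a raw email message."""
import re
from email import message_from_string, policy

# Constructed sample message (not from the post): spoofed display name,
# alarming language, a Reply-To on a third-party domain, and a link whose
# visible text and real target differ by a single look-alike character.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@free-mailbox.test
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<p>Act now or your account will be permanently closed.</p>
<p><a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>
"""

URGENCY = re.compile(r"\b(urgent|act now|immediately|suspended|within 24 hours)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})  # assumed digit/letter swaps

def site(url_or_host: str) -> str:
    """Registrable-looking domain (last two labels) of a URL or host, lower-cased."""
    host = re.sub(r"^[a-z]+://", "", url_or_host.strip(), flags=re.I).split("/")[0]
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw: str) -> list[str]:
    """Return the warning-sign labels found in an RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    found = []
    sender = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender:
        found.append("reply-to-mismatch")        # replies are routed to another domain
    if URGENCY.search((msg["Subject"] or "") + " " + body):
        found.append("urgent-language")          # pressure to "act now"
    for href, label in ANCHOR.findall(body):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if "://" in shown and site(shown) != site(href):
            found.append("link-text-mismatch")   # the link "seems a little off"
            if site(shown).translate(CONFUSABLES) == site(href).translate(CONFUSABLES):
                found.append("lookalike-domain")  # differs only by a confusable character
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EMAIL))
```

A message with none of these traits returns an empty list, so the function can be dropped into a mail-gateway or user-reporting workflow as a first-pass triage signal.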

Francesco Cacheo

Cybersecurity Analyst with a strong interest in network security, endpoint security, incident response and vulnerability analysis.