Phenom
PHISHING 101 

What is Phishing?

Phishing is a fraudulent attempt to obtain sensitive information such as login credentials and card numbers by posing as a legitimate institution or individual, usually through email, text messages, or phone calls. The message tricks the recipient into clicking a link, downloading an attachment, or handing over personal information.

Anyone can send a phishing message. Creating an email account is free, and cybercriminals can harvest target addresses from many sources: breached databases, company websites, and public social media profiles. Anyone can also receive a phishing message and fall victim to it.

Where Did Phishing Come From and How Did it Evolve?

Did you know that the term phishing was coined in 1996? Back then, hackers targeted the leading Internet provider, America Online (AOL), through instant messages or emails to trick people into divulging their AOL passwords. The name plays on fishing: these cybercriminals cast hooks to fish for passwords from the sea of online users. Once they had the passwords, the attackers took over the victims' accounts and used them to send spam and further phishing emails.

Back then, amateur phishing was easy to recognize by its grammatical errors and glaring typos. Awareness campaigns focused on these poorly written emails, and for many years people were conditioned to think that typos and bad grammar were the only red flags for phishing.

However, phishing has evolved considerably over the years. Hackers discovered how profitable it is and developed techniques to keep up with the growing trend. Many phishing emails are now professionally produced, with impeccable grammar, proper layout, and sender domains that resemble legitimate ones (e.g., Facebo0k vs Facebook). Emails are now targeted at specific groups of people and usually appeal to emotions such as fear ("your account has been locked"), urgency ("click now or else"), and the desire for a reward ("you won a discount").

As phishers became more professional and financially motivated, the need to educate people on spotting phishing attacks became more critical.

Is Phishing Limited Only to Email?

Phishing comes in various forms, not just through emails.

Smishing

Smishing is the term for phishing through SMS. Like emails, senders pretend to be from a legitimate organization to lure people into clicking on links or responding with their personal information.

Vishing

Vishing, on the other hand, is phishing through phone calls. In Filipino terms, it is the equivalent of budol-budol: scammers impersonate client-facing employees such as customer service representatives or bankers to trick users into providing sensitive information.

Since email remains the most common channel, hackers have devised several ways to present phishing emails. The most common types are:

Spear-phishing

A targeted form of phishing email sent to well-researched victims. For instance, if the hacker knows your job involves handling payments, you are likely to receive emails containing invoice confirmations or transaction inquiries.

Pharming

A hacker redirects the user to a fake website instead of the legitimate one. Unlike an ordinary phishing link, pharming works by tampering with name resolution (for example, poisoning a DNS server or editing the hosts file on the victim's machine), so the user can land on the fake site even after typing the correct web address. These websites capture the user's personal data, such as banking information and login credentials.

Email Hijacking

Perhaps the sneakiest and most difficult type of attack to detect, also known as business email compromise (BEC). Imagine a hacker gains access to your colleague's email account (most likely through phishing too), and after studying how the two of you communicate, defrauds you by impersonating your colleague and sending legitimate-looking emails from the real account.

What are the Cultural and Economic Implications of Phishing?

Phishing remains a global problem for individuals and businesses alike. According to a study by RiskIQ, $17,700 (about PHP 894,000) is lost every minute to phishing attacks worldwide.

In addition to account takeover and unauthorized access to systems, phishing also opens new doors for malware attacks such as spyware and ransomware. It can steal sensitive data, disrupt operations, destroy a reputation, compromise the organization’s entire infrastructure, and cause monetary loss.  

Industries that deal with valuable data, such as healthcare and finance, remain the prime targets for phishers. During the lockdown period, Google and Microsoft identified more than 18 million daily phishing emails featuring COVID-19.

A study by Kaspersky revealed that phishing attempts in the Philippines increased by 158% during Q1 of 2020. With the ongoing COVID crisis, small and medium business enterprises are reportedly more prone to phishing.

The act of tricking people into divulging their confidential information is not new. Social engineering (budol-budol) can easily be done through personal interactions, audio or video calls, and online messaging. In this period, when almost everyone is sharing information about themselves, primarily through social media, cybercriminals have an easier time crafting believable and well-targeted phishing attacks.

How Do You Fight Phishing?

Phishing is a never-ending battle in the technological landscape. There will always be phishing attacks that adapt to the latest trends and social events. Here are some #CyberSure tips to protect yourself from phishing:

Think before you click.

Phishing does not rely on exploiting a vulnerability in a system; it exploits human emotions. It is first and foremost a psychological attack.

Very often, phishers capitalize on fear and sense of urgency to make you click on links or attachments.

Take time to assess the contents of the email and ask yourself a few questions:

1. "Is the sender asking you to click on a link or open an attachment to avoid a negative consequence, or to gain something of value?"

2. "Do you recognize the email address of the sender?"

3. "Is the email a reply to something you never sent or requested?"

4. "Does the email include an attachment that you are not expecting or that is not related to your job?"

5. "If the sender is from your organization, does the content seem unusual or out of character?"

Pay attention to details.

Phishing emails are no longer riddled with grammar errors and spelling mistakes. But some details can still give away the fact that an email is fake: the sender's email domain (check the actual address, not just the display name), images and logos, generic salutations ("Dear Customer"), and signatures.
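The look-alike domains mentioned above (Facebo0k vs Facebook) and the advice to check the sender's actual address can be turned into a small triage check. The following is an added example, not code from the original article: it parses the From header, ignores the display name, undoes common character substitutions, and compares the domain against a short constructed list of protected brands. The brand list, the substitution table and the sample headers are assumptions made up for the example.

```python
import re
from email.utils import parseaddr

# Brands worth protecting; a constructed list for this example, not a real allowlist.
PROTECTED_DOMAINS = ["facebook.com", "paypal.com", "microsoft.com"]

# Character swaps that look alike on screen, as in the Facebo0k example above.
# Multi-character swaps come first so "rn" is fixed before "1" -> "l" could interfere.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def normalize(domain):
    """Undo common look-alike substitutions so facebo0k.com compares as facebook.com."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats (facebok.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain of the real address in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_sender(from_header):
    """Classify a From header as ok / lookalike / suspicious / unknown, with a reason."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "suspicious", "no usable address in From header"
    norm = normalize(domain)
    for brand in PROTECTED_DOMAINS:
        label = brand.split(".")[0]  # e.g. "facebook"
        # The brand itself or one of its own subdomains (mail.facebook.com).
        if domain == brand or domain.endswith("." + brand):
            return "ok", domain
        # Brand name buried in another domain: paypal.com.account-verify.net.
        if label in re.split(r"[.-]", domain):
            return "lookalike", f"{domain} embeds the label {label!r} of {brand}"
        # Confusable characters or a short typo: facebo0k.com, rnicrosoft.com, facebok.com.
        if norm == brand or levenshtein(norm, brand) <= 2:
            return "lookalike", f"{domain} resembles {brand}"
        # Display name claims the brand while the address lives somewhere else.
        if label in display.lower():
            return "suspicious", f"display name claims {label!r} but address is at {domain}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ["Facebook Security <security@facebo0k.com>",
                   "no-reply@mail.facebook.com",
                   "PayPal <service@paypal.com.account-verify.net>",
                   "Microsoft Account Team <alerts@evil.example>",
                   "it-helpdesk@rnicrosoft.com",
                   "newsletter@example.org"]:
        verdict, reason = assess_sender(header)
        print(f"{verdict:10} {header!r}: {reason}")
```

This is a triage heuristic, not a verdict: "unknown" only means the domain is not one you listed, and the edit-distance threshold of 2 should be tuned to the length of the brands you protect so that two unrelated short domains are not flagged against each other. It also says nothing about whether the message actually came from the domain shown, which is what SPF, DKIM and DMARC checks on the receiving mail server are for.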

Your OTP is yours only.

Your OTP, or One-Time Password, is a second layer of protection when logging in to your online accounts: even if someone gets hold of your password, they still cannot get in without the OTP. Never share it with anyone. No bank or legitimate service will ask you to read out or type your OTP for them, so a caller or email requesting it is a phishing attempt.

When in doubt, verify the sender.

If you have read the email carefully and are still unsure, verify with the sender through a different channel. For instance, if you received an email from your bank, call their customer service number (the one printed on your card or their official site, not the one in the email) and confirm that the email is legitimate. If you need to visit their website, do not click the link in the email; type the web address yourself and check your transactions there.

Use social media responsibly.

Cybercriminals try to personalize their phishing attacks to targeted users based on their job, affiliation, location, and interests. Make sure that your confidential information is not posted on social media, where hackers can use it against you. 

Be #CyberSure Anytime, Anywhere.
