What You Need to Know About Phishing
It sounds odd, phishing. While you might think it’s fishing in the dark (cue Nitty Gritty Dirt Band) or some tribute to the band Phish, (cue Sample in a Jar) it’s neither. Phishing is a type of cyber attack, wrapped in social engineering, smothered in malware sauce. Delicious.
So what is Phishing?
Phishing is a type of cyber attack that uses social engineering usually in the form of an email to get a user to click a malicious link or attachment to steal vital information.
What makes phishing so devious is that the hackers will attempt to use our trust to manipulate people to do what they want, which is to steal some sort of access or information. Many times victims don’t know what happened at all or that they played a role in their own hack.
Some of the more famous phishing attacks are seemingly absurd. Remember the Nigerian Prince email scam? It went something like this:
A Nigerian Prince you’ve never heard of has found out that you are a good and honest person. This prince is trying to move his family’s fortune out of Nigeria and he wants you to send your banking information so he can deposit his money into your bank account. Then when he comes to America, he’ll let you keep $50 thousand$100 million for your good deed.
Now, this sounds ridiculous. But it worked. In fact, according to a CNBC article, a variation of this phishing attempt was still working in 2019 and raking in big bucks. Crazy, right?
Why do Phishing Attacks Work?
Phishing attacks like the Nigerian Prince work because you, the target, want to help. You are a good and helpful person who would certainly help out someone overseas, right? That’s what they're banking on.
They are preying on your good nature. Hackers send this email a few thousand times and they only had to catch a few fish for it to be worth it.
Email fatigue is exactly what it sounds like and chances are you’ve felt this before. Hackers know that we get hundreds of emails a week and they’re betting that after you read email number 127 that you’ll be more likely to drop your guard and click on a malicious link.
According to BleepingComputer.com, 94% of malware is delivered by email. This just goes to show us that the weakest link in our cybersecurity is us, the humans. Hackers know we get tired of reading emails and we’re not as sharp. So they exploit that with a little bit of social engineering and next thing we know, they’ve hooked us.
Common Types of Phishing
Phishing is sending a fraudulent email with a malicious link or attachment sent to many people attempting to steal sensitive data. Hackers hope they’ll get a few bites, but generally, they cast a wide net and see what they get.
Spear phishing, on the other hand, is more targeted. It’s targeting individuals and small groups. You may remember the big data breach at Sony Pictures. It was a spear phishing attack.
Hackers gathered open source information on Sony employees from LinkedIn and sent specific messages to these people. Sony lost 100 terabytes of data that ended up costing them $100 million dollars. This goes back to episode 128 of The Secure Dad Podcast on open source intelligence and to specifically be careful of what you put on LinkedIn.
Whaling is an ever more targeted attack on a specific person like an executive at a major company. These emails are very well done with a high degree of individualized social engineering. A simple attempt to get them to click on a link won’t work.
Whaling gets them to take action beyond the email to get them to do something they wouldn’t normally do. Think something along the lines of a con from one of my favorite movies, The Sting.
Then there is Angler Phishing. This one could happen to any of us. Hackers search for people like us who are expressing our frustration at a specific brand. They will contact victims on the same social media platform pretending to be a customer service representative of a brand.
They hope to get vital information via chat like account and credit card numbers. Victims make themselves a target when they post on social media that they are upset with a company. The hackers swoop in pretending to be someone helpful who can resolve their issue.
Takeaway: Don’t air your grievances on social media.
The last two things I’ll mention are smishing and vishing. No, I’m not making up any of these names. Smishing uses normal phishing techniques but is done via text. Vishing is a phone scam. (I'd like to talk to you about your car's extended warranty.)
What Happens When You Suspect a Phishing Attack?
If you read the subject line of an email and it sounds fishy, then delete it immediately. If you click on it and open it up, then delete it as soon as you realize it could be malicious.
Whatever you do, do not click on any links or open any attachments. This is when bad things happen. Usually, a click on a link or an attachment triggers the hack.
If you get a link from a friend or business associate that you think might be a malicious link, then try to use Google to find the link independently. Don’t click on it, find it on your own.
You might be wondering what is the most effective way to stop a phishing attack. There are software programs out there that will scan your email. Chances are your office has something like this that the IT department runs.
Honestly, the best way to combat phishing is education.
So congratulations, you’re more educated on this than you were 20 minutes ago so you’re already moving in the right direction. Also, remember to be vigilant, don’t let email fatigue cost you your email address, an online account, or worse your bank account, stay alert.
All things considered, use your gut when you read an email that doesn’t seem right. Don’t diminish the little voice in your head, listen to it. It’s trying to help you.
Don’t get me wrong, it can be hard to see one of these attacks coming, but you have to question what you see in order to protect yourself and your network. I hope to revisit this topic in the future once more research can be conducted.