What is a phishing attack and how can we prevent it?
Phishing explained
Phishing is a type of cyberattack or online fraud in which malicious individuals or groups attempt to deceive users into revealing sensitive information, such as passwords, social security numbers, credit card numbers, or other personal and financial data, or into taking an action such as opening a malicious attachment or approving a payment. Criminals typically do this by posing as a trusted entity, such as a bank, a government agency, a well-known service provider, or a senior executive of the victim’s own company. Phishing attacks can occur through various channels like email, text messages, phone calls, or even social media.
Here’s how a phishing attack typically works:
- The bait: The attacker sends a message or communicates with the victim, often impersonating a reputable organisation or person. This message can take various forms, such as an email claiming to be from a bank, a social media message from a friend’s compromised account, or a text message offering a fake prize.
- The hook: The message contains a call to action or a reason for the victim to take immediate action. This could be clicking on a link, downloading an attachment, sharing personal information, or visiting a website.
- The deception: The attacker goes to great lengths to make their message and associated websites or forms look legitimate. This includes using logos, branding and language that mimic the real organisation or person they are impersonating.
- The theft: When the victim takes the requested action, they unwittingly provide their sensitive information to the attacker. This information is then used for malicious purposes, such as identity theft, financial fraud, or unauthorised access to accounts.
Phishing comes in several forms, and attackers increasingly use more targeted variants such as spear phishing, vishing and smishing. Let’s take a closer look at each of these terms.
Spear phishing
Spear phishing is a targeted phishing attack in which cybercriminals customise their emails or messages to appear as though they are from a trusted source or legitimate entity. Unlike regular phishing attacks that cast a wide net and send generic messages to many potential victims, spear phishing is more precise and focused on a particular individual.
How it works:
- Research: Attackers gather information about their target, such as their name, job title, colleagues, interests, and other publicly available details (typically open-source research: social media profiles, the company website, press releases and data from earlier leaks). They then use this information to personalise the phishing message and make it more convincing.
- Creation: Next, the attacker creates tailored content that appears to come from a trustworthy source, such as a colleague, boss, bank, or a known service provider. The message often includes details that make it seem legitimate and relevant to the target. It also usually contains a call to action, such as clicking on a link, downloading an attachment, providing sensitive information like passwords or account numbers, or making a financial transaction. The goal is to trick the recipient into taking an action that benefits the attacker in order to steal sensitive information or spread malware.
- Delivery: The message is sent to the targeted individual through any channel – email, social media, instant messaging, etc.
- Exploitation: If the target falls for the spear phishing attack and takes the requested action, the attacker gains access to sensitive information or the victim’s system. This can lead to severe consequences, such as a data breach, financial loss, or a ransomware infection.
Spear phishing is the usual choice when the goal is a foothold in a corporate network, where generic mass mailings are more likely to be filtered or ignored. Because the message is personalised and refers to real colleagues, projects or suppliers, it is also much harder for both email filters and recipients to recognise than a generic phishing attempt.
Smishing
Smishing is a type of cyberattack that uses fraudulent or deceptive text messages (SMS) to trick individuals into taking specific actions. Like email phishing, smishing aims to steal sensitive information, spread malware, or initiate other malicious activity. The term “smishing” is a portmanteau of “SMS” and “phishing.”
How it works:
- Receipt: The target receives an unsolicited text message on their mobile phone. The message may appear to come from a legitimate source, such as a bank, government agency, delivery service, or well-known company. It may also contain urgent or enticing content to prompt the recipient to act.
- Deception: The smishing message usually contains a call to action, such as clicking on a link, calling a phone number, or providing personal information like credit card details, social security numbers, or account credentials.
- Exploitation: If the recipient follows the instructions in the smishing message, they may inadvertently reveal sensitive information or land on a website or app designed to steal their data, install malware on their device, or engage in other malicious activities.
- Consequences: Depending on the attacker’s objectives, the consequences of falling for a smishing attack can vary, including identity theft, financial fraud, unauthorised access to accounts, or the compromise of personal and sensitive information.
Smishing is mostly aimed at consumers, because text messages reach people on their personal phones, outside the email filtering and other controls that protect a corporate inbox.
Vishing
The term “vishing” (voice phishing) describes using voice communication, typically over the phone, to trick individuals into divulging sensitive information, such as personal passwords, identification numbers, credit card numbers, or other confidential data. Vishing attacks often involve manipulation and impersonation tactics to gain the victim’s trust.
How it works:
- Caller impersonation: The attacker poses as a trusted entity, such as a bank, government agency, tech support, etc. They may spoof the caller ID so that the call appears to come from a legitimate number; caller ID is trivially forged and proves nothing about who is actually calling.
- Urgency: The attacker often creates a sense of urgency or fear, claiming there is a problem with the victim’s account, security, or finances that requires immediate attention.
- Request: The attacker will ask the victim to provide sensitive information (social security numbers, bank account numbers, credit card details, passwords etc). They may also ask the victim to confirm or verify personal information.
- Threats: In some cases, attackers may threaten the victim with consequences (account closure, legal action, etc) if they don’t comply, or they may offer enticing rewards or benefits to encourage cooperation.
- Manipulation: Vishers may use various techniques to keep the victim on the phone and manipulate their emotions, making it more likely for them to share sensitive information.
- Consequences: If the victim provides the requested information, the attacker can use it for various malicious purposes, such as identity theft, financial fraud, or gaining unauthorised access to accounts.
Vishing attacks can be sophisticated and convincing, so it’s crucial to remain vigilant and verify the identity of callers before sharing sensitive information over the phone. The reliable way to do this is to hang up and call the organisation back on a number taken from its official website, your statement or the back of your card, never on a number the caller gives you.
How to protect against phishing?
- Be careful and aware: Be sceptical of any unsolicited message, especially one that asks for personal information, demands immediate action, or asks you to open an attached document. Being cautious about sharing sensitive information online and verifying the authenticity of messages, especially when they involve financial or confidential matters, is essential to mitigate the threat of phishing.
- Check everything meticulously: Verify the sender’s identity and the real website URL before clicking on links or providing personal or company information. Hover over (or long-press) a link to reveal where it actually goes, and read the domain immediately before the first slash: a familiar brand name appearing somewhere in the address proves nothing, as the message can use it as a subdomain of an attacker-controlled domain. If you’re unsure what to do, don’t hesitate to contact the organisation directly using official contact information or check with your internal IT security team.
- Use updated security software: Antivirus and anti-phishing software can help identify and block phishing attempts. Don’t forget to update and patch software regularly.
- Use multi-factor authentication: Enable MFA on every account that offers it, preferably a phishing-resistant method such as a FIDO2 security key or passkey, so that a password captured on a fake login page is not enough on its own to take over the account.
- Report: If you’ve received a phishing message, report it immediately to your IT security team. With your help, the phishing email can be spotted early, and the IT security team can prevent others from falling victim to the same scam.
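The checks described under “Check everything meticulously”, and the gap between what the victim sees and where a link really goes described under “The deception”, can be automated for email. The following Python script is an added example written for this article, not code from the original page: it parses one raw message with the standard library, reads the SPF/DKIM/DMARC verdicts that the receiving mail server recorded in the Authentication-Results header, and compares the display name, From, Reply-To and each link’s visible text against the real domains involved. The sample message, the brand acme-bank.example and every other domain in it are constructed for illustration, and registrable_domain() is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Triage one raw email for common phishing indicators.
Added example, not code from the original article: the message and domains are
constructed, and registrable_domain() is a simplification (no Public Suffix List).
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"acme-bank.example"}   # hypothetical brand the mail imitates
# Constructed sample: brand name in the display name, unrelated sender and Reply-To
# domains, SPF/DKIM/DMARC failures recorded by the receiving mail server, and a link
# whose visible text is not where it really goes.
PHISH_EMAIL = b"""\
From: "Acme Bank Security" <alerts@acme-bank-secure.example>
Reply-To: recovery@mail-verify.example
To: victim@example.org
Subject: Urgent: your account will be suspended in 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=acme-bank-secure.example; dkim=none; dmarc=fail header.from=acme-bank-secure.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your identity immediately:</p>
<p><a href="http://acme-bank.example.verify-login.example/session?id=9182">https://www.acme-bank.example/login</a></p>
</body></html>
"""

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host name (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def squash(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())   # so 'Acme Bank' matches 'acme-bank'

def parse_auth_results(msg):
    """Map method -> result, e.g. {'spf': 'fail'}, from the Authentication-Results header."""
    results = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:  # [0] is authserv-id
        method, _, rest = clause.strip().partition("=")
        if method and rest.strip():
            results[method.lower()] = rest.split()[0].lower()
    return results

def link_findings(text, href, trusted):
    """Flag links whose visible text disagrees with the target or that merely contain a trusted name."""
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    target_dom = registrable_domain(host)
    if text.lower().startswith(("http://", "https://")):   # text looks like a URL: compare domains
        shown_dom = registrable_domain(urlsplit(text).hostname or "")
        if shown_dom != target_dom:
            findings.append(f"link text shows {shown_dom} but points to {target_dom}")
    for brand in trusted:   # brand used as a subdomain of somebody else's domain
        if brand in host and target_dom != brand:
            findings.append(f"{host} contains {brand} but its registrable domain is {target_dom}")
    return findings

def triage(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable phishing indicators for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    auth = parse_auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable_domain(addr.rpartition("@")[2])
    if from_dom not in trusted and any(squash(b.split(".")[0]) in squash(display) for b in trusted):
        findings.append(f"display name '{display}' imitates a trusted brand but the sender domain is {from_dom}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registrable_domain(reply.rpartition("@")[2]) != from_dom:
        findings.append(f"Reply-To goes to a different domain ({reply})")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            findings.extend(link_findings(text, href, trusted))
    return findings

if __name__ == "__main__":
    for finding in triage(PHISH_EMAIL):
        print("-", finding)
```

Run as a script it lists seven indicators for the constructed message: the three authentication failures, the brand name in the display name, the Reply-To pointing elsewhere, the link text showing acme-bank.example while the target’s registrable domain is verify-login.example, and that same brand name being used as a subdomain of the attacker’s domain. A mail gateway would apply the same tests to every inbound message and tag or quarantine the hits; a user applies them by hand by hovering over the link and reading the domain immediately before the first slash, ignoring whether a familiar name appears somewhere inside the address.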
Did you enjoy this article on how to protect against phishing? Want to learn more?