10 Common Phishing Techniques and How to Prevent Them
What Is Phishing?
Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in an email or other communication channels. These emails are often pixel-perfect to what would be sent from an official company, making it hard to distinguish them from the real thing. While phishing originated sometime around the year 1995, it has been one of the most popular attack vectors and remains consistent throughout 2020. As phishing was involved in 70% of breaches, this attack vector is not slowing down, so targeted training must be deployed to help reduce this number.
1. Deceptive Phishing
Deceptive Phishing is the most common type of phishing attack used today. This method works by sending high volumes of emails to users, employing scare tactics and threats, forcing the end-user to submit credentials to fake websites or downloading malicious software.
For example, a Netflix scammer may send a look-a-like email to a victim, informing them that their billing details have expired and that their subscription will be terminated unless updated. The link within the email will take them to a fake Netflix login page that emulates the real thing. Once the user has submitted their credentials, the website will then redirect them to the official login page for Netflix. They then enter their credentials once more thinking it was just a glitch, none the wiser that they have submitted their credentials to scammers.
These types of emails are rather generic, addressing the person by ‘Dear user’ rather than their name. This is because only a list of email addresses has been purchased by the cyber criminal, rather than first and last names.
2. Spear Phishing
As Deceptive Phishing spams thousands of users at once, in hopes to generate a few clicks and submissions, Spear Phishing is essentially the opposite. Combining the use of social engineering and bespoke email templates, fraudsters carefully craft a customized email for specific users.
For example, after researching their victim online, they know that they bank with Chase Bank. Combining this with their first and last name, and their general location, a Chase Bank Spear Phishing template can then be made.
The email prompts the user that unusual activity has been detected on their account. Details of the ‘fake’ login have been provided which instills panic in the user, as a device running an outdated iOS version has logged into their account, from a location which has no relation to the user. The date should be changed to mere minutes from the email being sent, which adds to the legitimacy as it will appear like an automated email.
Given the details learnt by the scammers of their target, this email may lure the victim into clicking on a link as they will want to report this unauthorized login. As they know their general location, as long as the one in the template isn’t the same, these types of scare tactics are highly effective and yield a high click-through rate.
Whaling takes Spear Phishing to a whole new level. Using the same principles that Spear Phishing utilizes, criminals target high profile users such as senior executives or managers.
These types of emails try to initiate a massive transfer of funds, or to submit company credentials, as they have a high access level. Whaling does not require extensive technical knowledge, yet can deliver huge returns. As such, it is one of the biggest risks facing businesses.
Therefore, carrying over the personalized template creation, a sense of urgency and an understanding of services from Spear Phishing, this attack vector can be highly lucrative.
Smishing makes use of a mobile phone. Instead of using the medium of email like the others do, cyber-criminals will use text messages to convey the same scam.
As the character count is limited to the software used, messages must be more precise and to the point. Since they can’t include branding and other means to appear graphically legitimate, this method of Phishing can be harder to accomplish the desired outcome.
Usually, the message will open with the issue. For example, a Smishing message may say “Your Apple ID has been locked due to too many login attempts”. The user isn’t called by their first name, this is because they need to be short and sweet, and quickly get to the point.
The message will then be followed up by a “Please confirm your account by logging into https://www.apple.co.uk/login”. Of course, the text is just a hyperlinked HREF, whereby the real link behind the text won’t be anything like the link that it appears to be. This makes the message appear more legitimate to those who are looking out for a specific domain, but still catches people out.
In addition to falsifying the link within the text, fraudsters can create a false SMS Sender ID. Instead of the number appearing to be from ‘+44…’ they can pay for a service which instead makes the SMS appear to be from ‘Apple’. This increases open rates as it invokes trust to the user, which results in higher conversion rates for clicking the link.
The word ‘vishing’ is a combination of ‘voice’ and ‘phishing.’ Phishing is the practice of using deception to get you to reveal personal, sensitive, or confidential information. However, instead of using email, regular phone calls, or fake websites like phishers do, vishers use an internet telephone service (VoIP).
Vishing shares the same medium as Smishing does; this attack vector reaches the user via their mobile phones. However, instead of sending a text message, a Cyber Criminal will try to reach the phone by calling the victim, trying to impersonate an employee working for a particular company.
As with the previous Phishing methods, many of the same rules apply. These types of phone calls try to instill fear or panic to the user to invoke an emotional response, leaving them vulnerable.
Much like with Smishing, the caller ID is spoofed. This means instead of displaying ‘07xxxx’, it will display the name of the company, such as PayPal. Because of this, those that are unaware that this is possible, have no reason to doubt that it is indeed PayPal trying to contact them because their phone displays it.
However, if the call is missed or the user does not pick up, the criminals will leave a voicemail message or make telephone calls directing people to the bogus phone number, while making additional passive threats, in hopes that they call back to try and resolve the issue desperately.
If the talking point in the phone call is not panic-inducing or threats to close a service that is relied upon, they can also promise free items, such as a giveaway, which requires payment for shipping. During this process, they will then gather details such as full name, address and credit card details if paid over the phone. It is always best to immediately put the phone down and directly ring the company, to confirm whether or not what was said holds any truth.
6. Search Engine Phishing
Search Engine Phishing is amongst the newer types of Phishing. Unlike the previously discussed types, this one does not involve the medium of email or mobile devices. Instead, as the title suggests, it utilizes search engines.
Search engine phishing occurs through online website search engines. Here, the person may encounter offers or messages that entice the person to visit the website. The search process may be legitimate, but the website is fake and only exists to steal the person’s personal information.
The Cyber Criminal will first create a fake website, which follows suit with a fake brand. In terms of graphics and brand feel, the website will appear to be legitimate, when comparing these to real websites such as eBay or Amazon.
These websites then index the brand and the pages on popular search engines, such as Google, Bing and Yandex. If one searched for the name of the company or a specific product that they are selling, it would display in the search results.
To gain popularity, their products will be promoted via paid advertisements on platforms such as Google Ads, Facebook Ads and Instagram, to gain as much exposure as possible. The products that they offer are often extremely sought after and promote being either heavily discounted or free.
As many people are inherently skeptical of highly discounted items or free giveaways, users often research the company, to find out if the promises are too good to be true. Because of this, the criminals will then make fake reviews, on websites such as Google, Trustpilot and Facebook to trick those who first look to verify the authenticity.
When a user tries to purchase an item from the fake website, they will be first prompted to create an account, and input both their billing and delivery details. The name, address, phone number and DOB will all be transmitted to their servers and will be placed directly in their database, which can then either be sold or used as part of a sophisticated Phishing attack.
With the data that is submitted, they can potentially steal money, as they may have attempted to purchase an item and have entered payment details, steal an identity or destroy any company or personal reputation due to the impersonation.
Pharming is a crafty type of internet fraud that subverts the very foundations of the internet itself. By manipulating web traffic, pharming attackers attempt to fool their targets into handing over valuable personal information.
This type of Phishing is the third stage to a traditional Deceptive Phishing attack. During a typical email-based vulnerability, the victim clicks on a link, which opens up their web browser and in turn downloads automatically executable malware. Once the malware has been installed, it will then proceed to modify the hosts file found on a windows machine. A Hosts file is a file that almost all computers and operating systems can use to map a connection between an IP address and domain names.
When a website is first visited, the DNS records of the machine logs the domain name that was visited, and the IP address associated with that. For example, when one types in ‘www.paypal.co.uk’, the ASCII characters of the domain name is converted into the associated IP address that the domain name points to, so your browser resolves to ‘184.108.40.206’. This information is then stored in the hosts file, so it is quicker and easier for the machine to visit a website.
However, if the data within the hosts file is altered, when a domain name is entered into the address bar, which then queries the hosts file, users will be taken to a different address. Instead of ‘www.paypal.co.uk’ taking you to ‘220.127.116.11’, it will resolve to a completely different IP address.
Therefore, if the malware installed on the machine alters the hosts file, users may think they have entered the correct domain name in the address bar or clicked on the same bookmark as they always do, but users will unknowingly be redirected to a completely different website, which is most likely impersonating a real website to harvest your credentials.
8. Angler Phishing
Due to the rise in popularity of social media platforms, and companies offering customer support via this method, a new way of Phishing users has raised, called Angler Phishing.
Put simply, angler phishing is the practice of masquerading as a customer service account on social media in order to reach and defraud a dissatisfied consumer. Angler Phishing uses popular social media platforms, such as Twitter, Instagram and Facebook to social engineer a victim into handing over sensitive information.
Because businesses like Domino’s have moved a large portion of their customer service team over to platforms such as Twitter, customers often tweet at Domino’s with issues or complaints. Due to the nature of the platforms, tweets such as these are publicly available and can be seen by anyone.
Let us run through a scenario. Adam has ordered a pizza, and it arrived cold, so he proceeds to tweet directly at Domino’s with a complaint, attempting to get some form of compensation. A Cyber Criminal has seen this tweet, then proceeds to create another account, identical to the real Domino’s Pizza.
The logo will be the same, the display name will follow suits, the ‘@’ tag will be spoofed to appear very close to the original, and they may even build up original tweets to make the account look realistic.
The hacker will then reach out to Adam directly, using the private messaging feature, offering the compensation that he was initially wanting. As the display name and logo is the same, that is often all it takes for a user to trust an account, given the relevancy of the issue.
Posing as the established company, the hacker can then gain sensitive information about the victim, such as their full name, address and potentially payment details, dependent on the approach the criminal takes.
As social media platforms is a fast-moving environment, both good and bad PR is easily accessible and must be dealt with promptly, as the company reputation is at risk. This opens up an easy opportunity for the hacker, as they can pose as an official company.
When a customer is contacted regarding their twitter, they are often given a link to click, offering either heavily discounted items or even those with no value. Of course, these links are effectively Phishing websites that want to harvest credentials, such as official Domino’s accounts.
9. Session Hijacking
When you login to a website or service, the end servers gives you a temporary session cookie which enables your browser to keep you logged in and authenticated to the session. This cookie is not permanently set, however can last for a significant amount of time as sessions can be kept open for hours on end.
However, if a Cyber-criminal was to get their hands on this session cookie, they could for all intent and purposes be you. By stealing this cookie, their browser would be tricked into thinking you are online and logged in, which bypasses the need for a password, consequently logging into your account without authorization.
While there are various methods to obtain your session ID and the subsequent cookie, a common method to grab it would be for you to click a link within a phishing email, the website you visit can then grab the cookies that are stored in your browser, and capture the ones it needs.
Alternatively, a malicious payload such as malware could be installed on your system if you fall victim to a phishing attack. By clicking links within an email, you could inherently directly download software onto your machine that automatically executes, opening the door for Cyber-criminals to steal your cookies.
10. Watering Hole Phishing
This type of Phishing attack is more complex and technically challenging versus many other methods. Using social engineering tactics, Cyber Criminals will scout their victim to find out the most commonly used websites and platforms that are visited.
Usually, a hacker will attempt to mimic the website and the domain to fool the user into thinking the site is real, however, Watering Hole Phishing relies on the real, genuine website.
Once the criminal knows the websites that are frequently visited, they will then proceed to hack the website, and inject malware. This means users who visit the website will be automatically infected with malware, which can then steal your personal details or passwords stored on your device.
This type of attack is extremely hard to find, as you are on the legitimate site and all the tell-tale signs of Phishing will not appear. As the end goal is to infect you with malware, traditional anti-malware software packages should prevent the attack vector but is otherwise completely invisible.
For example, let’s say the victim frequently visits a forum that discusses high-end watches. The hacker will then penetrate the back end of the website and inject malware which will be automatically downloaded once a user visits the site. The victim then enters the URL and carries on with their usual activity. The hacker then has malware on each device users access the website from, including the targeted victim, which can be used to track what passwords they type, steal their browser cookies or hijack a session.
What Are the Consequences of A Phishing Attack?
Neglecting user awareness training for the threat Phishing poses scales up to the biggest companies in the world. For example, tech giants Google and Facebook were fooled by Evaldas Rimasauskas via an extremely sophisticated Phishing attack. The thieves pretended to represent a Taiwanese hardware maker called Quanta Computer. They told Facebook and Google workers that the companies owed Quanta money, and then directed payments be sent to bank accounts controlled by the scammers, which totaled $23 million from Google and $98 million from Facebook.
As anyone can fall victim to this attack vector, the effect that it has on the target varies significantly. Regarding businesses, the average cost of a data breach is $3.86 million, with an average cost per lost or stolen record of $148, with the reputational cost being incalculable.
Business such as Equifax suffered a data breach in 2017, which lead to around £184.9 million loss with fines and other damages. However, if a company is breached, with evidence showing security was neglected or purposely inadequate, they can be fined up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In 2018, it was discovered that the hospitality company Marriott International was the victim of a large-scale data breach, with over 500 million records stolen by Cyber Criminals. Many of the records include extremely sensitive information like credit card and passport numbers and other vital Personally Identifiable Information (PII), which could be used to duplicate an identity.
After a thorough investigation, a Remote Access Trojan (RAT) was discovered on the system, which was used to harvest employee credentials. While no official entry point was confirmed, it is suspected that the RAT was uploaded onto the system via a Phishing attack, which resulted in $148 million for expenses and fines.
How Can You Prevent A Phishing Attack?
Given the consequences falling victim to a Phishing attack can have on you and those you care about, there are several simple steps you can take to help mitigate the threat that phishing poses.
- Official emails don’t boast about how ‘official’ they are. Phishing emails may contain fake account and ID numbers to fool you into thinking it’s real. Always compare your real credentials and account numbers against the ones shown, to help identify the authenticity.
- Avoid sending emails under pressure or in a time-sensitive situation. The panic and the fear that a Phishing email imposes is generated on purpose, in hopes to obtain an emotional response from you, so you lose all reason. Stay calm, stay cool and process the information at your own pace.
- Even though your account is physically secure, there’s always a chance the email could be intercepted during transmit. Services such as Google Mail allows emails to be encrypted, this means if a hacker grabs your email during transmission, the only thing they’ll see is a random string of characters that is unrecognizable.
- The worst-case scenario to a Phishing attack is that they successfully harvest your credentials and can strike at any time. Due to this, enabling Multi Factor Authentication (MFA) prevents them from logging in to your account, even if they have your username and passwords. This is because a secondary authentication method, such as a code sent to your phone, is required to prove your identity and to confirm it is you.
- Check that the email address hasn’t got any sneaky or additional characters in the domain name. Cybercriminals often try to spoof an email address by making subtle changes, to appear like the official one. For example, ‘firstname.lastname@example.org’ turns into ‘email@example.com’, which on first glance is enough to fool most users.
- Confirm if the email subject is relevant to you or not. For example, if you receive an email stating that your Netflix account has been locked, and that you need to reset your password by clicking a link, and yet you don’t have a Netflix account, you should question the authenticity of the email. The chances Netflix genuinely sending this email is next to none, so be cautious when non-relevant emails land in your inbox.
- Enroll on our free training courses today so you can protect you and your loved ones from Cybercriminals and become the human firewall!
Rouse, M. (2019) What Is Phishing? -Definition From Whatis.Com[online] available from <https://searchsecurity.techtarget.com/definition/phishing> [24 May 2020]
Phishing | History Of Phishing (2019) available from <https://www.phishing.org/history-of-phishing> [24 May 2020]
Jentzen, A. (2018) Phishing, Pretexting, And Data Breaches: Verizon’s 2018 DBIR | Proofpoint[online] available from <https://www.proofpoint.com/us/security-awareness/post/phishing-pretexting-and-data-breaches-verizons-2018-dbir> [24 May 2020]
(NCSC.co.uk2016) [online] available from <https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it> [24 May 2020]
Belcic, I. (2019) What Is Pharming? | How To Protect Against Attacks[online] available from <https://www.avg.com/en/signal/what-is-pharming> [24 May 2020]
Vaughan-Nichols, S. (2017) How To Use A Hosts File To Improve Your Internet Experience | Zdnet [online] available from <https://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/> [24 May 2020]
IdentityExperts (2019) Angler Phishing: What You Need To Know | Identity Experts[online] available from <https://www.identityexperts.co.uk/news/angler-phishing-what-you-need-to-know/> [24 May 2020]
Dolmetsch, C. (2019) Facebook-Google Scammer Pleads Guilty In $121 Million Theft[online] available from <https://www.bloomberg.com/news/articles/2019-03-20/man-pleads-guilty-in-100-million-scam-of-facebook-and-google> [24 May 2020]
Graham, A. (2018) The Cost Of A Data Breach -IT Governance UK Blog[online] available from <https://www.itgovernance.co.uk/blog/the-cost-of-a-data-breach> [24 May 2020]
Ico.org.uk (n.d.) Penalties[online] available from <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/penalties/> [24 May 2020]
Fruhlinger, J. (2020) Marriott Data Breach FAQ: How Did It Happen And What Was The Impact? [online] available from <https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html> [24 May 2020]