Phishing or Fishing…?

Phishing may be a relatively unknown term to some of you, so let’s start with the basics: what is it? Unfortunately, or maybe even fortunately (whatever floats your boat), this has absolutely nothing to do with the more commonly known fishing.

No, phishing is a cybercrime in which people are targeted by email, telephone, or text message. You will be contacted by someone posing as a legitimate institution, most likely one you have interacted with previously. The goal is to lure the target into coughing up sensitive data such as their PII (personally identifiable information), credit card details, and passwords. This information can be used to access your personal accounts or sold on the dark web. Both scenarios often result in financial loss or identity theft.

What truly distinguishes a phishing message is the form that the message will take. The attacker will pretend to be a known person or organisation that you have most likely engaged with previously. Yes, they are going to have done their research on you. For example, your email may have been found in a data breach from Booking.com. Well, the attacker now has your email and the knowledge that you are used to receiving emails from that company. This makes it easy for them to pose as someone from Booking.com, thereby increasing the likelihood of you complying with the contents of the email.

The Evolution of Phishing

Phishing is one of the oldest types of cyberattack, dating back to the 1990s, yet it still proves to be one of the most successful methods used by cybercriminals to this day. In a report covering 2017, 76% of organisations surveyed said they had experienced a phishing attack at some point that year. Phishing has come a long way since the 1990s, with the attacks growing steadily more sophisticated. There are now multiple types of phishing, including but not limited to deceptive phishing, spear phishing, CEO fraud, and malware-based phishing. So let’s dive into each of these and see what methods attackers are using to steal our private information.

Deceptive phishing is the most common type of phishing scam: the attacker impersonates a legitimate company in an attempt to steal PII or login credentials. These emails often convey a sense of urgency to scare the target into complying. The success of such an attack depends on how closely the email resembles a typical email you would receive from that company. The more similar the email is in terms of URL, format, content, etc., the more likely the phish is to succeed.
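As an added example (not part of the original post), here is a small Python checker that applies the signals described above to a message: does the display name claim a trusted brand while the actual sender domain is something else, do the links point at lookalike domains, and does the text lean on urgency language? The trusted-domain list, the urgency word list, and the sample message are all constructed for this example; the lookalike domains use the reserved `.test` TLD so nothing here resolves to a real site.

```python
import email
import email.utils
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

# Assumption: a short allow-list of domains this mailbox genuinely expects mail from.
TRUSTED_DOMAINS = {"booking.com"}

# Phrases that deceptive phishing leans on to rush the reader (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")

# Constructed sample: the display name claims Booking.com, but neither the sender
# domain nor the link target is booking.com. ".test" is reserved, so nothing resolves.
SAMPLE_EMAIL = """\
From: "Booking.com Support" <support@bookimg.test>
To: guest@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Your reservation will be suspended. Please verify your account immediately:
https://booking.com.secure-login.test/verify?id=123
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; 1 or 2 between domain labels is a typo-squat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host ("example.com"); enough for the generic TLDs used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    label = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 1) trusted domain used as a subdomain of an unrelated registrable domain
        if host.startswith(trusted + "."):
            return trusted
        # 2) registrable label is a near-miss of the brand, or embeds it
        if levenshtein(label, brand) <= 2 or brand in label:
            return trusted
    return None


def analyse(raw: str) -> dict:
    """Collect phishing signals from one RFC 5322 message and report them."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = email.utils.parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[-1]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable(sender_domain) != trusted:
            findings.append(f"display name claims {trusted} but sender domain is {sender_domain}")
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} imitates {hit}")

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = (msg["Subject"] or "") + "\n" + body
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link {url} points at {host}, which imitates {hit}")

    urgency = [w for w in URGENCY_WORDS if w in text.lower()]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

Run against the sample, it reports four findings: the display-name mismatch, the typo-squatted sender domain, the link whose hostname merely starts with the trusted domain, and the urgency phrases. A genuine confirmation from `booking.com` with no urgency wording produces none. These are heuristics, not proof: they are the automated form of the check a careful reader does by hovering over a link and reading the real sender address.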

Spear phishing is a similar technique that is more personalised. Here the attackers use personal information about the target, such as their name, job title, or work phone number, in an attempt to seem more legitimate. The goal is to lure the target into providing their login credentials for specific accounts.

CEO fraud is a by-product of ‘whaling’, which is itself a type of spear phishing. Whaling is when the attacker targets a top executive to try to gain access to their login details. CEO fraud comes into play once a whaling attack succeeds: the attacker now has the option to conduct CEO fraud. This is the second phase of a business email compromise (BEC) scam, where attackers impersonate an executive and abuse that individual’s email to authorise fraudulent wire transfers. Executives often don’t participate in security awareness training, making it easier for whaling attacks to succeed.

Malware-based phishing is all about getting malicious software onto a user’s PC. This is achieved by tricking the target into clicking a link or downloading an attachment that lets the malware into the system.

What can you do?

So that’s quite a lot for you to be worried about, right? The key here is to continuously educate yourself and become familiar with these methods. In a workplace setting, which is often the target for attackers, you can receive phishing training and simulated attacks. After all, we learn mostly by experience, so why should this be any different?

One thing that you can do is download our free app Cypaw, available on iOS and Android. Automate the process of finding your online accounts, and easily manage (delete) them. If a company leaks your information but your account there has already been deleted, then you’re safe!