Phishing is the practice of tricking an internet user into clicking on a link or falling for a scam that pretends to come from a legitimate organization or personal acquaintance. The goal is to get them to reveal sensitive data or personal information about themselves. The most common form of phishing is email, but attacks are also attempted through automated phone calls and text messages. They are typically identifiable by typos and misspellings, odd-looking or hidden links, spoofed email addresses, and robotic voices.
How it Works
A phishing scam can work as follows: the victim receives a message disguised as coming from a legitimate company. The “phisher” requests that the user verify their credentials at a link within the message, or through a prompt on a phone call. The message may contain typos, or the call may open with a robotic voice, which is usually a giveaway of a scam attempt. It’s also important to always verify the sender’s email address; if it doesn’t look right, it probably isn’t. The main ploy is impersonating a trusted organization or acquaintance in order to install malware on devices, get money from victims, validate email addresses so personal information can be stolen, or hijack user accounts.
Since phishing attempts are performed using different methods, we’d like to take a moment to share some tips from the CompTIA Security+ SY0-601 security handbook on how to identify specific kinds of phishing attempts.
Phishing to Install Malware
Be careful of any link or attachment you click in an email. These links can trigger a software download that is a malicious attempt to infect your computer and network. Malware is software designed to disrupt, damage, or gain unauthorized access to a computer system. Once a computer system is infected, the “phisher” can assume control of the device and/or use it to infect other devices on the network. These attacks come in a variety of forms. One example: a victim receives an email, and clicking anywhere on the message triggers a dialog box disguised as Adobe Flash. It asks, “Would you like to upgrade your version of Flash?” If the user clicks “Yes,” it downloads and installs malware.
Phishing to Get Money
A popular form of phishing is a ploy to get money or gift cards. Two popular email scams are the one where a scammer is in possession of, or stands to inherit, a large sum of money but needs help retrieving it in exchange for a payout, and the one where a scammer informs the recipient that they have won a huge cash prize but must pay processing fees and taxes first. These scams usually promise compensation far greater than the sum of money requested, making the offer look like a “no brainer.” If it’s too good to be true, it probably is. Victims who provide bank information or send money for a prize can be duped out of their reward and sometimes their life savings. These scams are typically easy to identify because of their rough English translations and outlandish backstories, but even so, people surprisingly still fall for Nigerian Prince email scams to this day.
Phishing to Validate Email Addresses
Most user accounts are linked back to an email address. If a scammer can gain control of a victim’s email account, they could gain access to their entire life. To validate an email address, a scammer sends an email that contains a beacon: a unique code, usually attached to an image, that pings back to the attacker’s server when the message is opened and thereby confirms that the receiver’s address is live. To deter this, many email services don’t load remote images automatically. The attacker doesn’t necessarily know who the victim is; they are doing exploratory phishing for potential prey. Once an email address has been validated, scammers can tie it back to a specific user and follow up with phishing for malware, phishing for money, and long cons through social engineering.
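The following is an added example, not part of the original article, of how a mail gateway or client can spot the beacon images described above: remote `<img>` tags that are one pixel in size or that carry a per-recipient token in their URL. The HTML body, domains and token are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: an HTML email with an ordinary logo and a tracking
# beacon (hypothetical domains, constructed token in the query string).
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example-bank.test/logo.png" width="200" height="60">
<p>Please verify your account.</p>
<img src="https://track.example-spam.test/open.gif?u=3f9a1c7e2b" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def is_beacon(attrs):
    """Heuristic: a remote image that is tiny or carries a unique token."""
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme not in ("http", "https"):
        return False  # inline (cid:) or data: images do not phone home

    def dim(name):
        try:
            return int(attrs.get(name, "").strip("px"))
        except ValueError:
            return None

    tiny = dim("width") in (0, 1) or dim("height") in (0, 1)
    # Any query parameter on an image URL can identify the recipient.
    tokenized = bool(parse_qs(parsed.query))
    return tiny or tokenized

def find_beacons(html):
    """Return the src of every image in the HTML that looks like a beacon."""
    collector = ImgCollector()
    collector.feed(html)
    return [img["src"] for img in collector.images if is_beacon(img)]

if __name__ == "__main__":
    for src in find_beacons(SAMPLE_HTML):
        print("possible tracking beacon:", src)
```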
Spear phishing | Targeted Attacks
A more direct form of phishing is spear phishing, in which a scammer aims attacks at a specific user or group of users. The victims are usually stakeholders tied to an organization, including employees or customers. One example is when scammers use the customizable display-name fields of their email accounts to impersonate a high-level employee, then abuse that trust to trick stakeholders into divulging information about their accounts. It’s good practice to always verify that the email addresses in a message look legitimate.
Whaling | High Rollers
A whale is a big phish… This is when cyber attackers specifically target the high-level executives of an organization. They disguise their identity as senior executives to get authorized employees to provide them with sensitive information. A whaling attack can be directed at senior leadership, or it can impersonate them to exploit trust. Either way, it can be a very embarrassing and expensive blunder for an organization. Most famously, the social media company Snapchat fell victim to a whaling attack: their finance department received an email that looked like it came from the CEO requesting payroll data. The team that received the request complied and shared private information that ended up on the internet. To prevent these attacks, organizations are implementing digital signatures on email so recipients can confirm that a message is legitimate. A spear phishing attack can be a whaling attack at the same time; phishing attacks are non-discriminative in their delivery methods.
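As an added example (not from the original article or the handbook it cites) covering both the spear-phishing and whaling sections, this check flags a message whose From display name matches a known executive while the actual address belongs to an outside domain, whose Reply-To points somewhere else, or whose internal-looking sender lacks a DMARC pass in the Authentication-Results header. The organization domain, executive list and raw message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organization data: the company's own domain and the senior
# staff a whaling message would most likely impersonate.
ORG_DOMAIN = "example-corp.test"
EXECUTIVES = {"alice chen", "bob ortega"}

# Constructed raw message: the display name claims to be the CEO, but the
# address sits on an unrelated free-mail domain and Reply-To differs again.
SAMPLE_MESSAGE = """\
From: "Alice Chen" <alice.chen.ceo@free-mail.test>
Reply-To: payroll-request@another-mail.test
To: finance@example-corp.test
Subject: Urgent: payroll data needed today

Please send the W-2 data for all staff before noon.
"""

def normalize(name):
    """Lower-case a display name and collapse punctuation and spacing."""
    return " ".join(name.lower().replace(",", " ").split())

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_findings(raw):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth_results = msg.get("Authentication-Results", "").lower()
    domain = domain_of(addr)
    findings = []
    if normalize(display) in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append(f"display name '{display}' is an executive but the "
                        f"address domain is '{domain}'")
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_to}")
    # Internal-looking sender without an authenticated DMARC pass.
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth_results:
        findings.append("sender claims the organization's domain without dmarc=pass")
    return findings

if __name__ == "__main__":
    for reason in impersonation_findings(SAMPLE_MESSAGE):
        print("suspicious:", reason)
```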
Vishing | Phone Scams
Phishing attacks aren’t limited to email; the attack surface extends into VoIP (Voice over Internet Protocol) and cell phones as well. We are all familiar with robocalls, right? Robocalls are the robotic spam calls we receive that use deceptive language to trick victims into acting. Some popular examples are “your extended warranty is about to expire,” “you’re being investigated by the IRS,” and “your credit card has been compromised.” Bad actors are working to trigger a response from the receiver. Once you are engaged, they will socially engineer the conversation to get the victim to verify identifying information such as full names, birthdays, Social Security numbers, card expiration dates, and other revealing data. When a scammer identifies a target, they will attack on multiple surfaces spanning email, phone calls, and text messages.
Smishing | SMS Attacks
Using text or SMS messages as an attack method is called smishing, a wordplay that combines SMS and phishing. In addition to email, scammers use text messages to trick users into clicking on links. If the scammer knows the victim’s email address and cell phone number, they can try to log into the victim’s email account and use the “forgot password” feature to trigger a secondary verification. At the same time, pretending to be the email provider, they send a verification text message in the hope that the victim clicks a link that takes them to a spoofed page where they “log in.” This is a more sophisticated approach, as timing is everything, but if they succeed in capturing the victim’s credentials, they have access to all the sensitive information stored within the account.
Phishing scams aren’t limited to the examples mentioned above; bad actors can be very creative in their approach. A seasoned and clever scam artist can potentially uncover a user’s entire life by collecting bits and pieces of the victim’s personal information. Those who fall victim to scammers do so in moments of carelessness, either because they are unfamiliar with these tactics or because they don’t have enough layers of cyber security protection.