Phishing is when attackers send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials or other sensitive data.
Phishing is an example of social engineering: a collection of techniques that scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection and lying—all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through.
History of Phishing
The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure people in and get them to take the bait. And, once they are hooked, both the user and the organization are in trouble.
Like many common threats, the history of phishing starts in the 1990s. When AOL was a popular online service and internet provider, attackers used phishing and instant messaging to masquerade as AOL employees and trick users into divulging their credentials so the accounts could be hijacked.
In the 2000s, attackers turned to bank accounts. Phishing emails were used to trick users into divulging their bank account credentials. The emails contained a link to a malicious site that looked like the official banking site, but the domain was a similar variation of the official domain name (e.g., paypai.com instead of paypal.com). Later, attackers went for other accounts such as eBay and Google to use the hijacked credentials to steal money, commit fraud, or spam other users.
Why Is Phishing a Problem?
Cyber criminals use phishing emails because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.
The data that cybercriminals go after includes personally identifiable information (PII)—like financial account data, credit card numbers and tax and medical records—as well as sensitive business data, such as customer names and contact information, proprietary product secrets and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches—like the headline-grabbing 2013 Target breach—start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
What Does a Phishing Email Look Like?
Attackers prey on fear and a sense of urgency. It’s common for attackers to tell users that their account is restricted or will be suspended if the targeted user does not respond to the email. Fear gets targeted users to ignore common warning signs and forget their phishing education. Even administrators and security experts fall for phishing occasionally.
Usually, a phishing email is sent to as many people as possible, so the greeting is generic.
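The three indicators the text has mentioned so far (a lookalike domain such as paypai.com standing in for paypal.com, urgency language about a restricted or suspended account, and a generic greeting) are exactly what a mail filter scores. The following Python is an added example, not code from the original article: the allow-list of trusted domains, the urgency phrases, the greeting pattern and the two sample messages are all constructed for illustration. Real gateways also use the Public Suffix List and handle IDN/homoglyph tricks, which this sketch leaves out.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of brand domains we treat as legitimate.
TRUSTED_DOMAINS = ("paypal.com", "ebay.com", "google.com", "aol.com")

# Constructed list of phrases that press the reader to act without thinking.
URGENCY_PHRASES = (
    "account is restricted", "will be suspended", "verify immediately",
    "within 24 hours", "urgent", "act now",
)

# A greeting aimed at nobody in particular, at the start of a line.
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|member|valued customer)\b", re.I | re.M)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Hostname with a leading 'www.' stripped (naive; real code would use the Public Suffix List)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated.

    A domain counts as a lookalike when it is not itself trusted (or a subdomain of a
    trusted domain) but is within edit distance 2 of one (paypai.com), or reuses the
    brand name as a label (paypal.com.example.net, paypal-secure.net)."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if levenshtein(domain, trusted) <= 2:
            return trusted
        if brand in domain.replace("-", ".").split("."):
            return trusted
    return None


def score_email(subject, body):
    """Return (score, reasons): one point per indicator class found in the message."""
    reasons = []
    text = f"{subject}\n{body}"
    if GENERIC_GREETING.search(body):
        reasons.append("generic greeting")
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for url in URL_RE.findall(text):
        domain = registrable_domain(url)
        target = lookalike_of(domain)
        if target:
            reasons.append(f"lookalike domain {domain} imitates {target}")
    return len(reasons), reasons


# Two constructed sample messages: one phishing lure, one ordinary receipt.
PHISH_SUBJECT = "Your account will be suspended"
PHISH_BODY = ("Dear Customer,\n\nYour account is restricted. Verify immediately at "
              "https://www.paypai.com/login\n")
LEGIT_SUBJECT = "Your receipt"
LEGIT_BODY = ("Hi Alice,\n\nThanks for your purchase. View your order at "
              "https://www.paypal.com/activity\n")

if __name__ == "__main__":
    for subj, body in ((PHISH_SUBJECT, PHISH_BODY), (LEGIT_SUBJECT, LEGIT_BODY)):
        score, reasons = score_email(subj, body)
        print(f"{subj!r}: score {score}", *reasons, sep="\n  ")
```

The lure scores 3 (generic greeting, urgency language, lookalike domain) and the receipt scores 0. The point of scoring rather than blocking on any single hit is that each indicator on its own is common in legitimate mail; it is the combination that the text describes, fear plus a spoofed brand plus a mass mailing, that separates the two.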
Types of Phishing Attacks
Phishing has evolved into more than simple credential and data theft. The way an attacker lays out a campaign depends on the type of phishing. Types of phishing include:
Spear phishing: these email messages are sent to specific people within an organization, usually high-privilege account holders.
Link manipulation: messages contain a link to a malicious site that looks like the official business.
CEO fraud: these messages are sent mainly to finance staff to trick them into believing that the CEO or another executive is asking them to transfer money. CEO fraud falls under the umbrella of phishing, but instead of spoofing a popular website, the attacker spoofs an executive of the targeted corporation.
Content injection: an attacker who can inject malicious content into a legitimate site uses that site to show visitors a malicious popup or redirect them to a phishing website.
Malware: users tricked into clicking a link or opening an attachment might download malware onto their devices.
Smishing: using SMS messages, attackers trick users into accessing malicious sites from their smartphones.
Vishing: attackers use voice-changing software to leave a message telling targeted victims that they must call a number where they can be scammed.
“Evil Twin” Wi-Fi: by spoofing a free Wi-Fi network, attackers trick users into connecting to a malicious hotspot so that they can perform man-in-the-middle attacks.