What is Phishing?
1 June 2021
[Phishing is] an attempt to trick someone into giving information over the internet or by e-mail that would allow someone else to take money from them, for example by taking money out of their bank account.
— Cambridge Dictionary
The Cambridge Dictionary gives a rather vague definition for a topic as broad as phishing, so let's take a closer look at the quote above.
Phishing is indeed an attempt to trick someone into giving information to someone else (who we'll call the phisher). But what kind of information are we talking about? Clearly, there is no harm in giving out data that is already public, like the weather forecast or the results of the latest sporting events. Personal or private information in the wrong hands, however, can be very dangerous. That includes internal company data, data used for personal identification and almost anything that contains a password or other credential. So phishers are not after just any data; they trick people into giving out information that should stay private.
How do they reach their victims? The Cambridge Dictionary says phishing is delivered over the internet or by e-mail, probably the most widely used channels. There is a common third channel, though: our beloved (smart-)phones. SMS and even voice calls can be used to obtain sensitive data by fraud.
Money is the motivation behind most criminal acts. The most obvious way to profit from phishing is therefore to steal banking data directly or to make victims hand over money voluntarily, e.g. by letting them believe they are paying a long overdue Amazon bill. Yet this is not the only way stolen data can be used. Social media logins can be sold to other cyber criminals, and harvested e-mail addresses can be used to send malware to future victims.
The problem in defining phishing is that there are no creative limits or rules for the phisher on how and where to steal sensitive data. However, there are some recurring types of phishing.
Phishing Types
1. Untargeted E-Mail Phishing
Untargeted e-mail phishing is the generic form of phishing. The victim receives an e-mail from an unknown address that often opens with "Dear user" or "Hello", or has no salutation at all. The content ranges from requests to send money, over links to phishing websites, to blackmail. You might receive notices about unpaid bills for things you never bought, or reminders to update a password for a popular brand like Microsoft or Apple. Sex tapes of the victim, which the phisher claims to have, are also commonly used for blackmail: the phisher offers to delete the recordings only in exchange for payment or other personal data.
2. Clone Phishing
A clone phishing attack builds on an e-mail the victim has already received. This harmless first e-mail contains one or more links and often an attachment. The phisher then sends a second e-mail shortly afterwards, claiming that something was wrong in the first one, e.g. a typo in a date or a broken link. The second mail is essentially a copy of the first, but the link(s) and/or attachments, which were harmless in the original, have been replaced with malicious ones. Because the victim has already seen the message once, they pay less attention to the links and are far easier to convince to give out sensitive data.
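The defining feature of a clone is that almost everything stays the same and only the link targets move, so the useful check is a link-by-link comparison of the two messages. The following script is an added example written for this article, not code from the original page; the two HTML bodies, the hostnames (billing.example.com and the lookalike billing.examp1e.com) and the invoice path are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real e-mails): the legitimate original and
# the "corrected" clone the phisher sends shortly afterwards. The only difference
# that matters is the invoice link, whose host has an "l" swapped for a "1".
ORIGINAL_HTML = """
<p>Hi Alex, the invoice for May is attached.</p>
<p>You can also view it online:
   <a href="https://billing.example.com/invoice/4711">View invoice</a></p>
<p>Questions? See <a href="https://example.com/support">support</a>.</p>
"""

CLONE_HTML = """
<p>Hi Alex, sorry, the link in my last mail was broken. Here is the May invoice again.</p>
<p>You can also view it online:
   <a href="https://billing.examp1e.com/invoice/4711">View invoice</a></p>
<p>Questions? See <a href="https://example.com/support">support</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def compare_links(original_html, clone_html):
    """Return (anchor text, original href, clone href) for every link in the
    clone whose target differs from the link with the same anchor text in
    the original. The unchanged links are exactly what makes the clone look safe."""
    original = dict(extract_links(original_html))
    changed = []
    for text, href in extract_links(clone_html):
        if text in original and original[text] != href:
            changed.append((text, original[text], href))
    return changed


def changed_hosts(changes):
    """Reduce each changed link to the pair of hostnames, which is usually
    where the swap hides (lookalike domains, extra subdomains)."""
    return [(urlparse(old).hostname, urlparse(new).hostname) for _, old, new in changes]


if __name__ == "__main__":
    for text, old, new in compare_links(ORIGINAL_HTML, CLONE_HTML):
        print(f"link '{text}' changed: {old} -> {new}")
```

Matching on anchor text is deliberate: the visible text is what the victim reads and what the phisher keeps identical, while the href underneath is what changes. Reducing the result to hostnames makes the one-character difference between the two domains stand out.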
3. Spear Phishing
A more specific type of phishing is spear phishing. The phisher picks one person or a small group of people inside a company with a particular function and sends a tailored mail. This could be system administrators who receive a request to reset the password of a company e-mail account and then send the new password straight back to the phisher. It could also be an invoice for company utilities sent to an accountant who handles dozens of such requests a day. Because the e-mail appears to be meant explicitly for them, the victim does not double-check whether it comes from a suspicious account or whether a link looks slightly off.
4. Whaling
Whaling works like spear phishing but goes after "bigger phish". Instead of targeting ordinary employees, these attacks aim at people at C level such as a CEO or CFO. This could be an e-mail with a link to information about an ongoing lawsuit or a business offer from a fake customer. Whaling is a type of phishing that, if successful, can cause existential damage for the individuals as well as the companies involved.
5. Business E-Mail Compromise
Business e-mail compromise (BEC) again targets a company's employees. Often lower-level workers receive a message that appears to come from their boss, their boss's boss or even the CEO, asking for internal company information. The sender's display name is set to the person the phisher wants to imitate; the display name is entirely under the sender's control. The actual e-mail address, which could reveal that the mail is a phishing attack, is usually hidden behind a click in modern e-mail clients, and even when it is shown it may use a lookalike domain that differs from the real one by a single character.
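Since the display name proves nothing, the check has to look at the address behind it. The script below is an added example for this article, not code from the original page: it parses the From and Reply-To headers with Python's standard email module and flags the three tell-tale signs described above. The company domain example.com, the executive name, the free-mail domain example-mail.net and the three sample messages are all constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real e-mails). The BEC message uses the
# CEO's name as display name, but the address behind it is a free-mail
# account, and replies are steered to yet another address.
BEC_MESSAGE = """From: Maria Kowalski <maria.kowalski@example-mail.net>
Reply-To: ceo.urgent@example-mail.net
To: accounting@example.com
Subject: Quick favour

Are you at your desk? I need the supplier list before my next meeting.
"""

# Same display name, but the domain is a lookalike of the real one (1 for l).
LOOKALIKE_MESSAGE = """From: Maria Kowalski <maria.kowalski@examp1e.com>
To: accounting@example.com
Subject: Quick favour

Are you at your desk? I need the supplier list before my next meeting.
"""

LEGITIMATE_MESSAGE = """From: Maria Kowalski <maria.kowalski@example.com>
To: accounting@example.com
Subject: Quick favour

Are you at your desk? I need the supplier list before my next meeting.
"""

# Assumed company domain and executive directory (hypothetical values).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "maria kowalski": "maria.kowalski@example.com",
}


def normalize_name(name):
    """Case- and whitespace-insensitive form of a display name."""
    return " ".join(name.lower().split())


def looks_like_internal(domain):
    """Crude confusable check: digits that resemble letters are mapped back
    (1 -> l, 0 -> o) and the result compared with the real domain."""
    folded = domain.replace("1", "l").replace("0", "o")
    return folded == INTERNAL_DOMAIN and domain != INTERNAL_DOMAIN


def check_sender(raw_message):
    """Return (display name, address, findings) for a raw RFC 5322 message.
    An empty findings list means nothing about the sender looked off."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. The address itself is not one of ours.
    if domain != INTERNAL_DOMAIN:
        findings.append(f"sender domain {domain} is external")
    if looks_like_internal(domain):
        findings.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")

    # 2. The display name belongs to an executive, but the address does not match.
    expected = EXECUTIVES.get(normalize_name(display_name))
    if expected and expected.lower() != address.lower():
        findings.append(
            f"display name '{display_name}' belongs to {expected} but address is {address}"
        )

    # 3. Replies are redirected somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"Reply-To {reply_to} differs from From address")

    return display_name, address, findings


if __name__ == "__main__":
    samples = [("BEC", BEC_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)]
    for label, raw in samples:
        _, addr, findings = check_sender(raw)
        print(label, addr, findings or "no findings")
```

The display name is only used to look up which address it ought to belong to; the decision is always made on the address and the domain. The confusable check is deliberately minimal and should be replaced by a proper lookalike-domain list in practice, but it is enough to show why reading the real address matters.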
6. Social Media Phishing
Social media is a relatively new platform for phishers. Apart from posting or promoting phishing links, they can use fake or cloned accounts to send phishing messages to other users via private messages. The mechanics are the same as in e-mail phishing, but the platform allows even faster distribution and a larger, more widespread victim base.
7. Smishing
Of course, phishing links or payment demands can also be distributed via SMS or other private messaging services. Messages announcing a package or letter that is about to arrive are an especially common form of smishing. The victim has no way of knowing the number the message comes from, trusts the "best regards" from the local DHL team and follows the link to the phishing website.
8. Vishing
Vishing is phishing by voice call. The well-known grandparent scam is a type of vishing, but calls about renewing an anti-virus subscription for a fee, or a supposed check from your bank to confirm that your banking details are still valid, can deceive younger people too.
9. Search Engine Phishing
A phishing method that is completely independent of message delivery channels like e-mail or SMS is the use of SEO (search engine optimisation). Phishers set up phishing websites and optimise their keywords so that the site appears among the top results on Google (or other search engines) for certain search terms or phrases. The victim opens the page simply because of its high ranking and never considers that it could be a phishing site. Such attacks are not easy to set up, but once they work the victim rate is comparatively high.
Conclusion
Phishing is a big problem in cybersecurity because of its diversity. Everyone can be a target: seniors, students, carpenters or even CEOs. On top of that, every attack can look completely different, use a different delivery channel or serve a different purpose. Therefore it is up to us, the ordinary people of the world wide web, to keep our eyes open and be suspicious of anything that seems just a bit out of the ordinary.
Read more about phishing:
- [How to Detect Phishing]
- [Been Phished. What's next?]