Phishing - Explained
What is Phishing?
Phishing is a deceptive and fraudulent way of extracting sensitive information from individuals or even corporate organizations. It is a fraudulent means of obtaining vital information such as credit card numbers, login passwords, and other confidential data through disguise. Fraudsters pose as professionals or cyber security experts to get the information they want from their victims. Phishing is carried out through hoax emails or instant messages sent directly to users to lure them into entering their personal information on fake websites that look like the genuine ones.
How Does Phishing Work?
Phishing in any of its forms is a cybercrime, and both legislative and technological measures have been devised to combat it. Attackers cloak their identities, share malicious links, and forge addresses and webpages to reach their target audience. Access to users' accounts results in identity theft, financial loss and even loss of integrity. These cyber criminals do not only use emails or texts; they also use voice phishing (vishing), SMS phishing (smishing) and several other techniques. The first legal action against phishing was a lawsuit filed against a Californian teenager in 2004. The lawsuit was filed because the teenager imitated a website belonging to America Online. Through the use of counterfeit emails and messages, the teenager extracted sensitive information such as passwords and credit card details from users. Phishing has many attributes; the most common features are:
- They are attractive: phishers use appealing and captivating statements to lure victims into their traps. These lures include prize claims, extremely low prices or lotteries.
- Imitations that look original: this is another feature found in almost all forms of phishing.
- They compel victims to act fast, leaving no room for second thoughts.
- They use hyperlinks that redirect users to cloned websites.
- Professionalism in the circulation and contents of the emails and text messages.
Spear phishing, whale phishing, evil twin phishing, clone phishing, filter evasion and website forgery are forms of phishing discussed elsewhere in this article. Other types of phishing that are not expressly discussed there are SMS phishing (smishing), voice phishing (vishing) and pharming.
As the name implies, SMS phishing is a form of attack that uses text messages on users' devices to deceive and attack unsuspecting victims. Voice phishing, on the other hand, uses communication media such as VoIP (voice over IP) and POTS (plain old telephone service) to defraud victims.
Pharming relies on DNS cache poisoning to launch attacks on victims. Although the history of the term phishing is vague, the concept can be traced to the 1990s and the experience of America Online. Phishing is also regarded as a homophone of fishing: just as fishing uses bait to lure fish into the net, phishers deploy similar techniques.
Quite a large number of people have fallen victim to phishing; many have been lured into exposing sensitive information such as passwords and credit card PINs without suspecting any foul play. Phishing is a type of social engineering technique used for fraudulent purposes. These fraudsters pose as legitimate engineers and trick people into releasing security information after gaining their trust. The impact of phishing worldwide can be estimated at 5 billion US dollars.
Despite the impact of phishing, several measures, including sensitization, public awareness, and technical and legislative measures, have been put in place to tackle this crime.
There are different modes or types of phishing, and spear phishing is one of the most prominent. This type of phishing is target-focused, as it is directed at specific individuals or companies. Attackers who use spear phishing always have prior information on the individuals or companies before selecting them as targets. Once relevant information has been gathered on potential victims, they also weigh the chance of success before launching the attack on their targets.
Another popular type of phishing is clone phishing, an attack that focuses on creating cloned emails from original, legitimate emails that have previously been delivered. By crafting counterfeit emails that look like real ones from the original senders, attackers gain the trust of unsuspecting victims and obtain access to their passwords and other essential information. With that trust established with the receivers, phishing becomes much easier. Hence, clone phishing entails forgery: producing a simulation of previously delivered emails in such a way that it is difficult for receivers to distinguish the cloned versions from the originals.
Whaling in the ordinary sense means targeting big or magnificent things. As a term used for spear phishing attacks, whaling means phishing that is targeted at high-profile individuals or senior employees of corporate organizations. This type of phishing is specific and goal-oriented. Its targets are the heads of organizations or reputable individuals. A whaling attack can take the form of a customer complaint, a subpoena or an executive statement to reach its targets.
Since phishing attackers use technological means to trick their targets, the role of technological deception in phishing cannot be overemphasized. Attackers use link manipulation, cloned emails and other deceptive means to get information from victims.
A popular example of the technological strategy used by attackers is the intentional misspelling of URLs, or the use of fake subdomains that carry the name of a real domain.
Another trick is to use link text that literally suggests a real destination when the link itself leads elsewhere. So, through the general manipulation of links and web addresses, attackers can reach their prey.
Phishers also create cloned web addresses that are similar to legitimate ones, but a click on them directs users to malicious destinations. Filters are designed to restrict counterfeit text or addresses; they address the vulnerability of internet browsing by limiting unwarranted text or characters. For example, some filters disallow letters inserted after the < character as a way to limit such vulnerabilities. However, in response, phishers use images in place of text, and this is difficult for filters to detect. Anti-phishing filters have great difficulty inspecting images because they commonly scan for and detect text; aware of this, phishers have drifted towards the use of images instead of text.
Another technique attackers use to reach their targets is the covert redirect, a subtle means of making links look real while they redirect users to the attacker's website. This technique results from security flaws in the domains of legitimate sites; open redirect and XSS vulnerabilities in websites can be used for it. Attackers also use malicious browser extensions to redirect users to phishing sites. Users can, however, easily spot a malicious page by its URL, because it is not the same as the original site's link. Through covert redirects, phishers use fraudulent means to extract information from unsuspecting site users.
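The link manipulation tricks described above (misleading link text, a real domain name used as a subdomain of an unrelated domain) and the covert redirect can all be checked mechanically by a mail filter. The following Python script is an added example, not code from the original article; the trusted-domain allow-list and the sample mail body are constructed for the demonstration, and the registrable-domain helper is a deliberate "last two labels" approximation.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed allow-list of domains the organisation's genuine mail links to (constructed).
TRUSTED = {"example-bank.com", "example.com"}

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def analyse_link(text, href):
    """Return the findings for one anchor; an empty list means nothing looked suspicious."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reg = registered_domain(host)
    # 1. Visible text names a site, but the href's registrable domain is a different one.
    m = HOST_IN_TEXT.search(text.lower())
    if m and registered_domain(m.group(1)) != reg:
        findings.append(f"text shows {m.group(1)} but link goes to {host}")
    # 2. A trusted name appears only as a subdomain of an untrusted registrable domain.
    smuggled = [t for t in TRUSTED if t in host and reg != t]
    if reg not in TRUSTED and smuggled:
        findings.append(f"trusted name {smuggled[0]} used as subdomain of {reg}")
    # 3. Covert redirect: a trusted host whose query parameter carries an off-domain URL.
    if reg in TRUSTED:
        for key, values in parse_qs(url.query).items():
            for target in (urlparse(v).hostname for v in values):
                if target and registered_domain(target) not in TRUSTED:
                    findings.append(f"parameter {key} redirects to {target}")
    return findings

def scan_html(body):
    """Map every href in an HTML mail body to its findings (anchor text is stripped of tags)."""
    return {href: analyse_link(re.sub(r"<[^>]+>", "", text), href)
            for href, text in ANCHOR.findall(body)}

# Constructed sample mail body exercising all three tricks plus one legitimate link.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://example-bank.com.account-verify.net/login">https://example-bank.com/login</a>
<a href="https://example.com/redirect?url=https://evil-site.net/x">Click <b>here</b></a>
<a href="https://example-bank.com/statements">View statement</a>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

In production the crude `registered_domain` helper should be replaced by a public-suffix-list lookup, otherwise hosts under suffixes such as co.uk are grouped wrongly.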
Aside from the common techniques listed above, phishers use other techniques that may not be as prominent. Examples include using a popup window to request a client's credentials on a bank's legitimate website, which makes it look as if the bank itself is requesting the information. Tabnabbing, in which phishers take advantage of multiple open tabs in a window, is another technique. The creation of a fake wireless network that resembles a genuine one is yet another technique, known as the evil twin technique; such fake wireless networks can be found in public places.