Social Engineering: What is Phishing?
Phishing is the most well-known social engineering attack, where a cyberattacker pretends to be a reliable source to make their victims reveal their personal information or download malware. According to the National Institute of Standards and Technology (NIST), there are more and more phishing attacks each year, with a staggering rise of 61% since 2021. These statistics show the prevalence of phishing attacks and the need to protect yourself against them. Discover how phishing works, how to avoid it, and how to protect yourself and your company.
What is phishing?
Phishing (pronounced “fishing”) is a kind of identity theft. In this kind of social engineering attack, hackers try to steal your personal or your company’s data, or induce you to download malware, by using deception to gain your trust, usually in an email.
Various deception tactics
Deception can take the form of:
- The impersonation of a person or an organization you know, such as your bank or one of your coworkers;
- URL links that lead you to a fake site mimicking a genuine one you trust. This staged website will have been set up to harvest users’ credentials;
- Seemingly useful files you are invited to download, containing a Trojan horse that hides malicious software (malware).
If it is the latter, the hidden malware can be:
- Spyware designed to collect data and spy on you,
- Malware designed to create a vulnerability, such as creating a backdoor in your IT system or converting your device into a zombie device,
- More frequently these days, ransomware, malicious software designed to freeze the victim’s device. To unlock it, you’ll have to pay a ransom.
Many forms of phishing attacks
There are several types of phishing attacks, depending on the tactic the hacker adopts to get in touch with the victim:
- Classical phishing: The “phishermen” send mass emails to random people. These messages are all identical and contain a link pointing to a spoofed website that induces the reader to enter their credentials, or they invite the addressee to download an attached file infected with malware.
- Spear phishing: A phishing attack that targets specific organizations and individuals instead of sending bulk emails.
- Smishing: A phishing attack that uses SMS text messages instead of emails, hence the combination of the words SMS and phishing.
- Vishing: An attack in which the perpetrator uses their voice (through a phone call) to trick you into completing an action.
- Whaling: An attack that targets “whales” such as senior and executive members of an organization. They will usually be induced to execute an action like the transfer of a large amount of money, leading to a large payoff for the attacker.
How to recognize a phishing message?
Apart from ensuring you install an anti-spam filter and security software, the best way to combat phishing scams is to identify them.
Spelling mistakes and bad grammar in an email used to be a good telltale of a phishing attack. But nowadays, phishing attacks are more and more sophisticated, and phishing emails are often perfectly written.
You will thus have to focus on other details that reveal an attempt to deceive you:
- Links in email. Get into the habit of hovering over any hyperlink sent in an email or SMS to check that its real destination matches the site it claims to lead to in the message text. Mismatched URLs (or misleading domain names) can also lead you to .exe files embedding malware.
- Links included in an email inviting you to connect to a website. Be especially cautious with any “clearance” or “outlet” website seemingly linked to a legitimate, renowned retail portal, for instance. It could be a lookalike website created to steal your ID or some money.
- Threats. Have you ever received a threat that your account would be closed if you didn’t respond to an email message? Cybercriminals often use threats. They will send you a fake alert telling you your security has been compromised, a service is about to be terminated due to your inaction, or your bank account is overdrawn.
- Messages spoofing popular websites or companies. In case you receive a message from a trusted organization, a coworker, or a friend requesting you to do something, pay attention to:
- Any request for personal information;
- An offer too good to be true, or some money you should receive or send;
- Any action you didn’t initiate.
Anything which doesn’t look right should arouse your suspicion. Even emails seemingly coming from specific types of organizations, such as charities or government agencies, can be dangerous. Attackers often take advantage of current events and certain periods of the year, such as:
- natural disasters (e.g., earthquakes, hurricanes, etc.);
- epidemics and health scares (e.g., Covid-19);
- economic concerns (e.g., inflation);
- political elections or events (e.g., the war in Ukraine);
- retail good deals.
How to protect yourself and your company against phishing
- Be wary of emails asking for confidential information, especially information of a financial nature. Legitimate organizations will never request such information via email, phone calls, or other means. Also, always pay attention to the sender’s email address: it may imitate a legitimate business with only a few characters altered or omitted.
- Never open a suspicious attachment, as it is a standard delivery mechanism for malware. Phishermen like to use scare tactics and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of their request.
- Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with “Dear Sir/Madam” or other generic greetings/signatures, and some come from a bank with which you don’t even have an account.
- Don’t get pressured into providing sensitive information, and never submit it via forms embedded within email messages, a very common phishing practice that lands in your junk/spam folder on a daily basis.
- Never use links in an email to connect to a website, as they could be spoofed hyperlinks. A link that does not match the text shown when hovering over it should raise a red flag. The same goes for URL-shortening services. Instead, open a new browser window and type the URL directly into the address bar (or check where that short link leads to, e.g. see the links below). Often a phishing website will look identical to the original, e.g. https://wwwpaypal.com/ is different from https://www.paypal.com/. Similarly, https://www.paypaI.com/ (with a capital letter “i” instead of a lowercase “L”) is different from https://www.paypal.com/. Look at the address bar to make sure that this is the case (and that the connection is secure, i.e. https://).
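As an added example that is not part of the original post, the following Python check applies the two tests above to the links in an HTML email body: does the URL shown as link text match the real href, and is the real host a lookalike of a trusted domain (the wwwpaypal.com and paypaI.com cases)? The trusted-domain list, the homoglyph table and the sample email body are constructed for the demonstration.

```python
# Added example (not from the original post): flag e-mail links whose visible
# text names a different host than the href, and hosts that merely resemble a
# trusted domain. TRUSTED and SAMPLE are constructed for the demonstration.
import re
from urllib.parse import urlparse

TRUSTED = {"www.paypal.com", "paypal.com"}  # constructed allow-list
# A few swaps used in lookalike names (I for l, 0 for o, rn for m, vv for w).
HOMOGLYPHS = {"i": "l", "1": "l", "0": "o", "rn": "m", "vv": "w"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

def skeleton(host):
    """Collapse confusable characters so lookalikes compare equal."""
    host = host.lower()
    for bad, good in HOMOGLYPHS.items():
        host = host.replace(bad, good)
    return host

def classify_host(host):
    """'trusted', 'lookalike' (resembles or abuses a trusted name) or 'other'."""
    host = host.lower()
    if host in TRUSTED:
        return "trusted"
    bare = skeleton(host).replace(".", "")  # dot-less compare catches wwwpaypal.com
    for t in TRUSTED:
        if bare == t.replace(".", "") or host.startswith(t + "."):
            return "lookalike"
    return "other"

def audit_links(html):
    """Return (href, text, reasons) per anchor; an empty reasons list is clean."""
    findings = []
    for href, text in ANCHOR.findall(html):
        url, reasons = urlparse(href), []
        target = url.hostname or ""
        if url.scheme != "https":
            reasons.append("not https")
        if classify_host(target) == "lookalike":
            reasons.append("lookalike host")
        shown = re.search(r"https?://([^/\s]+)", text)  # URL displayed as text
        if shown and shown.group(1).lower() != target:
            reasons.append("text/href mismatch")
        findings.append((href, text.strip(), reasons))
    return findings

SAMPLE = (  # constructed e-mail body, not a real message
    '<p>Sign in at <a href="https://www.paypal.com/">https://www.paypal.com/</a>'
    ' or <a href="http://www.paypaI.com/login">https://www.paypal.com/</a>'
    ' or <a href="https://wwwpaypal.com/">Secure login</a></p>'
)
```

Running `audit_links(SAMPLE)` leaves the first link clean and flags the second for all three reasons and the third as a lookalike host; a mail filter would apply the same logic before the message ever reaches a reader who has to hover.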
Even more tips to protect yourself
- Make sure you maintain an adequate environment to combat phishing. Use anti-viruses and trusted browsers. Keep all your software up-to-date. Use encrypted services such as Mailfence to communicate and further safeguard your privacy.
- Use password managers that auto-fill passwords to keep track of which sites those passwords belong to. If the password manager refuses to auto-fill a password, you should hesitate and double-check the site you’re on. Read this blog post to avoid bad password habits.
- Always be suspicious – Phishing emails try to freak you out with warnings, then offer you an easy fix if you just “click here!” (or “You’ve won a prize! Click here to claim it!”) When in doubt, don’t click. Instead, open your browser, go to the company’s website, and then sign in as usual to see if there are any signs of strange activity. If you’re concerned, change your password.
- Always use 2FA (two-factor authentication) when a service provides it.
- You can check where a particular link leads before opening it, using services such as: Where Goes, Redirect Detective, Internet Officer Redirect Check, Redirect Check, URL2PNG, Browser Shots, Shrink The Web, Browserling.
- Last but not least, learn about new trends in phishing. You can start by reading our Email security and privacy awareness course. It is simple and accessible for all, yet informative.
What should you do if you’re a victim of a phishing attack?
If you have fallen for a phishing attack, check out our blog post on hacked emails.
You can also report the phishing attempts at:
- Google – report phishing or badware
- US-Cert.gov – report phishing
- Consumer.ftc.gov – report phishing
In the future, try to always protect your computer by applying these 10 tips.
How phishing is evolving: 2023 phishing trends
Nowadays, phishermen often work for large criminal organizations having substantial resources to improve their techniques and multiply their attempts. As a result, attacks are becoming more sophisticated and harder to detect.
Here are the phishing trends emerging in 2023:
1/ Cybercriminals more often use mobile devices and personal communication channels (social media accounts…) to contact their victims. Indeed, SMS has become a popular way to get in touch with potential victims (see our article dedicated to smishing).
2/ Brand spoofing is getting more sophisticated and harder to detect.
3/ Spear phishing campaigns require a lot of preparation. For this reason, hackers used to mainly target big organizations, which are more likely to yield big rewards (this is called “big game hunting”). But nowadays, thanks to the optimization of phishing techniques, smaller companies are targeted as well.
4/ Hackers target cloud access.
5/ Sometimes, cyber pirates are willing to pay to obtain user credentials.
6/ Even aspiring phishermen can use these sophisticated techniques, thanks to RaaS (Ransomware as a Service). RaaS provides them, for a fee, with a toolbox containing all the services and pieces of code necessary to launch a ransomware attack. These tools include the phishing email templates often used to initiate a ransomware attack.
7/ A new class of cybercriminals, initial access brokers (IABs), now focuses on obtaining login or email credentials. They try to steal them by breaking into organizations’ information systems, and whenever they succeed they can sell them to other cybercriminals. Those buyers can then launch very dangerous phishing campaigns, since the credentials are legitimate.
Cybercriminals, often backed by governments or very powerful mafias, are moving very fast, and their creativity is limitless. They are constantly finding new tactics and new vulnerabilities to exploit.
On the other side, we users keep adding connected devices, each of which opens a new door for possible attacks. Therefore, it is important to keep up with cybersecurity.
Most of all, you should rely on common sense. You can’t win a contest you didn’t enter. Your bank won’t contact you using an email address you never registered. Know the warning signs, think before you click, and never ever give out your password or financial info unless you’re properly signed in to your account.
By the way, having an encrypted email suite like Mailfence is crucial to secure your communication and help you to avoid all sorts of scams.
In fact, Mailfence has been designed to protect you from cyber threats and privacy breaches, including phishing. In addition to its end-to-end encrypted email, it includes digital signatures and 2FA. Oh, and it’s not only an email solution but also a collaborative office suite.
Why not give it a try now? Subscribe now to a free account and start your journey towards more secure communications.
Salman works as an Information security analyst for Mailfence. His areas of interests include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem