So, stop me if you’ve heard this one: A Nigerian prince finds himself in a serious predicament: his father left him a vast sum of money in an overseas account, around 32 million dollars, which he needs to claim within a month.
The problem is that there are a number of signing and lawyer fees that need to get paid before he can legally transfer the money. So he emails you trying to cut a deal: if you can send him the money he needs, (Something around 20-30k) and co-sign on the bank transfer, he’ll send you 30% of his father’s fortune: a cool 9.6 million bucks.
It should come as little surprise that if you decided to take him up on his offer, he’d take your money happily then never contact you again. This is called a 419 scam, and it’s one of the most well-known versions of a phishing scam.
…which is why you almost never see it anymore.
What is phishing?
Phishing, other than being a great word for fish-based puns, is basically any attempt to trick people over an email. The goal can be anything from trying to get people to send you money, hand over sensitive information, or even just download malware unwittingly, and the authors of these attacks will use lies, trickery, forgery, and outright manipulation in order to see them succeed. Because of this, phishing is what we call Social Engineering: a kind of attack that relies on human fallibility rather than a hardware or software flaw in order to work.
Phishing is an attempt to trick someone, usually via email
That said, since most phishing relies on making you click tainted links to download malware or send you to fake websites, a good antivirus will help keep you safe from even the most sophisiticated forgeries.
Everything is AOL’s fault
As long as there’s been language, people have been lying and scamming each other, so in many ways phishing is the oldest cyber-threat in the world. But the first instance of “phishing” as a term was recorded on January 2nd, 1996, in a Usenet newsgroup called AOHell, talking about the rise of scammers and liars on America Online. The word is obviously inspired by the term “fishing”, because it involves trying to bait someone into a trap, but replacing the “f” with a “ph” references another old slang term “phreaking”, which is the study, exploration, and dissection of telecommunication systems. The “ph” was borrowed to link the scams with the dark, seedy underbelly of the phreaking community (called the warez community back in the day) where they originated.
The very first phishing attacks were people posing as AOL employees asking people to confirm their billing address with the company. As this was before phishing became well-known and companies didn’t adhere to the same strictness as they do today, people often fell for these types of scams. AOL eventually became the first company to warn people that they would never ask for that kind of info via an email, but by then the damage had been done. The viability of phishing attacks had been proven, and there was no going back.
All the cool kids are doing it
While ransomware might make the news, phishing attacks are easily the most common, and most frequently successful, type of online threat. Their prevalence is largely due to their versatility: phishing can both be a goal on itself as well as a delivery method for other attacks. Combined with the fact that people still fall for them every day, hackers have no reason to fix what ain’t broke.
Here’s some hard data for ya:
- Email is the #1 delivery system for all malware.
- The frequency of spam has increased 4 times since 2016, and over half of them are malicious.
- 76% of organizations reported being victim of a phishing attack in 2016.
- A global survey conducted last year indicates two out of three people have experienced a tech support scam in the previous 12 months, according to the Microsoft Digital Crimes Unit.
- Cyber criminals are creating an average of around 1.4 million phishing websites every month with fake pages designed to mimic the company they’re spoofing.
So it’s like spam, right?
While phishing and spam oftentimes overlap, the two are still very distinct beasts. Spam is any unwanted or mass-produced email that tries to clutter up your inbox, whereas phishing has a very specific, very illegal goal. Phishing emails can be spam, and to the common layman like me, it typically is. But if you happen to be a CEO, or a business owner or, say, a campaign chairman, then it’s very possible hackers hand-crafted a unique phishing scam for you specifically, in which case it couldn’t be classified as spam. By the same token, spam is annoying but not illegal or really ‘wrong’ on its own. Like many things in life, spam is as good or as bad as the people who use it: no matter if you’re a local business trying to spread words of your low rates or a hacker trying to spread his world-ending supervirus. A popular tool for phishers, as we’ve seen, but the two terms still can’t be used interchangeably.
What happens if I’m hooked?
The effect of being scammed by a phishing email depends on exactly what the scammer wants to take from you. In the example at the start of this article, it’s pretty straightforward: they want your money. That said, some of those scams will also ask for “proof of authenticity” by asking you to scan and send them your passport, driver’s license, and more, which would mean they could steal or sell your identity. But since those types of scams are less popular these days, it’s unlikely anyone will be falling for that.
The more common type of phishing attacks are ones that try to dupe you into handing over a username and password, either by linking to a fake version of a site you trust and asking you to log in or requesting you send it over email (see below). In these cases, not only do you compromise that account specifically, but if you’re one of the roughly 84% of people who reuse their passwords, you risk compromising all your other accounts too.
Finally, if you fall for a phishing attack that asks you to download a malicious attachment, and your antivirus somehow doesn’t stop it, then congratulations, you have an infected computer. What happens next largely depends on what the malware is supposed to do, but it could be anything from stealing your data, holding it ransom, deleting everything, or just “borrowing” your processing power to mine bitcoin.
Types of phishing attacks
There are plenty of different types of phishing attacks, but they all rely on the same basic mechanism: exploiting human trust, ignorance, or apathy in order to get us to do something we really shouldn’t be doing.
Spear phishing — Shooting for the stars (literally)
Some phishers are content to steal the money, data, and security of anybody they can catch in their net. But others have more ambitious goals: either for personal, political, or financial reasons, they decide to target specific, high-profile people. This is called spear phishing, both because it’s more precise and because it often targets “Whales”, who are high-level politicians, celebrities, and CEO’s, all of whom have access to valuable data (and lots of that cash money).
Spear phishing is a precise attack on a specific, high profile target like a CEO, aka a "whale"
By imitating a known contact, an employee, a friend, an associate, or even another organization, Spear Phishers send carefully crafted, well-researched, and oftentimes extremely specific emails to their targets. Usually, the end goal is to get them to download some malware that will give them access to the system, but a username and password could also give them administrative powers over the network, which would be equally disastrous.
If hackers want to spear phish a whole company or organization, they’ll likely try a waterhole attack, which the attackers follow the organization to a site it uses often (most commonly Whatsapp, Facebook, or Slack) and sends out phishing links that way. These, much like the largely personal emails sent to individuals, tend to be well-researched and hard to distinguish from more authentic messages.
Because they’re so personalized, these attacks are about as successful as the old AOL attacks from the days of old, and are the cause of 91% of successful hacks against organizations.
Clone phishing — Evil twins
We all get official emails from our service providers, including hackers. And whereas we see an annoyance or a chore, they see opportunity. Clone phishing is when a hacker copies a legitimate email sent from a trusted organization, but replaces or adds a link that leads to a fake, malicious website. Then, they send that email out in masses and see who clicks.
Sometimes the link will lead to an infected site, but it’s more common these days to simply try to pilfer your username and password with a fake login screen. That way, they can access whatever account you were trying to log into… and whatever other account that uses the same password (hence why you should never use the same password twice).
If malware on your PC or router redirects you to a fake site, that’s called pharming. Similar name, but outside the objective of stealing login credentials (and the “Ph” in the name) there’s not much in common between these two attacks.
419 scams — the deal of a lifetime
Despite being named after the section of the Nigerian criminal code dealing with fraud, a 419 scam can come from anywhere in the world. Traditional and well-known to the point of worthlessness, these use elaborate stories to try to con you out of cash, as well as possibly steal your personal details for some good ol’ fashioned identity theft.
These days, scammers start as pen-pals or long-distance partners before “misfortune” strikes and they suddenly need money
In the past, these used to be far more common, and the stories involved usually involved a promise of greater rewards if you paid some comparatively small amount. These days, targets tend to be befriended beforehand as pen-pals or long-distance partners, before some “misfortune” strikes and the scammer suddenly need money, exploiting their victim’s charitable nature. These new scams are certainly similar to phishing, but they’re technically more like “catfishing” or “spoofing”, so we won’t go into much more detail here. Still, for the history, they warrant a mention.
Phone phishing — more like PHONE-IES amirite?
Most phishing attacks happen in your inbox. But not all. Sometime phishers will call or text pretending to be from your local bank or the police, claiming that there are problems with your account they need to clear up. Once you hand over your account numbers and PIN, they go ahead and drain your account, which is the opposite of the problem you were aiming to solve. This is called phone phishing, or Vishing, for “voice phishing”.
Phishing can happen over the phone too
While not as successful as email phishing, phone phishing is on the rise. In addition to pretending to be your bank, fakers can also pretend to be the IRS, tech support, or a utilities company. Nothing’s off the table, really.
Special delivery: it’s malware!
On top of trying to steal your data, as we’ve discussed, almost every type of phishing can be used to deliver malware to someone’s system. A link can lead to a compromised website, an attachment could be malware. Heck, even a google document or a spreadsheet can be malware now, thanks to the rise of fileless attacks – which takes software that’s trusted and safe and turns it malicious by re-coding its internal mechanisms.
The kinds of tricks people can use have only grown as more devices and services get introduced into our lives. People have used misleading Google Doc invitations, Dropbox sharing, fake invoices, bills, faxes… whatever they can think of to get you to click on and download the file. As we mentioned, it’s so common and so effective that it’s easily become the method of choice for delivering malware, tricking millions of people around the world every year.
The good news, however, is that malware can’t use social engineering to get past a good antivirus. So while phishing can get malware into your inbox, AVG can keep it from doing any damage. But we’re getting ahead of ourselves.
Examples of phishing emails
The problem with phishing attacks is that they’re both so common and so unique to the time and circumstances around them, that each individual example can be fairly mundane. We’ll dissect a common phishing email below, but there are still plenty of times when phishing wound up on the news. Let’s take a look, shall we?
Taking phishers to court
We already wrote about the very first phishing attacks over on AOL, imitating members of the staff in order to get people’s payment info. But AOL had another first in the world of phishing: in 2004, the U.S. Federal Trade Commission filed the very first lawsuit against a suspected phisher, a Californian teenager, who was supposedly using a fake version of the AOL website to steal people’s credit card info. One year later, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005, which solidified the law regarding the criminality of fake websites and emails, with offenders getting fined up to $250,000 and jail time of up to five years.
Going big in the UK
In what’s been called “The biggest case the Met Police’s Action Fraud Unit has dealt with”, three men were arrested in 2013 after having scammed 59 million pounds from bank customers in over 14 countries using over 2,600 fake pages that mimicked banking websites. Living in plush hotels within the UK, they were eventually caught when using hotel Wi-Fi to log into servers storing compromised banking details. (If they had known the dangers of open Wi-Fi perhaps they would have eluded capture. Use a VPN, criminals!). Each man was sent to prison for a total of 20 years, and the data of nearly 70 million banking customers were recovered soon afterwards.
Operation Phish Phry
Not only did this two-year investigation lead by US and Egyptian authorities rock the world’s best code name, it also lead to 100 people being charged for using phishing scams to steal account details from thousands of people in 2009. While they had been in operation, the crooks had managed to steal 1.5 million bucks.
At the end of the day, some of those charged would spend around 20 years in jail. Others would get off easier, but everyone patted themselves on the back for a job well done in this international phishing investigation, which has been called the biggest international case ever conducted.
And here’s a fun fact for you: The FBI director who oversaw it? Robert Muller. Yep, the very same.
Stay on Target…
The Target hack from 2013 drew international eyes when it was uncovered that the data of over 110 million customers had been compromised, leaving the company to scramble in order to secure its holdings and warn the affected customers. But what you might not know is that it all started due to a phishing attack. But not against Target itself: rather, the hackers phished a Pittsburg-based heating, ventilation, and air conditioning contractor, who was connected to Target’s system thanks to their close partnership.
The Target hack — one of biggest data leaks in history — started with a phishing attack
After network credentials were stolen via an email phishing scam, malware was injected into the system that spread to Target and snagged credit card data from thousands of cash registers.
This is also one of the first cases where executive mismanagement could directly be blamed for the incident. Both the CEO and CIO of target were fired for knowing of the flaws in their security but failing to address them properly. Good to see Karma go full circle, but that was small comfort for the millions hacked.
And now things get political
Perhaps the biggest phishing scams from last year came from the United States political scene when Hilary Clinton’s Campaign Chairman John Podesta fell for a phishing email which lead to the leak of her private emails. Often cited as a pivotal moment in the 2016 election, the hack revealed personal and professional information about the former candidate and sparked both a discussion about cyber-security and an investigation into the culprit. But the other side of the political spectrum has had phishing problems too: Gizmodo showed how vulnerable Trump’s White House is by phishing his entire staff, showing how eight people (including advisor Newt Gingrich and FBI director James Comey) fell for their email.
How to spot a phishing email
Because the objective of phishing emails are so varied, the “look” of each one is pretty different too. While we’ll look at a few examples, most of them have the same basic ‘attributes’:
- Poor spelling/grammar
- Strange links/attachments
- Unusual or misspelled return addresses
Unfortunately, these attributes aren’t found in spear phishing emails, which are designed to fool specific people or organizations, so they are neither vague nor do they strategically employ the poor spelling and grammar of other, more common phishing emails.
But let’s not get ahead of ourselves.
This would be a quintessential example of a clone phishing email, and it has all the tells: for one, you are not addressed directly, and no personal tells are included in the body of the email. To prove authenticity, emails sent by actual services will include your name, your account number, or some other information that they have to show they’re the real deal. This email lacks that entirely.
But the second, more obvious tell is the email link: it goes to an http site, which is unverified and unsecured. Any authentic link would lead to an HTTPS site, but sometimes they’ll try to hide the link using hypertext: But you can always roll the mouse over to see where it leads. That said, the safe thing to do if you ever receive such an email is to not click the link, but visit the page directly from your web browser. That way, you can be sure you go to the authentic site.
The above email also shows off some of the other marks of a phishing email: bad grammar. No, that isn’t strictly because all hackers flunked out of high school English. Oftentimes poor grammar and spelling is intentional. The hackers reason that if someone fails to notice spelling or grammar errors, they’re careless and perhaps even a little dumb, which means they’ll react slower to having their details stolen, if they notice at all.
Let’s look at the other most common type of email…
Malware delivery emails
These are delightfully straightforward. This is an example of the recent Google Doc malware, which we discussed in passing above. The minute you click on the “Open in Docs” button, you’re inviting malware into your computer. Let’s look at another:And others are even less subtle: These emails aren’t really trying to “trick” you: common sense and a bit of critical thinking would lead most people to just delete these. Rather, hackers are exploiting apathy and curiosity in equal measure: the same tools they use to get people to plug in infected USB drives.
Still, their marks are very telling: for one, the files extensions in the last two emails are obvious signs. There’s no reason a scanned image should be a ZIP file, and no one has to send you an HTML page to troubleshoot account issues. The senders, too, are pretty strange: I’m pretty sure no one at buzzfeed needs you to collaborate on any articles, and “email@example.com” isn’t the most believable username out there. For the second, the return address is more convincing, but would their customer support really have the .com in their name? If you’re unsure, you can always check the website’s contact page.
But of course, you should never be downloading anything you aren’t sure about. That’s the number #1 tip for emails, and in life, in some respects.
Spear phishing is a trickier beast.As you can see, a well-made spear phishing email avoids many of the previous tells. It’s directed to a specific person, it uses an HTTPS website, and there are no grammar or spelling mistakes to be found. In this case, the big tell would be the sender: Google ArAutoBot, which should make someone raise an eyebrow. But if you’re busy at work and you’re only glancing, that would be an easy detail to miss.
Sometimes, the fake accounts will be harder to spot: using characters from other languages that look identical to English characters can mean someone technically has a different URL, but it looks exactly the same. For example, using a Greek capital A rather than an English one: looks identical to a human, but to a computer they appear very different.
The customized nature of these emails is part of the reason they’re so successful. Better planning, such as warning someone before sending an email or double-checking what exactly the attachments or links are before opening them, could prevent these attacks, but for many the risk of phishing attacks doesn’t seem to be worth the trouble of preparing for them. Which is the whole reason hackers love to use this tool so much.
Help! I have a phishing email in my inbox!
If you have an email address, there’s an overwhelmingly high chance you’ll eventually open it up and discover a phishing email in there. However, there’s no cause to panic: we’ve compiled an easy-to-follow list of steps to take if or when you find yourself in that situation.
Step 1: Delete it
And you’re done!
…okay, fine, there’s a bit more to it than that. While a normal phishing attack is inevitable and ignorable, if you happen to catch a spear phishing attempt in your inbox, then it’s essential you report it to your manager and to IT, if your business has one. No hacker will be content sending only one email, and will likely target multiple employees across weeks, months, or even longer: so it’s important to not only prepare everyone to stay on guard, but also to uncover if another, less-informed employee accidentally took the bait. The sooner any holes in security can be patched, the less damage you’re likely to suffer.
You can also report common phishing scams to the United States Federal Trade Commission if you want, at OnGuardOnline.gov, which also has some nice information about scams, phishing or otherwise. It’s possible your report could lead to some arrests, if you’re lucky!
How can I avoid phishing attacks?
As I mentioned above, phishing is an unfortunate reality: an anti-spam will reduce the number of emails you get, but it’s likely a few will slip through the cracks. But rather than worrying about keeping your inbox free of these annoyances, it’s better to simply stay alert of their dangers, and arm yourself against any possible repercussions if you happen to slip up and fall for their deceptions.
The number one way to avoid phishing emails is to simply remember to check any email you find even slightly suspicious.
- Check the spelling and grammar
- Make sure the links are safe, or just use your web browser
- Pay attention to file extensions
- Look at the return address and sense check it
- Ensure everything is specific and the sender can prove their identity
It takes only a few seconds of double-checking, but it can save you a lifetime’s hassle. So don’t slack on it!
Use an anti-spam
Most every email provider has some kind of anti-spam built in, but they’re not always the best. Getting an external spam filter can help pick up the slack and grab any of the sneaker phishing emails, but oftentimes they only work with desktop-based inboxes.
Think before you give an email address
A “loose” email address that’s publically known will invite phishing emails. It’s often a good idea to have two or more email addresses: one for signing up to websites and making accounts, and another for private or professional use. That way, most phishing emails should head to the former account, which you’ll barely be visiting anyway.
Good ol’ security software
As we mentioned before, a phishing email will get a virus to your doorstep, but that’s all: it won’t let the malware slip past any antivirus you have on your PC or phone. So something as simple as, say, AVG AntiVirus Free, will keep your computer safe if you accidentally try to download deceptive attachments. Good protection can also keep you safe from fake websites, which will check each one for a proper, authentic security certificate: and that means you’ll never get the chance to visit that fake website the hackers worked so hard on.
A note on “Vishing”
Obviously, the measures we’ve listed above don’t apply if you get “vished”, but that doesn’t mean there aren’t things you can do to protect yourself. For one, Apple, Microsoft, and other tech giants will never, ever call you because of a “problem” with your device, especially not with “independent agents”. So if you ever get a call like that, feel free to either hang up or mess with the person on the other end. Make the most of the situation. And if you are called by someone like a bank, they’ll always address you by name, and while they might ask verification questions to make sure you are you, they won’t ask for a PIN, SSN, or any other compromising number. Same applies if someone calls you claiming to be the police: they’ll never need you to verify your banking details over the phone.
Tech giants will never call you because of a "problem" with your device, so feel free to mess with the unwitting scammer
Likewise, if someone claims to be part of the IRS or some other organization whom you “owe”, but asks that you pay with wire transfers or prepaid cards, then you know you’re dealing with a scam. Those methods of sending money are impossible to track, which is exactly why scammers like using it.
And if you’re still unsure? Just hang up and call back. But call back using the number on the organization’s official website. Any real organization would have no problem with you doing that, only scammers would protest.
Stop me if you’ve heard this one before:
A 29-year-old professional roofer logs into his email account after a long day of work, and in sussing through his emails, he comes across an unusual one: a stranger is asking him to collaborate on a google document. He’s slightly intrigued by who the sender is, and the voyeur in him is intensely interested in seeing what’s actually on the document.
But before he clicks on the “Open in Docs” button, he pauses, and merely rests his mouse over it. He looks at the URL that pops up in the corner, and realizes that wherever the link goes, it most certainly isn’t a google document. Sighing a breath of relief, he promptly deletes the email and goes on with his business.
Maybe not as exciting and dramatic as a Nigerian prince’s lost millions, but this is the story we want to be hearing more of: people exercising common sense and restraint when dealing with the weird, curious, and probably dangerous things on the internet. Because with a little foresight, and a little caution, the biggest, most popular tool in the hacker’s toolkit is absolutely worthless.
And isn’t that the most empowering feeling in the world?