Introduction to Phishing
Phishing is one of the most dangerous threats to businesses today, and every business is a target. In this section of the Click Armor Knowledge Center, you will be able to learn how phishing attacks work, and get tips on how to deal with them.
What is email phishing?
Email phishing is one of the most common ways attackers gain their first foothold in an organization. It uses email messages to trick you into doing something dangerous that benefits the attacker. Phishing uses impersonation and other kinds of deception to make you believe the message is from somebody you trust, and that the action you are taking will somehow benefit you.
Phishing can take many different forms, including simple attempts at deception that most people can spot. It can also occur in much more complex situations that include a sequence of messages. The process of deceiving people into taking some action is called social engineering.
So phishing is really a form of social engineering, like traditional scams and fraud schemes, delivered by email. These attacks are typically aimed at employees in businesses, in the hope that staff have not had enough cyber security awareness training to spot and avoid them.
What are some phishing email examples?
Here is an example of a simple phishing email, impersonating the Apple App Store…
Simple Phishing Email Message
The above message was an attempt to get you to review a payment made via the App Store. Of course, if you hadn’t made a payment, you might want to know more about this transaction. The problem is, the attachment in this message tries to launch malware on your computer as soon as you open it. The message tries to trigger your fear of losing money through unauthorized payments on your App Store account.
Below is a more sophisticated spear-phishing email that targeted the recipient based on information about some scandal that may trigger their curiosity…
What damage does phishing cause?
A large share of cyberattacks begin with, or at some point involve, a phishing email. Commonly cited survey figures are that over 50% of businesses have reported being victims of a phishing attack and that around 91% of security breaches involve phishing.
Phishing attacks can cause various types of damage, from theft of confidential data, to fraud, sabotage and extortion schemes like ransomware. Phishing is often the primary method used to gain initial access or information that can be used later, for many different types of targeted attacks on businesses and individuals.
Compromised confidential information
To gain access to confidential information, an attacker might simply send an email to a person by disguising their email address and asking for it. Or they may also include a link or attachment in the message. By having the target click on a link or attachment, they can potentially launch malware. This may be able to locate files or systems with information it can steal and send back to the attacker.
A link or attachment can also take the target to a dangerous website set up by the attacker. This site might be a forged or spoofed copy of one the victim would trust. While the victim is at that site, the attacker can collect their real username and password.
Other impacts from malware triggered by a phishing email can include a ransomware infection, where the entire computer’s file system might be locked up or scrambled using encryption. The attacker will hold the system hostage until the victim pays a ransom, in order to get a key from the attacker that will unlock their system.
Below is an example of a ransomware message that locks up your system and demands payment within a specific period of time. If you don’t pay in time, the price to unlock the system goes up!
Ransomware launched by a phishing attack may also spread to other computers on the same network, or search them for further information and systems to attack. This means that the potential damage from one phishing email can become very widespread within an organization, and very costly.
Paying the ransom may get you a decryption key, but it does not guarantee recovery: only about 20% of victims who report paying the ransom get all of their files back successfully.
It’s also important to realize that a ransomware infection usually means the attacker has already had the opportunity to copy data from your systems. So, if you don’t pay, they may threaten to post the data publicly. This is commonly called double extortion (or “double dipping”), because it gives them a second chance to get paid.
So, the risks from ransomware are so serious that it is extremely important to avoid it if at all possible. And since it is very often delivered by phishing, all employees need to be made aware of the dangers, and how to avoid them.
The more convincing a phishing message is, the more likely it is to fool the recipient. So attackers may choose to put more effort into a targeted attack using something called a spear-phishing message, which may be more profitable for them. The Click Armor Knowledge Center has more information on the difference between regular phishing and spear-phishing.
Who is behind phishing attacks, and what do they want?
Cyber attackers can use various types of phishing messages to achieve their objectives. Most want some kind of financial gain, but others may use phishing and cyber attacks as a way to advance their political agendas, or even to just damage the reputation of others.
But there are a few identifiable categories that most attackers fall into:
Criminals including petty thieves, organized crime rings, corporate competitors looking for economic advantages, and even insiders who work for an organization. Ransomware tends to be the most profitable type of attack used by criminals.
Activists including politically motivated individuals or groups, or those with an agenda that opposes the target organization or person in some way. An example is the group Anonymous, which tends to launch attacks that disable websites or services. They may also steal documents and post them publicly, to cause maximum embarrassment, or damage their target’s reputation.
State-sponsored attackers, including government organizations (foreign, or sometimes domestic) that see political or economic advantage in stealing from or damaging the interests of various organizations or countries. The people carrying out the attack may be government employees or contractors hired by a government, which ultimately benefits from the attack.
Some cyber attackers act as mercenaries and will offer their services to anyone who will pay them.
Regardless of their motivations, most attackers will use similar social engineering tactics, including phishing emails to gather information or launch their offensive attacks. So, even if you don’t think you have anything of value to an attacker, you can be a stepping stone in their attacks, without even being aware of it. Security awareness training programs should advise employees that they must always be vigilant about being targeted. But this can be hard for employees to do effectively, if they don’t understand how they might be targeted.
What are phishing attackers trying to do?
The primary things a phishing email message is designed to get you to do are:
1. Click on a link in the message that takes you to a website they control; and/or
2. Launch a program on your computer (malware like a virus or trojan horse program); and/or
3. Convince you to take an action like providing information or performing a transaction (usually fraudulent)
By taking you to a website that they control, an attacker can try to convince you that the site is one you should trust. It could be a forged or “spoofed” site that you think is one you normally use, like LinkedIn, Google or Facebook. Or it could be impersonating some other less used, but trusted organization, such as a government department or a supplier.
Once you are at a spoofed website, the attacker may try to collect your username and password from a fake login page, or ask you to fill in information in order to “confirm a transaction”. Often, a phishing message will say that you need to “verify your identity” by following a link and logging in. The fake page records the credentials you type, tells you the login failed, and then forwards you to the real site, where your next attempt succeeds. It can be hard to tell that the first attempt was not simply a typo, so you may not notice that you just gave your password to an attacker. If you realize this has happened, change that password immediately, and anywhere else you reuse it.
Another reason an attacker may take you to a website they control is to try to launch malware on your computer. It is easy for them to gather some basic information from your browser when you are at their website. They can often learn clues about the versions of software you are using, such as Microsoft Windows or Office, and other programs like Adobe Reader or even your security software. Their goal is to find programs with known vulnerabilities that will allow them to break through and launch a successful malware infection on your computer.
Whether it’s by launching malware from a website or by getting you to open a program via an email attachment, there is a chance they will be successful, even if you have security software in place. Every piece of software tends to have security vulnerabilities at some point in time, and attackers are always trying to learn about how they can exploit them.
How does email phishing work and how can you fight it?
In its simplest form, phishing simply tries to trick you into clicking on a link or attachment, or into taking some other action. This all depends on you not realizing that you are being tricked. Once you click on a link or attachment, the attacker gets closer to the result they want.
The attacker may send simple phishing messages to a large number of email addresses that they have collected, bought or stolen. Because it is free to send an email, some attackers send millions of messages every day, hoping for a few people to fall for them.
There are many ways attackers can create email messages that you might trust. They will constantly be creating new messages, meaning that you always need to be careful about which messages you decide to trust.
Why does phishing work so well?
Some phishing messages don’t work very well at all. In fact, they look silly to most of us. You might wonder why they even bother to send them. But as we noted above, they can send millions of messages per day. And it may only take a few people falling for them to make the attacker enough money to keep doing it. But this is not very efficient for the attacker.
Other attackers use more creative and convincing messages, which may take time to create. In fact, some will actually do research on their targets, to make it more likely that their attack will not be detected, and that the victim will take the desired action. This targeted approach is known as spear-phishing.
The most effective method attackers use to get people to trust them is to try to create situations called pretexts, which seem believable to the recipient. The most important thing an attacker will do is try to cause an emotional reaction by the victim. They want their target to bypass their logical process of checking to see if the message is legitimate.
Examples of the kinds of emotions that attackers often use include:
Almost any emotion you can imagine can be leveraged by an attacker to create a situation that “pushes your button” if they know enough about you. For example, if they know you support certain kinds of charities, they can impersonate a fundraiser. Or if they know you like to gamble, they can entice you with a “sure thing” from a friend of a friend.
This is really why phishing is so successful. You never actually see the attacker, and all you really know about them is usually what is contained in the email. They may even use other social engineering tactics like “softening up” with a phone call or harmless email that doesn’t ask for anything up front. This is all designed to build your trust.
What are the important parts of a phishing email message?
Usually, there are five parts of any unexpected email message (or any message from someone you have only recently connected with) that you should examine for clues:
1. Sender name and email
2. Subject line
3. Body text
4. Hyperlink (or just “links”) in text and images
5. Attachments (like pictures or documents)
Each of these elements of the message can be used by an attacker to convince you to trust them. But there are often clues in one or more of them that can be checked. Sometimes, if the attacker is really good, they might be able to hide the clues well, and other times, even legitimate messages may look suspicious. But it is important to know what to look for, as a minimum, to reduce the risk of being tricked by a phishing or spear-phishing email.
What can you learn from the email sender information?
Every email carries information about who sent it. The sender name you see is just free text chosen by whoever sent the message, so it proves nothing on its own. Every email also contains the sender’s email address, like firstname.lastname@example.org, which can usually (but not always) be used to reply to the sender. Even that address can be forged unless the receiving mail system enforces sender authentication (SPF, DKIM and DMARC), so treat the address as a clue rather than proof.
The important things to know are:
1. Do you know the person who the sender claims to be?; and
2. Does the sender’s real email address match what you would expect from that person?
Just because the name of the sender is somebody you know doesn’t mean that the message is actually from them. The first thing to do is “reveal” the actual email address. To do this, you can almost always click on the sender’s name (or double-click, if necessary). Sometimes all you need to do is hover your mouse over the sender’s name to see the real email address.
Email addresses can be complicated, and may not look as expected, especially when they come as notifications from websites or business organizations you trust. They may use special email services that have odd or complicated information in the sender address. It’s best to compare these addresses with ones you know are safe before considering trusting them.
One of the most common ways attackers use sender email addresses to trick people is with lookalike domains. Everything about the message may look normal, but the domain is registered under a different top-level domain from the one you expect (for example a .ru or .cn address standing in for the .com you know), or it differs from the real domain by a character or two, such as an added word, a swapped letter, or a digit in place of a letter. You won’t catch these unless you know what to look for: compare the whole domain, character by character, against an address you know is genuine.
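The checks described above (display name versus real address, a known name sending from an unexpected domain, and lookalike domains) can be automated. The following is an added example written for this article, not Click Armor’s code: it parses a raw From: header with Python’s standard library and reports the tricks it recognizes. The KNOWN_SENDERS allowlist and every address in it are constructed for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr
from typing import List

# Constructed allowlist (hypothetical): display names you know and the domains
# they genuinely send from. A real deployment would build this from your
# directory or address book.
KNOWN_SENDERS = {
    "jane doe": {"example.org"},
    "app store": {"apple.com", "email.apple.com"},
}


def domain_of(address: str) -> str:
    """Lowercased domain part of an address, or '' if it has no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def fold_lookalikes(domain: str) -> str:
    """Collapse common character substitutions so 'app1e.com' folds to 'apple.com'."""
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(bad, good)
    return domain


def check_sender(from_header: str) -> List[str]:
    """Return warnings about a raw From: header value; an empty list means nothing unusual."""
    decoded = str(make_header(decode_header(from_header)))  # undo any RFC 2047 encoding
    display_name, address = parseaddr(decoded)
    if "@" not in address:
        return ["no parseable sender address"]
    domain = domain_of(address)
    warnings: List[str] = []

    # Trick 1: the display name itself contains an address that differs from the real one,
    # e.g. "Jane Doe <jane.doe@example.org>" <attacker@example.net>
    inner_address = parseaddr(display_name)[1] if "@" in display_name else ""
    if inner_address and domain_of(inner_address) != domain:
        warnings.append(
            f"display name shows {domain_of(inner_address)!r} but real address is {domain!r}")

    # Trick 2: a name you know, sending from a domain it never uses. Compare the whole
    # domain exactly, so 'example.org.ru' is not mistaken for 'example.org'.
    expected = KNOWN_SENDERS.get(display_name.lower())
    if expected is not None and domain not in expected:
        warnings.append(f"{display_name!r} normally sends from {sorted(expected)}, not {domain!r}")

    # Trick 3: a lookalike of a domain you trust (digit for letter, 'rn' for 'm').
    known_domains = {d for ds in KNOWN_SENDERS.values() for d in ds}
    for known in known_domains:
        if domain != known and fold_lookalikes(domain) == fold_lookalikes(known):
            warnings.append(f"{domain!r} looks like {known!r}")
    return warnings


if __name__ == "__main__":
    for header in (
        "Jane Doe <jane.doe@example.org>",
        "Jane Doe <jane.doe@example.org.ru>",
        '"Jane Doe <jane.doe@example.org>" <attacker@example.net>',
        "App Store <noreply@app1e.com>",
    ):
        print(header, "->", check_sender(header) or "no warnings")
```

The exact-domain comparison in the second check is the important design choice: a test such as “does the domain contain example.org” would pass jane.doe@example.org.ru, which is exactly the kind of address the section warns about.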
What can you learn from hyperlinks?
The ability to put hyperlinks in emails makes it possible for attackers to somewhat hide the website where they want to take you when you click on it. Links have two parts: the “anchor text” which is what you can see in the text by looking at it, and the “link target”, which is the URL where the link will take you.
Most people know that by hovering their mouse (in a desktop computer browser or email client) over the visible anchor text of a hyperlink they can see the target link. This lets you examine the URL where the sender wants to take you.
On a mobile device, you can usually see the “link target” URL by pressing and holding the highlighted anchor text for a couple of seconds. This should pop up the full URL for you to examine. But you have to be careful not to “tap” the link, which will actually take you there.
Much like email addresses, the domains in link targets tell you where a sender wants to take you. Check that the link goes to the exact domain you would expect, not a lookalike, an unfamiliar country domain, or a long hostname that merely begins with a familiar name. Be especially wary of an “@” in the address, since everything before it is treated as a username and the real destination is what follows it.
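The anchor text versus link target comparison above is mechanical enough to script. The example below is added for this article and is not Click Armor’s code: it pulls every link out of an HTML email body with Python’s standard library, compares the address shown in the anchor text with the real target host, flags the “@” trick and non-web schemes, and checks the host against an expected-domain list. The sample body, the domains in it and the expected-domain set are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something in the anchor text that reads like a web address, e.g. "https://example.org/account".
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def is_expected(host: str, expected_domains) -> bool:
    """True only if host IS an expected domain or a subdomain of one, never a prefix lookalike."""
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def check_links(html: str, expected_domains) -> Dict[str, List[str]]:
    """Map every link target in the body to a list of findings (empty = nothing unusual)."""
    extractor = LinkExtractor()
    extractor.feed(html)
    report: Dict[str, List[str]] = {}
    for href, text in extractor.links:
        findings: List[str] = []
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() not in ("http", "https"):
            findings.append(f"unexpected scheme {parts.scheme!r}")  # javascript:, data:, etc.
        if parts.username is not None:
            # "https://example.org@evil.example/": the part before '@' is a username, not the host.
            findings.append(f"'@' in URL: real host is {host!r}, not {parts.username!r}")
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            findings.append(f"anchor text shows {shown.group(1)!r} but target host is {host!r}")
        if host and not is_expected(host, expected_domains):
            findings.append(f"target host {host!r} is not an expected domain")
        report[href] = findings
    return report


# Constructed sample body (hypothetical domains, reserved .test TLD).
SAMPLE_BODY = """
<p>Your account has been limited. Please
<a href="https://example.org.account-verify.test/login">sign in at https://example.org/account</a>
within 24 hours.</p>
<p>Questions? Visit our <a href="https://help.example.org/">Help Center</a>.</p>
<p>Or <a href="https://example.org@account-verify.test/login">example.org</a></p>
"""

if __name__ == "__main__":
    for href, findings in check_links(SAMPLE_BODY, {"example.org"}).items():
        print(href, "->", findings or "no findings")
```

Note that is_expected accepts help.example.org (a real subdomain) but rejects example.org.account-verify.test, even though that hostname starts with the trusted name; this is the same exact-suffix rule a person should apply when reading a link by eye.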
What can you learn from attachments?
Attachments are a more direct way for attackers to get malware onto your computer. They are used less often than links, because most security software can scan attachments and block known-malicious ones, but some always get through. So you do need to be able to assess attachments, and you should always be suspicious of attachments you aren’t expecting.
Some malicious attachments can be identified because their filenames end in “.EXE” or “.BAT”: these are programs and scripts that run directly when opened. Document types such as “.DOC”, “.PPT” or “.ODT” are different: they are opened automatically by software you already have, which loads the file as an input document. But vulnerabilities in that trusted software can allow a “malformed” file to trigger an infection, and Office documents can carry macros that run code once enabled, even on computers with security software running, or that don’t allow software to be installed. Also watch for double extensions such as “invoice.pdf.exe”, where only the last extension counts. This is why opening unexpected attachments can be so dangerous.
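As an added example (written for this article, not Click Armor’s code), the checks a mail gateway or a cautious analyst applies to an attachment before opening it: does the final extension run as a program, is there a double extension or a right-to-left override character disguising the real extension, do the file’s first bytes match what its extension claims, and does an Office document (a zip container, as are .docx and .odt files) contain a VBA macro project. The extension lists, magic-byte table and all sample files are constructed for illustration; the samples are header bytes only, not real malware.

```python
import io
import zipfile
from typing import List

# Extensions that run as programs or scripts when opened (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".msi",
                   ".js", ".vbs", ".wsf", ".ps1", ".hta", ".lnk"}
# Extensions people expect to be harmless; used to spot "invoice.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".odt", ".txt", ".jpg", ".png"}
# What the first bytes of each file type look like.
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole")]
# The kind each extension should sniff as (.docx/.odt are zip containers, legacy .doc is OLE).
EXPECTED_KIND = {".exe": "pe", ".scr": "pe", ".pdf": "pdf", ".doc": "ole", ".xls": "ole",
                 ".ppt": "ole", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".odt": "zip"}
RTLO = "\u202e"  # Unicode right-to-left override: reverses how the rest of a name is displayed


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return warnings for one attachment; an empty list means nothing unusual was found."""
    warnings: List[str] = []
    if RTLO in filename:
        warnings.append("filename contains a right-to-left override that disguises its extension")
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        warnings.append(f"{final} runs as a program when opened")
    if len(exts) > 1 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        warnings.append(f"double extension: looks like {exts[-2]} but is really {final}")
    kind = sniff(data)
    expected = EXPECTED_KIND.get(final)
    if expected is not None and kind != expected:
        warnings.append(f"content is {kind!r}, not what a {final} file should start with")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    warnings.append("Office document contains a VBA macro project")
        except zipfile.BadZipFile:
            warnings.append("claims to be a zip container but cannot be read as one")
    return warnings


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip (the container format of .docx/.odt) for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: header bytes only, not real files.
SAMPLES = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                                "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"\x00"}),
    "photo" + RTLO + "gnp.exe": b"MZ\x90\x00",  # displays as "photoexe.png"
    "notes.pdf": b"%PDF-1.7\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(repr(name), "->", check_attachment(name, data) or "no warnings")
```

The magic-byte comparison is what catches report.pdf above: the name says document, the content says Windows executable, and no amount of reading the filename would have revealed that.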
What can you learn from the subject line?
Sometimes an emotion-triggering subject line can be all it takes for you to let your guard down. If you just learned that your employer has put in place a new vacation policy that affects you, there’s a chance you will open the attachment or click the link, just to see what it is, without thinking that it might be a phishing email.
What can you learn from the body?
Similar to the subject line, any message in the body of an email that produces a quick emotional response from you is likely to cause you to let your guard down. If you receive an email with a message that makes you angry or frustrated, you need to step back and think clearly before proceeding… could this be a phishing message?
Even if the message contains information that you think only the apparent sender would know, it could be the result of a well-crafted spear-phishing attack.
How can you verify it is legitimate, if you aren’t sure?
The best way to verify a message that has no clear clues but leaves you uncertain is to confirm with the person or business that apparently sent it. Do this through a channel independent of the message: a phone number or email address you already have on file, not the contact details in the suspicious message, since those may lead straight back to the attacker. Often, people who send legitimate messages that look suspicious to others appreciate knowing about the confusion, and those who really are being impersonated need to know as soon as possible.
What kinds of phishing attacks should I prepare for?
There are many types of phishing messages, from simple scams to spear-phishing emails that are very elaborate. There are even phishing messages that target users within online communities or social networks.
Some sophisticated attacks may exploit hacked accounts that attackers have gained access to, and they can be used to launch attacks on other people. So, even messages that look like they come from a real co-worker’s account can be a real attack.
So, the rules for spotting the various types of phishing messages can vary and take more time to learn. Your cyber security awareness training program should cover topics such as “whaling”, “ice-phishing” and social network messaging attacks.
What can you do to stay current?
Your organization’s security awareness training should be providing updates that teach you about the latest types of attacks, so you can be prepared to spot them and avoid them. You can also check this Knowledge Center to inform you of new kinds of phishing attacks to be aware of, and how to spot them.