Phishing refers to one of the most widely-perpetrated forms of fraud, in which the attacker tries to get confidential and sensitive information, such as login credentials or account information, by impersonating trusted entities and using spoofed emails to lure online users that lack phishing awareness into providing personal information. Phishing can also be used to infect the victim with malware.
Typically, a victim receives a message that appears to have been sent by a known contact or organization. An attachment or link in the message may install malware on the user’s device or guide them to a malicious website, set up to trick them into revealing personal and financial information, such as passwords, account IDs or credit card details.
The world’s increasing dependence on the internet has magnified the challenges posed by scams and tricks. Consequently, phishing is progressively becoming more popular, as it is far easier to entice unsuspecting victims into clicking a malicious link from what appears to be a legitimate email, than trying to break through a computer’s defense system.
The collapse – Google Docs Phishing attack
The most recent Phishing attack took place in May 2017, which targeted Gmail users by gaining control of their email history and spread itself to all the other contacts, and this was confirmed by Google.
This attack affected more than 1 million Gmail users by arriving in their inboxes as an email from a reliable contact that asked them to download or check an attached “Google docs”. By clicking on that attachment, they were directed to a real security page of Google, where users were asked to give permission to the fake app (disguised as GDocs), to manage their email. What made the situation even worse was the spread of the worm, by using the email accounts of infected users to send the email to their contacts and reproduce itself hundred times by a single user.
This strategy of phishing scam is very common; however, the worm that attacked Gmail users was much more sophisticated because of the unusual realistic construction and the trustworthiness that it conveyed among the Gmail users. Google immediately released a statement saying that: “Disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.” A company which analyzed the data of this attack stated that “The importance of this phish is not how it spread, but rather how it didn’t use malware or fake websites tricking users to give up their passwords,”.
Nevertheless, Google released another statement during that day, claiming that they have secured the accounts of the Gmail users and that there is nothing to worry about. “We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There are no further actions users need to take regarding this event; users who want to review third-party apps connected to their account can visit Google Security Checkup.”
What are the different types of phishing?
Phishing types differ in terms of the groups they target and the benefits they aim to receive. You have probably encountered the simplest type of phishing up until now, which is an email from someone purporting to be a trustworthy source, requiring information that can help the victim in accomplishing something very valuable (mostly money, funds, requests for tax and financial documents, or any other document that can induce the victim into sending the information that the attacker is requesting).Some of the most frequent types of phishing are:
Whaling (CEO Phishing)
The purpose of the phishing attack is to gain unlawful access to information that is valuable to companies or persons. That is why sometimes these types of attacks target people that hold the ‘key’ to important information. They aim to acquire information from executives and people in authority. By gaining access to the email of someone with authority, attackers are able to manipulate employee’s information, initiate wire transfers, or also wreak havoc in almost every department within the company.
This type of attack is one of the most sophisticated ones. That is because they are designed to be highly personalized, and the attacker has information about the victim before even initiating the phishing attack; thus, enhancing their authenticity and legitimacy, and increasing the likelihood of the individual complying with the attacker’s requests. Spear-phishing is less challenging for fraudsters considering the wide availability of information on the internet.
They use the social media presence to monitor your most recent purchases, including here online platforms that you use to purchase things, places you have been shopping and so forth. You can be a target of a Spear Phisher by the information that you provide from your PC or even your phone. These types of attackers might find your page, email address, your list of friends, and they can even go as far as tracking a post that you made about a recent purchase.
By using the information from your latest purchase, they can pretend to be a friend, send you an email and require from you a password to your photo page. If you provide them with the password, they will try to log into the site you purchased from, by trying different variations of usernames. If they do log in, unrepairable financial damages can be caused. There are cases when this type of phishing is used for blackmailing or other serious types of threats.
A highly used version of whaling is the one that focuses on using the email of an executive for the mere reason of having access to the W2s of employees or the W9s of the contractors. Tax season is an exceedingly bad time for these types of attacks, as most organization’s finance offices are accustomed to getting these sorts of solicitations. Such solicitations can be spoofed to originate from the IRS, or even from the CPA office. The requests coming from the high-level executives in a company are most effective; however, seeming to come from IRS, they can ingrain just enough fear to stay away from the investigation.
Phishing to deliver ransomware
Even though the primary goal is gaining access to information, this type of attack is used to also get financial rewards by including ransomware in the delivered emails. In 2016, it is assessed that the majority of phishing emails comprised some type of malicious links that could lead to ransomware. These types of ransomware lock the files and photos of the users that fall into the trap of phishing email, and in most cases, the victims are required to pay in exchange for regaining access to their files.
SMiShing & Vishing
In this type of phishing attack, the attacker will send a large paragraph (SMS), to hundreds of people stating that “Your credit/ debit card has been deactivated due to suspicious activity. Please call our toll free number to verify your details”. Evidently, this type of attack may be an effective approach to persuading the victims and making them believe that this is an emergency situation and information asked has to be provided instantly.
Vishing is almost identical to the SMS tactic, as it involves the obtainment of information from users through the phone. The only difference is that in vishing, attackers call users directly on their phones asking for their sensitive information by using an urgent scenario like the debit/credit card situation mentioned above.
How to evade/assess phishing attacks?
Learn how to identify suspicious Phishing emails by noticing unusual activity such as a duplicate image of a real company, copying the name of a company and using it as bait.
- Check the information source, and never respond to requests asking for passwords through email (banks never ask for passwords by email).
- Do not go to your bank’s website by clicking links from emails, since they can easily direct you to a fraudulent website and steal your sensitive information.
- Install a good antivirus on your computer in order to prevent these forms of attacks. Also, you should continually update your operating systems along with the web browsers which include the latest frameworks for phishing attacks protection.
- If you need to enter your sensitive data in a website, it must include the ‘https: //’ as this is considered to be more ‘safe.’
- Avoid/delete emails claiming that you are about to receive money from anyone outside your country, as such emails have a 100% chance of being false and a trap for phishing attacks.
- Check the accounts that you regularly use in a periodical manner to see if there is any unusual activity, be that on bank accounts, online purchase accounts, personal work account etc.
In cases of suspicious activity in your bank account, some bank’s policies include declining suspicious transactions, and also have their fraud prevention teams contact you and investigate if the purchase was conducted with your consent. Also, whilst noticing unusual activities in your account, some banks also use the ‘freeze accounts’ option, which means that you are unable to use the account until they are assured that your account has not been subject to unauthorized access.
How to repair the damage after being attacked?
If you are a victim of a phishing attack, you need to do a detail oriented damage control, be that on your computer, phone, or in one of your bank accounts. If you believe that together with the phishing attack there was a ransomware infection, the first step is to immediately shut down your computer and get some professional help. If the attack occurs at work, inform the IT department as soon as the attack takes place.
The ransomware can be spread into the whole servers of the company and can endanger or damage crucial information or data. That is why, you need to take immediate and rapid action by notifying the competent people, in this case, the IT guys, to help you lock up and back up data that is vital to the company before it’s too late.
Further, immediately after you call the IT department, you need to log in online from a different source or computer and begin changing your bank passwords, purchase accounts and so on. By doing so, you reduce the risk of data loss, financial damage, and intellectual property theft. Thus, firstly you need to secure your financial accounts, and then move to your email addresses and social media accounts.
Phishing attacks on the rise?
At the beginning of 2016, a report from the APWG (Anti-Phishing Working Group) identified 123,555 phishing websites. Further, they discovered that in the last quarter of 2016, 95,555 ‘templates’ of phishing email campaigns were reported and received by their customers. The report also conveyed that phishing attackers had a preference of baiting for companies in the financial sector with a whopping of 19.6 percent. This report exemplifies the undeniable fact that the number of phishing campaigns is growing each and every day. This is a result of the well-organized development of phishing attacks that is possibly due to the user’s lack of awareness.
Generally, phishing attacks unveil the fact that users are not well informed on how such attacks operate and the methods employed to successfully commit fraudulent acts. You can always help your friends or colleagues by enhancing their awareness of scams such as phishing and what they can do to avoid it. Further, regular awareness sessions in companies are more than necessary. Considering that these types of scams are constantly evolving, we have to hold continual and updated awareness sessions.