This type of cyberattack is an email-based attack that uses disguised emails to trick the recipient into clicking on a link or opening an attachment. The goal is to make you believe it’s from a trusted person, company, or bank. Phishing messages are one of the oldest types of cyberattacks and have been used since 1996; they’re still around today with new techniques becoming more widespread than ever before. If you want to avoid this kind of attack, always be aware in order not to fall for phishing tactics.
There are a couple of ways phishing attacks can be divided. One way is to categorize them by their purpose:
- One example would be if the website that was spoofed looked like it came from someone else.
- Another option involves classifying a phishing attack as “push” or “pull”. Push techniques involve sending an email and pulling techniques involve scanning for vulnerabilities on unsuspecting victims’ websites, which then send back fake login credentials.
This scam typically targets users of banks, as the attackers want people to enter their username and password. These messages are tailored to look like emails from major banks that have accessed your account by mistake; by spamming out these messages, the attackers ensure that at least some recipients will be customers of those banks. The victim clicks on a link in the email and is forwarded to a malicious site designed to seem just like its bank’s website, so they can enter their details there. This allows hackers access into victims’ accounts.
Spam is the term that refers to unsolicited email or text messages. This includes phishing emails, which aim to deceive victims into infecting their computer with malware by sending them an attachment purporting to be a resume. These attachments can often be .zip files and Microsoft Office documents containing malicious embedded code rather than resumes themselves. It’s estimated that 93% of spam/phishing emails in 2017 contained ransomware attachments-that is, they basically demand a ransom payment for not revealing what’s on the attached file (which likely appears as gibberish), but otherwise doesn’t do anything harmful unless you click on it anyway.
A phishing email can come in many different forms. Sometimes they are sent to millions of potential victims just hoping that someone will log into a fake version of a website, or even worse, click on an attachment or link within the email. According to Ironscales, one popular target is Macy’s with “tens-of-millions” at risk each year.
Spear phishing is a type of cyber-attack where the attacker tries to trick someone into giving up sensitive information by crafting emails that seem like they are coming from somebody trustworthy. The spear phisher identifies their targets (sometimes using the information on sites like LinkedIn) and uses spoofed email addresses to send messages that could plausibly be sent from co-workers or other trusted sources, such as managers or HR representatives requesting money transfers due to an emergency.
Whale phishing is a form of spear phishing directed at CEOs and other high-value targets. These scams target company board members, who are considered particularly vulnerable because they have so much authority within the company, but since they aren’t full-time employees, often use personal email addresses for business correspondence which doesn’t offer the protections offered by corporate email.
In some cases, phishing scams have succeeded well enough to make waves. One of the most consequential hacks in history happened in 2016 when hackers managed to get Hillary Clinton campaign chair John Podesta’s Gmail password by using a fake email asking him for it. The “fappening” attack was originally thought to be caused by Apple Inc.’s iCloud servers weakness, but actually was the product of multiple successful phishing attacks which granted access into these personal emails/photos and social media accounts that people would never expect someone else would know about or have access to like their bank account information. In 2016 University of Kansas employees responded with confidence after receiving an email requesting they provide their paycheck deposit information only for them not even getting paid because they had provided this confidential data from one such scammer who pretended he worked at Microsoft Corp., so please beware: Never trust anyone you don’t already know personally.
There are a number of steps you can take to avoid being phished, including:
- Always check for the spelling of URLs in email links before clicking or entering sensitive information.
- Watch out for redirects that send people a different website with identical design.
- If you receive an email from someone whom you know but it seems a little fishy, contact them with a new email rather than just hitting reply.
- Don’t post personal data like your birthday publicly on social media, this is how phishers get hold of your information easily and quickly