What is Phishing?

From packet sniffing to malware, there are many different methods that hackers employ to get access to sensitive information, but sometimes the simplest methods are the most effective.

Phishing is a hacking method that’s been used since the 1990s to extract usernames, passwords, and other sensitive information from users. It’s a relatively unsophisticated technique at its core, that requires no technical skills (phone calls still make up the majority of phishing attacks in Australia), and yet phishing accounts for the majority of data breaches reported to the OAIC

Australians are now the world’s biggest target for phishing attacks and lost over $930,000 due to phishing scams in 2018. So how exactly do these attacks work, and how can you protect yourself and your business against them?

What is Phishing? – A Definition

Phishing is a way of obtaining unauthorised access to systems or data by hackers pretending to be someone or something they’re not.

For example, a user might receive an email that appears to be from PayPal, stating their account has been compromised and they need to click a link and log into their PayPal account for security reasons. In actuality, the email hasn’t come from PayPal at all and the user isn’t logging into their PayPal account, but rather a mock website constructed to gather the user’s login name and password for malicious purposes.

Emails are probably the most well-known form of phishing, but they’re not the only method. Hackers can also conduct phishing attacks over the telephone, by text message or mobile applications, or via social media by pretending to be someone they’re not.

what is phishing

How Phishing Got its Name

It’s no coincidence that “phishing” sounds like “fishing”. ‘90s hackers coined this term of getting AOL users to give them information, comparing it to fishing with a baited hook and waiting until you get a bite.

In this case, the fish is the unsuspecting user who gives up their credentials, and the hook is the fake email or phone call that persuades them to do so. While most users won’t take the bait, there are plenty of other fish in the sea – in other words, send out a phishing email to enough people and one or two of them are bound to fall for it.

Another theory around the origin of the term is that these early hackers used a certain string which looks like a fish (<>< ) in AOL chat logs to reference any illegal activity. As this string is so commonly found in HTML, it was difficult for admins to find.

It’s common in hacker slang to replace the letter “f” with “ph” as in “phreaking” – an early method of hacking in which telephone systems were tapped into illegally by playing pre-recorded tones. Hence, fishing became “phishing”.

How Phishing Works

Phishing attacks disguise themselves as genuine communications and take advantage of people’s fears, motivations, and respect for authority in order to trick them into giving out information that they wouldn’t normally provide.

For example, most internet users are savvy enough to know that they shouldn’t give out their usernames and passwords to just anyone. However if you get an email saying that a company you’ve never heard of has charged your account, your natural response is to click the link in the email to see your transaction details and work out what’s going on. In the initial panic, you’re much more likely to enter your login details without thinking twice to check out if you’re actually on the genuine website.

Likewise, hackers can successfully carry out phishing attacks by pretending to be a member of IT support staff or a line manager in the company you work for. While you wouldn’t tell your password to a random caller, if an IT technician says they need your password so they can lock down your account because it’s been hacked, or they pretend to be your department manager and need immediate access to a client file, you’re in danger. In these cases, you’re more likely to forget all you know about data protection and give up the information because you think you’re talking to someone in a position of authority.

In the modern world where everyone has social profiles, it is also very easy for phishers to find out personal information about you to make their communications more convincing.

This type of social engineering is often much easier and more effective than developing software to directly hack into systems, so phishing is a popular technique with cyber criminals.

Some basic phishing emails are almost laughably ineffective with blatantly fake emails full of spelling and grammar errors. However there have been several high-profile cases of successful phishing and attacks are becoming more sophisticated all the time.

In 2016, hackers managed to get John Podesta, Hillary Clinton’s campaign chairman, to hand over his Gmail password. And in the same year, a number of members of staff at the University of Kansas responded to a phishing email by giving hackers access to their pay cheque deposit details.

Closer to home, a 2017 email scam resulted in thousands of Australians paying out a total of nearly $260,000 to hackers in the form of bogus bills. This particular phishing attack was so successful because it didn’t attempt to extract huge amounts of money from individuals, but rather small, more believable, amounts.

What are Phishing Kits?

A phishing kit is a bundle of software and resources that makes it easy for anyone to carry out a phishing attack, even if they have no technical knowledge.

These kits are readily available on the dark web for as little as $20 and need only to be installed on a server by the would-be hacker. Once installed, the phishing kit enables the user to send out emails containing links to a cloned website, which steals credentials.

Phishing kits typically contain software that makes it easy to clone a website, spamming software to send out phishing emails to thousands of email addresses, and may even include email lists and basic user information. Once installed, kits are typically only used for a day or two before they are detected and removed.

Website owners should have proper security operations and vulnerability management systems in place to detect if unauthorised software is uploaded to the server.

Types of Phishing

There are several different types of phishing attacks that a hacker might employ, depending on the type of information he wants to extract.

Spear phishing targets a particular individual or organisation, using information that has been gathered from social profiles and other online and offline sources in order to appear more genuine. For example, a spear phishing email might name your manager, or reference a client project you’ve just finished working on, or may even spoof the email address of one of your colleagues as the sender.

Whale phishing is a type of spear phishing that specifically targets CEOs or company board members (the big fish or the whale), in order to have the best chance at accessing large sums of money or highly confidential information. A typical whale phishing attack would appear to come from someone in a position of high authority in the company and instruct the recipient to authorise a large payment, which ends up going straight to the hacker.

Pharming tricks users into entering their details on a fraudulent website by making it appear as if they’re on the genuine website. Users click on a link in the email which seems to go to a legitimate site, however, the phisher has used a technique called DNS spoofing to redirect the user to a dummy site.

Clone phishing re-uses previously sent genuine emails that contain a link or file attachment. The hacker creates a clone of the original email, replacing the links or files with links to fraudulent sites or malware.

The evil twin attack involves setting up a Wi-Fi access point with a name that makes it sound like an official Wi-Fi network. When users connect to this network, the hacker can intercept all information that is sent over it, including usernames and passwords. Hackers can also specifically request information from users, for example in the form of a login screen that needs specific personal information before you can access the network.

Voice phishing is a type of phishing attack that takes place over the telephone or VoIP services. Hackers might leave a voicemail pretending to be from the bank instructing users to call a telephone number to verify their identity. When the user calls this number, they’re in fact giving their credentials directly to the hacker.

SMS phishing works in a similar way, but uses text messages to convince users to access fraudulent websites, install malware, or disclose their credentials.

How to Prevent Phishing

Education is the best form of defence against phishing, and so all individuals and employees in an organisation must understand that they should never give out their password or other sensitive information, no matter who asks for it.

Phishing emails can be quite sophisticated these days and look exactly like the real thing, so it’s good practice to never enter login details from a link clicked in an email, or at least to check the URL that it takes you to so you can make sure you’re on the site you think you’re on.

However, this is not foolproof – phishing attacks have become more sophisticated and hackers can now use JavaScript to place a fake URL over the actual address of the website you’re visiting. A less sophisticated version of this URL spoofing uses a website URL that’s very similar to the site they’re imitating, often utilising foreign character sets. One real-world example of this is a 2018 scam in which victims were sent to mygovau.net to make their Medicare payments, instead of the real site at my.gov.au.

In some cases, websites are hacked and the cloned version of the website is uploaded to the actual server, making it practically indistinguishable from the real thing.

Gmail and some other email systems have in-built phishing detection now and can warn you if a message you receive might not be genuine, however, they are never 100% effective.

Using a web security gateway is another way to prevent users from clicking on malicious links. These services check requested URLs against their database, which contains a record of all sites known to distribute malware or be involved in phishing scams.

Malware attached to email is another common form of phishing attack. While most users now realise it’s not a good idea to run executable files from an email they don’t recognise, hackers can easily get around this by gaining access to a genuine email account of one of your contacts, or sending a Microsoft Office document with malicious embedded code. Good antivirus software should prevent accidental malware installation via email.

If you receive an email from someone you know but it seems suspicious, create a new email to ask them about it first – don’t just hit reply.

Likewise, you can learn to spot some of the warning signs that you’re reading a phishing email from a company. Be extra suspicious of anything to do with your account, asking to reset your password, saying your account has been suspended, stating attempted delivery of a parcel, or anything financial such as invoices or refunds.

Technology is improving when it comes to detecting and protecting against phishing attacks, and cognitive security powered by AI can now be used to detect phishing websites up to 2.5 X faster than traditional methods. As with any aspect of cyber security, it’s a cat and mouse game between the hackers and the cyber security experts as both attacks and technology become more sophisticated.

Protect Your Business Against Phishing Attacks

Phishing attacks are still on the rise and Australian businesses continue to lose hundreds of thousands of dollars every year due to scams that are totally preventable.

To protect your business against these attacks, it’s vital you invest in staff training so that employees can learn to recognise the warning signs of a phishing attack.

As well as proper security training, make sure you have robust cyber security services in place and adhere to data protection best practices to mitigate damage in the event of a breach. Using managed security services like GA Systems for intrusion prevention systems and to deploy your enterprise firewalls means that your risk of incurring damages from phishing and other malicious attacks is minimised.