Phishing 101: A Beginner's Guide on Phishing Attacks

Phishing can be described as a type of cybercrime in which the victims are contacted by email, telephone, or message by an individual or group of persons posing to be a legitimate institution.

The aim is to lure the victims into providing sensitive data like personal information, bank details, credit card details, and passwords. The data is then used to identify significant targets and defraud these victims. 

Phishing has been occurring for years: the first phishing scams happened in the 90s with people impersonating AOL admins. These people collected log-in credentials from their victims so that they could access the internet for free.

In May 2000, another phishing scam called the Love Bug started in the Philippines. You would receive a message in your mailbox titled "ILOVEYOU." Then, the body of the mail would instruct you to tap on an attachment, which would then release a virus on your system. Since then, phishing has evolved in complexity and usage over the years.

It's Monday morning, you are sorting through your emails and clearing your spam folder. Out of curiosity, you open an email, and the content is shocking. Someone claims to be a representative of your bank.

Your account will soon be deactivated, and you are required to click on a link or provide sensitive bank information so that you do not lose your bank account. This is how phishing happens: like a random message written for you to give out your data.

Phishing in general uses manipulation as its main tool. The messages often sent by text messages, emails, or even social media messages are written with the intent to cause fear and a sense of urgency. Targets are identified on public sources of information like social media.

Once the target names, job titles, personal details, and email addresses are identified, believable messages are crafted and sent. These messages often include a malicious link, attachment, or a call to respond with sensitive information.

The intent of phishing may be to install malware, redirect victims to a fraudulent website, obtain passwords and bank details, and defraud targets. Phishers often employ different tricks to defraud their victims, and they try to appear as legitimate as possible. They may use company logos, mimic official emails, and hide URLs just to defraud their victims. 

There are different types of phishing: I have compiled a list of the most common types of phishing scams and how they occur. The types of phishing are:

•Email phishing: This is the most common type of phishing in which the victims receive emails informing them that their personal accounts have been compromised and immediate response is required. Email phishing aims to create a sense of urgency and make the victim click on a malicious link that leads to a fake login page. Sensitive personal information is delivered straight to the scammers.

•HTTPS phishing: In HTTPS phishing, hackers may gain access to secure conversations by using expired SSL certificates or strip away the encryption from secure websites by downgrading HTTPS sites to HTTP. Fake websites similar to organizational websites are then created, to be linked in emails. The phishers then send fake emails using organization IDs to employees, infiltrating organizations and stealing valuable data.

•Spear phishing: Spear phishing is used in targeting specific individuals, groups, and organizations. Spear phishing often involves research on the target and publicly available sources of information. The goal of spear phishing is to gain access to an individual account or impersonate high-ranking staff as well as staff in possession of confidential information. An email including the target's name, rank, and an attachment is usually sent to carry out spear phishing.

•Whaling: Whaling is a type of spear phishing that is usually directed at top-level executives. The scammers pretend to be legitimate sources, and they encourage victims to share sensitive information or wire large amounts of money. Whaling often occurs as an email from a trusted source like a company contact, partner, vendor, or customer account. The email often includes personal data or references gleaned from the internet to appear trustworthy. The email may include links to a fake website that collects information or installs malware. Alternatively, the email could include requests for sensitive data like payroll, tax returns, bank account numbers, or for a money transfer via wire to a specific account. Whaling is done to steal data or money from top-level executives.

•Smishing: Smishing, otherwise known as SMS phishing, is a form of phishing in which victims are deceived to click a link or provide private information through text messaging. Smishing is done with the use of basic target information such as name, age, and location. If a link is included in the text message, it may lead to a fake website or malware designed to compromise the phone. The malware may be used to snoop on the users' phone data or send sensitive data to an attacker-controlled server. Smishing comes in different forms: from messages stating that you are in trouble, to messages showing you have won a parcel.

•Vishing: Vishing or voice phishing is a form of phishing in which the victims are manipulated into revealing personal information like bank details and credit card numbers through phone calls and voice messages. In most cases, the scammers pretend to be from reputable organizations like banks, tax departments, police, or the government. Vishing is done by using threats and convincing language to make the victims believe that they have to call back immediately or face the risks of being arrested and losing bank accounts.

•Angler phishing: Angler phishing is a type of phishing in which scammers masquerade as customer support staff using social media platforms and accounts. Angler phishing usually targets disgruntled customers that complain about an organization's service on social media. These customers are tricked into revealing their data when a fake customer staff sends them a direct message. The message will request personal information or link to a fake site that then installs malware or collects sensitive data from the unsuspecting customer.

•Clone phishing: Clone phishing uses a legitimate or previously sent email that contains links. The clone is similar to the legitimate email but the links included are malware links. The clone email is then sent as a resend from the original sender to the victims. When victims click on the clone email link, the hacker can forward the same email to contacts in the victim's mailbox. It is the most difficult type of phishing to identify: clone phishing has numerous victims.

•Evil twin phishing: Evil twin phishing involves the set up of a Wi-Fi access point that disguises as a legitimate one to gain access to sensitive information without the victim's knowledge. Scammers observe the details of a legitimate Wi-Fi access point and create an identical access point with the same name. Victims connect to the Wi-Fi access point and the evil twin Wi-Fi becomes their wireless AP. Hackers can then intercept sensitive data such as login information, bank details, or credit card information.

•Social media phishing: Social media phishing is a form of phishing that employs the use of social media platforms such as Facebook, LinkedIn, Twitter, Instagram, etc., to deceive victims into revealing sensitive data. On some occasions, these phishing scams occur when victims receive messages asking them to pay for followers. On other occasions, the messages could include malicious links to a fake social media login page. On login, the victim's credentials are saved for impersonation and access to financial and personal information.

•Pharming: Often described as a combination of the words phishing and farming, Pharming is a scamming method in which malicious code is installed on a computer or server with the intention of misdirecting users to fraudulent websites. Pharming can be done by sending codes in an email. These codes modify local host sites that convert URLs into the IP address that the computer uses to access websites. Even if users type in the correct web address, they are directed to a fake website where their sensitive information is given to scammers.

Phishing scams are quite popular: according to the 2021 Verizon Data Breach report, phishing is involved in 36% of breaches. In addition, this report disclosed that 95% of business email compromise losses were between $250 and $984,855, with the median loss set at $30,000 for business email compromises. This shows that many individuals and organizations have lost a significant percentage of their funds to phishing scams.

In 2019, Avanan's analysis of 55.5 emails revealed that one in every ninety-nine emails is a phishing email. It is further worrisome that more than 70% of these emails are opened by their targets; between October 2013 to May 2018, compromised business emails cost companies a whopping  $12.5 billion.

Phishing, in general, has many negative effects, especially on businesses. These effects include loss of funds, loss of sensitive data, loss of intellectual property, damage to brand reputation, loss of productivity, disruption of work activities, and installation of malware. Apart from all these effects, customers can lose trust in the business and the products that the organization is trying to sell.

The effects of a phishing attack may depend on the motive of the scammer: impersonation, fraud, or even fun. If the phishers successfully install malware, it is likely that they may extort the organization or individual. If bank details or credit card information are revealed, individuals may lose their life savings. Phishing does not just result in monetary loss: it can create a sense of insecurity while using computers, mobile devices, and social media.

Preventing phishing attacks involves a two-way mechanism: identifying phishing attacks and taking active steps to prevent them. Knowing how to identify phishing attacks is the first step in preventing them. The key point is to be careful: look out for key signs of phishing.

Signs like first-time email senders, urgent requests for personal information, generic greetings, spelling errors in messages, unsolicited attachments, strange links in messages, and strange domain names are clear markers that something is wrong.

You should ignore any emails, phone calls, or messages asking for your personal information like bank account details, card details, and company data if you handle sensitive data at your workplace.

Preventing phishing involves taking active steps to protect your data from falling into the hands of scammers. The first thing to do is avoid clicking any suspicious links sent in your emails and messages. Then, you should install anti-phishing browsers on your web browsers. In addition, install anti-virus software on your computer.

All your browsers and software should be kept up to date to prevent breaches in data that expose your data to phishers. Use protective firewalls on your computer: a desktop firewall and a network firewall to protect your system from hackers. You should also remember not to use sites that are not secure: as a rule, stick to HTTPS, not HTTP sites.

At the end of the day, even after employing these tactics, no one is completely safe from phishers. However, you can reduce your risk of becoming a victim.

On some occasions, after all your attempts to protect yourself from being a victim of phishing, phishers can still crack your defenses. You should not blame yourself; the solution lies in reporting the phishing. Reporting phishing may help law enforcement agencies catch the cybercriminals, provide a safety net for your losses, and prevent others from becoming victims of phishing.

In the USA, the Federal Trade Commission website has outlined how to report a phishing email. You are to forward the phishing email to reportphishing@apwg.org and report the crime to the Federal Trade Commission under the complaint section. You are also to contact the organization or individual that was impersonated and notify customers and staff in your organization.

The US-CERT organization partners with the Anti-Phishing Working Group (APWG) to collect phishing email messages and website locations. You can report phishing to APWG by emailing phishing-report@us-cert.gov.

In the United Kingdom, the National Cyber Security Centre (NCSC) has the right to investigate and remove scam emails and websites. All you need to do is send an email or screenshots to report@phishing.gov.uk. If you get a phishing text message in the UK, forward the message to 7726.

For organizations like Google and Microsoft, you can report phishing messages and emails on their websites and applications. All you need to do is click on the message, then the More and Report buttons. When you report these phishers, their emails are blocked and other people are safe from phishing attacks.

Nonetheless, it is better to prevent phishing than to have to report a phishing case. Therefore, you should stay vigilant and send that suspicious-looking email to spam. Right now!