Phishing is the most common form of cyber attack worldwide, with 78% of Danish businesses surveyed being hit by phishing attacks in 2021 (Cybercrime Survey 2021). You can fall victim to phishing attacks in both your personal and professional life, so it is important to know what phishing is and how phishing attacks are carried out.
Phishing as a cyber attack
Phishing is a type of cyber attack where hackers trick their victims into giving up personal information or allowing them access to their computer system. The personal information is usually name(s), address(es), passwords, credit card information and social security numbers. Phishing is a social engineering attack, as hackers manipulate their victims through a variety of behavioural techniques and exploit lapses in the victims' judgement.
Most phishing attacks consist of e-mails (e-mail phishing), supposedly from companies or public bodies. This could be banks, tax authorities, streaming services, social media, software providers, etc. In the emails, the victim is tricked into clicking on a link that takes them to a fake phishing website. The website looks like the real company's website, and the victim is asked to enter personal information. The link may also lead to malware being downloaded to the victim's computer. These emails are not targeted at specific individuals and are sent to as many people as possible.
Typical examples of content in phishing emails are:
- Your account has been blocked
- Your password needs to be updated as it is about to expire
- You have won a prize or received a gift card
- You need to transfer money for an invoice
- You need to validate your account or login details
- Your package cannot be shipped or you have not paid for shipping
Phishing attacks can stand alone or be part of a larger attack, such as ransomware or APT (advanced persistent threat) attacks.
The consultancy PwC publishes an annual Cybercrime Survey, which examines Danish companies' views on IT security and cybercrime. In their 2021 survey, 402 business leaders and IT specialists from Danish companies participated. 78% of them reported that they had been hit by phishing attacks in the past 12 months.
Types of phishing attacks
Phishing attacks are becoming increasingly sophisticated as hackers become more professional and their technical skills grow. There are different types of phishing, targeting both individuals and businesses.
Watch out for the spears
Through spear phishing, hackers can directly target specific companies or employees. The phishing emails are tailored to the specific victims using personal information. This information can be retrieved from Google or social media through open source intelligence (OSINT), i.e. the collection of publicly available information. Spear phishing often targets people working in financial departments.
The big catch
Like spear phishing, whaling attacks target specific individuals, specifically high-level employees or executives within a company. Conversely, hackers can also impersonate a senior employee of a company to trick employees into giving up confidential information. This is called "CEO fraud".
Cloning your emails
Clone phishing is a type of attack where hackers gain access to the victim's inbox. There they find legitimate emails with links or attachments and create a clone of them. The clone mimics the legitimate email completely, except that the link or attachment is replaced with a fake link or a file containing malware.
Vishing and smishing
Vishing, or "voice-phishing", is a variation of email phishing carried out through telephone calls. As with email phishing, hackers impersonate an employee of a company or government agency who needs some information from the victim in order to perform a specific action. Smishing, or "SMS phishing", is also similar to email phishing, except that hackers use SMS as the medium to carry out the attacks.
In pop-up phishing attacks, hackers use pop-up banners in Internet browsers or notification features on legitimate websites. They plant malware in the banners or notifications, which infects the victim's computer when they click on them.
Phishing on social media
In recent years, social media has become an increasingly popular place for hackers to carry out phishing attacks. When hackers use social media it is called angler phishing and it is similar to vishing and smishing as hackers use notifications or chat features to send their fake messages.
Hackers (ph)ish for your information
You might be wondering why phishing is spelled with "ph-" instead of "f-". You've certainly never gone phishing with your dad before. Phishing comes from the English word "fishing", as hackers fish for your personal information by casting a digital net of emails, text messages, phone calls and more. The term phishing was coined around 1996 by American hackers. The use of "ph-" is a reference to some of the first hackers in the US who carried out an early form of hacking called phone freaking, and they were subsequently named "phreaks" (phone freaks).
How to avoid becoming a victim of phishing
Although hackers are getting better at creating convincing phishing attacks, there are still a number of ways you can protect yourself or your workplace. Here are a few reminders to keep in mind every time you get an email.
Always be aware of unknown senders. If you don't know the sender of an email, it's usually best to avoid responding to the email. If you are unsure whether it is a legitimate email, you can contact the sender. This should be done through a phone number or email address you find through a search engine.
Check the URL. Hackers use link manipulation to make links look legitimate. Often they spell a company's domain slightly differently (e.g. faceb00k.com) or place the company's name in a subdomain of a domain they control. They may also change the link text displayed to hide the fake link. By hovering over a link, you can see the URL and check if it looks right.
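The three tricks described above (a misspelled domain such as faceb00k.com, a brand name hidden in a subdomain, and link text that shows one address while the link points to another) can be checked mechanically, which is what mail filters and awareness tools do. The following Python is an added example written for this article, not code from Moxso or from any mail product. It assumes a small list of protected brand domains (TRUSTED_DOMAINS) and uses constructed sample links; the "last two labels" rule for finding the registrable domain is a simplification, and a production checker would consult the Public Suffix List instead.

```python
"""Heuristic checks for the URL tricks used in phishing emails.

Added example: flags digit-for-letter lookalikes (faceb00k.com), a trusted brand
pushed into a subdomain of an unrelated domain, and anchor text that displays a
different host than the href actually points to.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlparse

# Registrable domains of the brands we want to protect (assumed list for the example).
TRUSTED_DOMAINS = {"facebook.com", "paypal.com", "microsoft.com"}

# Characters commonly swapped in for the letters they resemble.
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "|": "l"}
)


def _host(url: str) -> str:
    """Lower-cased host part of a URL, or '' if the URL cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores multi-part suffixes
    such as .co.uk, which a real implementation handles via the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Undo digit-for-letter substitutions and the 'rn' -> 'm' trick."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos like facebok.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def check_link(display_text: str, href: str) -> list[str]:
    """Return findings for one hyperlink; an empty list means nothing looked off."""
    findings: list[str] = []
    href_host = _host(href)
    href_domain = registrable_domain(href_host)

    # 1. Link text that itself looks like a URL but points to a different host.
    shown = display_text if "://" in display_text else "http://" + display_text
    shown_host = _host(shown)
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown_host) and shown_host != href_host:
        findings.append(f"link text shows {shown_host} but href goes to {href_host}")

    # 2. A trusted brand name used as a subdomain of some other registrable domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in href_host and href_domain != trusted:
            findings.append(
                f"'{brand}' appears in host {href_host} but registrable domain is {href_domain}"
            )
            break

    # 3. Homoglyph or one-character-typo lookalike of a trusted domain.
    imitated = lookalike_of(href_domain)
    if imitated:
        findings.append(f"{href_domain} looks like {imitated}")
    return findings


if __name__ == "__main__":
    # Constructed sample links, not taken from any real email.
    samples = [
        ("https://www.facebook.com/login", "https://faceb00k.com/login"),
        ("Verify your account", "https://www.facebook.com.account-verify.example/login"),
        ("Facebook settings", "https://www.facebook.com/settings"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'no findings'}")
```

Hovering over a link is the manual version of step 1: the human compares what the text claims with where the href goes. Steps 2 and 3 encode the rule that only the registrable domain matters, so "facebook.com" appearing anywhere to the left of the real domain proves nothing.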
Be careful about downloading files from emails. If you don't expect to receive a file, or if you don't know the sender of the file, it's usually a bad idea to download it.
What information should you provide? Hackers can make phishing emails look legitimate, both graphically and in terms of content. It is therefore easy to be fooled. It is always important to read the content carefully. If you are asked for confidential or sensitive information, the email is not from a legitimate company or government agency - they would never ask for that kind of information in an email.
Use search engines instead of links. If you are in doubt whether a link is a legitimate link, use a search engine to find the company's website that the link supposedly takes you to.
Use antivirus programs. Antivirus programs can scan email attachments and determine if they are safe.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.