What Does Phishing Mean and How to Protect Yourself
One of the most pervasive and dangerous threats in modern society is phishing. Even if you don’t know what the word means, you’ve probably been a victim of phishing at least once — perhaps without even realizing it.
What Does Phishing Mean?
Phishing is a form of cyber attack designed to do one of two things: get victims to divulge personal information or download malware on their computers. Phishing attacks are cleverly disguised as legitimate emails or official websites from trusted sources. If you want to avoid becoming a victim, you need to know how phishing works and what techniques phishers use.
How Does It Work?
Today, phishing is easier than ever thanks to the availability of “phishing kits” on the dark web. These kits include all the tools needed to launch a phishing attack — and all a cybercriminal has to do is install the kit on a server, then send out emails to potential victims. They don’t need to guess an email address, either, since mailing lists can also be found on the dark web.
The steps to creating and using a phishing kit are as follows:
- The phishing kit creator clones a legitimate website to make a spoofed one.
- The site’s login page is changed so it points to a credential-stealing script.
- These modified files are bundled together in a zip file, which is the phishing kit.
- The attacker uploads the phishing kit zip file to the spoofed website, where the files are unzipped.
- The attacker sends emails with links that point to the spoofed website.
As an alternative to the link method in step five, the malicious software could be contained in an email attachment.
Types of Phishing
Among the most common phishing attacks are:
- Spear phishing. While many phishers cast a broad net, sending out an email to a long list of people indiscriminately, others target their attacks toward a specific individual or company. Spear phishers use information they have already gleaned about a potential victim — such as their name, phone number, or employer — to personalize their attack and make their email seem more credible.
- Whaling. No one is entirely immune to phishing scams, and that’s the principle behind whaling. In a whaling attack, also known as CEO fraud, phishers put more time and effort into landing a particularly significant victim. For instance, they might research a wealthy CEO extensively to craft a phishing email designed to appeal to them.
- Pharming. As potential victims become more tech-savvy, phishing “bait” becomes less effective. Pharming does away with the bait, relying instead on domain name system (DNS) cache poisoning. This method allows a phisher to redirect victims to a spoofed website even if they entered the correct address into their web browser — without needing a malicious link as bait.
Keep in mind that cybercriminals are constantly honing their skills and inventing new techniques. In addition to email phishing, for instance, people might fall victim to SMS phishing via text message or voice phishing, where a voicemail is left on the victim’s phone encouraging them to call back and verify their identity.
How to Protect Yourself
As phishing techniques become more sophisticated and targeted, it becomes increasingly difficult to spot the difference between legitimate emails and phishing emails. The best way to protect yourself is to stay updated on current phishing techniques. Familiarize yourself with the various forms of link manipulation that phishers often use, such as link shortening and homograph spoofing.
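As an added illustration, not part of the original article, the small Python link inspector below flags the two link-manipulation tricks just named, shortened links and homograph (lookalike-character) hostnames, the way a mail filter or a cautious user might before clicking. The shortener list and the sample URLs are constructed assumptions, not data from the page.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of common link-shortening services (assumption, not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def hostname(url: str) -> str:
    """Return the lowercase host part of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def decode_idna(host: str) -> str:
    """Turn 'xn--' (punycode) labels back into the Unicode text a victim would see."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def scripts_of(label: str) -> set:
    """Unicode script family of every letter in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_link(url: str) -> dict:
    """Report the host, how it would be displayed, and any link-manipulation findings."""
    host = hostname(url)
    shown = decode_idna(host)
    findings = []
    if host in SHORTENERS:
        findings.append("shortener")        # real destination hidden behind a redirect
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")         # internationalized label: check decoded form
    if any(len(scripts_of(label)) > 1 for label in shown.split(".")):
        findings.append("mixed-script")     # e.g. a Cyrillic letter inside a Latin word
    return {"host": host, "displayed_as": shown, "findings": findings}


# Constructed sample: the first 'e' of "example" replaced by Cyrillic 'е' (U+0435),
# encoded as a browser or mail client would put it on the wire.
SAMPLE_LOOKALIKE = "https://www." + "\u0435xample.com".encode("idna").decode("ascii") + "/login"
SAMPLE_SHORTENED = "https://bit.ly/abc123"
SAMPLE_CLEAN = "https://www.example.com/login"

if __name__ == "__main__":
    for url in (SAMPLE_LOOKALIKE, SAMPLE_SHORTENED, SAMPLE_CLEAN):
        print(inspect_link(url))
```

A hit on "punycode" or "mixed-script" means the address bar would show a domain that looks like the real one but is not; a "shortener" hit means the destination cannot be judged until the redirect is expanded.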
Learn as much as you can about phishing security, and attend any security awareness training your employer offers. If your company does not offer this kind of training, look elsewhere:
- Onguardonline.gov offers tips for identifying and preventing phishing attacks.
- Cofense PhishMe trains employees to recognize and resist phishing attacks.
- FraudWatch International keeps a list of confirmed phishing attacks.
Setting up two-step authentication on websites that offer it, such as your email service, can also help you avoid falling prey to phishing scams. Also make sure your email service uses at least one authentication standard that checks incoming emails and filters out spam. Examples include the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols.
Finally, report phishing attempts you come across to your company’s IT team as well as the company or individual the phishers are impersonating so they can take proper security measures.
Wondering what else hackers are capable of? Check out #WarGames. A modern, interactive take on the 1983 Cold War sci-fi film “WarGames,” this new series from Eko illustrates the great power hackers can wield and the role they play in today’s society.