For Beginners
If you've heard people talk about phishing scams but for the life of you can't figure out just how anyone could fall for one of those "fish stories" you've heard a thousand times, this article is for you! Or, if you're a business owner and you know a little bit about phishing but want to know more, you'll find this to be a comprehensive guide. Let's not waste any more time, then, and get started!
What Exactly Is Phishing?
Ok, so this is the natural first question: what is phishing, exactly? Phishing is a cybercrime, and it comes in several different types with several different kinds of attacks. We will go over all of these online scams within this guide, but for now, let's go over the baseline definition.
Phishing is social engineering delivered as fraudulent messages, by email, text message, or phone, that try to trick people into revealing personal or financial information or sensitive company information, or into handing over login credentials and the like. It is often only the first step in a bigger plan, such as a ransomware attack.
These "phishing" expeditions are just what they sound like: they're often sent out as email campaigns to a large number of people, hoping to "catch" one here and there with different "lures".
What's The Point Of Phishing?
As mentioned, these fake messages are designed to trick people into thinking they're getting the message from a trusted source, so that they reveal the personal or sensitive information the criminals want to steal. The cybercriminals then use this information to make unauthorized purchases, commit identity theft, or gain access to confidential information such as customers' personal data and financial information.
Sometimes, a phishing scam is designed to lead to a ransomware attack on a business: the message gets the attacker a foothold on the company network, and the sensitive data is later encrypted and held for ransom. Sometimes the point is to install malware that spreads through an entire system. Other times the malware enrols your company's computers in a botnet that is used for DDoS (distributed denial of service) attacks against someone else. Let's talk about the different types of phishing attacks there are.
Email Phishing
Generic Phishing
You may be surprised to know there are different types of phishing emails, each with its own subcategories or names. First there are what's called generic phishing emails, the kind that has been around since the 1990s.
These phishing emails are sent to anyone and everyone, and many can be easily spotted by their bad grammar or English. Typically, they purport to be from a legitimate company, say your account has been compromised in some way, and tell you to click on a link and respond immediately...or else!
Sextortion
A phishing scam that is becoming more common is one referred to as sextortion. In this type of phishing email, you are sent an email that appears to come from your own address (the sender address is simply spoofed). The hacker claims to have your email password and control of your account, and also claims to have a recorded video of you while watching adult videos.
The hacker claims your camera, unbeknownst to you, was on and recording, and they have the video. In order to stop them releasing it to your contacts, you must pay them a certain amount, typically in Bitcoin. These emails are sent out in bulk and the "video" doesn't exist; to make the claim credible, they often include a real old password of yours that was taken from a data breach, which is a sign to change that password anywhere you still use it, not to pay.
Search Engine - SEO Phishing
Search engine phishing, also called SEO poisoning, is when the hacker creates a fake website and works to get it to the number one spot on a search engine such as Google for a particular phrase. If they can get you to click their link, it takes you to one of these fake websites, where they sell fake or non-existent merchandise, of course!
Then, when you enter your personal information and credit card details, they have enough for identity theft or for making unauthorized purchases, which is what they're after. A fake website can also imitate a credit card company, a bank, or the PayPal login page. More sophisticated phishing attacks are designed every day.
Spear Phishing And Whaling
Spear phishing emails are a different kind of attack, targeted at a specific group or type of people, such as people in administrative roles in a specific industry. Spear phishing targets are often businesses and organizations chosen for reasons that may make sense only to the hacker, or because they have a known weakness or vulnerability in their security system or network.
It is called spear phishing because they are targeting a specific type of "phish". Hackers call it "whaling" when they target the really big ones, the actual business owners and CEOs, for example. These phishing attacks take a bit more social engineering: the attackers study the subjects, their role, their contacts, and the kind of email they normally receive, so the message can really be convincing.
Spear phishing attacks are designed to cripple companies and executives and are surprisingly effective. They don't need to start from inside your network; publicly available information such as your website, press releases, and employees' social media profiles is usually enough to write a convincing message. Once one employee has been caught, however, the attacker can read that person's real email threads and use them to target the rest of the company.
Sometimes they're sent directly to your email; the message could notify you that your business is being sued, or that an employee has committed some sort of crime, etc. The goal in some cases is to get you to click a link or open an attachment that installs malware on your system. The malware can cause harm in different ways, from corrupting files to adding your machines to a botnet used for DDoS attacks.
Alternatively, the goal could be to get an employee to reveal your system login information or other sensitive data. A closely related scam is business email compromise (BEC), where scammers pretend to be the CEO or someone in a higher position at the company and ask an employee to wire money, buy gift cards, or change a supplier's bank details. BEC messages often contain no link or attachment at all, which is exactly why spam filters miss them, so educating your employees on how to recognise these types of phishing scams is essential.
A successful phishing attempt on a business can be devastating and expensive, as it often leads to a ransomware attack, where your company's sensitive data is encrypted and held for ransom by these more sophisticated hackers.
Clone Phishing
A clone phishing email is when the cybercriminal takes a legitimate email that was really sent to you by a trusted source and makes it look like a simple resend. The original links or attachments have been swapped out for malicious ones, and everything else has been designed to be a clone of the legitimate message, so the user is more easily tricked.
Sometimes this look-alike phishing email will ask you to click on a link that takes you to a cloned website the hackers have created, so be sure to check the URL. Often, email phishing scammers use a domain that is one letter or number different from the legitimate website (a "1" for an "l", "rn" for "m"), or they put the real company's name in front of a domain they own, so check the address carefully before entering anything.
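Checking a link "carefully" is easier to describe than to do by eye, so here is a small link checker as an added example (this is not code from the article or from Blue Oak; the trusted-domain list, the confusable-character table and the sample email are all constructed for the example). It pulls every link out of an email body and flags three clone-phishing tricks: a domain that becomes a trusted one once look-alike characters are normalised, a trusted name used as a subdomain of an attacker-owned domain, and link text that shows one address while the link goes somewhere else.

```python
"""Flag look-alike and mismatched links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains this organisation expects mail to link to.
TRUSTED_DOMAINS = sorted({"paypal.com", "microsoft.com"})

# Common character swaps seen in look-alike domains (assumption: not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Something that reads like a domain or URL inside the clickable text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def normalize(domain):
    """Replace look-alike sequences so 'paypa1' and 'rnicrosoft' read as the real names."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def registrable(host):
    """Crude registrable domain: last two labels (a real deployment would use the
    public suffix list so that e.g. co.uk is handled; assumption for the example)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if it is the real thing
    (or simply unrelated)."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for good in TRUSTED_DOMAINS:
        # paypal.com.account-verify.example: trusted name buried as a subdomain
        if good in host.lower():
            return good
        # paypa1.com, rnicrosoft.com, paypall.com: swapped or extra characters
        if edit_distance(normalize(reg), normalize(good)) <= 1:
            return good
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return [(href, text, [reasons])] for every suspicious link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        imitated = lookalike_of(host)
        if imitated:
            reasons.append(f"host {host} imitates {imitated}")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body: three cloned links and one genuine one.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.paypa1.com/login">https://www.paypal.com/login</a>
<a href="https://paypal.com.account-verify.example/">Click here to verify</a>
<a href="https://rnicrosoft.com/reset">Reset password</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "|", text, "|", "; ".join(reasons))
```

Running it flags the first three links and leaves the genuine PayPal help link alone. The allow-list approach is deliberate: the checker doesn't try to decide whether an unknown domain is "bad", only whether it is pretending to be one you already trust, which is the question a user is really asking when they hover over a link.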
Vishing
Other types of phishing are done over ordinary phone calls. This type of phishing attack is referred to as "vishing", with the "v" for voice. The caller will claim to be from Microsoft or, more likely, a financial institution, and may even ask you to call another number and enter your personal details "for security purposes", such as your bank account numbers or credit card information.
When you call that number, it goes straight to the hacker instead. VoIP (Voice over Internet Protocol) makes these numbers cheap to set up and lets the caller display a fake caller ID, so a familiar-looking number proves nothing. Be sure of who you're talking to before ever giving out any sensitive information, especially bank account or credit card details; the safe move is to hang up and call the number printed on your card or statement.
Smishing
If you get a phishing text message, it is likely going to carry the same kind of "urgent" message that looks like it's from a trusted source, but is not. These text messages have the same goal of getting you to click a link and/or enter your personal information, typically a bank account number or your credit card details. Smishing attempts (say that 5 times fast!) are gaining popularity, because people are much more likely these days to respond to a text message than an email.
Sometimes the goal is to get malware onto your mobile device, so the hacker can obtain your private pictures and files and hold them for ransom. A good rule of thumb is that if you don't know the number sending you an urgent text message, be suspicious! Call the company yourself, using a number you already have, to ask what's going on, or whether it's normal to receive texts from them. Legitimate companies will have no problem answering questions like this.
Snowshoeing And Hailstorm Campaigns
These are 2 more terms, this time for ways of sending a campaign rather than for what the message says. Snowshoeing, also called "hit-and-run" phishing, spreads the malicious messages across many domains and IP addresses, so that each one sends only a handful. Spam filters and reputation systems mostly react to volume from a single source, so at first no individual sender looks bad enough to block.
Hailstorm campaigns work the same way as snowshoeing, only the messages are sent in an extremely short burst, ending right about the time the spam filters and security features catch up and get wise. Either way, take a careful look at the sender before opening a suspicious-looking email.
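Because both techniques are designed to hide from per-sender volume counts, the way to spot them is to group messages by campaign rather than by sender. The following is an added example of that detection logic (not code from the article or from Blue Oak). It reads mail-gateway log lines in a constructed format, groups them by a normalised subject, and labels each group by how its volume is spread over sources and time; the thresholds are assumptions you would tune for your own traffic.

```python
"""Classify mail campaigns as snowshoe, hailstorm, bulk or normal (added example).
Log format (constructed for the example): <timestamp> <client ip> <sender> "<subject>"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_MESSAGES = 10                  # below this, don't bother labelling a campaign
MIN_SOURCES = 8                    # distinct sending hosts that count as "spread out"
PER_SOURCE_CAP = 2                 # snowshoe: no host sends more than this many
BURST_WINDOW = timedelta(minutes=10)  # hailstorm: whole campaign lands inside this

LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def parse_line(line):
    """Return (timestamp, ip, sender domain, subject) or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ts, ip, sender, subject = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, sender.split("@")[-1].lower(), subject)


def campaign_key(subject):
    """Collapse per-message variation ('Invoice #1007 overdue') into one campaign key."""
    return re.sub(r"[^a-z]+", " ", subject.lower()).strip()


def classify(events):
    """events: list of (timestamp, ip, sender domain) for one campaign."""
    if len(events) < MIN_MESSAGES:
        return "normal"
    per_ip = Counter(ip for _, ip, _ in events)      # production code would key on /24 or ASN
    times = [t for t, _, _ in events]
    span = max(times) - min(times)
    spread_out = len(per_ip) >= MIN_SOURCES
    if spread_out and span <= BURST_WINDOW:
        return "hailstorm"                           # many hosts, everything at once
    if spread_out and max(per_ip.values()) <= PER_SOURCE_CAP:
        return "snowshoe"                            # many hosts, a trickle from each
    return "bulk"                                    # lots of mail from few hosts: filters already catch this


def classify_campaigns(lines):
    """Map campaign key -> label for every campaign found in the log lines."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, ip, domain, subject = rec
            groups[campaign_key(subject)].append((ts, ip, domain))
    return {key: classify(events) for key, events in groups.items()}


def constructed_log():
    """Four constructed campaigns, one per behaviour we want to label."""
    lines = []
    for i in range(12):   # snowshoe: one message per host, spread over the morning
        lines.append(f'2024-05-01T{8 + i // 2:02d}:{(i % 2) * 30:02d}:00Z 198.51.{i}.{10 + i} '
                     f'billing@firm-{i}.example "Invoice #{1000 + i} overdue"')
    for i in range(12):   # hailstorm: a dozen messages from ten hosts inside three minutes
        lines.append(f'2024-05-01T14:{2 + i // 4:02d}:{(i % 4) * 15:02d}Z 203.0.113.{i % 10 + 1} '
                     f'alert@secure-{i}.example "Your account {i} is locked"')
    for i in range(5):    # a small, legitimate newsletter from one host
        lines.append(f'2024-05-01T09:{i:02d}:00Z 192.0.2.5 news@vendor.example "Weekly newsletter"')
    for i in range(15):   # classic bulk spam: two hosts hammering away
        lines.append(f'2024-05-01T10:{i:02d}:00Z 192.0.2.{20 + i % 2} promo@meds.example "Cheap meds {i}"')
    return lines


if __name__ == "__main__":
    for key, label in classify_campaigns(constructed_log()).items():
        print(f"{label:10} {key}")
```

The point of the example is the grouping key: once the "Invoice #1007 overdue" messages are counted together, twelve senders with one message each stops looking like twelve harmless senders and starts looking like one campaign. Real gateways key on more than the subject (a hash of the body text or of the links, the sending /24, the return-path domain), but the shape of the rule is the same.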
A Brief History Of Phishing
The history behind the word is actually quite interesting. The term "phishing" dates from the mid-1990s: the first recorded use was in 1996, in connection with scams against AOL users, although the average person didn't hear of it for about another 10 years. The name itself is fairly self-explanatory, but even the "ph" has meaning.
Long before the web, people who explored and experimented with the telephone system were called "phreaks", and "phreaking" was their hobby; many early hackers came out of that scene, and spelling "fishing" with a "ph" was a nod to it and to those underground communities.
Remember when America Online, or AOL, was the premier provider of internet access? Well, this is also where phishing began, since millions of people used it every day. At first these hackers stole users' passwords and used programs that generated random credit card numbers, some of which would happen to pass AOL's checks.
With those, they'd open AOL accounts that were used for spamming, spoofing, and other mischief against fellow users. Eventually AOL put an end to that practice with checks that rejected randomly generated credit card numbers. That's when phishing really began: the hackers had to get a bit more creative, and started posing as AOL staff in messages asking users to "verify" their passwords and billing details.
How To Prevent Phishing Attacks Or Any Other Cyber Attack
This is the most important question: how do you avoid these suspicious emails and other terrifying cyber attacks? The real problem here is that these criminals are smart, and are always adapting and evolving their scams into more elaborate and harder-to-detect setups. You might be quite surprised by the statistics on phishing and malware (a portmanteau of "malicious software"). A recent report by the AV-Test Institute shows that there are 560,000 new pieces of malware registered every day, and SonicWall counted more than 3.2 billion malware attacks in just the first half of 2020.
In addition, 4 businesses every minute fall victim to phishing and ransomware attacks. The list goes on, and built-in spam filters and antivirus software don't always catch the threats. So what can you do to prevent a phishing attack on your business? One thing you need to do is always report phishing, even if you only suspect it. The other is to never give out any personal details without checking the source through a channel you already trust, such as a phone number from your own records rather than one in the message. Additionally, you can hire Blue Oak Tech! Here at Blue Oak Technology Solutions, we have a solution for you, so you can keep your company safe.
Blue Oak Technology Solutions
Blue Oak Technology Solutions has been in business for 17 years, providing technical support and solutions for small to medium-sized businesses in the area. We like to think of ourselves as your offsite IT department, and our clients enjoy customized managed services with excellent, personalized customer service and support, anytime they need it. We would love to help you with your technology solutions too, and we have everything you need to run your business smoothly.
One service we offer is security for your business and computer systems. We provide the security software you need and monitor your systems 24/7, stopping potential threats before they ever reach you. We also provide training and education for your employees on how to avoid phishing scams and other cyber threats, and our email service's spam filtering eliminates the majority of them. Choose exactly what you need, and nothing you don't! Alternatively, pay for the services you need as you go, on an "on-demand" basis. Whatever works best for you works for us. Contact us today to see how we can help your business.