What is Phishing?

75% of organizations experienced a phishing attack in 2020.
Learn how to prevent malicious emails from harming your business.

Phishing is the term for a social engineering attack that tricks people into handing over sensitive information such as login credentials and credit card numbers.

Phishing occurs when the attacker, posing as a trusted source (such as a bank or well-known website), tricks a victim into opening a malicious email, instant message (IM), or text message on a mobile device.

By clicking on the links inside such emails, you can unknowingly install malware on your system, leading to a costly ransomware attack in which sensitive information becomes widely available to the public.

Black hat hackers often use phishing to gather information. Bank email fraud and social security email fraud are both examples of the phishing attacks they use.

According to recent phishing statistics, 96% of phishing attacks are executed via email, costing organizations worldwide an average of $3.92 million in damages per data breach.

See How Perimeter 81 can protect you from Phishing

Phishing Definition

Phishing is the set of fraudulent actions taken by hackers to carry out a personal information scam.

There are many dangers of phishing, as sensitive data such as usernames and passwords, account and credit card numbers can be handed over, and serious financial loss can occur.

How Does Phishing Work?

Phishing attacks work by getting unsuspecting victims to hand over personal information through deceptive emails and websites.

The goal of a phishing attack is to trick the victim into believing that the message in front of them is something they need to act on, such as a request from their bank or a note from a business colleague, so that they click the link or download the attachment.

Phishing is a distinct form of cyberattack. Phishing scams work by hackers setting up a fake page on a site that looks legitimate.

They then masquerade as a trusted entity, as this is part of their phishing campaign. Malicious actors may pretend to be your bank, your boss, or a company whose software you utilize. 

Often phishing links redirect you to fake verification pages that look like a legitimate request to confirm details such as passwords.

One troubling statistic is that 74% of organizations in the United States experienced a successful phishing attack, forcing businesses to take counter security measures against such attacks.

History of Phishing

Email phishing techniques and phishing schemes have become more sophisticated over the years, but phishing attacks are nothing new. In fact, the first phishing attack is thought to date back to 1995.

Five years later, the “Love Bug” made phishing a routinely used word among millions of people across the globe.

In the early ‘90s, the internet relied on dial-up, where you had the “luxury” of being disconnected each time the phone rang, not to mention paying a hefty monthly fee for premium services. Some people did not want to pay a fee, and the only ‘free’ alternative was a 30-day free trial through an AOL floppy disk.

However, once the trial period expired, certain people changed their screen names to give the appearance of AOL administrators. Using these fake names, they would spend time “phishing” for login credentials so that they could continue using the internet at no extra cost.

In 2021, there was an infamous AOL phishing scam which threatened to close accounts. It asked for account verification within 3 days or 72 hours. If you have fallen prey to this phishing scam, you will need to perform an AOL password reset.

Although many people today have switched over to Gmail and Outlook as their preferred email source, over 1.5 million people are still paying a monthly subscription service fee for AOL. 

Scammers continued to use these tactics to masquerade as admins from an Internet Service Provider (ISP), emailing the ISP’s customers’ accounts to gain user login credentials.

Once they tricked a certain individual, they could use the internet through that person’s account and were able to send spam from that specific user’s email address.

The 2000 Love Bug

Originating from the Philippines on May 4th, 2000, the “Love Bug” began to flood email addresses both rapidly and globally with a message entitled “ILOVEYOU.” The body of this message stated, “Kindly check the attached LOVELETTER coming from me.”

Many thought this was harmless and opened the .txt file, which released a worm that damaged their PC. The worm overwrote image files and sent a copy of itself to every contact in the user’s Outlook address book.

“LoveBug” showed how spam could send itself, and the malware was unleashed on around 45 million PCs.

The history of phishing spans over 20 years. Attacks have become more sophisticated at evading detection by spam filters and other technology, but the tactics remain quite consistent.

Phishing Attacks: How To Spot a Fake Email

There are several types of phishing attacks, though they mostly occur through email fraud. However, email services such as Gmail often spot such phishing scams immediately and place such phishing attempts in spam email folders.

Here are a few ways to spot a fake email:

1. The Email is From a Public Email Domain

A legitimate organization will not send email from a public domain such as ‘@gmail.com.’ Look for a sender domain that matches the organization’s own domain, as this usually indicates the email is real.

If you are not sure, type the organization’s name into a search engine like Google and compare its domain with the one in the email. A mismatched email domain usually gives away a phishing scam immediately.

You can take further measures by reporting any suspicious activities to Google. Here is how to report phishing emails to Gmail to be on the safe side.

2. Suspicious Messages

Fraudulent emails use a range of phishing pretexts, such as:

a. Your Account Has Been Hacked

Here the attacker has found a group email address that was available on the company website and sends that list a carefully disguised malicious message.

b. Password Reset

This takes advantage of users using important websites that possibly deal with their finances. Messages such as “password resets” aim to trick the victim into handing over sensitive and important data – often both a username and password that the hacker can then use to breach a system or account.

c. Payment Request

This email contains enough details specific to the target company to make the request seem truly plausible to the victim.

d. Charity Donation

Charity donation scams have been around for quite some time. The hacker hopes the recipient will be gullible enough to believe they have suddenly been given the opportunity to receive a charitable donation. This sort of phishing scam asks for your banking details.

Phishing Email Examples

There are many popular phishing scams out there. Here are just a few:

Facebook Phishing Email Example

Facebook is a hacker’s favorite among known phishing scams. This is due to the fact that Facebook has over 2.6 billion active users, which makes it an easy target. 

Facebook doesn’t only contain a user’s password and login details, but credit card information as well, for those that do business with it, providing a virtual goldmine for any cybercriminal looking to easily cash in. 

Facebook phishing scams tend to scare or entice victims into clicking on a phishing link. However, the most convincing Facebook phishing scam is a phishing page. In the first quarter of 2020, there were 3,733 unique phishing URLs related to Facebook, and even more Facebook phishing emails.

One of the ways an attacker uses phishing via Facebook is by asking the victim to confirm their account. The message warns them that their account will end up being blocked if they don’t update their password. Usually, the attacker will ask an additional question (such as date of birth) to use in the future.

Some Facebook phishing emails do end up in inboxes, and they look like the following:

The above email contains a link to be clicked on. Note that it is not highly sophisticated in any way, and the domain name is “nationalwestern.com” which looks suspicious if the mail is coming from Facebook itself. In fact, FB.com is Facebook’s corporate email domain. 

PayPal Phishing Email Example

In a PayPal phishing email, you will often receive a message such as “Dear PayPal Member,” or “Dear PayPal User.” An authentic PayPal email will always address you by your real name (first and last), or the name of the businesses associated with the account.

The above image is an example of a PayPal phishing email message that appears real and even promises “military-grade encryption.” 

This email follows up with a message that “unusual activity has occurred in your account” and the link included must be clicked upon to fill in certain information. It also follows with a sense of urgency that if the request is ignored for an extended period of time, there may be account limitations imposed.

PayPal scams were at an all-time high just a few years ago in 2019, when attacks grew by 167.8 percent in Q1 alone. If you feel you have ever been a victim of a PayPal phishing scheme, you can report it by forwarding the entire email to [email protected].

Amazon Phishing Example

Amazon has 300 million active users which makes the platform’s users desirable targets for phishing emails.

There are several red flags in the Amazon phishing scam which you can clearly see. The “Call our Toll-Free number” line cuts off at “Call our Toll-Free…” and requests that you call another number; the package address is clearly incorrect, as it has no street name; and there are typos, one of the most common signs of a phishing email.

Gmail Scams: Don’t Fall For Them 

There are 1.5 billion active Gmail users, making it one of the most popular email services to be hit with phishing emails. There are millions of fake Gmail accounts circulating that send out Gmail spam attacks to unsuspecting victims.

Threatening emails claiming to come from Gmail may ask for:

  • Your mother’s maiden name
  • National Insurance numbers
  • Credit card numbers
  • Usernames, as well as passwords, and password changes
  • Bank account numbers
  • Your date of birth

Google, itself, won’t ask for such information in an email.

To Report Phishing Emails in Gmail

  1. Go to Gmail.
  2. Open the email.
  3. Click on “More”, next to “Reply”.
  4. Click “Report Phishing”.

How to Block Phishing Emails in Gmail

  1. Open the email
  2. Click on the three dots in the upper right corner to open the “More” menu
  3. Click on “Report Phishing”
  4. Click on “Block” followed by the sender you wish to block

Microsoft Phishing Emails

There are around 500 million Microsoft Outlook users, which translates to plenty of golden phishing opportunities for hackers. A phishing email claiming to be from the Microsoft account team usually won’t come from @accountprotection.microsoft.com, which is the domain the corporate giant’s account team actually uses.

The Microsoft corporation security department has the Microsoft Security Response Center that is part of the defender community. It helps protect Microsoft customers from falling prey to Microsoft security alert scam emails, new Microsoft scams, as well as Office 365 phishing emails.

FBI Scam Email

Scammers often turn to spamming targets with emails pretending to be from government agencies, such as the FBI. There have been emails where targets are asked to pay some money in order to get a “clearance certificate from the United States Department of Homeland Security”, or they could face criminal charges.

Very often, these fake messages ask the targets to provide personal information. Smishing is the term used for scams that occur through text messages, and targets are often attacked with fake FBI text messages or emails.

The FBI scam email contains variants of the W32/sober virus which, if downloaded, can allow the attacker to upload and execute arbitrary code on the infected machine or prevent firewalls from running properly.

Phishing Tools: What Hackers Use

The question remains, do attackers have to be sophisticated or have extensive knowledge with regards to sending out phishing emails? The answer simply is no.

There are many phishing tools on the web that can help create a spoofed email address and crack passwords. In fact, an online phishing tool can be purchased quite cheaply and wreak all sorts of damage on an unsuspecting victim’s computer.

Here are just a few password-cracking software tools that attackers use, or “the tools of the phishing trade”:

John the Ripper

This password cracking software tool is free and was originally created for the Unix OS. It is able to run on 15 different platforms and is exceptionally popular, as it combines many different password crackers in one package. It auto-detects password hash types, and also comes with a customizable cracker. 

Its advantages are that it can crack many different password types and is available for 15 operating systems; its drawbacks are that it takes time to set up and requires technical knowledge of the command line.

It recognizes multi-core processor architectures and performs very well on modern hardware with no need for further modification. John the Ripper Pro costs $39.95, or $89.95 with future upgrades included at no extra cost. A license costs $185 and comes with email support.

Aircrack-ng

Aircrack-ng is a network software suite containing a detector, as well as a packet sniffer, and WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

It is able to sniff 802.11a, 802.11b, and 802.11g traffic and functions using any wireless network interface controller which has a driver that supports raw monitoring mode.

It runs under macOS, Windows, and Linux, among others. It is free software with no license fee.

Ophcrack

Ophcrack is able to crack Windows passwords by attacking LM (LAN Manager) hashes with rainbow tables, which are precomputed tables used to recover a password from its hash. Ophcrack is a free, open-source (GPL licensed) program.

It is able to crack most passwords in just a matter of minutes and is available as a live CD.

Nmap

Gordon Lyon (pseudonym Fyodor Vaskovich) created Nmap (Network Mapper), a free open-source network scanner. It discovers hosts and services on a computer network by sending packets and analyzing the responses. It works on Linux, macOS, Windows, and BSD.

Different Types of Phishing Attacks

There are many cleverly disguised phishing attack techniques, however, the most popular ones are: 

  1. Phishing email threats 
  2. Spear phishing
  3. Vishing
  4. Angler phishing
  5. Pop-up phishing
  6. Evil twin phishing
  7. HTTPS phishing
  8. Whaling/CEO fraud
  9. URL phishing
  10. Smishing
  11. Pharming
  12. Clone phishing
  13. Watering hole phishing
  14. Barrel phishing

Below we describe some of the above phishing attacks in more detail:

What is Spear Phishing?

A spear-phishing attack is an advanced, targeted impersonation attack in which a hacker impersonates a trusted party, such as a colleague or external partner, in an effort to extort funds, deploy malware, or steal credentials.

Warning Signs of Spear Phishing

There are certain clues to look out for that indicate a spear phishing email, namely:

The Target

A spear phishing attack is usually aimed at a specific person. The attacker often pretends to be a trusted colleague or an entity that the target trusts.

In fact, a hacker will take the time to research the target in order to learn their name, where they work, their job title, and their relationships with colleagues.

If you are able to access company funds, are a new employee, or have access to sensitive data, you’re a prime target.

The Intent

The spear phishing email will have a purpose behind it – the attacker wants the target to perform an action. This includes anything from wiring funds, sharing credentials or sensitive company files, or even downloading dangerous malware.

The request for action will often have a sense of urgency about it: using phrases like “Please pay this quickly.”

Hackers exploit your willingness to cooperate swiftly and under pressure; if you receive the email outside office hours, you often cannot quickly get confirmation from a manager or your boss.

Sender Identity

Hackers pretend to be people who hold positions of power, or companies and services that the target trusts. Always ask whether the request you have been sent is “normal,” i.e. the kind of request you regularly receive. Ask questions such as, “would a CEO email a junior or new employee directly?”

It’s important to look at the From: and Reply-To: email addresses, as these can give you clues as to whether the email you’ve received is authentic. However, sophisticated hackers can easily impersonate domains, as well as display names, so take extra precautions.
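The From:/Reply-To: checks described above, as an added example that is not part of the original article. It parses a raw message with Python’s standard email library and reports the inconsistencies a reviewer would look for; the public-domain list, the sample messages and the domains in them are constructed for this example.

```python
"""Flag From:/Reply-To: header inconsistencies typical of spear phishing."""
import email
import re
from email.utils import parseaddr

# Public webmail domains an organization would not normally send from (assumed list).
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_sender_headers(raw_bytes, expected_domain=None):
    """Return a list of findings for the From:/Reply-To: headers of a message.

    expected_domain: the domain the sender claims to represent (e.g. 'paypal.com');
    when given, a From: domain that is neither it nor a subdomain of it is flagged.
    """
    msg = email.message_from_bytes(raw_bytes)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain(from_addr)
    reply_dom = _domain(reply_addr)

    # A named sender ("PayPal Service") mailing from a public webmail provider.
    if from_name and from_dom in PUBLIC_DOMAINS:
        findings.append(f"from-public-domain: '{from_name}' sends from {from_dom}")

    # Display-name spoofing: the name shows one address, the real sender is another.
    shown = ADDRESS_IN_TEXT.search(from_name)
    if shown and _domain(shown.group()) != from_dom:
        findings.append(f"display-name-spoof: shows {shown.group()}, real sender {from_addr}")

    # Replies silently redirected to a different domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: From {from_dom} but Reply-To {reply_dom}")

    # Claimed organization versus actual sending domain (look-alikes included).
    if expected_domain:
        exp = expected_domain.lower()
        if from_dom != exp and not from_dom.endswith("." + exp):
            findings.append(f"domain-mismatch: expected {exp}, got {from_dom}")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = b"""From: "PayPal Service" <paypal.service@gmail.com>
Reply-To: billing@paypa1-secure.example
Subject: Unusual activity on your account

Dear PayPal User, confirm your details within 72 hours.
"""

NAME_SPOOF = b"""From: "ceo@corp.example" <urgent.request@evil.example>
Subject: Please pay this quickly

Wire the attached invoice today.
"""

LEGIT = b"""From: "Alice Example" <alice@corp.example>
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for label, raw, claimed in (("suspicious", SUSPICIOUS, "paypal.com"),
                                ("name-spoof", NAME_SPOOF, None),
                                ("legit", LEGIT, None)):
        print(label, check_sender_headers(raw, claimed))
```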

Payloads

Many (but not all) spear phishing attacks will have malicious links as well as attachments that appear “harmless.” These can include malware, ransomware, as well as fake invoices. 

Tech giants are not immune to fake invoices themselves. Amazon was duped out of $19 million for items never purchased and popular Shark Tank investor and real estate mogul, Barbara Corcoran herself was scammed out of $388,000 from invoice fraud. 

At times, hackers may initiate regular conversations with no requests nor attachments whatsoever. They will masterfully take their time, gaining your trust, so that after weeks or months, their true intent will surface in the form of a malicious request which won’t cause any sort of internal alarm – and very importantly, will be harder to detect with security software in place.

How Do Spear Phishing Attacks Differ from Standard Phishing Attacks?

Spear phishing is targeted and personalized to a specific person or organization. Standard phishing emails send bulk emails to huge lists of people hoping one (or more) will bite the “bait.”

Spear Phishing Examples

In this spear phishing example, the hacker is impersonating GoDaddy and looking for credential verification. This attack method can create havoc, as the target’s website can be taken over, and the hacker can gain instant access to other users’ information that is displayed on the backend of the target’s website.

Example 2

In this spear phishing email, the hacker has created a template that resembles a Microsoft File Sharing notification. The hacker is after the target’s credentials, and if the target clicks on the “Preview Online” button (a malicious link), they will be taken to a fake website. 

Should the target type in their credentials, they will not actually log in to Microsoft File Sharing; instead, the hacker will have access to this information and will be able to access the target’s account.

Barrel Phishing

Barrel Phishing Definition

In a barrel phishing attack, a hacker makes emails that look like they’re from a valid company and sends these out to a large group of people.

Barrel phishing emails look legit and can be very difficult to spot. The attacker will be happy if only one target clicks on the bait. A single attack can wind up costing an organization $3.7 million per year.

Clone Phishing

Clone phishing is a form of phishing where a hacker copies an authentic email sent by a trusted organization. In the copied email, the hacker replaces or adds a link so that, when it is clicked, it redirects to a fake and malicious website.

Whaling Attack: Organizations Beware

Whaling attacks fall under sophisticated business phishing scams. In this whaling fraud, a big “whale,” in other words, a big executive like a CFO or CEO is the target. A whaling email is sent out to encourage the target to make an action, such as sending money through a wire transfer. For this reason, it’s essential for major executives to use a Corporate VPN with high-end encryption and user-based role permissions.

Spam vs Phishing: How To Tell The Difference

Spam usually floods inboxes offering unwanted products and services to a large number of people. Phishing is more targeted and is more malicious in nature, aiming for targets to bite the “bait” and give up sensitive information. 

An entertaining TED talk by James Veitch at TEDGlobal Geneva describes such a spam email example where he entertained the attacker with a slew of emails promising curiosity. 

A spam website is usually a web page that has content made to improve search rankings with no real value to the user whatsoever.

How To Report Phishing Emails

If you need to report phishing emails as you suspect the links inside them may take you to suspicious websites, or even want to report spam, the different email service providers give you easy options to do so.

Where to report phishing in Gmail:

  1. Open Gmail
  2. Open the phishing message
  3. Click on More, next to Reply
  4. Click “Report Phishing”

How to report scam emails in MS Outlook:

  1. Select the scam or phishing email 
  2. Select Junk in the toolbar and select Phishing in the drop-down menu
  3. Select Report and this will send Microsoft a phishing email notice. The email will then be moved to Junk Email

How to Identify Phishing Attacks

Main Characteristics of Phishing Messages:

Threats or a Sense of Urgency

In this phishing attack, you will receive an email that urges you to act quickly. For example, you will be told that suspicious activity has taken place within your account and you need to update your password. 

You will then be told to act within 72 hours or your account will be closed. This sense of urgency pushes you to act quickly, thus giving the attacker all the information they need to take hold of your account.

Request for Credentials, Payment Information, or Personal Details

Here, you will receive an email that asks for usernames, passwords, credit cards, and other payment information, in addition to personal details.

You may receive an email from a company where you have just made a purchase, such as Samsung, letting you know that your account has been compromised, and if you don’t confirm the details of your credit card, your account will be deactivated.

Inconsistencies in Web Addresses

When receiving a phishing email, you will notice inconsistencies in the web addresses. The URL doesn’t look familiar, or appears longer or shorter than it normally would.

You need to keep an eye out for this.

Often shortened URLs will be sent to bypass SEGs (Secure Email Gateways) in order to redirect victims to a phishing landing page after delivery of the email. You can test the web addresses with a redirect checker like https://httpstatus.io/.
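The web-address inconsistencies described above, as an added example that is not part of the original article. It pulls every link out of an HTML email body and flags visible text that disagrees with the real destination, URL shorteners, raw IP hosts, and brand names buried inside look-alike hosts; the shortener list, the brand domain and the sample body are constructed, and it does not follow redirects.

```python
"""Flag suspicious links in an HTML email body (offline, no redirects followed)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumed list
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html_body, brand_domain):
    """Return a list of (href, reason) for every suspicious anchor in the body.

    brand_domain: the domain the email claims to belong to, e.g. 'paypal.com'.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        # Visible text that looks like a URL must point where it says it does.
        if URL_LIKE.match(text):
            shown = _host(text if "://" in text else "http://" + text)
            if shown != host:
                findings.append((href, f"text shows {shown} but link goes to {host}"))
        if host in SHORTENERS:
            findings.append((href, "shortened URL hides the destination"))
        if _is_ip(host):
            findings.append((href, "link goes to a raw IP address"))
        # Brand used as a label inside an unrelated registered domain.
        if brand_domain in host and host != brand_domain and not host.endswith("." + brand_domain):
            findings.append((href, f"{brand_domain} appears inside look-alike host {host}"))
    return findings


# Constructed sample body (not a real email); hosts use reserved example ranges.
SAMPLE_BODY = """<p>Dear PayPal User,</p>
<p>Unusual activity was detected. Please visit
<a href="http://paypal.com.verify-account.example/login">www.paypal.com/signin</a>
within 72 hours, or <a href="http://bit.ly/3xyzabc">view the notice</a>.</p>
<p>Support: <a href="http://203.0.113.7/help">help center</a></p>
<p><a href="https://www.paypal.com/">www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_BODY, "paypal.com"):
        print(f"{href}: {reason}")
```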

Message Style

Often in a phishing email, inappropriate language or tone is used. This is especially evident in phishing emails that appear to be from colleagues where the language and tone used is not that of the company’s or your colleague’s basic style of expression.

Unusual Requests

These are instances where you receive messages with requests that are very irregular, unusual, and out of the blue. For example, the CEO asks you, a developer, to purchase things online for a surprise party at the office later this week, and you must send funds to a “partner” to do the buying.

Linguistic Errors

A phishing email with grammatical and linguistic errors is very obvious. These messages will often misspell common English words and put words in the wrong order.

Most phishing emails originate from Eastern Europe, the Americas, and Asia, as well as Iran and Kazakhstan, among others.

How to Prevent Phishing Attacks: 5 Helpful Tips

Here are 5 phishing prevention tips you can follow to minimize threats:

Don’t Click Suspicious Links

It is best advised to not click on links in emails and texts that look suspicious or are unsolicited. Phishing security awareness and training should be a mandatory practice for all businesses and organizations, regardless of size or sector.

Change Passwords Regularly

It’s really easy for attackers to gain access to your passwords through free cracking tools. Change passwords every 3-4 weeks to make sure your sensitive data is not compromised.

Use special characters, upper and lowercase letters, and numbers, and implement two-factor authentication (2FA) to add an extra security layer.

Use a Data Security Platform

Whether in the office or working remotely, it’s best to use a cloud security platform that views your device and system’s security as their top priority. Make sure you also back up your data at all times.

Continuously Update

Although updates can take time, it’s vital that you continuously update your OS and applications. These updates often block malware, such as the latest Windows 10 OS update that automatically detects and blocks certain forms of ransomware.

Install Firewalls

Firewalls work very effectively in preventing attacks from external entities. They act as an important shield between you and an attacker. It’s best to use desktop and network Firewall as a Service to boost your security and reduce the infiltration of hackers into your system as an added anti-phishing security measure.

Those are just a few examples of phishing defensive measures in cryptography and network security.

Phishing Training for Employees

Phishing awareness training is extremely important for employees, especially new employees, to learn all about avoiding phishing emails and protecting against phishing attacks. 

CISOs and other security leaders must implement phishing email training to educate all employees on the dangers of phishing. A few helpful training tips include: 

  • Quizzes on how to identify phishing attacks
  • Show actual data breach cases and explain how to recognize fake emails and messages
  • Encourage continuing education by inviting cybersecurity thought leaders to lecture at your organization or by offering to pay for online courses from Udemy or other educational sites. 

No employee wants to find a malicious phishing message lurking in their company’s inbox. Clicking on a link or attachment within that message can unleash a “can of (malicious) worms” on the entire infrastructure of the company’s network and not only cost them their job, but worse, cost your organization millions of dollars to repair.

Implement Email Security Solutions

It’s important to implement an email security solution, especially if you run a large company with sensitive data being passed through emails. DNS filtering helps against visiting unauthorized websites that could be malicious.

Conduct Phishing Attack Tests

It’s important to run phishing attack tests to see how employees react and respond. They show who the weak links in the organization are when it comes to email “gullibility,” so that these employees can be trained further in how to spot and react to such emails.

How Perimeter 81 Prevents Phishing Attacks with Zero Trust

Perimeter 81 helps organizations of all sizes protect against phishing attacks by implementing a zero trust framework with user-defined permission roles for the purpose of limiting user access to sensitive information, making it much easier to avoid phishing emails and costly data breaches as a result.

This way fewer phishing attacks will succeed, and your IT department can sleep a bit easier at night.

Secured Remote Access: The Perimeter 81 Cloud VPN allows employees to securely access an organization’s private network from multiple devices, from various locations through public networks, and even share data remotely.

Encrypt Transmitted Data: The combination of data encryption and tunneling protocols means that all transmitted data, regardless of device or location, is completely encrypted.

Automatic IP Whitelisting: Save time and boost productivity by whitelisting and segmenting employee access to specific cloud resources.

Phishing FAQs

What is Phishing?

Phishing is a type of social engineering attack where cyber criminals attempt to trick unsuspecting victims into handing over sensitive information by sending fraudulent emails or text messages, or by phone.

What are examples of Phishing?

  • Email phishing
  • Spear phishing
  • Whaling
  • Vishing
  • Smishing

How does a Phishing email work?

Scammers will typically send out an email that appears to come from a trusted source (e.g. Microsoft, Amazon) and then trick users into clicking on a malicious link in order to steal their personal information.

How can I identify a Phishing Scam?

Here are a few ways to identify a phishing email:

  • Check for bad grammar or spelling mistakes
  • Beware of any email asking you to verify personal information
  • The domain name is misspelled
  • Check the email address

Scammers will attempt to replicate a legitimate email address, with the company name appearing first or spelling mistakes within the email address itself.

What can I do to avoid Phishing Attacks?

  • Never share personal information (e.g. credit card, social security number, etc.) over the Internet
  • Do not open any links from unfamiliar senders
  • Make sure you have a strong firewall installed
  • Choose a secure password and change it regularly
  • Download a trusted pop-up ad blocker

Looking to Prevent Phishing Attacks?

Simplify your network security today.