Phishing attacks are among the most common methods used by cyber criminals to steal personal information. Surprisingly, many people are unaware of just how much of a threat these attacks pose. In essence, phishing attacks use a malicious email or website (designed to mimic or replicate real, reputable entities) to trick a person into divulging private or personal information such as usernames and passwords. They may vary in sophistication and plausibility, but the purpose of the attacks is invariably the same.
Alarmingly, while they were once easily identifiable by even passingly-competent tech users, modern phishing attacks are incredibly convincing. Combined with the sheer volume of digital media we use on a daily basis—social media, work and personal email, subscription services to name a few—we’ve never been more likely to inadvertently fall prey to an attack. With that in mind, it’s more important than ever to be informed about phishing and all the forms it can take, and here’s what you need to know.
How phishing used to be done
Phishers use social engineering, particularly by leveraging fear, to trick people into clicking on fake links. Usually, this would allow scammers to steal things like login credentials to access funds (from your bank) or personal details to apply for credit cards etc.
You’re likely already familiar with what a phishing email looks like. Odds are, you’ve seen highly suspect notices crop up from (purportedly) the CRA or any number of banks, threatening immediate legal trouble or termination of your account unless you verify your details immediately. Full of poor grammar and misspellings, these kinds of emails tend to undermine their own credibility, which is sometimes done deliberately to identify the perfect targets.
In any case, the conventional phishing email or message usually contain a number of common traits, including:
- the aforementioned poor grammar
- strange or infrequent senders
- attachments, especially in cases where the information could (logically) have been in the body of the message itself
- generic greetings (“Dear Friend”)
However, not all phishing is directed at a recipient. Some types, like “watering hole” attacks, use vulnerabilities or flaws on websites frequented by their target groups to steal information. Typically, they exploit these vulnerabilities to install malware or to create credible-looking pages (on a real website) which can dupe unsuspecting site visitors. More insidiously, they use the websites’ actual email notifications or newsletters to direct people to compromised sections where they may be exposed to “drive-by download” attacks. This, of course, makes them especially hard to detect and safeguard against.
How it’s evolved
Phishing still leverages social engineering, but has added “annoyance” alongside “fear” to the selection of emotions the attempts are designed to exploit. If you’ve ever suddenly been spammed with a barrage of newsletters or cc’d emails that you never signed up for (or received before), there’s a good chance you’ve been targeted in the hopes that you’ll be annoyed enough to try to unsubscribe using their (malicious) link without paying too much attention.
In fact, the aforementioned “drive-by download” attacks are great examples of how far phishing tactics have come. In essence, this kind of attack installs malicious programs on your computer without your consent when you visit a compromised website or open an infected attachment in an email. Moreover, victims are usually unaware that they’ve been attacked at all. Stealing credentials at an individual level is no longer the ultimate end of phishing; rather, those credentials are now used to get close to someone else that’s more valuable, or to install malware which can be used to compromise your organization!
Which brings us to: “spear phishing” and “whaling”, the evolution of the phishing email. While regular variants are still common, phishers are increasingly taking a much more targeted approach with their attacks. Instead of relying on the high-volume mass email approach, they’re now dedicating time and effort to creating very convincing and functionally undetectable phishing emails specifically targeted to a specific individual or organization—something known as “spear phishing”.
This is particularly prevalent in the corporate sphere, where strategic employees or senior executives are singled out as ideal victims. Similarly, “whaling” attacks carefully construct bogus messages to look like they originated from a superior or someone highly-placed in a company or organization in order to trick the recipient into complying.
While the specifics of the attack types differ slightly, the common underlying factor is the extra effort spent by phishers on researching details about their targets in order to make their attacks look legitimate and convincing. If you’re still working under the assumption that phishing is a low-effort, easily-spotted tactic you may find yourself taken completely unawares by a sophisticated message.
Even worse: you might not even notice you’ve been the victim of an attack! For example: following a successful dupe, you’ll usually be redirected to the legitimate site you thought you were accessing, in the hopes that you won’t notice that you’ve accidentally divulged your login information to a scammer.
How to protect yourself
With myriad ways for scammers to target you, it’s understandable if you feel like trying to protect yourself from phishing attacks is a futile endeavour. However, that’s not the case at all. Now that you have a reasonably good handle on just how far (and convincing) phishing attempts can be, you can cultivate a healthy amount of skepticism for any messages, links, or requests that seem even a little out of the ordinary while being very protective of your login credentials, passwords, and user details.
In addition, there are also straightforward measures companies and individuals can employ to thwart phishing attempts, such as:
- Automatically flagging “out-of-organization” emails, or emails from infrequent senders. Harmless emails flagged by these systems will reveal as much from a quick read, but the simple addition of these flags can undermine even an authentic-looking phishing attempt (for example: why is an email from your manager asking you for confidential information being sent from a random gmail address instead of the usual office address?).
- Implementing a phone call or in-person approval for large transactions or major decisions. This is particularly useful in the case of whaling attacks—companies should encourage their employees to be extra certain when performing certain transactions or making major changes, especially if it prevents loss of funds or data on a massive scale. A simple phone call or verbal check can quickly unravel a carefully-constructed whaling attempt.
- Being aware of your personal information that’s publicly-visible. If you haven’t yet, this is a great time to go through your social media and prune details such as your date of birth, education details, etc. At the very least, you should set them to only be visible to trusted friends, family, and associates. After all, those details can be used to brute force your passwords or bypass your security questions to gain access to your accounts.
Knowing when and how you can be targeted by cybercriminals will go a long way to ensuring that you won’t fall prey to their tactics. It’s a bit of a tired old saying, but knowing really is half the battle here—proper countermeasures are the other!
Note: This is intended to be used as general information only and does not constitute security advice. Please consult an IT security expert for more information.
Freelance writer and communications professional at the University of Toronto. He’s an avid cinephile, voracious reader, and a terror at karaoke bars.