On Dec 5 2017, several existing and old patients of Bronson Healthcare Group received an email from the Michigan hospital, informing them that their email communications with the hospital staff had potentially been compromised and accessed by hackers. Information of 8,256 patients was exposed because of the hack, and behind it all was – phishing.
This is just one of the dozens of phishing-caused data leakage and system hacking events occurring every day. Phishing continues to be one of the most often used tactic among cyber criminals to access systems they’re not authorized to.
These scamsters work by ‘posing’ as someone they’re not, and duping unsuspecting email recipients into divulging information or executing commands that compromise the security of their computer systems.
Phishing is a global headache. Wombat Security State of the Phish 2017 report suggests that 76% enterprises reported being victims of phishing attacks in 2016 (1).
Every other email you receive, potentially, could be a part of a phishing scam! To keep yourself safe and secure on the Internet, you need to thoroughly understand what phishing is, how it works, and most importantly, how you can keep yourself secure from phishing.
What Exactly is Phishing?
Phishing is a cyber crime in which the perpetrators use communication media such as email, text, social media, and telephone to ‘pose’ as a legitimate institution (such as a colleague, government agent, IT support team personnel, or a social contact).
The ‘posers’ then try to dupe/lure the recipient into divulging personal, sensitive, restricted, or sensitive information.
This information is then used to access important user or company account information, which can then be used to execute financial and information theft.
What is a Phishing Attack?
Any attempt made to manipulate an individual into revealing sensitive or protected information by faking one’s identity can be called a phishing attack.
Email continues to be the most commonly used method of executing phishing attacks by cyber criminals.
Here are some figures to put things in perspective:
- An estimated 3.7 billion people use email every day.
- The number of emails sent daily is estimated at 269 billion.
- Synamtec researchers suggest that one in 2,000 emails is a phishing email (3).
- This indicates that almost 135 million phishing emails float around cyber sphere every day.
Want to understand further as to what is a phishing hack? Here’s how most of them pan out:
- Cyber criminals send out emails in bulk, bombarding a large number of email users with their messages.
- The subject line is meant to capture the recipient’s attention.
- Generally, the subject of such emails is about lottery prizes, lucky draw rewards, calls for action by government agencies, solicitation for online dating, etc.
- Scammers ask users for personal information such as name, phone number, government identify numbers, credit card numbers, etc.
- This information is then used to launch more advanced phishing attacks (also called social engineering), or directly to steal more important data or money from the victims.
Why is Phishing Called So?
The question is an expected one particularly because the word doesn’t have a literal recognition for most people.
The word is a derivative of ‘fishing’, that is, careful and well thought out act of giving bait to somebody only to use them later. Some say that because early hackers were called phreaks, this cybercrime came to be known as phishing.
When did Phishing Start?
The first known and acknowledged cases of phishing is said to have occurred in mid 1990s. Back then, AOHell, a software, was used to steal AOL user names and passwords from several people.
Because nobody was aware or conscious of the possibility of such cybercrimes, the number of victims was massive. Though AOL warned its users to be wary of phishing attempts, it’s worth noting here that this cyber crime continues to be prevalent till date.
Is it illegal to indulge in phishing?
Of course, it is. Over time, laws around cyber crime have evolved, and phishing is among the most recognizable offences. Amateur attempts at faking one’s identity online date back to the times when Internet become open for public access.
However, the first known phishing lawsuit was filed in 2004 (2), when a Californian teenager was castigated for creating a fake website, a replica of ‘America Online’, to gain sensitive information (such as credit card details) from unsuspecting users.
What are the different types of phishing?
Since the term phishing started making rounds in cyber sphere news, several variants of phishing have come into the picture – Smishing (SMS based phishing), and vishing (voice based phishing), among many. Then, there’s whale phishing, which refers to phishing attempts made specifically at rich, wealthy, and high net worth individuals. CEO fraud is one sub-type of whale phishing.
Social media phishing has also reared its ugly head; it could be as basic as a bot sending shortened URLs to social media users via instant messengers, or a cyber criminal using fake online profiles to initiate dialog with unsuspecting users, with malicious intent. Spear phishing is another type; we’ll cover more on it next.
What is the main difference between phishing and spear phishing?
Whereas traditional phishing is about sending an impersonal message to a large number of recipients, spear phishing is more personal, and such an email could address you by your first name.
Before you share any personal or sensitive info, ask yourself – will my business partner, colleague, friend, or service provider ask me for this information, and in such a manner? If it seems doubtful, it probably is a spear phishing attempt.
Telltale Signs of Phishing Emails
More than anything else, Internet and email users need to understand how to identify phishing emails and other phishing communications.
Here are some telltale signs that help you identify phishing emails (the same attributes are valid for other forms of phishing as well):
- An offer that’s too good to be true
- An undeniable sense of urgency
- Inclusion of hyperlinks, with instructions to specifically click on the same
- Unusual sender
What are some examples of phishing?
You just need to do a news search on phishing to find dozens of recent real-world examples of phishing. Here are a couple of them.
The most noteworthy and recent example is from July 2017 when MacEwan University in Edmonton (4), Alberta, Canada ended up transferring $11.8 million in an unauthorized bank account, after being led into believing that the account belonged to a vendor!
It’s estimated that annually, phishing inflicts damages to the tunes of $5 billion, across US businesses only (5).
In June 2015, Ubiquiti Networks Inc., an American network technology company, was duped into transferring $46.6 million to accounts that it believed to belong to its subsidiaries (6) but were actually owned by cyber criminals who used spear phishing tactics to execute their scam.
How Can I Prevent Phishing Attacks?
Wondering how do you avoid being scammed? Well, technically you can’t prevent cyber criminals from executing their phishing attacks. However, you can protect yourself from falling prey to their evil designs. Here are some best practices for staying safe from phishing attacks.
Spam filters: Most email service providers work hard to upgrade their internal spam filters that can identify a major proportion of phishing emails and keep them away from your inbox. The attributes that these spam filters analyze are:
- The origin of the message
- The software used to send the message
- The content of the message
However, these spam filters could always allow some spam messages to leak through to your inbox. Or, they could falsely tag some legitimate messages as spam. So, this method is not exactly 100% secure and reliable.
Recommended Browser Settings: Almost all web browsers trigger alerts before you access a risky or fraudulent website. These browsers maintain an often-upgraded database of such fraudulent websites.
Even if you click on a link in a phishing email, which intends to take you to such a website, the browser will prevent you from doing so.
Use Firewall, Anti Virus, and Anti Spyware Software: These software will go a long way in warning you of potential phishing attacks, and will also block the download of malicious scripts embedded in seemingly innocuous attachments added to phishing emails.
Be Alert: We are living in times where our most valuable asset is our data! Be very alert and aware of how you use Internet; regularly check your financial statements to detect unauthorized debits.
Report: Do your bit in helping the cyber sphere get rid of a few scamsters by reporting potential phishing attempts to cyber crime authorities. Here are some links.
- USA – Federal Trade Commission (FTC)
- Canada – Canadian Anti-Fraud Centre
- UK – National Fraud and Cyber Crime Reporting Centre; unsolicited calls
Update Your Knowledge: Within a few months, there will be new kind of phishing scams going around.
To keep your data thoroughly secured, you need to be aware of these scams, and hence, must keep on upgrading your knowledge (and that of your employees) of anti-phishing measures.
Phishing will get to you, if it hasn’t already. You can’t control that. Of course, you can control how you deal with it, and keep your personal and financial data safe throughout.