DATA SECURITY KNOWLEDGE BASE

A Definition of Phishing

The United States Computer Emergency Readiness Team (US-CERT) defines phishing as a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity. Phishing attacks often use email as a vehicle, sending email messages to users that appear to be from an institution or company that the individual conducts business with, such as a banking or financial institution, or a web service through which the individual has an account.

The goal of a phishing attempt is to trick the recipient into taking the attacker’s desired action, such as providing login credentials or other sensitive information. For instance, a phishing email appearing to come from a bank may warn the recipient that their account information has been compromised, directing the individual to a website where their username and/or password can be reset. This website is also fraudulent, designed to look legitimate, but exists solely to collect login information from phishing victims.

These fraudulent websites may also contain malicious code which executes on the user’s local machine when a link is clicked from a phishing email to open the website.

Types of Phishing Attacks

Phishing attempts most often take the form of an email that seemingly comes from a company the recipient knows or does business with. The most recognized type of phishing attack is similar to the bank example described above, where the email asks the recipient to enter his account credentials on a website.

USA.gov lists some widespread phishing scams reported from agencies and corporations, revealing that phishing emails can take many forms, such as:

• Emails from people you know claiming to be stranded in a foreign country, asking you to wire money so that they can travel home.
• Emails claiming to be from reputable news organizations capitalizing on trending news. These emails generally ask recipients to click a link to read the full story, which in turn leads the user to a malicious website.
• Emails claiming to be from organizations like the FTC and FDIC, referencing complaints filed or asking recipients to check their bank deposit insurance coverage.
• Emails threatening to harm recipients unless sums in the thousands of dollars are paid.
• Emails claiming to be a confirmation of complaints filed by the recipient. Not having logged any complaints, recipients are inclined to click on these links to find out what is being referenced. The links and attachments, of course, contain malicious code.

This is certainly not an all-inclusive list. Phishing emails can take any form, making it difficult for recipients to filter out spam and phishing emails from legitimate messages.

Phishing vs. Spear Phishing

Phishing attacks and spear phishing have much in common, including the shared goal of manipulating victims into exposing sensitive information. Spear phishing attacks differ from typical phishing attacks in that they are more targeted and personalized in order to increase chances of fooling recipients. Attackers will gather publicly available information on targets prior to launching a spear phishing attack and will use those personal details to impersonate targets’ friends, relatives, coworkers or other trusted contacts. Information that attackers can leverage for spear phishing includes victims’ employment information, organizations that they belong to, hobbies, and other personal details. Much of this information can be gleaned from targets’ profiles and/or activity on social media sites. In many cases, spear phishing attacks are used as a first step in an APT attack targeting a specific organization.

How to Identify Phishing Attacks

Phishing is most often initiated through email communications, but there are ways to distinguish suspicious emails from legitimate messages. Training employees on how to recognize these malicious emails is a must for enterprises who wish to prevent sensitive data loss. Often, these data leaks occur because employees were not armed with the knowledge they need to help protect critical company data. The following may be indicators that an email is a phishing attempt rather than an authentic communication from the company it appears to be. 

• Emails with generic greetings. Phishing emails often include generic greetings, such as “Hello Bank One Customer” rather than using the recipient’s actual name. This is an obvious tell for phishing attacks that are launched in bulk, whereas spear phishing attacks will typically be personalized.
• Emails requesting personal information. Most legitimate companies will never email customers and ask them to enter login credentials or other private information by clicking on a link to a website. This is a safety measure to help protect consumers and help customers distinguish fraudulent emails from legitimate ones.
• Emails requesting an urgent response. Most phishing emails attempt to create a sense of urgency, leading recipients to fear that their account is in jeopardy or they will lose access to important information if they don’t act immediately.
• Emails with spoofed links. Does a hyperlink in the message body actually lead to the page it claims? Never click on these links to find out; instead, hover over the link to verify its authenticity. Also, look for URLs beginning with HTTPS. The “S” indicates that a website uses encryption to protect users’ page requests.

When in doubt, call. If the content of an email is concerning, call the company in question to find out if the email was sent legitimately. If not, the company is now aware and can take action to warn other customers and users of potential phishing attempts appearing to come from their company.