Phishing email refers to the malicious practice of sending a fraudulent email under a false pretext in order to steal someone’s credentials.
What does this mean in layman’s terms? How does a phishing email work? Do phishing campaigns target only regular people, or companies as well? How can you stay safe from phishing scams? Learn all this and more in our 101 guide on phishing.
Origin of Phishing: When Did the Term Appear?
First things first: let’s see how the concept of phishing appeared and what it means. If you didn’t realize it yet, the term ‘phishing’ is a homophone of ‘fishing’, as in the well-known activity of catching fish. The reason for this is pretty obvious: much like traditional fishing, the act of phishing implies using a bait and putting it in front of unsuspecting users, hoping that some of them will ‘bite’.
But why the use of ‘ph’ instead of ‘f’? This is actually a long-standing hacker tradition. It is believed that the word ‘phishing’ was first used in 1996, in the discussions on the alt.2600 hacker group. There had been a wave of phishing attacks on America Online accounts at the time, so the world had its eyes on this new type of scam.
Still, the practice of replacing ‘f’ with ‘ph’ was even older than that among hackers, who tended to do it whenever possible ever since John Draper coined the term phone phreaking in the 70s. For more context, John Draper went by the hacker alias Captain Crunch and created the infamous Blue Box, which was used for hacking telephone systems, hence the term ‘phreaking’.
The idea of baiting users and tricking them to do something not in their best interest is actually the main way social engineering hacks work. That’s precisely why they are called social engineering: because they can’t work without the social nature of people. Such hacks attempt to abuse the natural qualities of humans, which prompt them to try to be polite, helpful and so on. Unfortunately, in a twist of maliciousness, this good nature is precisely what helps hackers reach their nefarious objectives.
Phishing, therefore, is a social engineering hack, at least in part. Why in part? Because while a social engineering hack doesn’t require any sophisticated technical hack in order to work (it can be as simple as phoning someone and pretending to be the sys admin asking for your password in order to do a verification), phishing does need a bit more technical effort.
The Main Types of Phishing Email
Here’s what we mean by technical effort, when it comes to phishing email. In order to appear legitimate, the hackers will use technology to imitate an official email and to make it appear as if it’s coming from a legitimate source.
Some phishing email campaigns are very simple, either because they don’t require advanced imitating techniques, or because the hackers are not very smart and pretty bad at it.
Others, on the other hand, can be scarily well-conceived and therefore very effective. Phishing email may well be a pretty old technique in the hacker’s manual, but there’s a reason it’s still employed: because it works. We’ll delve into that further down, in the section describing how dangerous the technique is.
For now, let’s cover the most common types of phishing email campaigns.
#1. Business Email Compromise Through Phishing
In this type of phishing email, the hacker claims to be either another employee in the company (most often a superior, like in CEO fraud which we’ve covered in a different blog article) or a partner company.
This can be done in a more or less sophisticated way: while some hackers go out of their way to replicate the original email address used by the business or person they are claiming to be, some are careless and use an email address with a changed character. Even in the latter case, the phishing still often works, since people tend to not read the sender’s address carefully.
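The “changed character” trick above is one a mail gateway or a simple inbox rule can catch automatically. As an added example (not code from the original article), the following Python script classifies a sender address as trusted, a look-alike of a trusted domain, or unknown. The trusted domains and sample addresses are constructed, and the one-edit threshold and the small homoglyph table are assumptions to tune for a real environment.

```python
import re

# Constructed allow-list for the example; a real one is built from the
# organization's own domains and those of its partners.
TRUSTED_DOMAINS = {"example-corp.com", "partnerbank.com"}

# Character sequences attackers substitute because they look alike on screen.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain):
    """Lower-case a domain and fold common look-alike sequences so that
    'exarnple' and 'examp1e' both compare equal to 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    if not m:
        raise ValueError("not an email address: %r" % address)
    return m.group(1).lower()


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_edits=1):
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    max_edits=1 is an assumption: it catches a single dropped, added or
    swapped character without flagging every unrelated domain of similar
    length. Subdomains of a trusted domain count as trusted."""
    domain = sender_domain(address)
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        if edit_distance(norm, normalize(t)) <= max_edits:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("ceo@example-corp.com", "CEO <ceo@examp1e-corp.com>",
                 "ceo@exarnple-corp.com", "billing@partnerbank.co",
                 "news@shop.example.net"):
        print(addr, "->", classify_sender(addr))
```

A “lookalike” verdict is a reason to quarantine or to show a banner, not proof of fraud on its own; the useful property is that it fires on exactly the addresses a hurried reader skims past.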
#2. Service Provider Phishing (Banking, for Example)
In this type of high-stakes phishing, the hackers claim to be a service provider, such as the victim’s bank, contacting them about an issue to be handled. Of course, the fake issue requires the user to enter their credentials (username and password) in a page which resembles the official one in as great detail as possible.
#3. Spear phishing
Unlike bulk phishing (mass emails like those sent out in traditional spam campaigns), spear phishing has a narrower target. Often, it’s as narrow as one person, and the technical aspects of the phishing attempt need to be more sophisticated in order to catch them. Spear phishing is used on top-level business executives, politicians and so on.
#4. Whaling
Whaling refers to those spear phishing attempts which really go after a ‘whale’, as in a very high profile target. Typically, the content of a whaling phishing email will be centered around an urgent issue to be solved by that person through the role they have within the organization.
In contrast, spear phishing can be subtler and relate to the person in their unofficial capacity, whatever it takes to capture their credentials.
#5. Clone phishing
Once the hackers have access to an infected machine, they can use it as a hub for sending out cloned phishing emails. Such an email works as a ‘clone’ of an initial legitimate email, sending a reply to a thread or claiming to be a resend because of a technical issue, or an updated version. Within the original content, a link or an attachment is modified to include malicious code, which the hackers will then use to gain a foothold inside the organization they are targeting.
#6. Rose phishing
A recent trend, noticed online starting in 2019, rose phishing refers to a psychologically advanced type of phishing. While the technological aspect involved isn’t particularly advanced, hackers do pay a lot more attention to the victim profile in this type of phishing attempt. A period of intelligence gathering is required, in which the hackers observe the online behavior and preferences of their target.
As a result, the email pitch the victim finally receives is customized to seem as legitimate as possible (for example, coming from a website where the victim shops often, or from a friend they often interact with and so on).
Since this strategy requires quite a bit of effort on the hacker’s part, rose phishing tends to be reserved for business executives or similar high profile targets. It’s just like spear phishing in terms of who it targets, but with a sweeter, more psychological, ‘rosy’ approach.
Phishing can come in many other forms (link manipulation, filter evasion, covert redirect, voice phishing etc.), but we covered only the most common ones above. Almost every year, hackers find new ways to deliver phishing and new types of content for it. That’s why vigilance and risk assessment are crucial in order to stay safe.
Who Can Be Targeted by Phishing Email?
Everyone can be targeted so you need to be on guard regardless of how tech-savvy you think you are. Still, since the business sector can be much more profitable for hackers compared to individual consumers, the past 2 years have revealed a shift in the target of malicious campaigns. There are now phishing email attacks targeting businesses much more often than regular people.
Still, don’t forget that the entry point for hackers in an organization still consists of a person. In this regard, the distinction between B2C and B2B is highly artificial. Businesses are made up of people, too, so it’s not uncommon for a hacker who is after a business to target the personal accounts of an employee just to have a better chance of finally gaining entrance to what the target was all along.
National institutions or infrastructures are not exempt either, as the news reveals regularly. With such high stakes as controlling or compromising national intelligence systems or nuclear plans, state actors often target one another through hacking activities, and phishing can work even at such levels too.
How Dangerous is Phishing Spam?
The technique might be old, but phishing spam is still incredibly effective. According to the SANS Institute, 95% of all enterprise-level attacks today originate from successful spear phishing.
The average cost of such an attack for just a mid-sized company was 1.6 million dollars in 2017, and the figures have certainly risen since then. The number of phishing attempts was also up by 65% according to the same data, contained in the ENTERPRISE PHISHING RESILIENCY and DEFENSE REPORT by PhishMe.
The following year, 2018, brought on some very successful phishing campaigns which stormed the world. Account verification prompts (even for high profile players like Gmail), cryptocurrency sales, GDPR notifications, Docusign scams, tax signing scams and so on – all of these prove that phishing is more dangerous than ever and very much in tune with the times.
Don’t make the mistake of disregarding phishing as those lame ad emails we all get in the spam folder, since it can be much more than that.
How Does a Phishing Email Work? What Is Its Goal?
All a phishing attack needs to do is to capture a user’s credentials. With them, the hackers can wreak all kinds of havoc on an organization’s systems, or empty your personal accounts, or steal an identity and so on. But since high profile accounts have more security measures in place, hackers don’t need to target those directly.
A smart move involves stealing the credentials for a less important personal account (like a music streaming service you sometimes use) and then using the stolen data for future credential stuffing attacks. Why does this work? Because, unfortunately, many people tend to use the same password, or only slightly modified ones, for different accounts.
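Credential stuffing leaves a recognizable trace on the receiving end: one source replays leaked username/password pairs against many different accounts in a short time, and a few of them work because the passwords were reused. As an added example (not from the original article), this Python detector runs that logic over a constructed authentication log; the log format, the five-minute window and the five-account threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (documentation IP ranges, not real hosts).
# 203.0.113.7 replays leaked pairs against many accounts and lands one;
# 198.51.100.3 is a single user who mistyped their own password twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.7 user=frank result=SUCCESS
2024-03-01T10:00:09Z ip=198.51.100.3 user=alice result=FAIL
2024-03-01T10:00:40Z ip=198.51.100.3 user=alice result=FAIL
2024-03-01T10:01:10Z ip=198.51.100.3 user=alice result=SUCCESS
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into (timestamp, ip, user, result)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail against at least `min_users` distinct
    accounts inside `window`. For a flagged IP, also report which accounts
    it then logged into successfully: those are the reused passwords that
    worked and need a reset. Thresholds are assumptions to tune per site."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failed = {e[2] for e in evs[start:end + 1] if e[3] == "FAIL"}
            if len(failed) >= min_users:
                succeeded = {e[2] for e in evs[start:] if e[3] == "SUCCESS"}
                alerts[ip] = {"failed_users": sorted(failed),
                              "succeeded_users": sorted(succeeded)}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The important design point is counting distinct accounts per source rather than failures per account: a per-account lockout rule never fires here, because each account sees only one attempt, which is exactly why stuffing campaigns are spread thin across many victims.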
How to Stay Safe from Phishing Scam: 5 Key Takeaways
So how can you stay safe? Do your best to follow these security guidelines, both in your work life and your personal digital life.
#1. Stay informed
You need to stay in the loop on the latest types of threat, the most commonly used pretexts for phishing email campaigns, what the latest phishing emails look like and so on. Staying on top of current trends is the only way to not be an easy target for malicious phishing attempts.
The best way to do that is to keep reading as many cybersecurity news and blogs as you can. Of course, we think our own blog is a great place to start, so make sure you hit the subscribe button.
#2. Check the sender’s address always
Always check the sender’s email address and verify the email independently before answering any request. Check the original address from past emails, contact the customer support for the company they claim to represent, or give the person a call (if you’ve previously talked to the legitimate person). If you’re prompted to use your credentials somewhere on a page, make sure you always enter the true address manually in your browser.
#3. Use strong and varied passwords
Don’t use the same password for multiple accounts, even with slight alterations. Use a password manager in order to create complex passwords and so that you don’t have to actually remember them all. This way, even if a credential leak makes some of your passwords known for less important services, the hackers won’t have much use for them.
#4. Don’t enter credentials unless verifying the need for it
The same advice as above, for checking the legitimate address of the sender, also applies here. For example, if you’re getting an email from PayPal asking you to verify your account information, how about contacting their customer support first? They will confirm whether you really need to do that or not. Most likely, it’s a dangerous phishing attempt which can leave your bank accounts empty.
#5. Get a risk assessment made for your email network systems
If you represent a business entity, the stakes are higher. Conduct a risk assessment to see how well your filtering works and what the chances are for phishing emails to get through. It’s the only way to avert a potential disaster in the long run.
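One concrete part of such an assessment is whether your own domain can be spoofed at all, which is decided by the SPF and DMARC records you publish. As an added example (not from the original article), the Python below grades a weak configuration against a hardened one. The records are constructed strings rather than live DNS lookups (in practice they are the TXT records at the domain itself and at its `_dmarc` subdomain), and the findings wording is mine.

```python
# Constructed records (not real DNS lookups). In production these come from
# the TXT records at <domain> (SPF) and _dmarc.<domain> (DMARC).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_tags(record):
    """Parse 'k=v; k=v' DMARC tags into a dict with lower-cased keys."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(spf):
    """Return findings about the SPF record's 'all' mechanism."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["no SPF record: any host may claim to send as this domain"]
    terms = spf.lower().split()
    if "+all" in terms or "?all" in terms:
        return ["SPF ends with +all/?all, which authorizes every sender"]
    if "~all" in terms:
        return ["SPF uses ~all (softfail); many receivers still deliver the mail"]
    if "-all" not in terms:
        return ["SPF has no 'all' mechanism; unlisted senders are treated as neutral"]
    return []


def assess_dmarc(dmarc):
    """Return findings about the DMARC policy, percentage and reporting."""
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy %r is missing or invalid" % policy)
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("DMARC pct=%s: part of the failing mail bypasses the policy" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def assess_domain(spf, dmarc):
    """Combine both checks. 'enforcing' is True only when spoofed mail is
    quarantined or rejected for 100% of traffic."""
    tags = parse_tags(dmarc)
    has_dmarc = tags.get("v", "").upper() == "DMARC1"
    policy = tags.get("p", "").lower() if has_dmarc else "none"
    pct = tags.get("pct", "100")
    enforcing = policy in ("quarantine", "reject") and pct.isdigit() and int(pct) == 100
    return {"findings": assess_spf(spf) + assess_dmarc(dmarc), "enforcing": enforcing}


if __name__ == "__main__":
    print("weak:  ", assess_domain(WEAK_SPF, WEAK_DMARC))
    print("strong:", assess_domain(STRONG_SPF, STRONG_DMARC))
```

The usual path is to start at `p=none` with `rua=` reporting to learn which legitimate senders you forgot to list, then move to `quarantine` and finally `reject`; the checker treats anything short of `reject`/`quarantine` at `pct=100` as not yet enforcing, because that is the state in which mail “from” your domain can still reach your own employees and partners.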
That being said, as information systems become smarter at defending against attacks, hackers change tactics as well. The threatscape is constantly evolving, so we’re pretty sure new forms of phishing email campaigns will appear. To keep your data safe, your best bet is to continuously follow the broad advice above and be on your toes.