Types of phishing attacks and business impact
What is a phishing attack?
Phishing is a typical type of social designing assault intended to gather client data, for example, login certifications and Visa data. At the point when a casualty opens an email, text, or instant message subsequent to being hoodwinked into doing as such by a culprit acting like a dependable source, it happens. The beneficiary is in this manner fooled into clicking a hazardous connection, which might introduce malware, lock the framework as a feature of a ransomware assault, or uncover private data.
Phishing is additionally consistently used to get sufficiently close to corporate or administrative organizations as a component of bigger assaults like high level determined danger (APT) occurrences. In the last situation, workforce is compromised to evade safety efforts, engender malware inside a protected setting, or get to private data.
As well as experiencing huge monetary misfortunes, an organization that is the casualty of such an assault habitually has its piece of the pie, notoriety, and client certainty decline. A security emergency from which an association will experience difficulty recuperating could result from a phishing endeavor, contingent upon its expansiveness.
History of Phishing
In the 1990s, programmers began using fake messages to "fish" for data from unwary clients, leading to the expression "phishing." Phishing, with a "ph," acquired the name since these early programmers were habitually alluded to as "phreaks." Phishing messages expect to entice beneficiaries into taking the trap. Furthermore, the shopper and the association are both in a difficult situation on the off chance that they get dependent.
Phishing's set of experiences traces all the way back to the 1990s, similar to those of numerous other well-known dangers. At the point when AOL was a notable substance stage with web access, programmers claimed to be AOL laborers in phishing and texting efforts to misdirect clients into unveiling their login data so they could assume command over their records.
Aggressors utilized ledgers during the 2000s. Clients were fooled into revealing their ledger data through phishing messages. The messages had a connection to a malignant site that impersonated the real financial site, albeit the malevolent site's space was a nearby form of the genuine site's name (e.g., paypai.com rather than paypal.com). Afterward, the assailants continued on toward different records, remembering those for eBay and Google, to take advantage of the taken qualifications to take cash, participate in extortion, or spam different clients.
Phishing attack in action
The foundation subtleties of a casualty's private and expert history might be assembled by phishers utilizing open sources, especially informal communities. The names, occupations, email locations, and interests and diversions of the potential casualty are completely assembled from these sources. When this data is gotten, the phisher can use it to make a reliable fake message.
Messages that the casualty gets regularly appear to be from notable individuals or associations. Assaults are sent off by means of connections to rebel sites or noxious connections. Aggressors every now and again make fake sites that appear as though they are controlled by respectable associations like the casualty's bank, work environment, or establishment. Aggressors attempt to accumulate delicate information from these sites, like installment data or usernames and passwords.
Unfortunate phrasing, erroneous utilization of typefaces, logos, and designs can make certain phishing messages simple to detect. In any case, a ton of online law breakers are getting better at making correspondences look certifiable, and they're using master promoting methodologies to survey and upgrade the progress of their messages.
Signs of phishing
- Dangers or a Sense of Urgency
Messages that compromise adverse results ought to constantly be treated with distrust. Another procedure is to utilize criticalness to support or request prompt activity. Phishers trust that by perusing the email in a rush, they won't completely examine the substance and won't find irregularities.
- Message Style
A quick sign of phishing is that a message is composed with unseemly language or tone. In the event that, for instance, a partner from work sounds excessively relaxed, or a dear companion utilizes formal language, this ought to set off doubt. Beneficiaries of the message ought to check for anything more that could show a phishing message.
- Peculiar Requests
It could be an indication that an email is unsafe on the off chance that it demands strange way of behaving from you. For example, on the off chance that an email demands the establishment of programming and implies to be from a particular IT group while truly, the IT division frequently handles these undertakings halfway, the email is most certainly false.
- Language Mistakes
Language blunders and incorrect spellings are further signs of phishing messages. For active messages, most organizations have introduced spell browsing in their email programs. Subsequently, messages with spelling or language slip-ups ought to raise warnings since they probably won't come from the source that is being recognized.
- Varieties in Web Addresses
Looking for jumbled email locations, URLs, and area names is one more straightforward strategy to recognize likely phishing assaults. Checking a prior message that matches the source's email address is a fantastic model.
Prior to clicking a connection in an email, the beneficiary ought to constantly drift over it to see the connection's objective. At the point when an email seems to have come from Bank of America yet the email address' space doesn't contain "bankofamerica.com," it is probable a phishing email.
- Interest for Identification, Payment, or Other Personal Information
Aggressors habitually use messages that look legitimate to connection to false login locales that look genuine. A login box or a solicitation for ledger subtleties can be found on the fake login page. The beneficiary shouldn't tap the connection or enter their login data in the event that they didn't anticipate the email. Beneficiaries ought to go promptly to the site they accept is the email's shipper as a safety measure.
Types of Phishing Scenarios
Referring to the Wikipedia definition once more, phishing is typically carried out by email spoofing, instant messaging, and text messaging. It is a deceptive way of making individuals reveal personal information. It is also a form of trickery to download malware or ransomware onto a system. Either way, the perpetrator gets privileged access to sensitive information.
This is an increasingly frustrating threat because there are numerous ways through which perpetrators attack. Here are the most common phishing scenarios:
1. Email Phishing
The most common phishing scenario takes the shape of malicious emails sent to individuals mimicking an authentic organization. Also known as spam phishing, this kind of attack lets the cybercriminal get access to a large number of customers registered on a site. So phishing emails are often sent en masse. There is a high possibility of success since some individuals out of the lot will often fall prey.
2. Clone Phishing
In a clone phishing scenario, the attacker takes advantage of actual email messages that an individual may have received. By creating a virtual replica or a clone, the phisher replaces any links or attachments with malicious ones.
This is often effective because the attacker could claim that the original message had a faulty link, hence the need to resend the mail. Since the business name would be a familiar one, the recipient wouldn't think to be wary of the sender.
As you can imagine, clicking on such links would either launch malware on your device or grant the attacker access to do so without you realizing it.
With clone phishing, there is often a sense of urgency, such as a limited time to take advantage of an offer or a threat to close your account on the site unless you change your password. Of course, in the latter case, the ruse is always for security reasons.
3. Domain Spoofing
The third kind of email phishing comes in the form of domain spoofing, where the perpetrator spoofs a notable organization's domain name. This technique makes it appear as if you are receiving an email from a legitimate company.
Email addresses are unique, so the phisher can only mimic the organization's address. They do so using character substitution like 'r' and 'n' together for 'rn' instead of 'm.' Otherwise, they use the organization's name with a different domain, in the hopes that only the local part of the email address will appear in the inbox of the recipient.
A domain spoof could also create a fraudulent website that looks like the real deal. They would replicate the real site's design. Once again, the emphasis is on the phrase "looks like." While the fake domain may be similar, it is not identical to the original website.
4. Spear Phishing
This implies a technique where the phisher targets a specific individual or group of individuals rather than a generic user base.
These attacks succeed precisely because they are more personalized. The perpetrator customizes emails with the recipient's name, company, phone number, and similar information, making the target believe that they share some form of connection to the sender.
Achieving convincing spear-phishing emails takes a great deal of time since the phisher has to acquire multiple data from various sources. It is no wonder then that this kind of malicious attack is prevalent on social media platforms like LinkedIn, where the phisher can utilize social engineering tactics.
In this case, the targets are usually high-profile members of an organization like project managers, department heads, etc. In a successful attack, the hacker steals the target's credentials and gets full access to sensitive areas within the company structure.
This is a type of spear-phishing where the targets are highly wealthy Individuals, for example the highest authority in the organization, the CEO. The fraudster tricks the executive with bogus emails to get access to their login credentials. Catching such high-ranking officials off guard is not as easy as any standard phishing attempt, so hackers often swap fake URLs and malicious links for tax return emails which require tailored information like the target's name, position, and other personal info which are accessible on social media platforms.
A successful whaling attack is usually the precursor to Advanced Persistent Threats (APT). In most cases, the fraudster uses the CEO's credentials to commit CEO Fraud.
6. CEO Fraud
As the name suggests, this is fraudulent activity by an attacker impersonating the CEO. With the compromised email account of the CEO, the phisher can authorize wire transfers to third-party accounts or file fake tax returns on behalf of employees.
Since the targets here are lower-level employees, they would move at light speed upon receiving an urgent email from the CEO to process a banking transaction or forward sensitive information. The fraudster may also ask employees to install a new application on their computer through which the hacker can launch malware or ransomware.
CEO Fraud is quite delicate and is said to cost businesses in the US billions of dollars yearly.
7. Evil Twin
What could be more evil than a malicious WI-FI network?
WI-FI access points are frequented by hoards of individuals looking for fast wireless connections to surf the web and carry out other internet-based activities.
The hacker in this scenario replicates the WI-FI hotspot with a fake. When users connect, they are then able to eavesdrop on their network traffic. The attacker steals account names and passwords. The phisher is also able to view any attachments that the user accesses while on the compromised network.
Vulnerable WI-FI access points include those at coffee shops, airports, shopping malls, hospitals, and other public hotspot locations.
8. SMS Phishing - Smishing
The advent of mobile technology brought about a myriad of advantages in communication and online banking. At the same time, it opened up a new point of contact for unscrupulous individuals to commit more crimes. One of such is smishing (smishing definition), where cybercriminals lure victims through text messaging to:
- Visit rogue websites
- Download malicious apps
- Contact tech support
Whether in the guise of a coupon code or an offer to win free tickets or free money, a smishing attempt will more often than not require you to click on a link that redirects you to a website. Quite common also are links that trigger the automatic download of dangerous apps. Although they appear to be from legitimate sources with URLs that are familiar to you, they are merely aimed at stealing personal information or installing malware on your mobile device.
Less common but equally as dangerous is the technique of requiring you to contact customer support for some assistance with rectifying an issue. The scammer will then masquerade as a legit customer service representative and trick you into providing personal information. This combines another type of phishing attack that is prevalent on mobiles, known as Voice Phishing.
9. Voice Phishing (Vishing)
Vishing campaigns are a lot bolder than email or messaging scams. Rather than hide behind a virtual screen, the attacker convinces the victim to disclose personal information while speaking to them through the phone.
Since the attacker can convince their victims verbally, they often dispel any doubt that it could be a scam. The scammer will often impersonate your bank, a company executive from the head office or some other branch, a representative from the Internal Revenue Service, and so on. With the claim of a suspicious activity or some other ruse, they'll request your data for verification.
Of course, they apply tactics to spoof their phone numbers to appear legit or to reflect your area code. The latter often creates a false sense of security, prompting the targets to let their guard down.
Pharming comes in as an advanced variant to phishing, and some fraudsters choose to forego traditional phishing scams for more complex alternatives like this one.
With pharming, the perpetrator attacks individuals by installing and running custom malware code, which is utilizing DNS. The attack is directed at the DNS (Domain Name System), where the fraudster causes DNS cache poisoning. This changes the IP address associated with a website name, so even when individuals input the correct site name, the scammer can still redirect users to the malicious website.
Although less widespread, targeting the DNS server could compromise millions of URL requests by web users.
11. Watering Hole Phishing
The attack consist of a malicious attacker observing the browsing activities of groups of targets (what websites so they visit) and tries to infect the websites they browse with custom malware.
On opening the already infected with malware malicious website, your computer is automatically loaded with malware that spreads to other systems within the company. To perpetuate successful watering hole attacks, the hacker will often identify websites that employees visit regularly and monitor email patterns used within the organization.
Real-Life Examples of Phishing Attacks
These threats are one aspect of cybercrime that isn't showing any signs of slowing down. Rather, the exact opposite appears to be the case. According to recent research by Google, there was a 3505 increase in phishing websites from January to March 2020. Another survey by Check Point Research revealed that 64% of businesses in the past year had been victims of phishing attacks. More findings by Verizon have confirmed that phishing is involved in 78% of cyber-espionage incidents.
These numbers have all been compiled using hard facts from real-life phishing attacks over the years. These are five of the most notable examples:
Whaling Attack Leads to Firing of FACC Boss
In 2016, Austrian Aerospace company FACC had been subject to one of the most prominent Whaling attacks ever, dubbed the Fake President Incident, where the attacker made away with $56 million.
In a classic whaling attack, the perpetrator impersonated the CEO and sending an email to an employee of the finance department requested an immediate funds transfer.
The attack didn't only cost the firm financial losses, but it also cost the CEO at the time, Walter Stephan, his position. Although the details were not revealed, the sack was on the grounds of violation of duties.
Spear Fishing Targeted at Ubiquiti Networks Inc.
In June of 2015, the American network technology company Ubiquiti Networks became the target of a spear-fishing email campaign.
The attacker impersonated higher-ranking executives from an overseas branch with spoofed email addresses and domain look-alikes. The employees were fooled into believing that they were getting legitimate requests from company officials to transfer funds to a secure account. Ubiquiti Networks was unaware that it was being scammed until it was notified of the activity by the FBI.
Although the company didn't suffer any compromise to its systems, it lost $46.7 million in transferred funds.
Facebook and Google Invoice Scam
Between 2013 and 2015, US behemoth companies Facebook and Google were reportedly scammed out of $100m in an elaborate wire fraud scheme.
The perpetrator set up a fake business impersonating the Taiwanese Quanta Computer company. The latter regularly conducted multi-million dollar transactions with the social media companies, and over the two years, the attacker would send phishing emails with forged invoices to be paid to fake bank accounts.
The scheme avoided suspicion for so long by creating phony supporting documents for transactions and forged corporate seals. The attacker was later identified as Lithuanian Evaldas Rimasauskas, who was given a five-year prison sentence following his arrest in 2017.
In 2020, one of the biggest smartphone companies in the world, Apple, was reported to have been the target of a smishing campaign. With a fake Apple chatbox, the messages informed users that they had eon the chance to be part of Apple's 2020 testing program for the new iPhone 12. The recipients were requested to pay a delivery charge. Redirecting to a malicious website, the attackers hijacked the victims' payment card credentials.
People nowadays keep lots of sensitive information on their smartphones, and the widespread usage of iPhones and iPads has made them recurring targets for SMS phishing schemes. Attackers regularly send out messages to users. These messages will contain a link to follow to unlock a frozen Apple ID account or to prevent it from expiring.
Some messages appear so convincing as the scammer will provide the option of unsubscribing from future messages of the sort. Others will bait users with the idea that a lost iPhone has been found. Victims are duped out of their login credentials, and the hackers gain access to their media, documents, and other information stored on the device.
As an ongoing threat, the amount lost during successful attempts adds to the statistics for annual cybercrime losses. Even though not everyone falls victim, the attacker earns significant rewards for the small percentage of people that wasn't any wiser.
RSA Security Breach
All it took for an attacker to gain access to the popular cybersecurity company's network system was an email with the subject line "2011 Recruitment Plan." In the email was a virus-infected Excel file, and once opened by an unknowing employee gave the attacker access to private passwords. Making this a perfect example of a watering hole phishing attack.
Ironically, the RSA provides cybersecurity services to several branches of the US government and other business enterprises. This breach gave the hackers access to the networks of US government departments, becoming an Advanced Persistent Threat.
Impacts on a Business
- Loss of Money
From every phishing incident that has ever taken place in history, one constant effect is financial loss. First is the direct loss from transferred funds by employees who were fooled by the hackers. Second is the fines for non-compliance imposed by regulatory bodies like HIPAA, PCI, and PIPEDA, among others.
In the event of serious violations of data protection standards, these fines could go through the roof.
Finally, there are costs of investigating the breach and compensating the affected customers, which would further compound the company's financial losses.
A 2018 Internet Crimes Report by the FBI revealed that Business Email Compromise (BEC) attacks cost US businesses over $1.2 billion.
- Loss of Intellectual Property
Financial losses are not the only thing businesses have to worry about in the event of a phishing attack. Even more devastating is the loss of customer data, trade secrets, project research, and blueprints.
When the company at stake is in the tech, pharmaceutical, or defense industries, a stolen patent would mean millions of research expenditures going down the drain.
While it is relatively easy to recover from direct monetary losses, it is more difficult to make up for the loss of sensitive business information.
- Damage to Reputation
Businesses often try to hide the fact that they have suffered any phishing attacks. The major reason for this is the damage to reputation. Customers often patronize brands they consider to be reliable and trustworthy. Not only will the disclosure of a breach taint the brand image, but it will also break that established trust. Regaining customers' confidence is no easy feat, and the value of a brand is directly related to its customer base.
An exposed breach attack will also damage the company's reputation in the eyes of investors. Cybersecurity is essential during all stages of project development. Hence, investor confidence drops when a company experiences a data and privacy breach.
With combined damage to customer and investor confidence, a successful phishing attack could potentially sabotage hundreds of millions in market capitalization.
- Business Disruption
It is nearly impossible for a business to run exactly as it used to after suffering a phishing attack, especially one involving malicious bugs. Attacks involving malware usually take a while to rectify. Systems will have to be taken offline or shut down, and this could result in a substantial decrease in productivity.
Interruption to businesses providing services like transportation, technology, waste disposal, and other critical infrastructure could cripple the economy significantly.