What is Phishing?
Top 5 Types & Examples
Just like fishermen cast nets to catch fish, phishers cast fake emails into the sea that is the internet to catch your personal information. Whereas fishermen use baits to lure in fish, phishers use forgery and manipulation to do the same to you. If you become a victim of phishing, you could lose your privacy, your livelihood, and even your identity.
Key takeaway: Phishing is an attempt to acquire somebody else’s personal information by deceptive means. Conducted via emails and fake websites, phishing allows hackers to gain access to your login credentials, banking and credit card info, or your Social Security number. Read on to learn about the most common types of phishing attacks and the ways to stay safe on the internet.
What Is Phishing?
Phishing is any attempt to acquire somebody else’s personal information or other private details by deceptive means. Perhaps the most prevalent type of internet fraud, phishing usually involves fraudulent emails or websites that aim to trick the potential victim into sharing their sensitive information with the fraudster behind them. Rather than using the information they acquire themselves, many fraudsters proceed to sell it on the dark web, mostly to hackers and cybercriminals who specialize in identity theft.
With the advancements in cybersecurity, many cyber threats have come and gone, but phishing is still going strong. The main reason phishing attacks remain as common as ever is their use of forgery, manipulation, and social engineering techniques to deceive potential victims. As a rule, phishing emails are written as urgent-sounding (albeit fake) notifications from internet providers, digital wallets, financial institutions, and other organizations. In addition, many of them include logos and other official imagery.
Commonly referred to as phishers, the fraudsters responsible for these attacks will ask the potential victim to provide a vital piece of personal information – be it their Social Security number, credit card details, or login info. To add a sense of urgency to their message, they will offer an important reason why the victim should do it. For example, they could lose access to their bank account or they may be locked out of their social media profile if they fail to provide the requested info within the given timeframe.
To gather the information they need, phishers build fake websites that look just like the real thing. What’s more, these sites also have very similar URLs, which makes it even harder for victims to spot the fake. According to recent statistics, more than 1.5 million new phishing sites are created every single month, with an average lifespan ranging from three to five days per site. That amounts to almost 50,000 new sites every day, so it’s no surprise that phishing is the main cause of data breaches around the globe.
What Types of Phishing Exist?
There are several types of phishing scams, some of them only possible via phone (i.e. voice phishing or vishing) or text messages (i.e. SMS phishing or SMiShing). As far as online phishing scams are concerned, the five most common types include the following:
- Spray and Pray Phishing
Commonly known as deceptive phishing, spray and pray is the oldest and most primitive type of online phishing. Phishers use this technique to send out large volumes of emails labeled “urgent”, asking the recipient to update their PayPal password or enter their data in order to claim a lottery win. These emails usually contain links to fake login pages. When a victim enters their personal data into one of these fake forms, it is immediately stored on a remote server that the phisher has access to.
- Spear Phishing
Spear phishing is much more sophisticated than deceptive phishing for the simple reason that it’s personalized. Rather than sending a generic message, phishers target specific organizations, groups, or even individuals with the goal of obtaining their personal information. They gather their names, email addresses, and other personal info from networking sites like LinkedIn or hacked email records.
This type of phishing primarily targets businesses and organizations, which is why spear phishing emails are somewhat different from deceptive emails. Although they follow a similar layout, spear phishing emails usually include false queries or invoices from business partners. Phishers may claim that they have attached an important document and ask the victim to download it to their computer. When they do, it installs malicious software that spies on their activity and collects their personal information.
- CEO Phishing
CEO phishing is a very sophisticated form of this online fraud that can also be very time-consuming for the phisher behind it. It involves cybercriminals targeting staff in either human resources or finance departments of an organization and posing as either the CEO of the company or some other high-level executive. They proceed to exchange multiple messages with their target and gradually build up trust.
After some time, the phisher will suddenly ask their target to send them the employees’ personal information or, more often, to transfer funds to an account they specify. In most cases, they will say that they need the funds for a new contract and insist that the transfer is extremely urgent. As outrageous as it may sound, businesses around the world have lost more than $5 billion so far as a result of CEO phishing.
- File Hosting Phishing
Many people use online hosting services like Dropbox and Google Drive to back up their files for easy access and sharing. Phishers are aware of this, which is why there have been countless attempts to compromise users’ login credentials for these services. The layout of the scam is much like deceptive phishing in that it involves fake login pages. However, instead of looking for something specific, hackers want to access their victims’ online file storage to harvest any valuable piece of information they can find there.
- Cryptocurrency Phishing
Cryptocurrency phishing is a fairly new form of online fraud. To set it in motion, hackers create fake login pages to cryptocurrency websites. When unsuspecting users enter their credentials using these fake pages, the hackers instantly gain access to their victims’ digital accounts and can withdraw funds from them in a matter of seconds. There has only been one major cryptocurrency phishing attack so far, but seeing as digital currency is on the rise, it is safe to assume that there will be more of these in the future.
Examples of Phishing Attacks
Some of the most destructive phishing attacks in recent years include the following:
- In late 2014, hackers used spear phishing emails to harvest the Apple IDs of numerous Sony Pictures employees. Assuming that most of the employees used the same password across multiple online accounts, the hackers then used these credentials to log into their business emails. They succeeded in their mission and went on to release thousands of personal emails and other confidential documents, causing a major media storm in Hollywood.
- In 2014 and 2015, hackers targeted Anthem, a US-based health insurance provider. They used phishing emails to infect the computers of five employees with keyloggers, a type of spyware that records keystrokes. This allowed the hackers to steal almost 80 million medical records from Anthem’s servers, all of which included the patients’ Social Security numbers.
- In 2017, a group of hackers sent phishing emails to the employees of three major restaurant chains in the United States – Chipotle, Arby’s, and Chili’s. Attached to the emails was malicious software that would quietly install itself on the target computers and give the hackers access to these businesses’ internal networks. Using this software, the hackers managed to steal more than 15 million credit card records belonging to the customers of these three chains.
How to Protect Yourself from Phishing
As with all other types of cyber threats, the best way to stay safe is to adopt responsible surfing habits and use the best antivirus software. Good web browsing habits are particularly important because some types of phishing emails can steal your data while bypassing your cybersecurity software of choice.
You should never divulge any personal information – be it credit card info, login credentials, or Social Security numbers – in emails or instant messages. If your email, online banking, digital wallet, or web shopping login page looks different than before, check the text on the page for spelling and grammatical errors, which are usually a tell-tale sign of a fake website. Always look for an “https” prefix in the address bar and the padlock icon next to it to make sure that the information you enter is secure.
Don’t open any emails sent from unknown email addresses or click on any links or attachments they may contain. Clicking on them may install spyware on your computer that could give hackers access to your personal information. Thankfully, the best antivirus software will immediately detect any malicious software on your computer and remove it from your hard drive. In addition, these programs will examine the security certificates of all the addresses you visit and prevent you from accessing phishing websites.
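The look-alike URL problem described above (similar domains, fake login pages, the https check) can be turned into an automated check on the links inside a message. The following is an added example, not code from the original article: the brand list, the sample email and the tiny suffix list are constructed, and `registered_domain` is a deliberate simplification of what a real implementation would do with the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Brand domains the user legitimately logs in to (constructed list for this example).
KNOWN_BRANDS = sorted({"paypal.com", "dropbox.com", "google.com"})

# Simplified stand-in for the Public Suffix List (assumption: only these two-label suffixes).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Return the registrable part of a hostname, e.g. 'paypal.com' for 'login.paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats such as 'paypa1.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Verdict for one URL: trusted, plain-http, brand-in-subdomain, lookalike or unknown."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS:
        # https only means the connection is encrypted; legitimacy comes from the
        # registered domain matching a known brand, not from the padlock alone.
        return "trusted" if parsed.scheme == "https" else "plain-http"
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in subdomain.split("."):          # e.g. paypal.com.secure-verify.test
            return "brand-in-subdomain"
        if name in reg.split(".")[0] or edit_distance(reg, brand) <= 1:
            return "lookalike"                    # e.g. paypal-secure.com, paypa1.com
    return "unknown"


def scan_email(body):
    """Map every link found in a message body to its verdict."""
    return {u: classify_link(u) for u in LINK_RE.findall(body)}


# Constructed sample message mixing a typosquat, a brand-as-subdomain trick,
# a genuine domain reached over plain http, and a genuine https login page.
SAMPLE_EMAIL = """Urgent: your account will be locked.
Confirm at https://paypa1.com/login or https://paypal.com.secure-verify.test/
Your backup: http://dropbox.com/home  Official: https://www.paypal.com/signin"""
```

Running `scan_email(SAMPLE_EMAIL)` flags the first two links as suspicious, the third as a genuine domain over an unencrypted connection, and only the last as trusted.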
Are you protected?
With millions of phishing emails sent and thousands of new phishing websites created daily, you mustn’t take your online security lightly.