By Helen C & David Bloxberg 

Whether you are a person fishing for the animal as a hobby or a criminal phishing to steal data from your next victim, these two very different activities share one common tool – a hook. A literal hook catches the fish, but an emotional hook is usually what entices a person to respond to a phishing cyber-attack. Here, we take a detailed look into phishing to provide your business with the information it needs to defend itself.

Introduction 

Phishing is a cyber-crime where individuals are approached through email, websites, phone calls, or text messages by hackers claiming to represent legitimate organizations. The aim is to deceive individuals into divulging private information, including personally identifiable information (PII), protected health information (PHI), banking and credit card details, passwords, and other confidential data. The term itself, a homophone of “fishing,” hinting at the tactic of baiting individuals into exposing their private data, mirroring the act of waiting for a fish to bite when bait is placed on a hook. This deceptive practice is a significant threat in the digital world, as it is a type of cyber-crime which uses the vast reach of the internet to exploit human vulnerabilities across the world.

History 

Phishing has been around since the early 1990s, coinciding with the rise of the internet. Initially, attackers targeted AOL users in a famous phishing attack from 1995, tricking them into divulging their login credentials. These early attempts were relatively straightforward, often involving direct messages requesting users to verify their accounts or confirm their passwords. 

As phishing techniques advanced, the sophistication of these attacks significantly increased. A notable example of this evolution is the 2020 Colonial Pipeline attack. Here, attackers used a compromised password to access the network, leading to massive disruptions in fuel supply across the Eastern United States. This incident illustrates the shift from simple deceptive messages to complex, multi-layered cyberattacks that exploit both technological vulnerabilities and human error.

This progression from the primitive phishing scams of the 1990s to today’s highly elaborate schemes highlights the adaptability and persistence of cyber criminals in exploiting new technologies and human psychology.

In today’s digital age, understanding phishing is crucial for two key reasons. Firstly, the internet has become part of nearly every aspect of day-today life. The inescapable nature of the internet combined with the proliferation of digital transactions make individuals and organizations perpetually vulnerable to these attacks. Secondly, a successful phishing attack’s financial and reputational damage to a business can be devastating. 

Understanding How Phishing Works

Phishing is a digital deception technique cyber criminals use to fool people into divulging sensitive information. It’s effective because the lies are carefully crafted believable requests or alerts that appear to come from trusted sources.

Personal data can be used for identity theft, unauthorized transactions, or even sold on the dark web. For organizations, the stakes are equally high, with potential losses running into millions and severe damage to customer trust. Therefore, awareness and education on the nature of phishing attacks, their indicators, and prevention strategies are vital components in safeguarding both personal and organisational assets in the digital landscape.

Who Are the Targets?

Initially, phishing scams cast a wide net, targeting the general internet population. But in England and Wales, data provided by the National Office of Statistics shows that those between the ages of 25 to 44 are most likely to be affected. However, as techniques have evolved, so has the specificity of targeting.

Today, anyone can be a target—from individual internet users to employees at any business. Specific campaigns, known as spear phishing, target high-value individuals or employees with access to sensitive corporate data. Larger-scale campaigns may aim to collect data from as many individuals as possible or install malware for various malicious purposes.

The New Future of Work Report published by Microsoft stated that security professionals had found a 62% rise in phishing campaigns over any other type of attack.

Why Are Attacks Successful?

Phishing scams leverage social engineering to exploit human psychology, in other words they appeal to our human nature to get a response. They often create a sense of urgency, fear, or curiosity to prompt immediate action. Official logos, familiar layouts, and language mimicking legitimate organizations add to their believability. This psychological manipulation makes it challenging for individuals to distinguish phishing attempts from genuine communications, leading to high success rates for attackers.

For cybercriminals, phishing is a low-risk and high-reward activity. Compared to other cyber-crimes, it requires minimal investment but has the potential for significant financial gain or access to valuable information. Phishing can also serve as a stepping stone for more complex attacks, including those on corporate networks or government agencies, by enabling the installation of malicious software or the theft of credentials.

The Evolution of Phishing with AI

The integration of Artificial Intelligence (AI) into phishing schemes marks a significant evolution in cybercrime. AI algorithms can automate the creation of phishing emails, phone calls or messages, making them more personalized and more challenging to detect. These algorithms sift through extensive data sets to pinpoint the most efficient phishing tactics to provoke a response. Furthermore, AI can help create more convincing fake websites and mimic human behaviour in chatbots or emails, increasing the sophistication of attacks. This evolution underscores the need for advanced detection systems and heightened awareness among businesses and individuals.

Understanding the dynamics of phishing scams is crucial in developing effective countermeasures. As these scams become more sophisticated with AI, the importance of staying informed and vigilant cannot be overstated.

Different Types of Phishing Attack

Email Phishing

Email phishing is the quintessential model of phishing attacks, notorious for its wide net and simplicity of execution. This method involves sending out large quantities of fraudulent emails, targeting a broad audience without discrimination. The success of email phishing hinges on a numbers game; even a tiny fraction of recipients succumbing to the scam can lead to substantial data breaches or financial benefits for the attackers.

Example of a phishing email

Email Body:

Dear [Recipient’s Name],

We’ve detected suspicious activity on your account and believe your security may be at risk. For your protection, we require you to reset your password immediately.

Please click this link [Malicious Link] to start the reset process.

If you haven’t requested a password reset, please contact our support team now at [Fake Contact Information].

Thank you for taking prompt action to secure your account.

Best,

[Your Company’s Name] Security Team

Vishing (Voice Phishing)

Vishing, or voice phishing, uses phone calls where attackers impersonate representatives from credible organizations like banks or government agencies. The aim is to deceive individuals into revealing personal information by creating a false sense of legitimacy and urgency over the phone.

Example of  Vishing: Bank Fraud Alert

Scenario: The victim receives a phone call from a person claiming to be from their bank’s fraud department. The caller ID appears to be from the bank, making the call seem legitimate.

Caller: “Good day, this is [Fake Name] from [Victim’s Bank] Fraud Department. We’ve detected unusual transactions on your account that are flagged as fraudulent. To ensure your account’s security, we need to verify your identity and recent transactions. Could you please confirm your account number and the last three transactions you made?”

Objective: The attacker aims to gather account details and transaction history to gain unauthorized access to the victim’s bank account.

Smishing (SMS Phishing)

Smishing, or SMS phishing, manipulates text messages to trick recipients into clicking on harmful links or disclosing personal information. These texts masquerade as alerts from trusted sources like banks or government bodies, exploiting urgency or fear to provoke immediate action. By directing individuals to malicious websites or prompting the sharing of sensitive data, smishing leverages the widespread trust in SMS communication for nefarious purposes. 

Example of smishing

Text Message: “Notification: You have a package from [Courier Service] pending delivery. Due to a missing shipping fee, immediate action is required. Click here to resolve and schedule your delivery: [Malicious Link]. Failure to act will result in your package being returned.”

Objective: This smishing attempt seeks to lure the recipient into clicking a malicious link claiming to resolve a delivery issue. The link leads to a fake courier service website asking for personal information and payment details, which the attackers collect for fraud.

How Can You Prevent Phishing?

Preventing phishing requires a multifaceted approach to cyber security, combining technology, education, and vigilance to safeguard personal and organizational data.

• Security Awareness Training: Regularly educate and train employees on the latest phishing tactics and prevention strategies. Use simulations and real-life examples to teach people how to spot suspicious links, phishing emails, and unsolicited requests for information.
• Implement Strong Email Filters: Utilize advanced email filtering solutions that can detect and quarantine phishing emails before they reach the inbox. These systems analyze emails for phishing indicators, such as suspicious sender addresses, malware attachments, and malicious links.
• Keep Software Updated: Make sure all systems and software have the most recent security updates installed. Cybercriminals frequently take advantage of known software flaws to initiate phishing attacks.
• Use Antivirus Software: Install anti-phishing toolbars and antivirus software on all devices. These toolbars can alert users when they stumble upon known phishing sites, while antivirus software can detect and remove malware installed via phishing emails.

You can report emails and other suspicious content you receive. As of January 2024, the National Cyber Security Centre (NCSC) have removed 168,000 scams across 430,000 URLs following 29 million reports.

Conclusion

By adopting preventative strategies, individuals and businesses can significantly diminish their susceptibility to phishing attacks, safeguard sensitive data, and preserve confidence in digital interactions, like email.

At Cirrus we can support your business with implementing software to prevent the risk of phishing, so why not get in touch and see what we can do for your business.