What is phishing?
Phishing is the art of tricking people into revealing personal information. Usernames, passwords, and credit card numbers are often targeted for phishing attacks, with the intent of taking over user accounts. 59% of phishing attacks are financially motivated.
Phishing attackers usually approach victims via instant messaging, email spoofing, and phishing text messages, and then direct users to a fake website which matches the look and feel of the legitimate site so victims will enter personal details there. Attackers can trick users with communications that claim to come from trusted parties such as e-commerce sites, colleagues, banks, social media websites, managers/executives at work, IT administrators, or online payment processors.
What is Phishing?
Phishing is the fraudulent practice of inducing people to reveal sensitive personal information such as credit card numbers and passwords. Phishing attackers send what appear to be legitimate communications by text, email, or other electronic communication from reputable companies and other trustworthy entities to lure users to phishing websites. These professional-looking sites are designed to elicit sensitive data and personally identifiable information.
Phishing by the numbers
(Statistics graphic; the figures did not survive extraction. Its panels were: average time between cyber attacks; records stolen every day from breaches; total cost globally for cyber crime.)
How does phishing work?
1. Cybercriminals plan
Cybercriminals choose attack targets, usually based on services, demographics, or any number of factors.
They create methods for tricking users into providing information they want to steal. They may use text messages, emails, and identical looking websites to trick users.
2. Attack begins
Successful phishing attacks use real information, seem like they’re coming from a real person or business, and create a sense of urgency to entice users to click.
The most successful attacks focus on tricking the user into sharing information for a delivery or signing into an account.
3. Tricked user logs in
Once users click on a link, they’re often directed to a fake website that looks identical to the real one – even the URL looks the same.
Once users enter their credentials on the fake site, cybercriminals immediately log in to the real website with the username and password the user was just tricked into revealing.
4. Credentials stolen
Now the users’ credentials have been stolen and are used to take over accounts. Attackers then use that access to commit fraud or hold information for ransom, with the goal of financial gain.
The common element among phishing attacks is the disguised identity of the attackers. In phishing attacks, spoofed texts or emails appear to originate from a trusted sender, fake websites resemble those the victim trusts, and URLs are often disguised using foreign character sets.
Common features of phishing emails
Too good to be true
Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention.
Sense of urgency
A favorite tactic amongst cybercriminals is to ask you to act fast because the offers are only for a limited time.
A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed.
If you see an attachment in an email you were not expecting or that does not make sense, don’t open it!
If anything seems out of the ordinary, unexpected or out of character, do not click or open an attachment.
Even if it looks exactly like a site you’ve been to before, it might be a malicious duplicate – especially if you’ve clicked a link to get there.
Typically, a phishing attack aims to get the victim to either reveal sensitive information or download malware.
Reveal sensitive information. The goal of these phishing messages is to trick the victim into revealing a username, password, credit card information, or other sensitive data—anything needed to breach an account or system. The attacker sends an email designed to look just like a message from a trusted sender such as an internet streaming company or a major bank. Some common sites cybercriminals spoof in phishing attacks include payment platforms like PayPal, software companies such as Microsoft, social media platforms like Facebook and Twitter, online auction sites such as eBay, and streaming/e-commerce site Amazon, which is essentially a multi-surface target.
By spamming the message to millions, they ensure that at least a few customers of the targeted streaming service or bank will go to a malicious site after clicking a link or opening an attachment in the message. This is the difference between spam and phishing: spam is unsolicited but may contain a legitimate sales message, for example, whereas phishing directs the user to a harmful site with malicious intent. In the example above, the site is built to look just like the streaming or bank web page, and it asks for sensitive information.
Download malware. Many phishing emails work just like ordinary spam, attempting to infect victim computers with malware—most frequently ransomware. Frequently victims are “soft targets” such as HR professionals who receive emails with CV or resume attachments every day. In place of a legitimate resume, they might receive attachments with malicious embedded code. This kind of attack is more time-consuming, but the potential rewards may be higher and ongoing.
Phishing attacks achieve these two goals using a number of techniques:
Most phishing attacks use technical deception to spoof or manipulate links in some way. Phishers often misspell URLs or subdomains. For example:
http://www.yubico.example.com/ versus http://www.yubico.com/example/
In this case, the first link may seem to take you to the Yubico website, but it points to a spoofed phishing site.
Attackers may also ensure that the text between the <A> tags (the text for a link that is displayed) suggests a reliable destination, even though the actual link leads to the phishing site. Some users first hover over a target link’s URL with the mouse to confirm where they are going before clicking, but even that behavior is not foolproof, since the preview can sometimes be overridden by a phishing attacker. Moreover, this preview feature does not typically exist in equivalent mobile apps.
Attackers can exploit internationalized domain names (IDN) by creating web addresses that look identical to the legitimate site, but lead to a malicious version instead. This is called IDN spoofing or a homograph attack. Similarly, phishers disguise malicious URLs with a trusted domain by using open URL redirectors on the websites of trusted organizations. Because a phisher can purchase a valid certificate and then change the content to spoof a genuine website or host the phishing site without SSL at all, even digital certificates do not solve this problem.
In Pharming, the phishing scammer infects your computer with malware to redirect you to a fake version of a legitimate website you attempt to visit. Even if you click on your bookmarked link or type the real address, the malware redirects you to the fake site.
Phishers sometimes avoid anti-phishing scanning techniques that search for text related to phishing by hiding text in multimedia objects using Adobe Flash. This is called filter evasion or phlashing. Some more sophisticated anti-phishing filters now use optical character recognition (OCR) as a response to the need to recover hidden text.
Flaws in a trusted website’s own scripts can also be wielded by a phishing attacker. These cross-site scripting (XSS) vulnerabilities are particularly problematic because they lead the victim to sign in at the service’s own web page or the bank’s page where everything looks legitimate, from the security certificates to the web address.
Phishing attacks that use covert redirect use legitimate-seeming links to redirect a victim to an attacker’s phishing website. The attacker typically hides the flaw on an affected site’s domain under a log-in popup. It can also affect OpenID and OAuth 2.0 flows through well-known exploitable redirect parameters. These attacks often exploit XSS and open redirect vulnerabilities in third-party application websites or use malicious browser extensions to covertly redirect users to phishing websites.
Covert redirect phishing attempts are more difficult to spot than normal phishing scams, because unlike the classic phishing attack with a malicious page URL that is somehow different from a real site link, a covert redirect attack will corrupt an actual trusted site with a malicious login popup dialogue box. Such a popup window from a trusted social media app, for example, can send a “token” to the phishing attacker with the birth date, email address, contacts, and work history of the victim along with other sensitive information and possibly take control over the user’s account.
Search Engine Phishing
Search engine phishing involves using search engines to direct victims to product store sites. Once there, when victims attempt to purchase the products and provide their credit card details, the phishing site collects them. Similarly, search engine phishing leads many users to entire phishing websites that are fake, such as phony bank websites offering loans or credit cards at a low rate.
Phishing attackers can hijack sessions by exploiting the control mechanism of the web session to steal user information. The simplest version of session hijacking is called session sniffing; in this process, the phisher illegally gains access to a server by using a sniffer to gain relevant information.
Social engineering is the scalpel to the blunt instrument of spamming. If mass emailing or texting is not delivering the desired results, a phishing attacker may invest more time in enticing the right victims to click.
Many social and technical factors can induce or encourage users to click on a wide range of unexpected content. For example, an attacker could attach something malicious that appears to be a benign linked Google Doc, or a cute image of a pet, or an outrageous news story. Any of these things will infect the user if they click on them; the question is how enticing the bait is to that particular user.
Content injection is a phishing technique that allows attackers to change portions of reliable website content. For example, a portion of trusted site content will direct users to an outside page, and that new site will ask for personal details.
Tabnabbing takes advantage of a user’s open tabs, silently redirecting the victim to the affected site by loading a phishing page in one open tab.
Phishing Protection Benefits
The most obvious benefit of phishing protection is decreased security risks to your organization. Even the most carefully trained staff can fall victim to social engineering attacks involving current technologies, deception, and human manipulation. Actual phishing protection reduces the risk from such events.
Specific phishing protection benefits typically include:
Phishing protection solutions should include email filtering and scanning for every attachment and link. These tools should prevent users from opening dangerous links and attachments, and many have blacklist options.
Social Engineering/Spoof Protection
To protect against social engineering techniques that allow attackers to impersonate trusted sources, phishing protection tools employ specific anti-impersonation software. This kind of technology typically searches incoming emails and their content for any indication of an impersonation attack, such as anomalies in: domain name, display name, reply-to information, domain registration recency, and body of the message. Anything that fails a set test of these combined factors is quarantined or discarded as an impersonation attack. Anti-phishing tools can also add protective measures to organizational email signatures that make them much more difficult to spoof.
Any effective, reputable anti-phishing technique will offer some form of protection across devices, including laptops, desktop computers, mobile devices, and tablets.
Automation, Machine Learning Benefits
Anti-phishing tools that use automation and machine learning provide their own benefits for amplifying organizational insight, augmenting employee training, and reducing IT workload.
Mailbox-level anti-phishing tools use machine learning to analyze user communication habits and account information. The immediate reason for this is to detect threats as quickly as possible and deliver better phishing protection. However, this kind of machine learning also offers much deeper insights into what normal user communications look like, enabling the organization to develop a baseline for comparison, and better detect and learn from anomalies.
This all reduces IT workload by filtering out false positives. An automated system for phishing threat detection and mitigation identifies threats faster and reduces response time. It also improves intelligence and offers deeper, real-time insight into existing metrics. This allows IT and security teams to focus more time on prevention and forward-thinking policy, and less on triage.
A strong authentication tool is among the best anti-phishing solutions, because repelling phishing attacks is among the defining qualities and primary purposes of the technology.
To qualify as strong authentication, a system must:
- Never rely solely on shared secrets/symmetric keys such as passwords, codes, or recovery questions.
- Robustly repel credential phishing and impersonation.
- Be scalable and easy to use on a variety of devices, across protocols, and in different situations.
Any tool that provides strong authentication has modern anti-phishing techniques built into the solution itself, designed to resist phishing attacks.
Phishing is on the rise
Phishing is on the rise with a 65% year over year increase in the number of phishing attacks. And, it works better than you think. Cybercriminals are getting better at slipping their phishing emails through spam filters and past anti-malware software. By using weak usernames and passwords, or vulnerable SMS-based two-factor authentication, users are vulnerable to account takeovers resulting from increasingly sophisticated phishing scams.
Common Types of Phishing Attacks/Phishing Examples
There are a number of common types of phishing attacks today:
Personal phishing attempts directed at particular companies or individuals are called spear phishing. Unlike typical phishing, spear phishing attackers increase their probability of success by collecting and using personal details about their target against them. The first research study on a kind of spear phishing attack that takes place on social media, called social phishing, found that it was over 70 percent successful.
Often within organizations spear phishing targets high-level executives or employees that have access to financial data or other sensitive information. In 2016, Threat Group-4127 (Fancy Bear) hacked high-level officials in Hillary Clinton’s 2016 presidential campaign using spear phishing tactics to threaten victims.
Whaling phishing, trap fishing, or simply whaling is a type of spear phishing attack that takes aim at high-profile targets such as senior executives. Whaling attack content is typically crafted to the person’s role in the company, and the content may relate to an executive issue such as a customer complaint or a lawsuit.
Catphishing and Catfishing
Catphishing (with a “ph”) attackers pose online in order to gain access to a person’s resources or information, or to otherwise force them to do something. Catfishing (with an “f”) is a related but specifically romantic or sexual concept, in which the phishing attacker creates a social network presence to lure the victim into a social relationship for access to resources or to gain control.
Clone phishing attacks make use of cloned emails, emails that were previously legitimate and delivered with links or attachments, but then stolen and replaced with a malicious version that seems to come from the original sender.
Some phishing scams use the phone instead of fake websites by sending messages claiming to be from trusted senders such as government entities or banks. These messages direct the victim to call a number to resolve a problem; the phisher’s number, which is served by a voice over IP (VoIP) service, then prompts for sensitive information such as account numbers and PINs.
Similarly, vishing or voice phishing skips the written message and reaches out with this kind of VoIP system and fake caller-ID data to spoof a trusted organization and elicit sensitive data.
SMS phishing or smishing delivers malicious links, cell phone numbers, or other bait via SMS. Smishing is harder to detect because URLs may not be fully displayed due to the nature of mobile browsers; also, smishing messages often arrive in unexpected or strange formats—like other automated messages.
Modern phishing v/s common phone and OTP authentication
Phishing attacks are a type of social engineering. This simply means they trick people using deception via electronic communications, such as email or instant messenger, in order to steal information such as usernames and passwords, money or access to systems.
Although phishing scams are not new, they have become far more sophisticated. Oftentimes they will seem completely normal. An email exchange or phone call will come from an employee in the organization who has actually already been compromised, but because the communication seems to include verifying details such as start dates, employee numbers, and telephone numbers, it easily gets past spam filters and feels legitimate. The experience can be so smooth that the victim doesn’t even know that they were phished.
Sadly, not all types of multifactor authentication are up to the task of preventing modern phishing attacks. This is in large part because most of the “secret” information that platforms require users to know and confirm is not actually secret unless the users are extremely careful all of the time.
In the past, manual work was required to create lookalike templates for various websites. Today there are automated proxies available that make this much easier, so such phishing attacks are now fairly easy to mount.
Two-factor authentication (2FA) is one of the more powerful credential strengthening techniques. The core idea is to demand more than just the basic user name and password at high risk times, such as when performing a risky or sensitive transaction, when signing in from a new location or device, or when the system has detected other suspicious activity at that location or account.
There are various commonly used 2FA methods, each with its strengths and weaknesses as it relates to phishing.
Two-step verification (2SV) and 2FA are not necessarily the same. For example, both steps might rely on the same factor, such as login codes received on the same device. Adding more than one step of the same type does not strengthen the authentication, as the discussion above explains.
Knowledge-based Authentication (KBA)
These are the questions you have answered many times, such as, “What was your high school mascot,” and “What’s your mother’s maiden name?” Dynamic versions of knowledge-based authentication questions also exist for some organizations and services you use regularly like a bank, such as, “did you go to the movies on Saturday?” or “when did you last leave the state you live in?”
However, these typically amount to no more than a second form of something you know, a password, and are often publicly available information in widespread use with predictable results. Worse, verification information is often stored reversibly encrypted or as plaintext answers even when password verifiers are more securely stored, because providers want to use approximate matching due to capitalization typos, and because the answers are sometimes considered less secret than passwords.
One-time Password (OTP) or Notification via SMS or Phone Call
OTP via SMS is widely available in that most people have phones, and there are no secret seeds hackers can steal. However, SMS networks and phones can and have been exploited, by private companies, governments, criminal gangs, and even sophisticated hackers as well. They are also vulnerable to number porting fraud and pretexting/vishing.
Push Notification-based OTP Codes
OTP via push notification is difficult for hackers to intercept when implemented correctly, but as with all OTP implementations, phishing may prompt the user to reveal the code.
OTP via Email
OTP via email is remotely accessible and vulnerable to hackers as described above.
OTP Tokens and Apps
The OTP app or token embeds secret seeds, typically in a hardware token or QR code. These seeds combine with the current time or a counter to produce a code that can only be predicted with the seed. An OTP code is only valid once and cannot be used to recover the secret seed. The user cannot be phished for the seed, because they don’t know it, and they can only be used once, in what is near real time.
To validate the OTP codes the secret seeds must be present on a server somewhere, so that location must be extremely secure. Also, a catastrophic breach of any seed manufacturer can obviously hurt customers.
Unfortunately, OTP codes can ultimately be stolen by tricking users into visiting phony websites. Hackers can then forward the code to the real site and gain access. In the end, an OTP is a shared secret. Once it is generated, it is no longer bound to the hardware device that generated it, no matter how secure.
Push Notification-based Apps
Push notification-based apps offer context for the user so they can decide whether to log in by touching an approve or deny button rather than revealing information by entering a code. For example, the app might say, “you’re logging into your bank in New Jersey,” and allow you to confirm or deny that activity in real time.
However, phishing attackers can use bots whose network location (ISP) resembles that of the user’s device, and especially if the user does not carefully read the approval message, this may be enough.
Biometrics use iris scans, fingerprints, or some other intrinsic quality of a user’s body to replace or augment other authentication mechanisms. However, unlike other exposed authentication credentials, there is no way to change biometric credentials if yours become publicly known.
Biometrics also fail to easily differentiate actual intent to authenticate. For example, simply looking at a device does not equal an intent to login.
Furthermore, there is a significant privacy difference between systems that use central validation of biometric data and device local biometrics. Biometrics specific to a particular device are typically not transferrable from device to device, which means re-enrollment and security support are ongoing issues. However, carefully chosen biometric protocols implemented robustly and validated locally to a device can help prevent scalable remote attacks.
Certificate-based authentication prevents phishing attacks and offers security using public/private key cryptography. The user proves they have a private key and certificate to authenticate their identity to the server.
Certificates have already been in use at the enterprise level to validate the server-side of every https connection, both with and without smartcards to protect the private keys, for years. The TLS protocol helps prevent both man-in-the-middle attacks and phishing by ensuring the server can detect interference with the connection between the client and the server.
In enterprise environments, user certificates with smartcards are potentially both secure and usable. Several internet websites—mostly financial institutions—have user certificate-based authentication, but it is not practical for widespread internet use.
Token binding or TLS mutual authentication (mTLS) extends the secure TLS protocol used for https connections to provide more robust, lengthier sessions and stronger web authentication. This protocol was developed by the Internet Engineering Task Force (IETF) as one of the foundations of the FIDO2 and W3C WebAuthentication (WebAuthn) password free standards for identity options (see below).
The standard bearer tokens used in OAuth 2.0 can be altered, intercepted, lost, proxied, replayed, or stolen by man-in-the-middle attacks. Token binding replaces these vulnerable tokens with tokens bound to cryptographic certificates on both server and client ends. In other words, rather than trying to prevent the attack itself, token binding renders the results of the attack useless.
For widespread adoption to work, web browsers must support token binding. However, browser support for token binding remains limited to versions of Microsoft Edge using the EdgeHTML engine, even though industry participation is widespread. Token binding standards contributors include Google, Microsoft, Ping Identity, PayPal, and Yubico.
FIDO Universal 2nd Factor (U2F)
FIDO U2F authenticators achieve several goals with public/private key technology: preserving privacy by creating a unique key per registration and site; handling sensitive private keys in dedicated secure hardware; binding credential use solely to the site where the credential was created; and requiring user interaction to authenticate. The protocol simply functions, and does not require the user to confirm or notice anything about the site they are visiting.
FIDO2: Web Authentication (WebAuthn)
A key element of the FIDO2 specifications, Web Authentication (WebAuthn) is a web-based API that enables websites to update their login pages with FIDO-based authentication on platforms and browsers that are supported. FIDO2 allows users to safely and easily authenticate to online services using common desktop and mobile devices in a range of environments.
FIDO2 uses cryptographic login credentials to authenticate that are unique across every website. Yet the model eliminates the risks of phishing, replay attacks, and password theft because those credentials are never stored on a server and never leave the user’s device. Elimination of passwords improves security and also enhances user experience and functionality.
Client to Authenticator Protocol (CTAP), also a component of FIDO2, is complementary to WebAuthn. It allows external authenticators, such as mobile phones or security keys, to work with browsers that support WebAuthn. It also enables those authenticators to work with web services and desktop applications.
Currently, WebAuthn is supported in Apple Safari, Mozilla Firefox, Google Chrome, and Microsoft Edge web browsers, and on the Android and Windows 10 platforms.
Spear Phishing vs Phishing
Spear phishing attack: phishing attack aimed at a particular organization or certain individuals.
Phishing attack: phishing attack aimed at a mass scale of targets.
Spear phishing is the professional version of standard phishing. A regular phishing campaign will send a mass communication to as many potential victims as possible. In contrast, spear phishing is very targeted and takes aim at a particular organization or certain individual(s) the attackers want to compromise. They are typically seeking information that is more valuable than mere credit card data and conduct careful research into their targets to increase their chances of success with a more personalized phishing attack.
Because phishing emails are sent in bulk and impersonal, they often contain typos, spelling errors, and other mistakes that allow users to detect their malicious intent. Trusted links and logos help disguise these subtle hints, but even so, the errors are there. On the other hand, spear phishing emails appear to come from trusted sources and contain convincing details, making them more challenging to detect.
The difference between spear phishing and whaling is victim profile. Spear phishing usually goes after a specific yet lower profile category of individuals, while whaling exclusively targets high-ranking individuals within an organization.
How does Spear Phishing work?
Spear phishing potentially targets anyone with personal information online—and that is almost everyone. Attackers might scan a social networking site to view individual profiles, and find a user’s geographic location, friends list, email address, and posts about recent trips, purchases, and other activities. This kind of information allows a phishing attacker to impersonate a familiar entity or even a friend, and send a fraudulent but convincing message to their victim.
Phishing attackers increase success rates by asking for sensitive information with urgent explanations for why the information is needed. For example, an attacker may use phishing texts or emails to impersonate a friend on vacation who has lost all of their social media usernames and passwords; they claim they just want to post their photos before they lose them.
Another common tactic in many spear phishing examples is to compromise a business email account, and use it to pose as a senior employee with the power to request direct deposit changes, wire transfers to fraudulent companies, or W2 information. Social engineering and data breaches will reveal the names of the impersonated employee’s direct reports, managers, and other convincing facts.
Here is another phishing example: As assistant to your company’s CEO, a spear phisher researches you on LinkedIn and creates a fake personal email account for your CEO. While the real CEO is out of town—and the attacker knows that, also from online research—they send you a spoof email that says, “Help! I am on my trip, but this project is in jeopardy right now and I need a wire transfer of $40,000 to this vendor immediately. Here is the number, I have created an invoice too and I’ll send it. Here are the wiring instructions. Please take care of it right away.”
Phishing During Crises
During times of crisis, criminals rely on a sense of urgency and deception to phish successfully. Crises such as the coronavirus pandemic are an ideal opportunity for these cybercriminals to launch phishing campaigns.
Users crave authoritative information from trusted sources such as their employers, the government, and other relevant authorities during a crisis, and it is not always as forthcoming as people hope. As people seek out information, they are even more likely to click on a link or complete a task with less scrutiny than before.
Additional issues arise as more and more workers transition to a work from home (WFH) model. With working from home over less secure networks as the new norm for many organizations, risk factors for remote workers have also increased.
There are several ways to support a remote workforce and augment security against phishing attacks:
Minimize Risks with Strong Authentication
Multi-factor authentication (MFA) is one of the best options to establish trust with users, but unfortunately, as described above, not all MFA is created equal. Actual strong authentication has three qualities:
- Not rely solely on shared secrets/symmetric keys at any point. This includes passwords, codes, and recovery questions.
- Robustly repel credential phishing and impersonation. While wary users are always welcome, strong authentication accounts for these phishing attacks which are inevitable—and some will succeed.
- Be scalable and easy to use.
See more about strong authentication here.
Leverage an Identity Access Management (IAM) Solution
Leverage an IAM solution in conjunction with strong authentication to ensure users have the enterprise access they need and can work seamlessly throughout the day without entering information. Enterprise-wide IAM solutions with strong authentication help enterprises achieve a company-wide, single point of login security solution with access across a range of business applications.
Can you spot a phishing email?
Have you ever received an email that looked suspicious? Maybe an email asking you to verify your account, threatening to cut off a service, or asking you to send money? If yes, then you are not alone. 97% of people are unable to identify a phishing email.
Does Yubico Offer Phishing Protection?
Typically, a phishing victim clicks on a link asking for a code or password, receives a request or sign-in page that is actually a phishing link, and responds to the phishing link with their personal information. This works well for phishing attackers whether it is a website or an app, because they can capture valid OTP codes, and victims may never know they were phished or detect the issue at all. You can’t expect victims to report phishing they are unaware of.
Yubico stops this problem. A registered YubiKey “talks” to your device. When you click on a phishing link and enter your details, you are then prompted to authenticate using your YubiKey. However, the YubiKey and device can see that even a phishing link or site with a valid SSL security certificate is bogus and will refuse to authenticate.
Find out more about YubiKey solution: https://www.yubico.com/products/
Proven protection in the most challenging environments
“We have had no reported or confirmed account takeovers since implementing security keys”
- The Anatomy of a Phishing Email: 5 Things to Look For Before You Click
- Modern phishing v/s common phone and OTP authentication
- How modern phishing defeats basic multi-factor authentication