How phishing works
Phishing is any type of attempt to trick you into doing something to benefit the thieves and with increasing numbers of phishing attacks happening, it’s important to have a good feel for how phishing works.
Phishing attacks are usually conducted through email but attackers are increasingly leveraging websites, texts, instant messaging and phone calls as phishing platforms.
The attacker dupes someone into clicking a malicious link or visiting a fake website, which installs
ransomware or gives the attacker access to sensitive information.
Why phishing works
Phishing attacks succeed when people believe the email, text or instant message to be legitimate.
In the early days of phishing, the emails we received were pretty laughable. Most people could tell straight away that they were spam.
You probably received some yourself. A Nigerian prince asking you to transfer a donation in return for millions of dollars. A desperate husband looking to bequeath his fortune to ensure his wife doesn’t get her hands on it, would be paid directly to your bank account as soon as you paid the processing fee. Mark Zuckerberg was secretly giving away his fortune and you were the lucky recipient. They were so comical and unrealistic that London-based comedian James Veitch even published a book of the
emails he received, along with his sometimes hilarious responses.
How attackers persuade us to click
Nowadays phishing emails are a lot more realistic, and the way attackers dupe people varies.
In earlier years the most popular phishing approach was to send out a single message to mass email addresses in the hope that at least some people would be duped.
However, attackers have become much more clever. In 2019 The SSL Store announced that 91% of cyber attacks start with a tailored, personalised email, targeted to a specific individual, using subject lines of particular interest to that person. This is what we call
spear phishing.
Some of the most common ways attackers persuade us to click are by:
- ‘Spoofing’ a domain so the email you receive or website you are referred to looks real. These used to be a bit more obvious as they were insecure sites, but many spoofed sites are secure sites that start with https.
- Sending messages from a company you have an account with, advising you to update your details
- Resending a message you have already received, with the original links swapped out for malicious links
- Delivering you an email that appears to be from your CEO, manager, or someone who works in the accounting department, requesting personal information or a money transfer
- Tricking a high level executive with high level access to reveal sensitive information and corporate data
- Sending malicious coupon codes or competitions via text message
- Sending emails with unsubscribe links
- Phoning and claiming to be a legitimate organisation that you deal with such as your bank. The ‘bank’ may advise that your credit card has suspicious activity and ask you to verify your personal information before they can help
The impact of successful phishing attacks
Phishing attacks are usually designed to either steal data or install malware so the attacker can gain access to the computer, the network and accounts. Attacks can have devastating results on individuals and businesses.
Individuals may find the attacker makes purchases on their cards and accounts, syphons money and/or steals their identity. Attacks on businesses can include a complete shutdown of IT systems, theft of sensitive data and the release of sensitive data to the public.
Common brands used in phishing attacks
The three most spoofed brands in phishing attacks are
Microsoft almost always takes out the top spot. In New Zealand, we have seen many phishing emails using Apple, Amazon and Microsoft, along with:
- DHL
- Facebook
- Google
- Dropbox
- LinkedIn
- PayPal
- TradeMe
- Banks
- Retail stores
- Supermarkets
- IRD
- Waka Kotahi (NZTA)
- and many more.
Cyber criminals go out of their way to use brands that you know and trust.
How to protect yourself from phishing attacks
Firstly, look carefully at the overall look and feel of the email. Is the branding right? What about the spelling and grammar? Are the email addresses and domains legitimate? Always be wary of unsolicited messages, and if in doubt, contact the organisation or person who sent you the message and ask if it is legitimate before you take any action.
Secondly, proper IT security is absolutely essential for anyone who uses a computer. Cyber crime is the current day version of breaking and entering. It’s much more profitable to steal data and money than it is to steal TV’s and jewellery nowadays and it’s no longer a matter of whether it will happen to you, but when. You need to have multiple layers of defence.
Contact us for a confidential chat about your personal or business circumstances and we can advise you on what protection you need.