Wednesday, October 10, 2018

Phishing: An Introduction


Chances are good that at some point you’ve received a suspicious email urging you to click on a link or open an attachment. This email was most likely an example of the cybercrime known as phishing. This article serves as an introduction to phishing: what it means, how it affects individuals and organizations, and how security awareness and training tools can be used to reduce the threat of these attacks.

What is Phishing?

Phishing is when cybercriminals send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials, or other sensitive data.
The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure you in and get you to take the bait. And once you’re hooked, you’re in trouble.
Phishing is an example of social engineering: a collection of techniques scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection, and lying, all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage you to act without thinking things through.

Why Is Phishing a Problem?

Cybercriminals use phishing because it’s easy, cheap, and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.

The data cybercriminals go after includes personal information — like financial account data, credit card numbers, and tax and medical records — as well as sensitive business data, like customer names and contact information, proprietary product secrets, and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts — or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches — like the headline-grabbing 2013 Target breach — start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
Cybercriminals use three primary mechanisms within phishing emails to steal your information: malicious web links, malicious attachments, and fraudulent data-entry forms.

Example of Malicious Web Links:
[Image: example of a malicious link]

Links, also known as URLs, are common in emails in general, and also in phishing emails. Malicious links will take you to imposter websites or to sites infected with malicious software, also known as malware. Malicious links can be disguised to look like trusted links, and embedded in logos and other images inside an email.
Here is an example of an email received by users at Cornell University, an American college. It is a simple message that showed "Help Desk" as the name of the sender (though the email did not originate from the university’s help desk; it came from the @connect.ust.hk domain). According to Cornell’s IT team, the link embedded in the email took anyone who clicked it to a page that looked like the Office 365 login page. This phishing email attempted to steal user credentials.
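The Cornell message above shows two tells a mail filter or analyst can check mechanically: a display name that claims an internal role while the address sits on an outside domain, and link text that shows one host while the href points at another. The following script is an added example written for this article, not code from Wombat Security or Cornell; the sample messages, the internal-domain list and the role words it looks for are constructed assumptions.

```python
"""
Flag two phishing tells in a raw email: a sender display name that does not match
the sending domain, and an HTML link whose visible text names a different host
than its real target. All sample data below is constructed for this example.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation's own help desk legitimately sends from (assumption).
INTERNAL_DOMAINS = {"example.edu"}

# Display-name fragments that suggest an internal sender (assumption).
INTERNAL_ROLE_WORDS = ("help desk", "it support", "admin")

# Constructed sample modelled on the "Help Desk" message: the display name claims an
# internal sender, the address is on an unrelated domain, and the first link's text
# shows a trusted host while its href goes elsewhere.
SAMPLE_EMAIL = """\
From: Help Desk <itsupport@connect.example.invalid>
To: user@example.edu
Subject: Action required: verify your mailbox
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is almost full. Please visit <a href="http://login-verify.example.invalid/o365">
https://login.microsoftonline.com</a> to continue.</p>
<p>Read the <a href="https://it.example.edu/policy">IT policy</a>.</p>
</body></html>
"""

# Constructed benign message from the real help desk: no findings expected.
BENIGN_EMAIL = """\
From: Help Desk <helpdesk@example.edu>
To: user@example.edu
Subject: Maintenance window on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://it.example.edu/maint">https://it.example.edu/maint</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain_mismatch(msg, internal_domains):
    """Return a finding if the display name looks internal but the domain is not."""
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    looks_internal = any(word in name.lower() for word in INTERNAL_ROLE_WORDS)
    if looks_internal and domain not in internal_domains:
        return f"display name '{name}' but sender domain '{domain}' is not internal"
    return None


def extract_links(msg):
    """Return (href, text) pairs from the HTML body, or [] if there is none."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def deceptive_links(links):
    """Flag links whose visible text is a URL on a different host than the href."""
    findings = []
    for href, text in links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


def analyse(raw_email):
    """Run both checks over a raw RFC 5322 message and return the list of findings."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    sender_finding = sender_domain_mismatch(msg, INTERNAL_DOMAINS)
    if sender_finding:
        findings.append(sender_finding)
    findings.extend(deceptive_links(extract_links(msg)))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyse(raw) or "no findings")
```

Run against the constructed sample it reports both tells; against the benign message it reports nothing. The checks are deliberately narrow (they say nothing about links hidden in images, which the text also mentions), so they belong in a mail gateway's scoring alongside SPF/DKIM results rather than as a sole verdict.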
Example of a Malicious Attachment:
[Image: example of a malicious attachment]

These look like legitimate file attachments, but are infected with malware that can compromise your computer and the files on it. In the case of ransomware — a type of malware — all of the files on your PC could become locked and inaccessible. Or, a keystroke logger could be installed to track everything you type, including your passwords. It’s also important to realize that ransomware and malware infections can spread from your PC to other networked devices, such as external hard drives, servers, and even cloud systems.

Here is an example of phishing email text shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected recipients’ computers. Variations of these types of shipping scams are particularly common during the Christmas shopping season, though they are seen year-round.
Example of a Fraudulent Data-Entry Form:
[Image: example of a fraudulent tax data form]

These emails prompt you to fill in sensitive information — like user IDs, passwords, credit card data, and phone numbers. Once you submit that information, it can be used by cybercriminals for their personal gain.
The above image is an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users would be routed to this fraudulent page, which appears to belong to the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form to receive it. Personal information of this kind can be used by cybercriminals for a number of fraudulent activities, including identity theft.
It’s important to recognize the consequences of falling for a phishing attack, either at home or at work. Here are just a few of the problems that can arise from falling for a phish:

In Your Personal Life

  • Money stolen from your bank account
  • Fraudulent charges on credit cards
  • Tax returns filed in your name
  • Loans and mortgages opened in your name
  • Lost access to photos, videos, files, etc.
  • Fake social media posts made in your accounts

[Video: 60 Seconds to Better Security]
Partially reposted from Wombat Security: Phishing: An Introduction

At Work

  • Loss of corporate funds
  • Exposed personal information of customers and coworkers
  • Outsider access to confidential communications, files, and systems
  • Files become locked and inaccessible
  • Damage to employer's reputation