Phishing scams have been making a lot of headlines recently. But what exactly is phishing, what does a phishing email look like, and how do you protect your business from employee phishing attacks?
A phishing attack is a scam that aims to ‘fish’ information from the receiver by posing as a legitimate email.
The phishing definition from Wikipedia is "the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication."
A phishing email will often try to disguise itself as a legitimate message from a bank, online service or other company. It will then include a link to a fake phishing site - a site that looks just like the legitimate company it is imitating - where it will ask for your username, password, credit card details or other information.
Once you enter this information, it will, of course, be in the hands of the cyber criminal.
Often you will be redirected to the legitimate site after you have entered your details - so you won't immediately realise that you have just fallen for a phishing scam. You may only realise something has gone wrong when information has been stolen from your accounts - or your bank account has been emptied.
Along with viruses and malware, phishing is an example of cyber crime.
So, how does phishing work, what types of phishing are there, and how do you stop it?
Phishing is pronounced the same way as fishing.
Phishing works by posing as a legitimate email and tricking you into giving up your details. Phishing emails are often highly realistic, and can even be copies of real emails from the companies they imitate. Often, the only way to recognise a phishing email is to look at the address it was sent from - though phishers use tricks to make even that hard to tell.
For example, an email made for phishing Apple accounts might be sent from an address like firstname.lastname@example.org. The email looks like a legitimate communication from Apple because it has Apple in the domain - but is not actually from Apple at all.
(Want to know more about Apple phishing emails? Apple has a useful section on preventing phishing on their website, and reporting phishing to Apple.)
A phishing email copies the style and presentation of real emails and uses a real-looking domain name to appear legitimate - but how does it actually get you to hand over your details?
Phishing emails normally do this by creating a sense of urgency. For example, a Bank of America phishing email may say that your bank account has been compromised. The prospect of having your bank account emptied by a cyber criminal will surely get anyone's adrenaline pumping - and get you to overlook normal safety precautions. This, of course, will get you to hand over your details to the phishing attacker and compromise your bank account. Ironic, isn't it?
Now let’s take a look at some real-world examples of phishing emails.
The name phishing comes from the fact that attackers try to ‘fish’ for usernames, passwords and other information. The 'ph' comes from the combination of fishing with the word ‘phreak’, which was used to describe people who hacked into telephone systems in the ’60s and ’70s. Phishing is therefore fishing by people hacking into communication systems - quite an accurate name.
Incidentally, the word 'phreak' is itself a combination of the words ‘phone’ and ‘freak’.
This is a classic example of a phishing email:
(Image from ESET)
The above PayPal phishing email looks perfectly legitimate - but has actually been sent by a cyber criminal.
The email attempts to create a sense of urgency by claiming that there has been unusual activity on your PayPal account. Receiving an email like this is sure to alert you and get you to stop thinking clearly - especially if you are keeping a larger sum of money in your PayPal account.
The email does a good job of copying the style, colour and wording of a real PayPal message, but if you look carefully there are a few things that should make you think twice before following the link and entering your details.
First of all, the domain is quite clearly wrong. The email is from a domain called 'notice-access-273.com', whereas a real email from PayPal would be from the domain 'paypal.com'. (The domain is the part of the email address after the '@' sign.)
In addition to the incorrect domain, there are multiple spelling mistakes in the email (‘What the problem’s?’, ‘we’ve place a limitation’). Real emails from large companies like PayPal are almost always proofread to the point where spelling mistakes are practically non-existent.
Thirdly, the email is addressed to 'Dear Customer'. A legitimate email from PayPal - and from just about any other company - will address you by name rather than with a generic greeting. This is one of the best ways to tell a PayPal phishing email apart from a legitimate one - but, like every other sign on this list, it is not foolproof. It's best to always stay alert, and not rely on a single telling sign to keep you safe.
We've looked at how phishing works and what a phishing email looks like - but what happens when you do click a link in a phishing email? Let's have a look at phishing sites.
While some phishing emails will attempt to get you to reply with your credentials, these are becoming rarer. Most people now know not to reply to emails with information such as usernames, passwords or credit card details.
In order to get you to actually give up your details, most phishing emails will now direct you to a phishing site.
Phishing sites imitate real websites - often copying the entire HTML and CSS front end of the real site, making it a visually exact copy - and try to get you to enter your details. This will usually be a login form that looks exactly like the one on the legitimate website.
How do you tell apart a phishing site from a real one then?
Identifying a phishing site
The best way to do this is to look at the domain name and make sure it is the page you want to be on. Phishing sites will often use domain names very similar to the real thing, though - for example, a domain imitating HMRC might be hmnc.co.uk, which looks right at a quick glance. From time to time cyber criminals also come up with styling tricks to disguise the browser's real address bar and replace it with a fake one - making it appear that you are on the correct site.
The easiest way to get around any sort of domain trickery is to type in the domain yourself. If you aren't sure whether an email from, say, Wells Fargo is legitimate, type https://www.wellsfargo.com/ directly into your browser so you won't accidentally follow a link to a fake Wells Fargo phishing site.
All major browsers, including Chrome, Safari and Firefox, also show a lock - often green - to indicate that a site uses the HTTPS protocol. HTTPS - a secure version of the HTTP protocol it replaces - means the connection is encrypted and that a certificate authority has verified that whoever runs the site controls that domain name. This doesn't always mean a site is what it claims to be - a phishing site can obtain a valid certificate for its own look-alike domain - but a site that doesn't have the lock definitely won't belong to a real bank, government or major company.
A clone phishing email is an exact replica of a real email - with only the link or attachment changed to a malicious copy. It is a particularly dangerous type of phishing because there will be no mistakes in the spelling (unless there were mistakes in the original) and it will be the exact style and look of a legitimate email from the same organisation.
A spear phishing email is a targeted attack. Unlike most phishing emails, which are generally made to be generic and sent around as widely as possible, spear phishing emails are specifically made to target an individual person or company. Spear phishing is made dangerous by the fact that the attacker can use any information they have on the target to customise the attack and make the victim far more likely to open the email and hand over their details.
Whale phishing attacks are a subset of spear phishing attacks. Whale attacks target C-suite executives and employees in the financial sector - called ‘whales’ because of the large amount of money and information a successful attack on them can expose. For this reason, whale phishing attacks are among the most costly types of cyber crime.
Phishing on Facebook and other social media is becoming increasingly common. In a social media phishing attack, cyber criminals send links to users in posts or direct messages. These will often use URL-shorteners and other methods in an attempt to make them look like they lead to real websites.
Social phishing attacks can spread very quickly as the attacker can use any compromised accounts to send further phishing messages. When users get messages from friends or family members they are far more likely to click the link - compromising their own accounts and spreading the phishing attack even further.
Link manipulation is a type of phishing that works by making a link appear legitimate when in fact it points to a fake website. This could be a misspelled domain, or some kind of technical manipulation. For example, the visible text of a link may read ‘www.amazon.com’ while the link itself leads to a phishing site that is a visual copy of Amazon and will steal your credentials once you enter them.
A content injection is a type of attack where malicious content is placed onto a legitimate website. This can happen in a couple of different ways.
If a site doesn’t vet its ads properly, a malicious actor could buy an ad spot and use it to launch a phishing attack on unsuspecting users. This ad could pretend to be a part of the site it is on, or an ad for another legitimate company, and entice users to click on it. Once users follow through, they are taken to a fake website where they will be asked to give over their details.
Even if a site vets its ads - or uses an ad delivery network such as Google Ads - content can still be injected maliciously through attacks such as a Man-in-the-Middle (MitM) attack. In a MitM attack, a cyber criminal gets between your device and the rest of the internet - often by intercepting your traffic on a public Wi-Fi network - and can then modify the web pages you visit as they wish, at least those loaded over plain HTTP rather than HTTPS.
While phishing cyber crime is becoming increasingly sophisticated, taking the right precautions will help you to detect and avoid phishing attempts. Here’s how to avoid falling prey to a phishing email.
Learn the telling signs of a phishing attack
Educating yourself on the telling signs of phishing emails will help you detect and report any phishing emails that you receive. Here’s a list:
- Fake domain (look out for spelling errors and inconsistencies - such as @micrusoft.com instead of @microsoft.com)
- Spelling and grammar mistakes
- Unexpected email (for example, an email from your bank when your bank normally texts you instead)
- Generic greeting (for example, 'Dear Customer' instead of addressing you by your name)
Check the link address
Many browsers and email clients let you hover over a link and see the address it points to before clicking on it. This lets you check whether the domain it points to is legitimate. If the domain does look legitimate and you follow the link, you can also check that the site uses secure HTTPS, which reduces the chance of malicious intervention. You know a site uses HTTPS when the address begins with ‘https://’ instead of ‘http://’ (there is an ‘s’ before the colon).
Usually, though, you will want to avoid this problem entirely by manually entering addresses into your address bar rather than following links.
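As an added example (not code from the article), the Python checker below looks for the telling signs listed above and performs the link check just described on a single message: a sender domain that is not, or merely imitates, the brand's real domain (micrusoft.com against microsoft.com), a generic greeting, link text that names one domain while the link itself points at another, and links that are not HTTPS. The function names, the crude domain parsing and the sample message are all assumptions constructed for this example.

```python
# Added example; all names, the crude domain parsing and the sample message are constructed.
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def registrable_domain(host):
    """Last two labels, or three under co.uk-style suffixes (assumption: enough here)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def look_alike(domain, real):
    """Typo-squat (micrusoft.com vs microsoft.com) or the brand name embedded in another domain."""
    return domain != real and (real.split(".")[0] in domain
                               or SequenceMatcher(None, domain, real).ratio() >= 0.8)

def phishing_signs(from_addr, claimed_domain, html_body):
    """Return the telling signs found in one message (empty list means none found)."""
    signs = []
    sender = registrable_domain(from_addr.rsplit("@", 1)[-1])
    if sender != claimed_domain:
        verb = "imitates" if look_alike(sender, claimed_domain) else "is not"
        signs.append(f"sender domain {sender} {verb} {claimed_domain}")
    if re.search(r"dear (customer|user|member)", html_body, re.I):
        signs.append("generic greeting")
    for href, text in LINK_RE.findall(html_body):
        url = urlparse(href)
        target = registrable_domain(url.hostname or "")
        if url.scheme != "https":
            signs.append(f"link to {target} is not https")
        # The visible text may name a different domain than the href (link manipulation).
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and registrable_domain(shown.group()) != target:
            signs.append(f"link text shows {registrable_domain(shown.group())} but points to {target}")
    return signs

# Constructed message in the style of the article's PayPal example (not a real email).
SAMPLE_FROM = "service@notice-access-273.com"
SAMPLE_BODY = ('<p>Dear Customer, we have placed a limitation on your account.</p>'
               '<a href="http://notice-access-273.com/verify">https://www.paypal.com/myaccount</a>')

if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE_FROM, "paypal.com", SAMPLE_BODY):
        print("-", sign)
```

Run against the constructed sample it reports all four signs; a genuine message from the claimed domain with a personal greeting and an HTTPS link whose text matches its target produces an empty list.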
Two-factor and multi-factor authentication add an extra layer of protection to your accounts. They work by making you have to enter another piece of information when logging into your accounts, in addition to your username and password.
For example, if you have two-factor authentication enabled in Gmail, you will need to enter a code from a text message or the Google Authenticator app whenever you sign into your email from a new device.
This means that even if you fall victim to a phishing scam and give away your password to an attacker, they will not be able to log in to your account unless they have access to the authentication codes from your mobile phone.
Phishing attacks carry a high risk for businesses. A data breach or malware attack caused by a phishing email could be far costlier and more damaging to a company than to an individual.
Here’s how companies can combat phishing:
A phishing training course allows you to teach your employees and end-users about the risks of phishing. Phishing training both raises awareness of the dangers of phishing and teaches your users how to recognise phishing emails and deal with them appropriately.
Phishing email scams like CEO fraud are increasingly targeting businesses - so educating your users on overcoming phishing could potentially save your company a lot of money.
A phishing simulation or test will allow you to test the phishing vulnerability of your workforce. Phishing simulation tools allow you to send realistic phishing emails to all your end-users, testing them individually on their phishing-recognition and reporting skills. This is key to knowing how vulnerable your organisation is to a real attack.