What is phishing?
From banking scams to industrial espionage, we look at why phishing is so lucrative
We've all grown accustomed to receiving the odd suspicious email - whether it's from someone claiming to be a recently-deceased relative's lawyer or what looks like an unexpected tax bill, scam emails have become just another part of life online.
These emails are examples of an attack method known as 'phishing', the goal of which is to trick people into doing something. Most commonly, hackers will try to get you to hand over your login credentials for an online service like a banking portal or your email account.
There are many tactics that can be used to do this; one ever-popular method is to send out an email purporting to be from a bank, alerting the user to a large (unexpected) withdrawal from their account and including a link to check their bank statement or activity. This link leads to a site that's made to look like the bank's login page, but is actually controlled by the attacker.
The idea is that, in their panic, users will click through to the login page and enter their details without realising that it's not really their bank - at which point the hacker will be able to use those details to ransack their bank accounts at will.
There are multiple ways to launch this kind of attack, but email has become the platform of choice. It's incredibly cheap to send messages to thousands of recipients, and at such a scale the scam would only need to fool a handful of victims to be lucrative.
Phishing attacks aren't always as simple as that, however. Hackers can often go after something as seemingly innocuous as the login details for a victim's social media or Netflix accounts on the basis that, because so many people use the same username and password for multiple services, these details may be able to give them access to more valuable accounts.
Hackers also frequently target corporate email accounts with phishing attacks, and not just those belonging to high-level executives or finance personnel. Gaining access to the email account of someone in the sales department, for example, could allow hackers to launch phishing campaigns against other areas of the business without arousing as much suspicion.
Aside from email-based campaigns, hackers can also use bogus webpages to fool victims, buying up similar domains to popular services (such as netflux.com or facebok.com) and mimicking the legitimate service's login page in order to harvest credentials.
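Defenders typically catch lookalike domains of the netflux.com / facebok.com kind by measuring how many single-character edits separate a newly seen domain from a list of brands they care about. The following is an added example, not code from the original article: it uses a plain Levenshtein edit distance against a small constructed brand list, and the crude "second-to-last label" rule for pulling the registrable name out of a hostname is a simplification (no public suffix list).

```python
"""Flag hostnames whose registrable label is within a few edits of a known brand.

Added example for illustration; the brand list and sample hostnames are constructed.
"""

# Constructed watch list of brand labels (the part left of the TLD).
BRANDS = ["netflix", "facebook", "paypal"]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,              # delete ca
                cur[j - 1] + 1,           # insert cb
                prev[j - 1] + (ca != cb), # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Return the label just left of the TLD, e.g. 'netflux' for 'login.netflux.com'.

    Simplification (assumption): ignores multi-part suffixes such as co.uk.
    """
    labels = hostname.lower().strip().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_score(hostname: str, brands=BRANDS, max_distance: int = 2):
    """Classify a hostname as 'exact', 'lookalike' or 'unrelated' to the nearest brand.

    Returns (verdict, nearest_brand, distance).
    """
    label = registrable_label(hostname)
    nearest, best = None, None
    for brand in brands:
        d = levenshtein(label, brand)
        if best is None or d < best:
            nearest, best = brand, d
    if best == 0:
        return ("exact", nearest, 0)
    if best <= max_distance:
        return ("lookalike", nearest, best)
    return ("unrelated", nearest, best)


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in DNS or proxy logs.
    for host in ["www.netflix.com", "netflux.com", "facebok.com",
                 "login.paypa1.com", "example.com"]:
        print(host, lookalike_score(host))
```

A low distance is a signal to triage, not proof of fraud: legitimate brands also register their own typo variants, so the usual next step is to check registration date and whether the site serves a cloned login page.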
History of phishing
While a theoretical phishing technique was first described in 1987, this type of attack only really started to gain popularity in the 1990s, with the advent of the consumer internet.
One of the earliest examples of phishing was known as AOHell and was a customer service ruse. This hacking tool targeted AOL users and allowed the attacker to masquerade as a customer service representative. The target user would be encouraged to hand over their password; if they did, the attacker would be able to use their account for nefarious purposes.
This element of using underhand tactics remains the defining feature of phishing, although the number of types and techniques has expanded significantly.
Here's what you need to know about some of the types of phishing attack you may come across and the motivations of the attackers.
Financially motivated phishing attacks have been used for a long time and take on many different guises.
Many of us will be familiar with the so-called Nigerian Prince scam emails, where the victim is contacted by a person alleging to be a representative of a Nigerian prince who, for whatever reason, wants to transfer some of his wealth out of the country and will give the victim a cut of the money if they let the scammer use their bank as a conduit. Other variations include the death of a long-lost relative or, more recently, a friend or family member who has been robbed while on holiday and needs an emergency loan.
Normally, this scam results in a loss of money not because bank details are handed over, but because the victim is asked to pay money out to the scammer first, who they never hear from again.
This is a very basic form of a financial phishing attack, but others are much more sophisticated. Scammers are sending out increasingly well-crafted emails that appear to be genuine messages from real banks.
This type of attack is aimed at getting a user to enter all their bank or credit card details into a website accessed through a link in the phishing email that looks like the genuine article but is in fact owned by the criminals. Once that is done, the phisher can use the details as if they were the legitimate cardholder or bank customer.
Account takeover is what the first phishing attacks were geared towards: gaining access to another person's online account, whether it's on social media, email, a forum or something else, and then taking control of it.
This is typically done via a malicious link sent in a legitimate-looking email, instant message or direct message. Once the user clicks on it, they will be taken to a realistic-looking website operated by the attackers and, much like the banking attacks mentioned above, asked to enter their username and password.
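Both the banking lure described earlier and the account-takeover link described here rely on the same trick: the text the user sees points one way, the link's real destination points another. One check a mail gateway or awareness tool can run is to parse the HTML body and flag any anchor whose visible text looks like a URL for one host while its href leads to a different host. This is an added example, not code from the original article; the email body is constructed and uses reserved .test domains rather than any real service.

```python
"""Find anchors in an HTML email whose visible URL text points to a different host than the href.

Added example; the sample message below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message: the visible link text names the bank,
# the href goes somewhere else. Second link is an ordinary text link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, a withdrawal of 1,250.00 was made from your account.</p>
<p>Check your statement here:
<a href="http://secure-login.example-bank-alerts.test/verify">https://www.example-bank.test/statement</a></p>
<p>Or <a href="https://www.example-bank.test/help">contact us</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like: str):
    """Lower-cased hostname of a URL, tolerating a missing scheme (e.g. 'www.x.test/path')."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def looks_like_url(text: str) -> bool:
    """True when the anchor's visible text itself reads as a URL or hostname."""
    if not text or " " in text:
        return False
    host = host_of(text)
    return bool(host) and "." in host


def find_mismatched_links(html: str):
    """Return [(shown_host, actual_host)] for anchors whose shown URL and href disagree."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue  # plain wording such as 'contact us' carries no host claim
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append((shown, actual))
    return findings


if __name__ == "__main__":
    for shown, actual in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"visible text claims {shown} but link goes to {actual}")
```

The check is deliberately narrow: it only fires when the visible text makes a claim about the destination. Anchors with ordinary wording still deserve the usual hover-and-inspect habit, since a convincing domain in the href is exactly what the lookalike-domain tactic above is for.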
The purpose of an account takeover could be to send spam from that email address or social media account; to find out further information about the person, including financial information or other sensitive data; or as a form of protest: rival ideologies at the fringes of politics have been known to take over and shut down the accounts of their opponents, for example.
A further category, espionage, covers both industrial espionage and state-level snooping. In both cases, the objective is to gain information on your rival with the aim of outmanoeuvring them or, in some cases, sabotaging them.
In this case, the email is normally crafted to look like it came from a supplier or perhaps a senior person within the company and has a sense of urgency. This, it's hoped, will make the recipient of the email more likely to respond with the information quickly, suppressing any doubts if they do arise.
This can be part of a much longer campaign that involves many other types of cyber attack, such as spyware and specially created malware designed to harm industrial machinery or national infrastructure.
Under the umbrella of "phishing", security researchers have identified a number of sub-groups that are even more targeted in their approach, with the two most common being spear phishing and whaling.
Spear phishing is a phishing campaign that targets a specific individual or company. This technique requires a bit more effort on the part of the cyber criminal, as they need to do more background research in order to create a personalised phishing email. Between 2013 and 2016, business email compromise (BEC) attacks carried out through spear phishing led to the theft of over $3 million, according to Symantec's 2017 Internet Security Threat Report.
Whaling is like spear phishing, but it's even more targeted, focusing on the likes of CEOs and CFOs within a business. These emails are crafted to look like an urgent item a senior person within a business must look at, such as a customer complaint or a court subpoena. The scams often then demand the transfer of a large sum of money.
The Symantec report said that "these scams can be damaging as they require little technical expertise but can reap huge financial rewards for the criminals and significant losses for the companies involved. For example, early in 2016, an Austrian aerospace company fired its CEO after it lost almost (USD) $50 million to BEC scammers".