How Does Phishing Happen?
Phishing happens when an unsuspecting victim responds to a fraudulent email that demands action. The action demanded can be as simple as opening an attachment, enabling macros in a Word document, updating a password, responding to a LinkedIn or other social media request, or connecting to a new wi-fi hotspot.
Every year, cybercriminals become savvier with their phishing attacks and have tried-and-tested methods to continue to deceive and steal from innocent victims. Because phishing comes in so many forms, it can be hard to distinguish a phishing attempt from a valid email, voice mail, text message, or request for information.
This is why phishing simulations are an ideal way to measure phishing awareness. Most people don’t realize how many kinds of phishing emails exist until they use a phishing simulation trial that tests their phishing and cyber security awareness.
What is Phishing?
Phishing is a cybercrime that relies on deception to steal private and confidential information from individuals and companies.
Phishing victims are tricked into giving up information that they know should be kept confidential. However, because victims trust the source of the request for information and believe they’re acting in their own best interest, phishing victims respond without thinking twice.
Cybercriminals typically ask for information such as date of birth, social security numbers, phone numbers, confirmation of credit card details, home address, and password resets.
This information is then used by cybercriminals to impersonate the victim – applying for credit cards, applying for loans, opening bank accounts, and other fraudulent acts. Some cybercriminals use the information collected from a phishing attack to start a more targeted cyber attack such as a spear phishing or BEC attack that relies on knowing details about the victim.
For example, many of the BEC attacks exposed by Operation reWired began with a simple phishing email that gave the cybercriminal access to the victim and allowed them to use this information to steal funds and commit large-scale cyber attacks.
Different Types of Phishing Email Attacks
As internet technology has advanced, so have the different types of phishing attacks:
This is the most common type of phishing attack. Cybercriminals know that most people pay little attention to critical email details including the sender email address, URL, or attachments. Phishing emails are designed to appear to come from a legitimate source, for example customer service for Amazon, a bank, PayPal or other recognized company.
This targeted phishing email attack relies on data that the cybercriminal has previously collected about the victim or the victim’s employer. Typically spear phishing emails use urgent and familiar language to encourage the victim to act.
Relying on carefully worded phishing emails, this attack includes a link to a familiar website such as LinkedIn or another popular website. This link takes victims to a spoofed website designed to look like the real website. This fake website asks phishing victims to confirm or update their account details.
Cybercriminals send phishing emails that include links to fake websites that look just like legitimate websites. For example, a phishing email could include a link to a mobile email account login page, asking the victim to load a newly designed email interface. This fake website uses a URL that is similar to the valid website, mail.update.yahoo.com instead of mail.yahoo.com.
This example of a phishing email attack uses an email address that is familiar to the victim, for example the company CEO, human resources, or IT support. The email asks the victim to act – transfer funds, update employee details, or install a new app on their computer.
Savvy cybercriminals hack a familiar website and include a fake login page or pop-up that directs website visitors to a fake website.
With this advanced phishing attack, criminals gain access to a company web server and steal the confidential information stored on the server.
All it takes to install malicious software on a computer or company network is clicking an email attachment. These attachments look valid or may even be disguised as a funny cat video or GIF.
Evil Twin Wi-Fi
Free wi-fi access points are spoofed and victims unknowingly log into the wrong wi-fi hotspot. Typical spoofed wi-fi access points include those available in coffee shops, airports, hospitals, shopping malls, public parks – really anywhere people are looking for wi-fi access.
Mobile Phishing (Smishing)
A fraudulent SMS, social media message, voice mail, or other in-app message asks the recipient to update their account details, change their password, or tells them their account has been violated. The message includes a link that is used to steal the victim’s personal information or installs malware on the mobile device.
Voice Phishing (Vishing)
A caller leaves a strongly worded voicemail that urges the recipient to respond immediately and to call another phone number. These voicemails are urgent and convince the victim, for example, that their bank account will be suspended if they don’t respond.
This sophisticated phishing email attack tricks two people into believing that they’re emailing each other. However, the phisher is actually sending fake emails to each person asking them to share information or to update confidential corporate information.
This malware technique uses online advertisements or pop-ups to compel people to click a valid-looking link that then installs malware on their computer.
Social engineering is the one common thread linking each of these different types of phishing attacks. Both social engineering and phishing rely on the human tendency to trust people and companies.
People are busy and don’t take the time to carefully review phishing email details, automatically trusting the request. Email phishing victims believe they are helping their company by transferring funds, updating login details, or providing access to proprietary company products.
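The link-manipulation and fake-website tricks described above come down to one check: does the host a link really points to match the host the brand actually uses? The following Python checker is an added example, not code from this article or from Terranova Security; the allowlist of expected login hosts is a constructed, assumed value. Note that mail.update.yahoo.com sits under the real yahoo.com domain, so only a comparison against the exact expected host flags it, while brand names embedded in unrelated domains and user@host tricks are caught separately.

```python
from urllib.parse import urlparse

# Assumed allowlist of the exact login hosts each brand uses (constructed
# values for this example; a real deployment would maintain its own list).
EXPECTED_HOSTS = {
    "yahoo": {"mail.yahoo.com", "login.yahoo.com"},
    "paypal": {"www.paypal.com"},
}

def host_of(url: str) -> str:
    """Return the lower-cased hostname a URL really points to ('' if none)."""
    if "://" not in url:
        url = "http://" + url                # bare hosts such as mail.yahoo.com
    try:
        host = urlparse(url).hostname or ""  # ignores user@ prefixes and ports
    except ValueError:                       # malformed IPv6 literal etc.
        return ""
    return host.rstrip(".")

def classify_link(href: str, brand: str) -> str:
    """Classify a link relative to the brand's known login hosts."""
    host = host_of(href)
    good = EXPECTED_HOSTS[brand]
    if host in good:
        return "expected"
    # Same registrable domain but not an expected host, e.g. mail.update.yahoo.com
    # (assumes each expected host is one label under the registrable domain).
    domains = {g.split(".", 1)[1] for g in good}
    if any(host == d or host.endswith("." + d) for d in domains):
        return "unexpected-host"
    # Brand name embedded in an unrelated domain, e.g. yahoo.com.verify.example
    if brand in host:
        return "lookalike"
    return "unrelated"

def text_href_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names a host other than the href's."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return False                         # plain words like "Click here"
    shown = host_of(text)
    return bool(shown) and shown != host_of(href)

if __name__ == "__main__":
    # Constructed sample links in the style of the attacks described above.
    for href in ("https://mail.yahoo.com/", "https://mail.update.yahoo.com/",
                 "https://yahoo.com.account-verify.example/",
                 "https://mail.yahoo.com@evil.example/"):
        print(f"{classify_link(href, 'yahoo'):16} {href}")
```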
What Are Examples of Phishing Emails?
Make sure your colleagues are aware of these common examples of phishing emails:
An email from PayPal arrives telling the victim that their account has been compromised and will be deactivated unless they confirm their credit card details. The link in the phishing email takes the victim to a fake PayPal website, and the stolen credit card information is used to commit further crimes.
Compromised Credit Card
The cybercriminal knows the victim made a recent purchase at Apple for example, and sends an email disguised to look like it is from Apple customer support. The email tells the victim that their credit card information might have been compromised and to confirm their credit card details to protect their account.
An urgent email arrives from the company CEO who is currently traveling. The email asks the recipient to help out the CEO by transferring funds to a foreign partner. This phishing email tells the victim that the fund request is urgent and necessary to secure the new partnership. The victim doesn’t hesitate to transfer the funds, believing she is helping both the company and the CEO.
Social Media Request
A Facebook friend request arrives from someone who has the same Facebook friends as you. You don’t immediately recognize the person but assume the request is legitimate because of the common friends. This new friend then sends you a Facebook message with a link to a video which when clicked installs malware on your computer and potentially the company network.
Fake Google Docs Login
A cybercriminal creates a fake Google Docs login page and then sends a phishing email hoping to trick someone into logging into the faked website. The email might read “We’ve updated our login credential policy, please confirm your account by logging into Google Docs.” The sender’s email is a faked Google email address, for example firstname.lastname@example.org.
Company Tech Support Request
Employees receive an email from corporate IT asking them to install new instant messaging software. The email looks real; however, a spoofed sender address is used, email@example.com instead of firstname.lastname@example.org. When employees install the software, ransomware is installed on the company network.
Each of these phishing attack examples highlights how easy it is to be tricked by an email. The more familiar people are with how phishing happens, the easier it is to foster a cyber security aware culture.
Take advantage of Terranova Security’s free Phishing Simulation Trial to raise awareness of how phishing email attacks happen.
How To Protect Against Phishing Emails
To protect against phishing emails, you need to raise awareness of how phishing happens. When people experience first-hand how easy it is to be tricked by what looks like a valid email, they are more likely to carefully review email details before automatically clicking Reply, an embedded link, or downloading an attachment.
To protect against phishing emails, remember these five keys to building a cyber secure aware culture:
- Educate: use security awareness training and phishing microlearnings to educate, train, and change behavior.
- Monitor: use phishing simulation tools to monitor employee knowledge and to identify who is at risk for a cyber attack.
- Communicate: provide ongoing communications and campaigns about phishing emails, social engineering, and cyber security.
- Incorporate: make cyber security awareness campaigns, training, support, education, and project management part of your corporate culture.
You want to be protected from phishing email attacks. You want your colleagues to be protected from phishing email attacks. And you want your company to be protected from phishing email attacks.
The best way to do this is to create a culture of cyber security awareness. The first step is finding out who is at risk for a phishing attack. Take advantage of our free Phishing Simulation Tool so you can move forward with creating a cyber security aware culture.
Webcast – 5 Stages of Being Phished
When users fall for a phishing scam, there is a chance they go through one or more emotional stages. Register for this free webcast and learn how to use security awareness training to help users become cyber aware.