How Did Phishing Start?
Phishing has been one of the fastest-evolving threats in hacking history. Different types of phishing attacks spread over the internet in a flash. Here is how it evolved.
1990: Algorithm-Based Phishing
America Online (AOL) flagged the concept of phishing in the early 1990s.
During that time, the first phishers created an algorithm to generate random credit card numbers in order to get an original card’s match from the AOL accounts.
Once matched, the phishers accessed this data to manipulate it.
By the time AOL caught up to the scam – after 1995 – phishers had already moved to newer technologies.
2000: Email Phishing
The next generation phishers were more advanced and tech-savvy.
They chose a mode of phishing that was less expensive and easy to create and track: email phishing.
Initially, the emails were poorly constructed – with a lot of grammatical errors – but in the year 2003, an idea changed the phishing world.
2003: Domain Spoofing
Phishers started purchasing domains which sounded similar to well-known domains like yahoo-info.com and manager-apple.com.
With those domains, they sent out sophisticated direct emails.
In the same year, PayPal got hit when users received a phishing email asking them to verify credentials, compromising their accounts.
2018: Phishing via HTTPS
Previously, phishing was done through two major means: email phishing and domain spoofing.
Over time, scammers devised new types of phishing for launching attacks. This article gives you the complete overview of various types of phishing attacks.
What Is Phishing?
Phishing is a cybercrime in which scammers send a malicious email to individual(s) or mass users of any organization by impersonating a known individual or a business partner or a service provider.
These emails are carefully crafted so that you open them without any suspicion.
These types of phishing attacks open the door for attackers to enter your system and access confidential data like bank account details, credit card numbers, social security numbers, passwords, etc.
Once the information is obtained, the phishers immediately send or sell it to people who misuse it.
Sometimes, phishing not only results in loss of information but also injects viruses into the victim’s computer or phone.
Once infected, phishers gain control over devices, through which they can send emails and messages to other people connected through the server.
5 Categories of Phishing
Based on the phishing channel, the types of phishing attacks can be classified into the following categories:
1. Vishing
Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called vishing → voice + phishing = vishing.
Considering the ease and enormity of data available in social networks, it is no surprise that phishers communicate confidently over a call in the name of friends, relatives or any related brand, without raising any suspicion.
2. SMiShing
SMS phishing or SMiShing is one of the easiest types of phishing attacks.
The user is targeted by using SMS alerts.
In SMiShing, users may receive a fake DM or fake order detail with a cancellation link.
The link would actually be a fake page designed to gather personal details.
3. Search Engine Phishing
Search engine phishing is the type of phishing that refers to the creation of a fake webpage for targeting specific keywords and waiting for the searcher to land on the fake webpage.
Once a searcher clicks on the page link, s/he will never recognize that s/he is hooked until it is too late.
4. Spear Phishing
Unlike traditional phishing – which involves sending emails to millions of unknown users – spear phishing is typically targeted in nature, and the emails are carefully designed to target a particular user.
These attacks have a greater risk because phishers do a complete social profile research about the user and their organization – through their social media profile and company website.
Out of the different types of phishing attacks, spear phishing is the most commonly used type of phishing attack – on individual users as well as organizations.
5. Whaling
Whaling is not very different from spear phishing, but the targeted group becomes more specific and confined in this type of phishing attack.
This technique targets C-suite posts like CEO, CFO, COO – or any other senior management positions – who are considered to be big players in the information chain of any organization, commonly known as “whales” in phishing terms.
Technology, banking, and healthcare are the most targeted sectors for phishing attacks. This is because of two main factors: a huge number of users and higher dependency on data.
Here are a couple of basic steps you should take to stop major types of phishing attacks:
- Create multiple levels of defense for your email network.
- Any phishing attack can succeed only if a targeted victim clicks on a link. Hence, creating awareness and educating the employees and other users about the types of phishing attacks in your network is the best way to prevent phishing attacks.
To know more about preventing different types of phishing attacks, read our in-depth article on How to Prevent a Phishing Attack?
Types of Phishing Attacks
According to the APWG report, the number of unique phishing websites had reached 73.80% from October 2017 to March 2018.
And, 48.60% of the reported phishing incidents had used “.COM” domains.
Isn’t it shocking?
We assume that the domains and websites that we interact with are safe, but hackers do trick us with different types of phishing attacks, by using impersonated domains and cloned websites.
Scammers use Social Engineering to know the online behavior and preferences of the potential victim.
This helps them to craft a sophisticated attack.
1. Email Spoofing – Name Impersonation
Email spoofing is one of the easiest types of phishing used to get data from users without their knowledge.
It can be done in different ways:
- Sending an email through a familiar username,
- Sending an email impersonating your superiors and asking for some important data, or worse,
- Impersonating the identity of an organization and asking employees to share internal data.
Here is an example.
The call to action in the email is to click the link and log in to view the document.
Just by seeing the company’s name and the urgency of action, some users may click on the link.
Compared to other types of phishing attacks, email spoofing has a focused target with a well-developed structure:
“Whom to target?
What should be the content?
And, which action has the higher probability of conversion?”
An email crafted with these details has higher chances of being opened and phished.
The best way to prevent these attacks is by carefully reading the sender’s email address. If you are not sure about the characters in an email address, then copy and paste it in the notepad to check the use of numeric or special characters.
2. Mass Target – Brand Impersonation
Mass phishing attacks are the emails sent to a group of people with some common interest based on their brand preferences, demographics, and choices.
In mass phishing attacks, the emails sent to potential victims are clones of transactional emails like receipts, payment reminders, or gift cards.
Here is a brand impersonation example targeting Citibank customers.
Phishers use brands as a weapon for mass attacks because the brands have a lot of credibility among targeted victims.
Check whether you are marked in the “To” section or “cc” section of the received mail. Avoid replying to an email marked to you with an unknown set of people.
3. URL Phishing
In URL phishing attacks, scammers use the phishing page’s URL to infect the target.
This has a higher opening rate because:
- People are “social” enough to click on links sent by strangers,
- They are ready to accept friend requests and messages – DM links or email notifications, and
- They are even ready to share their email and contact details.
One way to hook a person with a phishing bait is by using a hidden link. We have all received emails with the action phrase “CLICK HERE” or “DOWNLOAD NOW” or “SUBSCRIBE.”
These are examples of hidden links, which makes it easier for scammers to launch phishing attacks.
In the example mentioned above, the phisher had sent an email in the name of “Wells Fargo” and asked customers to check for the service offers by clicking on the hidden call-to-action link: “Click here” – which led directly to the attacker’s page.
Another way to hide phishing links is by using link-shortening tools like TinyURL to shorten the URL and make it look authentic.
Instead of tiny URLs, phishers also use misspelled URLs.
Hackers buy domains that sound similar to popular websites.
Then, they phish users by creating an identical website, where they ask targets to log in by submitting personal information.
Homograph attacks involve the usage of similar-looking words – characters or combinations – that can be easily misread.
Here’s an example.
In the example, you might think that the offer looks genuine, but when you click on the link, instead of ‘amazon.com,’ you will be redirected to ‘arnazon.com’ – which belongs to the attacker.
Once you land on the attacker’s site, the fake page will prompt you to enter login credentials or financial data like credit card information or other personally identifiable information.
How to prevent URL phishing?
Hover the cursor over the attached link. The full link will appear on the laptop screen. If the link is different or seems phishy, don’t click on it! In case of mobile devices, press and hold over the link, and the attached link will appear as a pop-up window with actionable options.
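The hover check described above can also be automated for an HTML email body. The following is an added example, not code from the original article: it lists where each link really goes and flags hidden destinations, text that names a different host than the link, and shortened URLs. The shortener list and all `.example` hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short illustrative set of link-shortener hosts, not a complete list.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
# Text that itself looks like a hostname, e.g. "www.bank.example".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def bare_host(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html_body):
    """Return one dict per link: what the reader sees, where it goes, why it is suspect."""
    collector = LinkCollector()
    collector.feed(html_body)
    report = []
    for text, href in collector.links:
        target = bare_host(urlparse(href).hostname or "")
        flags = []
        shown = HOST_IN_TEXT.search(text)
        if shown is None:
            flags.append("destination-hidden")   # e.g. "Click here"
        elif bare_host(shown.group(1)) != target:
            flags.append("text-host-mismatch")   # text names one site, href another
        if target in SHORTENERS:
            flags.append("shortened-url")        # real destination is one more hop away
        report.append({"text": text, "target": target, "flags": flags})
    return report


# Constructed sample e-mail body (hosts under .example are placeholders).
SAMPLE = """
<p>New offers: <a href="http://offers.attacker.example/login">Click here</a></p>
<p>Sign in at <a href="http://login.attacker.example/">www.bank.example</a></p>
<p><a href="https://tinyurl.com/abc123">DOWNLOAD NOW</a></p>
<p>Help: <a href="https://www.bank.example/help">www.bank.example</a></p>
"""

if __name__ == "__main__":
    for row in audit_links(SAMPLE):
        print(row["target"], row["flags"], "<-", repr(row["text"]))
```

A "destination-hidden" flag is informational, since most legitimate mail also uses call-to-action text; the value is in printing the real target next to it.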
4. Subdomain Attack
These types of phishing scams are aimed at non-technical people.
Scammers exploit the lack of understanding about the difference between a domain and a subdomain to launch phishing attacks.
What is a subdomain attack?
Assume that you receive an email from your organization www.organizationname.com or from a colleague’s email id email@example.com.
The email instructs you to click on the given link www.organizationname.support.com and log in for accessing data in order to produce an urgent report.
What will you do?
You will click on the link and end up compromising your credentials!
Here is an example.
You can see the sender’s domain is “linkedin.example.com” – which means that the subdomain is linkedin under the example domain.
Why is a subdomain attack so difficult to spot?
This is because anyone can use any well-known domain as a subdomain.
Most people may not be aware of the difference between a domain and a subdomain.
How to prevent a subdomain phishing attack?
Before clicking on any attached link from an unknown sender, read the domain name carefully. And remember, it is always read from right to left.
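Reading a name from right to left, and catching misread spellings such as ‘arnazon.com’ from the URL phishing section, can be expressed as a small check. This is an added example, not code from the original article; the brand table, the short suffix set standing in for the Public Suffix List, and the confusable pairs are assumptions chosen to cover the names used on this page.

```python
from urllib.parse import urlparse

# Assumption: brands to watch for, mapped to their genuine registrable domain.
BRANDS = {"amazon": "amazon.com", "linkedin": "linkedin.com"}
# Assumption: tiny stand-in for the Public Suffix List; production code needs the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}
# Character sequences that are easily misread as another letter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host):
    """Read the name from the right: public suffix plus one label is who owns the host."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def fold(label):
    """Collapse look-alike sequences so 'arnazon' and 'amazon' compare equal."""
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def check_url(url):
    """Return (registrable domain, findings) for a URL or a bare host name."""
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    owner = registrable_domain(host)
    if owner in BRANDS.values():
        return owner, []                      # genuinely the brand's own domain
    owner_label = owner.split(".")[0]
    sub_labels = host[: -len(owner)].rstrip(".").split(".") if host != owner else []
    findings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")     # internationalised name, inspect decoded form
    for brand in BRANDS:
        if brand in sub_labels:
            findings.append("brand-in-subdomain:" + brand)
        if fold(owner_label) == fold(brand):
            # Also fires for the exact brand label under another suffix.
            findings.append("lookalike:" + brand)
    return owner, findings


if __name__ == "__main__":
    # Host names taken from the article's own examples.
    for candidate in ("www.organizationname.support.com",
                      "http://linkedin.example.com/login",
                      "https://arnazon.com/deal",
                      "https://www.amazon.com/"):
        print(candidate, "->", check_url(candidate))
```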
5. Pop-Up Messages: In-Session Phishing
Pop-up messages are the easiest way to run a successful phishing campaign.
Through pop-up messages, attackers get a window to steal the login credentials by redirecting them to a fake website.
This technique of phishing is also known as “In-session phishing.”
Look at the pop-up window given below.
In this example, doesn’t the foreground pop-up seem legitimate enough to mislead customers?
How to prevent in-session phishing?
The only prevention we have at present is the pop-up blockers available in the browser extension and settings on different app stores. If your data is very crucial, you should opt for security software that blocks all these threats in one shot to prevent any kind of data security breach.
6. Search Engine Attack
Phishers run a paid campaign optimized for certain keywords to launch a phishing scam.
This is a well-crafted attack that looks completely legitimate.
Phishers create fake websites with “Exclusive offers” as bait – which look too good to be true!
When users stumble upon these fake sites, they are fooled into sharing their information to claim the offer.
In the example below, the ad says “Full Version & 100% Free!”
A similar example is given below, where the search results for “blockchain” show a fake web page as the top search result – paid for by the scammers to make it appear as the first result.
This example doesn’t state any offer, but it targets the trust of a user by claiming itself to be the “official site.”
The best way to avoid a search engine attack is to avoid the ads displayed in the paid results section – look for the “ad” tag displayed next to the website link, which is usually found on the top-most results. Also, if you know the URL, then try to type it whenever possible.
7. Website Spoofing
Website spoofing is similar to email spoofing, though it requires the attacker to put in a lot more effort.
How is website spoofing done?
Phishers publish a website by copying the design, content, and user interface of a legitimate website.
Some scammers also use URL shortening tools to create a similar URL for the fake site.
Here is an example of a website spoofing attack that mimics the Bank of America website:
It is always a best practice to type the entire link by yourself, instead of copying and pasting the link from somewhere else.
Third party tools like SysCloud’s Phishing Protection provide the best possible security from all kinds of spoofing attacks. As a part of their service, all the suspicious websites are not only blocked but also reported to the user.
8. Scripting
Scripting or cross-site scripting (XSS) uses malicious scripts deployed on the victim’s computer or phone using emails as the medium.
Hackers infect the script of a legitimate website – which you visit regularly, identified through social engineering – with a script that will redirect you to a phishing page.
When the browser loads the phishing page, it will execute the malicious script, and the attack would take place without the victim’s knowledge.
Here is how a normal script works when you search for ‘colors’ on Google.
It means the value of the search parameter ‘q’ is inserted into the page returned by the Google search engine.
Let’s say, a scammer creates a script that changes the behavior of this URL when it is loaded in the browser.
The browser will execute the Google search result page.
The fragment displaying the search results for ‘colors’ with the script will change as below:
Loading this page will cause the browser to execute XSSphish_script().
How to prevent cross-site scripting attack?
- Use browsers with in-built XSS protection feature
- Check for the latest version of browsers and security applications
- Use a browser add-on like “NoScript,” which lets you choose whether to allow or deny the scripting permissions
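The list above covers the visitor's side; on the site owner's side, the fix for a reflected parameter like ‘q’ is to HTML-encode it before inserting it into the page. The following added example (not code from the original article) renders the same search page with and without encoding and counts the script elements a browser would see. The page template, the `search.example` host and the function names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hypothetical results-page template; {term} is where the search value is inserted.
PAGE = "<html><body><h1>Results for {term}</h1></body></html>"

# Constructed URLs: a normal search and one whose 'q' value carries a script element.
NORMAL = "https://search.example/search?q=colors"
TAMPERED = "https://search.example/search?q=%3Cscript%3EXSSphish_script()%3C%2Fscript%3E"


def search_term(url):
    """Return the decoded value of the 'q' parameter (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(url):
    # Deliberately unsafe: the parameter is pasted into the markup as-is.
    return PAGE.format(term=search_term(url))


def render_hardened(url):
    # HTML-encode the value so the browser treats it as text, never as markup.
    return PAGE.format(term=html.escape(search_term(url), quote=True))


class ScriptCounter(HTMLParser):
    """Count <script> start tags, i.e. elements the browser would execute."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def script_tags(page):
    counter = ScriptCounter()
    counter.feed(page)
    return counter.count


if __name__ == "__main__":
    print("vulnerable:", script_tags(render_vulnerable(TAMPERED)), "script element(s)")
    print("hardened:  ", script_tags(render_hardened(TAMPERED)), "script element(s)")
    print(render_hardened(TAMPERED))
```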
9. Man-in-the-Middle Attack
In a Man-in-the-Middle (MITM, MitM, MiM, or MIM) attack, a malicious actor intercepts online interaction between two parties.
Hackers impersonate each party to the other to access confidential information like transactions, conversations, or other data.
Major targets of MiTM:
- Financial website: between login and authentication
- Public or private key-protected conversations/connections
MITM attacks use two major spoofing execution techniques: ARP spoofing and DNS spoofing.
- ARP spoofing: ARP spoofing is an attack in which a malicious actor sends a fake ARP (Address Resolution Protocol) message over a local area network. This links the attacker’s MAC (Media Access Control) address to the IP address of a legitimate computer or server on the network.
- DNS spoofing: Domain Name System (DNS) spoofing or DNS Cache Poisoning is a form of hacking that corrupts the DNS data in the resolver cache, causing the name server to return incorrect result records.
A possible MITM attack scenario is given below:
The only way to prevent the Man-in-the-Middle attack is by encrypting your online data. Using S/MIME encryption can help you to secure the data from misuse by cybercrooks, or you can use third-party tools to encrypt your data.
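Because ARP spoofing binds the attacker's MAC address to a legitimate IP address, it leaves a visible trace in a host's neighbour table. The following added example (not code from the original article) parses Linux `ip neigh` output and reports a MAC that answers for several IPs, or an IP whose MAC differs from a pinned value. The sample table, the addresses and the pinned gateway entry are constructed.

```python
import re
from collections import defaultdict

# One neighbour entry as printed by `ip neigh` on Linux; entries without a MAC are skipped.
NEIGH = re.compile(r"^(\S+) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)


def parse_neighbors(table):
    """Return [(ip, mac)] for every resolved entry in the table text."""
    entries = []
    for line in table.splitlines():
        match = NEIGH.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).lower()))
    return entries


def find_arp_anomalies(table, pinned=None):
    """Flag IPs whose MAC differs from a pinned value, and MACs claiming several IPs."""
    pinned = pinned or {}
    by_mac = defaultdict(list)
    alerts = []
    for ip, mac in parse_neighbors(table):
        by_mac[mac].append(ip)
        expected = pinned.get(ip)
        if expected and expected.lower() != mac:
            alerts.append(("pinned-mismatch", ip, mac))
    for mac, ips in by_mac.items():
        # A shared MAC can be legitimate (multi-homed hosts, proxy ARP), so
        # treat it as a lead to investigate rather than proof of spoofing.
        if len(ips) > 1:
            alerts.append(("shared-mac", tuple(sorted(ips)), mac))
    return alerts


# Constructed neighbour table: the gateway 192.0.2.1 now resolves to the same
# MAC as host 192.0.2.66, which is what a spoofed ARP reply produces.
SAMPLE_TABLE = """
192.0.2.1 dev eth0 lladdr de:ad:be:ef:00:66 REACHABLE
192.0.2.23 dev eth0 lladdr 3c:52:82:11:22:33 STALE
192.0.2.66 dev eth0 lladdr de:ad:be:ef:00:66 REACHABLE
192.0.2.40 dev eth0 FAILED
"""

# Assumption: the gateway's genuine MAC, recorded while the network was known-good.
PINNED = {"192.0.2.1": "00:11:22:AA:BB:CC"}

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_TABLE, PINNED):
        print(alert)
```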
10. Clone Phishing
In a clone phishing attack, a previously-sent email containing any link or attachment is used as a true copy to create an almost identical or cloned email.
Scammers replace the link or attachment in the email with a malicious link or attachment.
The cloned email is forwarded to the contacts from the victim’s inbox.
The recipients of the cloned email will assume it to be a legitimate email and click on the malicious link.
A clone phishing attack is harmful for one major reason: The victim will never suspect the email.
How to prevent clone phishing?
- Check the sender’s email.
- Hover over any link in the email to see the landing page before clicking on it.
- Follow up with the email and the organization it appears to be coming from.
- Report emails to anti-phishing organizations.
11. Image Phishing
If you are receiving emails containing images according to your interest, then BEWARE!
It could be a phishing attack.
Attackers use images and other media formats to deliver batch files and viruses.
There are two ways of embedding a phishing image in an email:
- Linking an image directly to the URL and sending it to the victim as a mass email attack.
- Using an encoded image (.jpeg) or other media files like song (.mp3), video (.mp4), or GIF files (.gif). In this type of attack, the hacker embeds a batch file (.bat) or virus into an image and sends it as an attachment to a victim.
When the victim downloads the image, s/he downloads the batch file – or virus, thereby infecting the computer or phone.
Kaspersky Lab published a report on a PNG (Portable Network Graphics) phishing, as shown in the image below.
The attack prompted the user to download a malicious Java ARchive (JAR) that also downloaded a virus.
How to prevent image phishing?
- Do not download images from unknown sources.
- Do not open the images in an incognito window.
- Use an antivirus or anti-malware in your email service.
- Use a backup solution to avoid losing data.
12. Voice Phishing Attack
In a voice phishing or vishing attack, the message is orally communicated to the potential victim.
Though it doesn’t use technology, this is one of the trickiest types of phishing – you have nothing to confirm or verify what is said over the phone!
The BBC reported a scam in which Emma Watson – a businesswoman – was duped in the name of a (fraud) bank alert.
Emma Watson got a call from her bank stating that some unusual transaction activities were identified on her account.
To safeguard her money, she was requested to transfer all the amount into a newly-created account.
She mentioned, “They were very professional, and because they knew my name and were addressing me with my name, I didn’t suspect them.”
“They called me on the landline number given to the bank for communication purpose. Also, they used all the banking language,” she added.
Emma had transferred £100,000 into the account communicated to her – out of which, only a fraction was traced and returned to her.
The security and prevention from these attacks rely completely on the victim. If s/he is aware of such attacks – and knows whether to act on such calls or not – s/he will be able to prevent it.
13. CEO Fraud
CEO fraud – a business email compromise – is a part of a whaling attack in which cybercrooks fool the employees into executing unauthorized wire transfers, or disclosing confidential information.
On April 4, 2016, the FBI issued a warning against these CEO frauds stating that “There is a 270 percent increase in the identified victims and exposed loss.”
The total loss was around $2.3 billion and the average loss was around $50,000 which itself is a boatload of money.
According to the report of the security advisory, more than 70 percent of the scammers pretend to be the CEO – while the remaining comprised CFO and COO signatures – and more than 35 percent of these phishing emails are targeted at financial executives.
CEO fraud or BEC attacks impose a higher risk as well as damage the organization at a higher level.
A few of these damages are listed below:
- Money loss as fraud wire transfer
- Reputation loss for the CEO/CFO and the organization
- Termination of the CEO/CFO
- Lawsuits against CEO/CFO and victim executives
- Loss of customer trust
The only way to avoid such scams is to check the sender details – confirming the identity through human efforts – or by enabling a third-party solution for anti-phishing protection in your organization.
14. Malware Injection
Injecting malware into a system or network through emails is a common form of phishing.
The usual objectives of a malware attack are:
- Hijacking a user’s computer or an online session,
- Stealing a user’s confidential data,
- Conducting fraudulent activities, and
- Launching a DDoS attack.
Trojan is a kind of malware that creates digital backdoors for attackers to hack into your computer without your knowledge.
They are capable of stealing your personal information – like SSN and/or your private files – business details, or making your computer stop working permanently.
Attackers can use the hacked device as a proxy to conceal their identity or send out spam for a mass phishing attack.
“Zeus” was a trojan that helped attackers to steal about $3 million from dozens of US corporate accounts!
A virus is a malicious set of code used to breach into a device to fetch confidential data.
Mostly, viruses are attached with .exe files to infect your computer or laptop.
The moment you open a malicious .exe file, your machine will get corrupted.
Similar to viruses, worms affect the computer by replicating themselves.
Worms are one of the most dangerous types of phishing, as they don’t need any human intervention to make their copies!
They use the system’s vulnerabilities to transmit from one device to another, which makes them more dangerous than a typical virus attack.
Ransomware encrypts your computer files to lock them and keep them as hostage until you pay a fee for its decryption code.
WannaCry was a crypto-worm ransomware which affected more than 200,000 computers across 150 countries by encrypting and locking the data at the user’s end.
The estimated loss by this attack was $4 billion USD.
Spyware is a kind of malware that monitors the actions of the victim over a time period.
The objective of this malware is to create a long-term profit for the hackers.
Types of spyware used for various types of phishing:
- System spy: Hijack any of the Web searches, homepages, and other Internet Explorer settings. (E.g.) CoolWebSearch (CWS)
- Adware: Display advertisements based on your Web surfing history. (E.g.) Gator (GAIN)
- Keyloggers: Monitor keystrokes – passwords and details – and take screenshots. (E.g.) Advanced Keylogger
Using an updated anti-malware and antivirus is the best available option. Also, an up-to-date browser works as an extra security layer from these types of phishing attacks.
As all of us know: the best way to learn is by doing it.
Therefore, to understand more about phishing methods, run some phishing test campaigns on your teams, friends, colleagues, and family members.
Now that you know the types of phishing, check out how to prevent them.
To know about the latest phishing scams and the safety precautions, stay in touch with us.