
About This Club

Phishing consists of fraudulent emails or other communications designed to attract a victim

  1. What's new in this club
  2. Almost all of the IT pros we talk to at KnowBe4 agree that end-users are their number one headache when it comes to cybersecurity and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to gain access, either tailgating through the side door or phishing employees via email and other attack methods. It is now a must to protect against phishing threats by educating end users. The IT teams that get the approval from management to do this get great results.

     Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by departments like Legal or HR who claim "we should not trick our employees". IT in those situations often runs into office politics that prevent the phishing project from getting started.

     However, today you have to consider a new approach to securing your IT assets. You can’t afford to simply respond to attacks that WILL happen if nothing is done. Instead, you should take a proactive approach that effectively prevents your organization from being a target for cybercriminals. Here is some ammo to get approval, and more important, air cover from the top of your organization:

     1. First of all, let's talk about the "tricking our employees" issue. If we don't do it, you can bet the bad guys will. Prevention is key. We do not want to wind up like Yahoo, Target, JP Morgan or Home Depot to name just a few and see our organization on the front page with an extremely expensive data breach or worse.
     2. The next big issue is that most small and medium business owners think that they are not a target for cybercrime, but this couldn’t be further from the truth. Cybercriminals choose small and medium sized businesses (SMBs) more often than larger organizations as their prime attack targets. The reason is that many SMBs lack the expertise, budget and time to really defend their network like the bigger companies do. You are the low-hanging fruit and attacks can easily be automated. New strains of ransomware have a strong potential to cause users to sit on their hands for days because all their files are encrypted and backups failed. Can you really afford that?
     3. Wall Street Journal reported that the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the board room. These days getting air cover from the Board is much easier.
     4. Employees are not stupid, they are just trained in another field than IT. Once it has been communicated by the CEO that this is a company-wide ongoing training initiative which includes regular phishing tests and needs everyone's cooperation to be cyberaware, after stepping through the training almost always the employees say: "Wow, I did not know it was that bad on the web."
     5. If you frame this as part and parcel of safe Internet usage, there is mostly very positive feedback from end-users.

     So, here are the steps we recommend:

     1. Use the above five points to get the OK to do a free phishing security test and get a baseline of how high the employee phish-prone percentage is. Usually an unpleasant surprise but great to get budget.
     2. Find out how affordable this is for your organization. This is normally the pleasant surprise and essentially a no-brainer.
     3. Start the campaign with support from your CEO or another C-level executive and provide a deadline and incentives for the initial security awareness training.
     4. Schedule frequent simulated phishing tests, about once a month, and make it a game where you compare the percentages of different employee groups (this is supported by the KnowBe4 Admin console).
     5. Report regularly to both employees and executives about the positive results and show everyone graphs of the progress you’re making as an organization.
  3. Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will continue, though: They are successful enough for cybercriminals to make massive profits. Phishing scams have been around practically since the inception of the Internet, and they will not go away any time soon. Fortunately, there are ways to avoid becoming a victim yourself. Here are 10 basic guidelines in keeping yourself safe:

     1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.
     2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. Most phishing emails will start with “Dear Customer” so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
     3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.
     4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals.
     5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
     6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
     7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
     8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
     9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.
     10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system.

     You don’t have to live in fear of phishing scams. By keeping the preceding tips in mind, you should be able to enjoy a worry-free online experience.
  4. If a random person with an official-looking business card approached you and asked for your Social Security card, driver’s license and other sensitive information, you probably wouldn’t give it to them. For one reason or another, however, people are more easily duped when it comes to online interactions. It’s far easier to trick users, which is why phishing attacks are so rampant. Phishing refers to the act of obtaining victims’ sensitive information by posing as trusted companies and organizations. It is usually carried out through spoofed emails and spoofed websites that urgently ask for various types of information. There are many potential consequences, and identity theft is among the very worst of them.

     Personal Data Gets Compromised

     Phishers with identity theft on their minds can do a whole lot of damage with seemingly small amounts of information. When you fill out a credit card application, for example, you typically need a handful of things: your Social Security number, your current address and your occupation, to name a few. Those types of things are easy to obtain once a cybercriminal has gained access to one of your online accounts. Before you know it, a bunch of credit cards with your name on them could be sent out into the wrong hands.

     Cleaning Up ID Theft Isn’t Easy

     It is vastly preferable to avoid becoming a victim of identity theft than to try to clean up the mess later. You will have to jump through a whole lot of hoops in order to prove to banks and creditors that your identity has been stolen. In the meantime, your credit rating will be shot and you won’t be able to take out new loans or mortgages. You might even have trouble finding employment.

     Avoid Identity Theft by Being Aware of the Signs of Phishing

     If identity theft is often caused by phishing, it stands to reason that you should do your best to avoid falling prey to the many phishing attacks that take place every year. Educate yourself about the common signs of phishing. Learn how to identify spoofed emails and spoofed websites. Exercise extreme caution whenever you do any sort of business online. Guard your personal information as carefully as you can. Undoing the damage that can occur due to phishing and identity theft isn’t easy, and avoiding phishing in the first place is the best way to go.
  5. Phishing is a serious problem that is achieved in a number of different ways. Email spoofing and website spoofing are two of the primary methods by which phishers acquire sensitive information from unsuspecting Internet users. While email spoofing and website spoofing are sometimes used separately, they are often used in concert with each other. For example, a spoofed email is used to lead a victim to a spoofed website; the spoofed website requests sensitive financial information or login information from the victim. In this way, a successful phishing attempt may be undertaken.

     What is Email Spoofing?

     Most people know that it’s unwise to download files or click on links that appear in emails from unknown senders. What happens if the sender appears to be legitimate but really isn’t, though? This is precisely what happens in an email spoofing or phishing attack. The hacker sends emails that appear to originate from trustworthy sources. In some cases, they appear to be sent from legitimate companies; in others, they may even appear to come from friends, family members and coworkers. This is exactly how crimes like CEO fraud are started; criminals bank on targeted employees not questioning whether to comply with what the 'CEO' is asking for. In any case, they lend the recipient a false sense of security that makes them more likely to open files and click on links. For IT professionals, it's a good idea to run a free KnowBe4 Domain Spoof Test to see if it's possible for hackers to spoof your domain.

     Email Spoofing Methods

     There are many different ways to mask the true origins of an email. The clever use of subdomains can make emails look like they are arriving from trusted sources. For instance, the name of a company may be added to the term “customer service” to create a seemingly trustworthy domain. Emails that are sent from that domain are more likely to be perceived as trustworthy. In other cases, phishers simply transpose a couple of strategic letters to make email addresses look more legitimate. They don’t just stick with the “from” field, either; they typically switch around the return path and the “reply to” fields to appear as realistic as possible.

     What is Website Spoofing?

     Like email spoofing, website spoofing is used to make people believe that they are interacting with a trusted, legitimate company or person. Especially sophisticated methods of website spoofing can result in forged sites that appear nearly identical to their legitimate counterparts. If you are in a hurry, it is especially easy to fall prey to these sites. At a glance, they often appear to be real. Whenever you access a site through a link, it is important to be especially skeptical about it. Look closely at the URL. Keep in mind, however, that there are ways to cloak URLs.

     Website Spoofing Methods

     A wide range of phishing techniques are used to create spoofed websites. As mentioned above, URL cloaking is a popular method. Through the use of specialized scripts, phishers can cover up the true URL with one that is associated with a trusted website. Subdomains are also commonly used to confuse Internet users and to lend them false senses of security. Internationalized domains are increasingly being used in this way too. As with spoofed email addresses, URLs sometimes contain a few transposed letters. At a glance, they appear to be correct and are trusted by unsuspecting Internet users.

     Don’t Become a Victim!

     Even if you are a seasoned Internet user, it is easy to fall prey to the sophisticated techniques that are used in website and email spoofing. With the wool pulled over your eyes, you could inadvertently give phishers extremely damaging information. The best way to handle spoofed emails and spoofed websites is by exercising caution at all times. If something seems “off” about an email, do not open attached files or click on included links. Type in a site’s URL manually to avoid landing on a spoofed version of it. By taking your time and being careful, you should be able to avoid most problems.
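
Added example, not part of the original post: a mail-triage check for the header tricks listed under "Email Spoofing Methods" (a trusted name used inside another domain, transposed letters, internationalized labels, and Reply-To or Return-Path domains that differ from From). The `TRUSTED` set, the function names and both sample messages are assumptions constructed for illustration.

```python
# Added example: triage checks for the header tricks described in the post.
# TRUSTED and both sample messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"examplebank.com"}  # assumption: domains you expect mail from

SPOOFED = """From: "Example Bank Customer Service" <service@exampelbank.com>
Reply-To: help@examplebank.customer-service.example
Return-Path: <bounce@mailer.example.net>
Subject: Urgent: verify your account

Dear Customer, ...
"""

LEGIT = """From: Example Bank <alerts@examplebank.com>
Reply-To: support@examplebank.com
Return-Path: <bounces@examplebank.com>
Subject: Your statement is ready

Hello, ...
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters is one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def domain_findings(domain):
    """Flag lookalike, trusted-name-in-label and internationalized domains."""
    findings = []
    if (not domain or domain in TRUSTED
            or any(domain.endswith("." + t) for t in TRUSTED)):
        return findings
    labels = domain.split(".")
    if any(l.startswith("xn--") or not l.isascii() for l in labels):
        findings.append("internationalized label in " + domain)
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if 0 < osa_distance(domain, trusted) <= 2:
            findings.append(domain + " is a near-miss of " + trusted)
        elif any(brand in l for l in labels):
            findings.append("trusted name '" + brand + "' used inside " + domain)
    return findings


def check_headers(raw_message):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = domain_findings(from_dom)
    for name in ("Reply-To", "Return-Path"):
        other = domain_of(msg[name])
        # A differing Return-Path is common for legitimate bulk mail sent
        # through a provider, so treat a mismatch as a signal, not a verdict.
        if other and other != from_dom:
            findings.append(name + " domain " + other
                            + " differs from From domain " + from_dom)
            findings.extend(domain_findings(other))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_headers(raw))
```
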
  6. Credit Card Phishing Scams

     In our digital age it’s easy to monitor your credit card accounts online. But are you taking every precaution to protect those accounts from phishing attacks? Many people are so busy and pressed for time that they assume that every email they receive from their credit card company is legitimate. The backbone of any successful phishing attack is a well-designed spoofed email or spoofed website, which is why it pays to have a healthy level of skepticism when it comes to opening emails and visiting websites. Learn more about the basics of credit card phishing scams by checking out the following information!

     Email Alerts that Lead to Trouble

     You are probably used to receiving occasional emails from your credit card company. That is precisely what phishers are banking on: that you won’t recognize a spoofed email before it is too late. Most of the messages that you receive from your credit card company are probably friendly reminders and sales pitches. If you receive a message that has an unusual level of urgency, however, you should be extremely careful. Phishing attacks usually involve spoofed emails that include a lot of urgent language. That urgency is used to prompt quick, unquestioning action from the recipient, which often leads to serious trouble.

     Clicking on Links in a Spoofed Email

     Although spoofed emails sometimes include forms that request personal information, they are more likely to contain links that lead to spoofed websites. This is why you should never click on a link in an email from your credit card company, even if you think that it is legitimate. It only takes a few extra seconds to open a new tab in your browser, manually type in the credit card company’s URL and log into your account. If a truly urgent situation exists, you will learn more about it after logging into your online credit card account.

     Spoofed Credit Card Websites

     Spoofed credit card websites can be extremely well done. Even if you visit your credit card company’s website on a regular basis, it is all too easy to be fooled. Phishers use many sophisticated techniques to make spoofed websites that look eerily similar to their legitimate counterparts. In the rush to find out what is wrong, it is easy to fall right into phishers’ traps. The consequences of doing that can be dire.

     Avoid Serious Consequences

     If you fall victim to a credit card phishing scam, the perpetrators can gain access to your credit card numbers and a lot of other personal information. They can use your credit card to go on shopping sprees, and they can use your personal information to steal your identity. From there, they can attempt to open new accounts and wreak all sorts of other havoc. You can avoid phishing scams by being conscientious of the threat of phishing attacks and by protecting your sensitive information at all costs.

     Bank Phishing Scams

     Bank customers are popular targets of those who engage in phishing attacks. If you have a bank account, you more than likely access it online from time to time. As a result, you probably have a username and a password that are associated with your online account. Most people understand the importance of keeping that kind of information confidential; if it falls into the wrong hands, a great deal of sensitive financial information would be compromised. Unfortunately, many people fall victim to bank phishing scams each year and inadvertently give out sensitive information to people who have criminal activities on their minds.

     Spoof Bank Emails

     The most common way that a phisher gets the ball rolling on a bank phishing attack is by sending out thousands of spoof emails. These emails are carefully crafted to look nearly identical to the types of correspondence that are sent out by actual banks. Skilled phishers can replicate the logos, layout and general tone of such emails to uncanny degrees. They bank on the fact that most people are quite busy; at a glance, these spoof emails appear to be legitimate. As a result, recipients are more likely to take what is written in them seriously.

     One way to avoid falling victim to spoof bank emails is by looking at them closely. Never assume that such messages originate from legitimate sources. Be especially vigilant if the email requests information from you. For one thing, no legitimate bank is going to include a form within an email that they send to you. This is a well-known phishing ploy and it should raise a big red flag for you. Look closely at the sender’s email address as well. Above all else, double-check on the actual bank’s website or give the bank a call if you are in doubt.

     Spoof Bank Websites

     Spoofed bank emails almost always include links that will take you to spoofed bank websites. Like spoof emails, spoof bank websites look nearly identical to their legitimate counterparts. One telltale sign of a spoofed bank website is a popup window that demands various types of credentials. There are many scripts that phishers can use to make these popup windows appear, and real banks never use them. Never follow a link to your bank’s website. Always type the URL manually into your browser’s address bar or give them a call to check on your accounts.

     Chase Bank Phishing Scam

     One of the most famous examples of a bank phishing scam involved Chase. Phishers especially went to town when Bank One of Indiana was bought out by the huge bank. Phishers obtained the email addresses of thousands of Bank One customers and used the changeover as a ruse in order to cull sensitive information from the victims. Like so many other phishing scams, these emails and fake phishing websites included a lot of urgent language. They implied that customers needed to supply the requested information right away or lose access to their accounts, which would certainly be a cause for alarm.

     The Chase bank phishing scam is a prime example of just how easy it is for people to fall into phishers’ traps. Actual Chase logos were used in the emails, which made it even trickier to tell them apart from spoofs. You can be sure that future bank phishing scams will use even sneakier and more sophisticated methods. Whenever you receive an important email from your bank, make a point of logging on to its website. Do not follow a link to the bank website; instead, type in the URL manually. If something important really needs your attention, you should be alerted about it somewhere on the online interface. If questions persist, pick up the phone and contact your bank. You can’t be too careful when it comes to protecting your financial information from phishing attacks.

     Email Phishing Scams

     A spoofed email message is often the cornerstone of any well-executed phishing scam. From the earliest days of phishing, fraudulent email messages have been used to catch Internet users unawares. Phishing attacks picked up steam during the heyday of AOL. Instant messages and email messages were used to carry out those attacks. Although many things have changed, many others have remained the same. To this very day, major online entities like PayPal and eBay have to grapple with the problem of email phishing. Learn more about how email phishing works, what it looks like and how to avoid falling victim to it below.

     What is Email Phishing?

     Email phishing refers to the act of creating and sending fraudulent or spoofed emails with the goal of obtaining sensitive financial and personal information. Under such schemes, emails are designed to look exactly like the ones that are sent by legitimate companies. Sophisticated phishing attacks use the email addresses of people who are registered to use certain services. When those people receive emails that are supposed to be from those companies, they are more likely to trust them. Spoofed emails often contain links that lead to spoofed websites, where various methods are used to request and collect a person’s financial and personal information. Forms are occasionally contained within the emails themselves too.

     Why Email Phishing Works

     Considering how long email phishing has been used, it may seem odd that it continues to work. It isn’t because people are foolish; it is because these emails are very well done. Phishers know precisely how to design spoofed emails to look like their legitimate counterparts. By throwing in some urgent language, phishers dramatically increase their odds of success. Busy people scan such emails, trust them and click on their links because they look almost exactly like the real thing. One wrong click can lead to a world of hurt.

     Signs of Email Phishing

     There are many signs of a phishing email. The first thing that you should look at is the greeting. Does it use your actual name, or does it have a generic greeting? Look closely at the email’s header. What is the sender’s email address? These addresses are usually carefully designed to look authentic. By taking a very close look at them, though, you can usually see inconsistencies and things that don’t make sense. If possible, compare the sender’s email address to that of previous messages from the same company. If it’s a phishing email, you will notice things that don’t add up.

     Examples of Successful Email Phishing

     Many successful email phishing attacks have been carried out in the past, which is why they continue to be used to this day. Prominent examples include eBay phishing scams and PayPal phishing scams. Both companies were prime targets of email phishing campaigns in the past. eBay and PayPal users receive messages that look legitimate. The messages typically urge them to verify their account information or to update their credit card numbers. People often fall for these ruses because they are afraid of losing access to these important services. Both companies now offer extensive information on ways to avoid such phishing scams on their websites.

     There is no simple way to completely avoid email phishing attacks. Sooner or later, someone is bound to send you a spoofed email. The easiest way to avoid these scams is by never clicking on links that are included in email messages. Make it a policy to always type in the URL of the site that you need to access manually. Upon arriving on the site, you will be able to confirm whether or not the message that you received was legitimate. If it’s a spoofed email, find out where to send it – most companies like to know about the scams that are going on out there.

     Website Phishing Scams

     It is never a good idea to blindly trust a website. Assuming that a site is legitimate can cause you to fall prey to phishing attacks. If that happens, you could inadvertently disclose sensitive information to people who may use it for identity theft and other malicious things. You don’t have to live in fear, though. By familiarizing yourself with a few of the main signs of a copycat website, you will have an easier time protecting yourself against these attempts. Keep in mind that phishing techniques can be quite sophisticated, and keep the following tips in mind as you browse the Internet.

     - Unusual Urgency – A legitimate website for a bank, credit card company or other organization isn’t going to have an air of desperation about it. You aren’t going to find urgent messages sprawling across such sites. If you land on a site and it seems to include a lot of inappropriate urgent messages, you should double-check the URL and make sure that you’re really in the right place. Phishers rely on this type of urgency to increase the odds that people will quickly and willingly disclose sensitive information.
     - Poor Design – The websites of professional businesses and organizations are generally sleek and stylish. If you visit one that seems to look a little ramshackle, there’s a very good chance that you’ve stumbled upon a spoofed site. Legitimate businesses are not going to allow their sites to go live with glaring design flaws. If things look sloppy, take the time to do a little investigating before you proceed.
     - Misspellings – Business websites typically include copy that has been written by professionals. They are not going to be riddled with misspellings and glaring grammatical errors. Scan through a site before you proceed. Does it seem to be well-written and professional? Has anything changed since your last visit?
     - Pop-Up Windows – Legitimate sites are not going to bombard you with pop-up windows the second you land on them. Everyone knows that pop-ups are commonly used to gather sensitive information from unsuspecting victims. Use a browser that allows you to block pop-ups. If one slips through, you should consider it to be a major red flag.
  7. There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced, the cybercriminals' techniques being used are also more advanced. To prevent Internet phishing, users should have knowledge of how the bad guys do this and they should also be aware of anti-phishing techniques to protect themselves from becoming victims.

     Spear Phishing

     While traditional phishing uses a 'spray and pray' approach, meaning mass emails are sent to as many people as possible, spear phishing is a much more targeted attack in which the hacker knows which specific individual or organization they are after. They do research on the target in order to make the attack more personalized and increase the likelihood of the target falling into their trap.

     Email/Spam

     Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.

     Web Based Delivery

     Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.

     Link Manipulation

     Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.

     Keyloggers

     Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent key loggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through the virtual keyboard.

     Trojan

     A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.

     Malvertising

     Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.

     Session Hijacking

     In Session Hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.

     Content Injection

     Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.

     Phishing through Search Engines

     Some phishing scams involve search engines where the user is directed to products sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.

     Vishing (Voice Phishing)

     In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.

     Smishing (SMS Phishing)

     Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.

     Malware

     Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.

     Ransomware

     Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PCs is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked into clicking on a link, opening an attachment, or clicking on malvertising.
  8. As widespread and well-known as phishing is now, it hasn’t been around forever. Although the practice originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later. That doesn’t mean that phishing was not a force to be reckoned with right from the start. In order to avoid falling prey to such scams yourself, it is helpful to have a basic understanding of the history behind them.

     Name Origins
     Phishing scams use spoofed emails and websites as lures to prompt people to voluntarily hand over sensitive information. It isn’t surprising, then, that the term “phishing” is commonly used to describe these ploys. There is also a good reason for the use of “ph” in place of the “f” in the spelling of the term. Some of the earliest hackers were known as phreaks. Phreaking refers to the exploration, experimenting and study of telecommunication systems. Phreaks and hackers have always been closely linked. The “ph” spelling was used to link phishing scams with these underground communities.

     First Recorded Mention
     According to Internet records, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. It is fitting that it was made there too; America Online is where the first rumblings of what would become a major criminal issue would take place.

     Phishing’s America Online Origins
     Back when America Online (AOL) was the number-one provider of Internet access, millions of people logged on to the service each day. Its popularity made it a natural choice for those who had less than pure motives. From the beginning, hackers and those who traded pirated software used the service to communicate with one another. This community was referred to as the warez community. It was this community that eventually made the first moves to conduct phishing attacks.

     The first way in which phishers conducted attacks was by stealing users' passwords and using algorithms to create randomized credit card numbers. While lucky hits were few and far between, they struck the jackpot often enough to cause a lot of damage. The random credit card numbers were used to open AOL accounts. Those accounts were then used to spam other users and for a wide range of other things. Special programs like AOHell were used to simplify the process. This practice was put to an end by AOL in 1995, when the company created security measures to prevent the successful use of randomly generated credit card numbers.

     Phishing Attacks Begin
     With their random credit card number generating racket shut down, phishers created what would become a very common and enduring set of techniques. Through the AOL instant messenger and email systems, they would send messages to users while posing as AOL employees. Those messages would request users to verify their accounts or to confirm their billing information. More often than not, people fell for the ruse; after all, nothing like it had ever been done before. The problem intensified when phishers set up AIM accounts through the Internet; such accounts could not be “punished” by the AOL TOS department. Eventually, AOL was forced to include warnings on its email and instant messenger clients to keep people from providing sensitive information through such methods.

     The Evolution of Phishing
     In many ways, phishing hasn’t changed a lot since its AOL heyday. In 2001, however, phishers turned their attention to online payment systems. Although the first attack, which was on E-Gold in June 2001, was not considered to be successful, it planted an important seed. In late 2003, phishers registered dozens of domains that looked like legitimate sites like eBay and PayPal if you weren't paying attention. They used email worm programs to send out spoofed emails to PayPal customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information.

     By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. Popup windows were used to acquire sensitive information from victims. Since that time, many other sophisticated methods have been developed. They all boil down to the same basic concept, though, and it is safe to say that this concept has proved to be quite effective.
  9. Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

     The first phishing lawsuit was filed in 2004 against a Californian teenager who created the imitation of the website “America Online”. With this fake website, he was able to gain sensitive information from users and access the credit card details to withdraw money from their accounts. Other than email and website phishing, there’s also 'vishing' (voice phishing), 'smishing' (SMS Phishing) and several other phishing techniques cybercriminals are constantly coming up with.

     Common Features of Phishing Emails

     Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious emails. Remember that if it seems too good to be true, it probably is!

     Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.

     Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.

     Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.

     Unusual Sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don't click on it!
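The hover check described under "Link Manipulation" and "Hyperlinks" above can be run automatically over an HTML message body before a user ever sees it. The following Python is an added example, not part of the original posts: the allowlist, the look-alike character pairs and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"bankofamerica.com", "paypal.com"}  # assumption: your own allowlist

def skeleton(name):  # look-alike pairs below are constructed, not exhaustive
    return name.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

def lookalike_of(host):
    """Return the trusted domain that `host` imitates with look-alike characters, or None."""
    hits = [d for d in TRUSTED if skeleton(d) == skeleton(host)]
    return hits[0] if hits and host not in TRUSTED else None

def host_of(value):
    """Host of a URL or bare domain, minus 'www.'; '' when the text is not an address."""
    value = value.strip()
    if " " in value or "." not in value:
        return ""
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    return host.removeprefix("www.")

class LinkCollector(HTMLParser):  # gathers [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_a = True
    def handle_data(self, data):
        if self._in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._in_a = self._in_a and tag != "a"

def audit(html):
    """Return (href, finding) pairs for links whose target should not be trusted."""
    collector, findings = LinkCollector(), []
    collector.feed(html)
    for href, text in collector.links:
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:
            findings.append((href, f"text shows {shown}, link goes to {target}"))
        if lookalike_of(target):
            findings.append((href, f"{target} imitates {lookalike_of(target)}"))
    return findings

SAMPLE = """<a href="http://www.bankofarnerica.com/login">www.bankofamerica.com</a>
<a href="https://www.bankofamerica.com/help">Help center</a>
<a href="http://phish.example/verify">https://www.paypal.com/signin</a>"""  # constructed
```

Legitimate marketing mail that routes clicks through tracking domains also shows a text/target mismatch, so treat findings as signals for review rather than verdicts.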
