How Does a Phishing Attack Work?
No one would intentionally install malicious software on their computer or give the login credentials to their bank away. However, phishing attacks are still successful.
Fortunately, phishing attacks never work unless the targeted user takes an action. That is the key. Most phishing attacks take advantage of the law of large numbers and target thousands of people at one time, hoping a small percentage of the recipients will fall for the trick and surrender sensitive information. Knowing the tactics a "phisher" may use will help keep you from falling victim to a cyberattack. We will look at the types of phishing attacks next.
Types of Phishing Attacks
Since the term phishing was coined in 1987, the tactics used for phishing attacks have evolved into quite a few specific types of phishing. Here are some common types of phishing:
A virus is malware that is attached to some other type of software. Whenever the user runs the virus, usually accidentally by running the software it is attached to, the virus will replicate itself by adding itself to other programs on the user's system.
Standard Email Phishing
Standard email phishing uses the shotgun method of sending as many emails as possible to as many people as possible. Attackers hope to steal sensitive information by getting a small percentage of the email recipients to fall for the tactics by clicking on a malicious link and entering their login credentials in a fake form.
When attackers design an email message to appeal to a specific individual, it is called spear phishing, bringing up the image of a spearfisherman targeting a specific fish.
The attackers in these cases find their target online, sometimes using social networks like LinkedIn that have detailed work history to gather information on the person. They will then send an email to the target's work email address using a spoof email address from the same domain. This is easy to do because the phisher can guess the target's work email based on their first and last name and the domain name of the company they work for.
In the email, the attacker will masquerade as an employee and attempt to get the target to divulge sensitive information or transfer funds.
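One defensive check for the same-domain spoofing described above, as an added example that is not part of the original article: it reads the Authentication-Results header a mail gateway stamps on inbound messages and flags any message whose From: address claims the organization's own domain while neither SPF nor DKIM passed. The organization domain `example.com`, the sample messages and the header layout are constructed assumptions.

```python
"""Flag inbound mail that claims to be internal but fails sender authentication.
Assumes the gateway adds an Authentication-Results header (RFC 8601) and that
example.com (placeholder) is the organization's own domain."""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # placeholder for the protected domain


def sender_domain(from_header):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(header):
    """Parse 'authserv; spf=pass ...; dkim=fail ...' into {'spf': 'pass', 'dkim': 'fail'}."""
    results = {}
    for clause in (header or "").split(";")[1:]:  # first clause is the authserv-id
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            results[method.lower()] = rest.split()[0].lower()
    return results


def is_spoofed_internal(raw_message):
    """True when From: is our domain but neither SPF nor DKIM passed.
    Genuine internal mail should pass at least one; a missing header also flags."""
    msg = email.message_from_string(raw_message)
    if sender_domain(msg["From"]) != ORG_DOMAIN:
        return False  # not claiming to be one of us; other checks apply
    results = auth_results(msg["Authentication-Results"])
    return results.get("spf") != "pass" and results.get("dkim") != "pass"


# Constructed sample messages, not real mail.
SPOOFED = """\
From: "Jane Smith, CEO" <jane.smith@example.com>
To: bob.jones@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Urgent wire transfer

Bob, please process the attached transfer today.
"""

LEGIT = """\
From: jane.smith@example.com
To: bob.jones@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Lunch

Lunch at noon?
"""

if __name__ == "__main__":
    print(is_spoofed_internal(SPOOFED), is_spoofed_internal(LEGIT))  # True False
```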
Whaling or whale phishing is the same as spear phishing, except the targets of the attack are higher-profile individuals, like CEOs or board members of the corporation. Whaling attacks usually involve a lot of research on the person being attacked and take a lot of preparation time, because the payoff for the attacker is usually large.
Malware phishing uses the same methods as standard email phishing. A malware phishing attack is usually untargeted, aiming to infect as many devices as possible with malicious software. Phishers attempt to get targets to click on email links that download and install malware. This malware can be of any type: ransomware, which locks out the user and demands a ransom; adware, which inundates the user with advertisements; spyware, which will steal data from the device or log the user's keystrokes; and more.
Smishing is an attack where malicious links are sent to SMS-enabled phones. The links may masquerade as account warnings and prize notifications to trick the phone user into clicking the link.
Search Engine Phishing
Search engine phishing uses search engine optimization or paid search engine ads to get fraudulent sites designed to steal credentials ranked high in search engine results. Unsuspecting users will assume they are on a well-known site, enter their credentials, and be greeted with a fake error. By then the attacker will have already stolen their data.
This type of attack usually occurs in areas with public Wi-Fi networks. The attacker will create a fake free public Wi-Fi network to which unsuspecting people will connect. Once a user is connected, the attacker can phish for information.
Vishing stands for voice phishing. This attack involves fake phone calls. The caller will say they are from a government agency like the IRS or a large organization and try to get the target to disclose banking details or credit card information.
This type of attack is also known as DNS poisoning. By corrupting DNS, an attacker can route legitimate traffic going to a banking site or other organization to a fake site that will steal user information.
In this type of phishing attack, the attacker hacks a legitimate user's email or social account and then sends malicious emails or messages to the user's contacts, who may click on links because the message comes from a trusted source.
This type of phishing involves fake advertisements that masquerade as ads from legitimate companies. Instead of taking users to a legitimate site, the ads will direct them to a phishing site.
What Are the Consequences of a Successful Phishing Attack?
Considering that a phishing attack is just a technique to compromise credentials or gain unauthorized access to data, there are quite a few possible consequences to a phishing attack. Here are some consequences:
- Data loss: Attackers can use phishing to access and steal sensitive data
- Reputation damage: A phishing attack can damage an enterprise's reputation
- Account compromise: Most phishing attacks target user credentials
- Malware infection: A big percentage of phishing attacks attempt to trick recipients into installing malware masquerading as valid software
- Financial loss: Many phishing attacks target online banking credentials or request bank transfers
How Do You Prevent Phishing Attacks?
All phishing attacks are preventable. Hackers depend on targeted users to take an action to be successful. There are many ways to prevent phishing attacks.
- Education: One of the best ways to prevent a phishing attack is education. Phishing attacks wouldn't occur without target interaction.
- Anti-virus and anti-malware: Security software can detect and disable malware installed by a phishing scheme before it does any damage.
- Email and endpoint security: Email can be scanned for malicious links and sandboxed.
- Micro-segmentation: Micro-segmenting your IT infrastructure will prevent the lateral movement of any malware that may have infected one device and limit the damage to a corporate network.