Phishing is a type of cyber attack that lures users into giving up personal information to the attacker. There are many ways to do this. CBR has looked at some common types of phishing attack and how they work.

 

1. Carrot or stick

The most basic form of a phishing attack is generic and aims wide rather than deep.

The communication will simply ask for information under a pretext or invite the recipient to click a link. It could be masquerading as a legitimate company, such as a bank, and saying that it requires your login details.

Often the attack will exploit the recipient’s fear in order to provoke a reaction. It could, for example, claim to be from law enforcement officials and claim that the recipient had committed a crime, asking for personal details to verify their identity.

It could also claim that the recipient was the victim of a cyber attack or that they are the winner of a contest.

A recent phishing scam in the UK sent emails purportedly from the Land Registry. The Government said that the fake emails could be identified by the domain name of the sender.

It is unlikely that a legitimate company will ever ask for potentially sensitive financial information via email. If you do think the email is legitimate, try to contact the company via phone instead.

2. Cry for help

More advanced than the scatter-gun approach, this type of attack may be fine-tuned to work in some knowledge of the person it is targeting.

Using information available on social networks, the attack could pretend to be from a friend or family member.

The email might say that the claimed sender is stranded somewhere and requires a transfer of funds to get home.

To carry out this kind of attack, the attacker might have a mechanism for taking over the email addresses of those who are affected. The hijacked address will then send out the phishing emails to all of that person’s email contacts, giving authenticity to the scam.

These emails can be embarrassing for the sender as well, especially if work or business contacts are on their email contact list and get sent this kind of request.

Again, to verify if the communication is authentic, it is always best to get in touch via another means of contact such as phone.

3. The command from above

So much of work communication is conducted over email nowadays that it would hardly be out of the ordinary to receive a request for important data from your boss.

Hackers know this as well, and many phishing scams masquerade as an email from a senior official in the organisation and request sensitive company data.

This type of phishing attack was used in the attack on Snapchat on 26 February, when a scammer impersonated Snapchat CEO Evan Spiegel in a request for employee information.

One employee fell for the scam, providing the payroll information of around 700 current and former employees.

There are numerous advantages to this approach for the hacker. For one thing, employees are likely to be keen to respond quickly and thoroughly to a communication from their boss; they may be less willing to ask questions or request clarifications that could expose the email as a fake.

The disadvantages are that it requires far more planning and data to construct such an attack than a less targeted scam. The attacker will need specific information about the employees they are addressing and the data they are after.

4. Payment problems

If you shop online, it is likely that you use services such as Amazon, eBay or PayPal to do so.

A common phishing attack claims that you have had problems paying for an item that you have purchased through one of these services.

It could say that the item cannot be shipped to you due to these payment issues.

The email text may include a link that directs you to a website that looks like the legitimate site, but is actually a close mock-up. The URL may even look similar, with the characters in a slightly different order.
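A mail filter or awareness tool can catch the "characters in a slightly different order" trick by comparing a link's domain with the real ones. The Python sketch below is an added example, not part of the original article: the domain list, the distance threshold and the sample links are assumptions, and it also flags the wider case of a real name used as a subdomain of another site.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Services named in the article; this domain list is an assumption for the example.
KNOWN_DOMAINS = ("amazon.com", "ebay.com", "paypal.com")


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts swapping two adjacent characters as one edit."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]


def classify_link(url: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a link from an email against the known service domains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unparseable", None)
    for known in KNOWN_DOMAINS:
        if host == known or host.endswith("." + known):
            return ("legitimate", known)
    # Naive registrable domain: the last two labels (no public-suffix handling).
    registered = ".".join(host.split(".")[-2:])
    for known in KNOWN_DOMAINS:
        if osa_distance(registered, known) <= max_distance:
            return ("lookalike", known)
        # The real name used as a subdomain of some other site.
        if ("." + known + ".") in ("." + host):
            return ("brand-in-subdomain", known)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://www.paypal.com/myaccount", "http://paypla.com/signin",
                 "http://paypal.com.secure-check.example/login", "https://example.org/"):
        print(link, "->", classify_link(link))
```

A "lookalike" or "brand-in-subdomain" verdict is a reason to quarantine or warn, not proof of fraud; short names produce more false positives at the same threshold.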