“Give a man a fish and you feed him for a day. Teach a man to phish and he’ll eat your food every day.” – slight variation of old Chinese proverb
Phishing, simply defined, is the act of attempting to acquire personal information, through fraudulent means, via electronic communications and, like so many aspects of personal internet usage, its’ origins can be traced back to the good old days of America Online (AOL).
During the 1990s, a group calling themselves Warez was very active on AOL. They primarily dealt with the exchange of pirated software and worked closely with the hacking scene that was committing credit card fraud and other online crimes. At the time, AOL allowed up to seven different users, or screen names, per paid account, and it was easy to create a user name that appeared to be “official”. Under the guise of being an AOL employee, these individuals would send instant messages, to legitimate users, seeking user names, passwords, and credit card information. Following their early success with AOL account information, the phishers then began to target online payment systems and financial institutions, and finally branching out to web mail domains, governmental agencies and social networks. These days, an agency or business can measure its’ popularity by the number of phishing attacks they have endured. Not many are immune.
Phishing, as is the case with all things “tech”, has become more sophisticated and is constantly evolving in order to circumvent security measures. Methods used by phishers may include link manipulation, filter evasion, website forgery, and phone phishing (Vishing).
List of phishing techniques:
- Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
- Phishing attempts directed at specific individuals or companies have been termed spearphishing. Attackers may gather personal information about their target to increase their probability of success.
- A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or Link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original.
- This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
Example of a phishing attempt via email:
Apparently, all of these methods and techniques are paying off. Damage caused by phishing ranges from denial of access to email & social network sites, to substantive financial losses. RSA, , the security division of EMC, reports a global loss of 1.5 billion dollars, in 2012, to phishing scams.
Regardless of their sophistication, understand this: Every person involved with phishing, and every phishing scam requires one thing – YOU. You and your willingness to readily share your personal data. I’ve said this before, and you’ll hear it from me many times going forward: Banks, financial institutions, credit card companies, payment processing services, and email providers will never ask for personal data verification via email.
Every now and then I receive a call from a customer who states that they are having difficulties with an email log in or with signing into their financial institution because they can’t remember their password. For some people, it may be just as well.