Monday, 20 April 2020

What is phishing? How this cyber-attack works and how to prevent it

Phishing definition

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.

What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It's one of the oldest types of cyberattacks, dating back to the 1990s, and it's still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.

Some phishing scams have succeeded well enough to make waves:

· Perhaps one of the most consequential phishing attacks in history happened in 2016, when hackers managed to get Hillary Clinton campaign chair John Podesta to offer up his Gmail password.

· The "fappening" attack, in which intimate photos of a number of celebrities were made public, was originally thought to be a result of insecurity on Apple's iCloud servers, but was in fact the product of a number of successful phishing attempts.

· In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.

What is a phishing kit?

The availability of phishing kits makes it easy for cyber criminals, even those with minimal technical skills, to launch phishing campaigns. A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims. Phishing kits as well as mailing lists are available on the dark web. A couple of sites, Phishtank and OpenPhish, keep crowd-sourced lists of known phishing kits.

Some phishing kits allow attackers to spoof trusted brands, increasing the chances of someone clicking on a fraudulent link. Akamai's research provided in its Phishing--Baiting the Hook report found 62 kit variants for Microsoft, 14 for PayPal, seven for DHL, and 11 for Dropbox. 

Types of phishing

If there's a common denominator among phishing attacks, it's the disguise. The attackers spoof their email address so it looks like it's coming from someone else, set up fake websites that look like ones the victim trusts, and use foreign character sets to disguise URLs.

That said, there are a variety of techniques that fall under the umbrella of phishing. There are a couple of different ways to break attacks down into categories. One is by the purpose of the phishing attempt. Generally, a phishing campaign tries to get the victim to do one of two things:

· Hand over sensitive information. These messages aim to trick the user into revealing important data — often a username and password that the attacker can use to breach a system or account. The classic version of this scam involves sending out an email tailored to look like a message from a major bank; by spamming out the message to millions of people, the attackers ensure that at least some of the recipients will be customers of that bank. The victim clicks on a link in the message and is taken to a malicious site designed to resemble the bank's webpage, and then hopefully enters their username and password. The attacker can now access the victim's account.

· Download malware. Like a lot of spam, these types of phishing emails aim to get the victim to infect their own computer with malware. Often the messages are "soft targeted" — they might be sent to an HR staffer with an attachment that purports to be a job seeker's resume, for instance. These attachments are often .zip files, or Microsoft Office documents with malicious embedded code. The most common form of malicious code is ransomware — in 2017 it was estimated that 93% of phishing emails contained ransomware attachments.

How to prevent phishing

The best way to learn to spot phishing emails is to study examples captured in the wild! This webinar from Cyren starts with a look at a real live phishing website, masquerading as a PayPal login, tempting victims to hand over their credentials. Check out the first minute or so of the video to see the telltale signs of a phishing website.

More examples can be found on a website maintained by Lehigh University's technology services department where they keep a gallery of recent phishing emails received by students and staff.

There also are a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:

· Always check the spelling of the URLs in email links before you click or enter sensitive information

· Watch out for URL redirects, where you're subtly sent to a different website with identical design

· If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply

· Don't post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
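The URL checks above (foreign character sets in hostnames, a trusted brand name buried inside an unrelated domain, and link text that disagrees with where the link actually goes) can be automated on the defender's side. The following is an added example, not code from the original article; it assumes a small allow-list of trusted domains and runs over a constructed sample message.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Assumption for this example: the few domains the recipient really deals with.
TRUSTED = {"paypal.com", "examplebank.com"}
# Sample of Cyrillic code points (a e o p c y x i) that render like Latin letters.
CONFUSABLES = dict(zip("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi"))
LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_RE = re.compile(r"\b(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})\b", re.I)

def host_of(url):
    """Hostname of a URL with punycode (xn--) labels decoded, so lookalikes show."""
    host = (urlparse(url.strip()).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")  # xn--pypal-4ve.com -> p\u0430ypal.com
    except UnicodeError:                            # already Unicode, or invalid IDNA
        return host

def skeleton(host):
    """Fold a hostname to the plain ASCII string a human would read it as."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())
    decomposed = unicodedata.normalize("NFKD", folded)  # é -> e + combining accent
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def check_link(href, text):
    """Reasons a link looks like a lure; an empty list means nothing suspicious."""
    host, findings = host_of(href), []
    base = ".".join(host.split(".")[-2:])  # crude registrable domain (eTLD+1)
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in hostname")
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if base != trusted and skeleton(base) == trusted:
            findings.append(f"homograph of {trusted}")
        elif base != trusted and brand in host:
            findings.append(f"'{brand}' used inside unrelated domain {base}")
    shown = SHOWN_RE.search(re.sub(r"<[^>]+>", "", text))  # domain visible in link text
    if shown and ".".join(shown.group(1).lower().split(".")[-2:]) != base:
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return findings

def scan_email(html):
    """[(href, findings)] for every <a> in an HTML email body."""
    return [(href, check_link(href, text)) for href, text in LINK_RE.findall(html)]

# Constructed sample message; the first host is built from a Cyrillic 'а' (U+0430).
LURE_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")  # xn--pypal-4ve.com
SAMPLE_EMAIL = f"""<a href="https://www.{LURE_HOST}/signin">https://www.paypal.com/signin</a><br>
<a href="http://paypal.com.account-verify.net/login">Confirm your account</a><br>
<a href="https://www.paypal.com/help">PayPal Help Center</a>"""
```

Running `scan_email(SAMPLE_EMAIL)` flags the first two links and leaves the genuine PayPal link clean; the allow-list and confusable table are deliberately tiny and would be replaced by the organisation's own list and the full Unicode confusables data in practice.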

If you work in your company's IT security department, you can implement proactive measures to protect the organization, including:

· "Sandboxing" inbound email, checking the safety of each link a user clicks

· Inspecting and analyzing web traffic

· Pen-testing your organization to find weak spots and use the results to educate employees

· Rewarding good behavior, perhaps by showcasing a "catch of the day" if someone spots a phishing email
