Phishing stands as one of the most widely used cybercrime tactics right now. Phishing can be worryingly easy to carry out and can result in device infection and the theft of highly sensitive data. What's more, almost everyone is at risk of falling victim to a phishing attack. But what actually is it? How does phishing work? And can you steer clear of it?

The History of Phishing

The act of phishing can be traced back to the mid-1990s when computers looked and worked very differently from those we use today. During this time, AOL (America Online), a popular American dial-up service, was the internet provider of choice for many. This made it a key target for phishers, who chose to impersonate AOL staff in order to steal valuable login information from victims.

Five years later, over 50 million computers became infected with something known as the Love Bug. This was a virus that spread among devices via social engineering. As the name suggests, this ploy relied on the lure of love to swindle victims. Targets would receive an email with an attachment that the sender claimed was a love letter. Curious individuals chose to open this attachment but did not realize that they were giving way to a dangerous scam.

The Love Bug virus would replicate itself in order to spread, making it a kind of computer worm. It was also an accelerated version of a previous bug created by the perpetrator, which was capable of stealing passwords. This new version of the virus was able to use Visual Basic scripts in Outlook as an entry point, which then allowed the operator to hack victims' email accounts and send phishing emails to everyone within their address list.

The way in which phishing methods can be spun to play on one's emotions is what often makes it so successful. The Love Bug virus preyed on loneliness, whereas other phishers use a sense of urgency in their communications to scare the victim into complying. So, let's get into how these attacks work in detail.

How Does Phishing Work?

To better understand how phishing works, let's look at a typical example of phishing, known as credential phishing. This malicious venture seeks to steal login credentials from users to hack accounts. This could be done to spread phishing messages further, steal data, or simply mess around with someone's profile. Some people have their social media accounts hacked for no other reason than to post inappropriate or hateful language.

Let's say that Alice receives an email from Walmart stating that there has been suspicious activity noted on her online shopping account. The email would also request that she log into her account via a provided link so that she can check on the issue or verify her identity.

It's likely that Alice would feel nervous or scared seeing this, and would naturally worry that someone had compromised her account. This concern may push Alice to comply with the email's request so that she can seemingly sort the issue out as soon as possible. It's this fear that the phisher heavily leans into. They may even state that the account is under threat, or could be shut down if Alice doesn't take action.

So, assuming that she is carrying out a corrective procedure, Alice clicks on the provided link, which leads her to a Walmart login page. Then she enters her login credentials in order to sign in. At this point, it's already too late.

The Consequences of Phishing

What Alice doesn't know is that this is not the legitimate Walmart login page. Rather, it is a malicious website designed to steal her data.

When she enters her login credentials on this page, the attacker controlling it can intercept and steal them. From here, the attacker may directly hack Alice's Walmart account to make unauthorized purchases, or may even use other private information on Alice's account, such as an email address or home address, to exploit her further.

The attacker will sometimes change the password of the compromised account after logging in so that they can lock the victim out while they conduct the scam.

Alternatively, the phisher may take whatever private information they have gathered and sell it on an illicit marketplace. There are hordes of different underground marketplaces on the dark web, where one can buy anything from a gun to someone's credit card details. Sensitive data is highly valuable on these sites, with social security numbers, passwords, and even passports being listed for sale.

Malicious actors can stand to make thousands or even millions of dollars through the illegal sale of data on the dark web, so it's no surprise that many are doing what they can to get their hands on it.

Impersonation is a key element of phishing. Of course, an attacker isn't going to flat-out tell you that they're an attacker. If this were the case, their success rate would be incredibly low. Instead, malicious actors will pretend to be an official entity, such as a retailer, social media outlet, or governmental body. This air of legitimacy adds to the attacker's alleged credibility and gives the target a sense of false trust.

Though some phishing attacks can be carried out in mere minutes or seconds, some take days or weeks to complete. This is the case when the attacker needs to develop greater trust with the target to lure them into divulging highly sensitive information. For example, an attacker could pretend to be a colleague at a large corporation who needs the target's information to verify something, reinstate their account, or similar.

Over time, the phisher will build an air of professionalism that blinds the victim to what is really happening. They may exchange multiple emails, through which the victim's guard drops more and more. It's this gradual shift from wary to willing that phishers try to forge within their targets.

And phishing can also be used to spread malware. This could be anything from elusive spyware to highly dangerous ransomware. So, phishing can affect a device and its owner in a variety of ways.

While it may be easy to assume that you'd never fall for a phishing attack, these scams are becoming more and more sophisticated by the year. Phishing pages can now look identical to the sites they're duping, and attackers are adept at wording their emails in a convincing yet professional way.

So, what can you do to avoid phishing?

How to Avoid Phishing

Phishing most commonly takes place via email, though it can be conducted through any kind of messaging service. Because email addresses cannot be replicated, a phisher will likely create one that is almost identical to the official address. This is why it's important to check the sender's address for unusual spelling or other errors.

Additionally, you need to be wary of any links provided to you through email, regardless of how much you think you can trust the sender. Phishers will sometimes hack accounts to send emails to all available contacts. People are much more likely to open a link if it is from a friend, family member, or other trusted individual, which also plays into the success of the phishing attack.

So, no matter who sends you a link, you should always verify it first. You can do this using a link-checking website that can determine whether a link is malicious or safe. You can also use a domain checker to see if a website is legitimate. For example, if you've received what seems to be a link to Instagram's login page, but the domain is only a few days old, you're probably dealing with a scam.
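The sender-address and link checks described above can be automated. The following is an added example, not code from the original article: it compares the domain of a From: address or a link against a short list of domains you actually use, and flags near-identical spellings and brand names buried inside someone else's domain. The trusted list, the character-swap table, and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains the reader actually holds accounts with.
TRUSTED = {"walmart.com", "instagram.com"}
# Common look-alike character swaps (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike:<domain>', 'embeds:<domain>' or 'unknown'."""
    host = (host or "").lower().rstrip(".")
    # Simplification: last two labels = registered domain (wrong for co.uk etc.).
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED:
        return "trusted"
    normalized = domain.translate(SWAPS).replace("rn", "m")
    for good in sorted(TRUSTED):
        if normalized == good or edit_distance(domain, good) <= 2:
            return "lookalike:" + good
        # Brand used as a subdomain or as part of someone else's domain name.
        if good.split(".")[0] in host:
            return "embeds:" + good
    return "unknown"

def check_sender(from_header):
    """Classify the domain of a From: header value."""
    address = parseaddr(from_header)[1]
    return classify_host(address.rpartition("@")[2])

def check_link(url):
    """Classify the host a link really points to."""
    return classify_host(urlsplit(url).hostname)

# Constructed samples modelled on the Walmart and Instagram examples in the text.
if __name__ == "__main__":
    print(check_sender("Walmart Security <alerts@wa1mart.com>"))
    print(check_link("https://walmart.com.account-verify.example/login"))
```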

You should also utilize your email provider's anti-spam features to filter out malicious emails so that they do not arrive in your direct inbox.

It's also crucial to equip your device with high levels of security to ward off malware. Though phishing can be used to spread various kinds of malware, much of it can be stopped in its tracks via the use of legitimate antivirus software. Nobody wants to pay a fee for something that simply runs in the background, but it can make all the difference if you're ever targeted by a malicious attacker.

Spelling mistakes within communications can also be another scam indicator. Official entities will often ensure that their messages are written with the correct spelling and grammar, while some cybercriminals may be a little sloppy here.

Phishing Is Everywhere but Can Be Stopped

Phishing is a huge concern for us. This kind of attack puts our data and devices at risk, and can have dire consequences. Check out the tips above if you want to protect yourself against this malicious cybercrime, and stay vigilant.