Phishing is one of the oldest forms of online fraud. With the help of social engineering, cybercriminals try to make you give out passwords, banking or payment data, for example through phishing emails or malware. Traditionally, phishing meant being tricked into opening malicious links or attachments or unknowingly downloading malware. Modern phishing tactics, however, are designed so that you hand over important data without ever realising that you did.

The meaning of phishing

Even before the internet, cunningly stealing data was a common part of a criminal's repertoire. Shoulder surfing, i.e. spying over someone's shoulder, was most often used to obtain valuable data such as PIN codes, addresses, bank details or phone numbers.

Phishing can be seen as the further development of data theft for the internet era. As you might have guessed, the word is a deliberate respelling of the English word 'fishing': victims are lured in like fish with seemingly genuine messages as bait.

You've probably already received emails in which your bank supposedly had an urgent request. Or perhaps Amazon wanted to deliver a parcel you never ordered. Or you've inherited millions of pounds from a previously unknown uncle. The list of phishing lures is long and gets longer every year.

What is the goal of phishing?

Phishing has only one goal: to obtain your data. It can be your bank information, credit card data, or the passwords you use for online banking, Amazon, your email accounts or the backend of your website. The more personal and sensitive the data, the more interested criminals are in it.

The data theft is carried out by persuading you to enter your personal information on fake pages. The criminals can then use the stolen data to cause you financial damage, steal your identity, launch further phishing attacks against your contacts or corrupt company data.

Phishing is also often just the first step of a further attack with malware, ransomware, adware or scareware. Email attachments containing macros or other malicious code are a common way of installing malware on a computer.

Different types of phishing

Just as technology and digital skills constantly evolve, phishing scammers constantly change their procedures and methods. Traditional phishing still requires the unwitting 'help' of the victim: you have to actively enter personal data or click on links and attachments. Newer phishing tactics, however, no longer rely solely on your 'participation'.

Common types of phishing are:

  • Email phishing: Fake emails, usually containing links to malicious websites or carrying malware as downloadable attachments.
  • Website phishing: Fake websites that trick you into entering important data or installing malware. Because these sites imitate a genuine site, this tactic is also called website spoofing.
  • Vishing: Short for voice phishing, vishing means scam calls over the telephone or any other voice channel.
  • Smishing: Short for SMS phishing, smishing uses fake SMS or messenger messages to trick you into clicking links, downloading malware or handing over sensitive data.
  • Social media phishing: Phishing on social media can mean hijacking social media accounts or creating deceptively genuine copies of real accounts. The goal is again to steal sensitive data from followers and other users.

The two most common types of phishing strategies

Common phishing strategies can be divided into targeted spear phishing, which relies on researching the victim beforehand, and broad mass phishing, which sends the same lure to as many people as possible.

Spear phishing

Spear phishing targets a small group or even a single victim. Using social engineering, criminals first collect publicly available personal information such as email addresses, lists of friends, career paths and job titles from social media, company websites or career pages.

Criminals then craft deceptively genuine emails that appear to come from your friends, colleagues, other acquaintances or your bank. These emails contain a link to a professionally made fake website that asks you to enter your password, bank details or other sensitive information. Alternatively, the fake email is meant to trick you into opening a malicious file attachment. Spear phishing is also used to gather data on a company's CEO or other executives (sometimes called whaling) in order to prepare large-scale cyberattacks against the company or to steal company assets.

Mass phishing

Whilst sophisticated spear phishing focuses on quality, mass phishing campaigns focus on the quantity of victims. The aim is to steal as much sensitive data as possible from as many potential victims as possible.

You can often recognise mass phishing from obviously fake sender addresses, redirects to dubious or unencrypted HTTP websites, and bad grammar. The emails may appear to come from Royal Mail or DHL although you haven't ordered anything, or from Amazon or PayPal even though you don't have an account with them.

Other phishing tactics

As stated previously, newer phishing techniques no longer rely entirely on the participation of the victim. Clicking on suspicious links or entering data is therefore no longer necessarily required. Simply opening a website or email that carries malicious code can be enough to exploit a vulnerable browser or mail client and silently install malware (a so-called drive-by download), and that malware can then act as a man-in-the-middle on your own computer. Note that the victim still has to open the page or message; the barrier is lower, not gone.

Man-in-the-middle is the term used when criminals manage to get between your computer and the services you use, so that they can intercept, read and in some cases alter your internet communication, including sensitive data. A man-in-the-middle attack is especially treacherous because nothing visibly changes for the user, which makes these silent attackers lurking between your computer and the internet difficult to detect.

How to quickly recognise phishing attacks with 5 typical signs

To recognise phishing tactics and phishing emails, look out for the following 5 signs:

  1. Emails or websites that use obviously incorrect grammar or broken English
  2. Emails or websites that claim to come from banks or other service providers and ask you to enter personal or payment information or to 'verify' your account
  3. Sender addresses that don't match the company name or the person the email claims to come from, e.g. a bank's name in the display name but an unrelated domain after the @
  4. Redirects to unencrypted http:// websites or to suspicious URLs, and links hidden behind a URL shortener such as bit.ly. Bear in mind that the reverse is not a guarantee: most phishing sites today use HTTPS as well, so a padlock alone proves nothing
  5. Emails from dubious addresses with odd, ad hoc requests. They may also carry suspicious file attachments such as .exe files, Office documents (.docx, .xlsx) that ask you to enable macros, or ZIP and RAR archives
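Signs 2 to 5 can be checked mechanically. The following script is an added example written for this article, not code from the original page: it parses a raw email with Python's standard `email` library and reports a display name that doesn't match the sending domain, 'verify your account' style lures, plain-HTTP or shortened links, and risky attachment types. The two sample messages, the lure phrases and the shortener and extension lists are constructed for the example and would need extending for real use. Sign 1 (bad grammar) is left to the human reader.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Example lists (assumptions for this demo, not an authoritative feed).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm",
                    ".docx", ".xlsx", ".zip", ".rar", ".iso"}
CREDENTIAL_LURES = ("verify your account", "confirm your account",
                    "update your payment", "enter your password")
# Words that carry no brand information when comparing a display name to a domain.
GENERIC_WORDS = {"bank", "online", "banking", "team", "support", "service",
                 "customer", "security", "alert", "the", "ltd", "plc"}
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)


def sender_mismatch(display_name, addr_spec):
    """Sign 3: the display name claims a brand that does not appear in the sending domain."""
    domain = addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""
    brands = [w for w in re.findall(r"[a-z]{3,}", display_name.lower())
              if w not in GENERIC_WORDS]
    if not brands or not domain:
        return False  # nothing to compare; the other signs must decide
    return not any(brand in domain for brand in brands)


def link_findings(text):
    """Sign 4: plain-HTTP links and links routed through URL shorteners."""
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme.lower() == "http":
            findings.append(f"unencrypted link: {url}")
        if (parsed.hostname or "").lower() in URL_SHORTENERS:
            findings.append(f"shortened link: {url}")
    return findings


def attachment_findings(msg):
    """Sign 5: executable, macro-capable or archive attachments."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings


def analyse(raw):
    """Return the list of phishing signs found in one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    signs = []
    from_header = msg["From"]
    for addr in (from_header.addresses if from_header else ()):
        if sender_mismatch(addr.display_name, addr.addr_spec):
            signs.append(f"sender mismatch: '{addr.display_name}' <{addr.addr_spec}>")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    haystack = (str(msg.get("Subject", "")) + "\n" + body).lower()
    for lure in CREDENTIAL_LURES:  # Sign 2: request to verify or enter data
        if lure in haystack:
            signs.append(f"credential lure: '{lure}'")
            break
    signs.extend(link_findings(body))
    signs.extend(attachment_findings(msg))
    return signs


# Constructed sample messages (not real emails; the attachment is a 4-byte dummy).
SUSPICIOUS_SAMPLE = b"""From: "Barclays Online Banking" <security-alert@mail-verify-account.example>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Customer,
We have detected unusual activity. Please verify your account
immediately at http://bit.ly/3xyzABC or your access will be suspended.
Your statement is attached.
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1--
"""

LEGIT_SAMPLE = b"""From: "Barclays" <noreply@barclays.co.uk>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available in online banking at https://www.barclays.co.uk/
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, "->", analyse(raw) or "no signs found")
```

The brand-versus-domain check is deliberately loose (substring match on words of three or more letters) so that `barclays.co.uk` passes while `paypa1-secure.example` is flagged for a 'PayPal' display name; a production filter would add a curated brand list, header authentication results (SPF, DKIM, DMARC) and a real URL reputation feed, none of which this example includes.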

Famous phishing attacks

Sometimes criminals manage to conduct phishing attacks on such a large scale that they make headlines. Below we've listed three of the most well-known ones:

The 2016 US presidential election

The leaking of numerous emails from the American Democratic Party in 2016 is one of the best-known and most significant cases of phishing. The hacker groups known as Fancy Bear and Cozy Bear both broke into the party's systems; Fancy Bear in particular sent spear-phishing emails to Democratic Party and campaign staff. The emails urged recipients to promptly change their password by clicking a link that led to a fake login page. This enabled the attackers to capture login data and gain access to the email accounts of high-ranking politicians and campaign officials. WikiLeaks later published the emails, which became a major issue in the campaign that ended with Donald Trump's election as President.

Phishing attack against Facebook and Google

In 2017, US prosecutors disclosed one of the most expensive phishing attacks of all time. Between 2013 and 2015, a fraudster using phishing emails and a fake business identity had extracted around $100 million (around £85 million) from Google and Facebook. The scheme worked because the fake company was almost indistinguishable from a real hardware supplier of both firms, and the emails carried forged invoices and contracts in its name. Employees of these corporate giants unknowingly transferred enormous sums to overseas accounts controlled by the attacker. This variant of phishing, in which a trusted supplier or colleague is impersonated to trigger payments, is known as business email compromise (BEC).

Cyber-attack on EasyJet

In May 2020, EasyJet publicly announced that it had been the target of a 'highly sophisticated' cyber-attack. Email addresses and travel details of around nine million customers were accessed by cybercriminals, and according to the company more than 2,000 customers also had their credit card information accessed. Although the airline didn't release a more detailed description of the attack, its statement warned customers to be cautious of unsolicited communications and phishing emails, since stolen email addresses and travel details are exactly what criminals need to craft convincing follow-up phishing messages.

Although large corporations, institutions and governments are prime targets for phishing attacks, individuals are also at risk of becoming victims of cybercrime. The National Cyber Security Centre (NCSC) informs and educates the British public and companies about a range of cybersecurity topics and threats. The British government also publishes information on cybercrime on its website, including guidance, regulation and statistics.
