Phishing is one of the oldest cyberattacks leading to online banking fraud, and it remains one of the most pernicious: nearly a third (32%) of the breaches analysed in Verizon's 2019 Data Breach Investigations Report involved phishing.
Much of the recent discussion of the sharp increase in coronavirus-related scams also concerns phishing. But how much do you actually know about what phishing is?
We take a deep dive into the history of phishing, the most common types of phishing campaigns to be on the lookout for now, and how to protect against them.
Phishing is the fraudulent attempt to obtain credentials and other sensitive or personally identifiable information (PII), such as usernames, passwords and card details, from companies or members of the public. Most often the perpetrators pose online as a trustworthy entity in order to persuade their targets to hand the information over themselves.
The main thing to keep in mind about phishing campaigns is that they are a social engineering technique: the fraudster deliberately uses bait to provoke an action, whether it is a link to a fake news story designed to outrage, or a spoofed email purporting to come from the victim's bank that urges them to click a link leading to a webpage under the fraudster's control.
Types of phishing
The following are a few types of phishing and examples of how they would be practically carried out:
- Vishing/Smishing: two delivery vectors for phishing. Vishing ('voice phishing') is social engineering carried out over the telephone, with the fraudster either trying to convince the target to transfer money out of their bank account, or to hand over PII that can be used to compromise the account. Smishing is phishing over SMS or text message, typically trying to persuade the target to tap a malicious link.
- Spear phishing: a targeted variant, where specific individuals or companies are attacked using personal information the fraudster has already gathered through reconnaissance or social engineering, in order to increase the probability of the scam's success. For example, a fraudster might find out which bank an individual has an account with and masquerade as an employee of that bank in an effort to extract further details such as account information. Sometimes the criminal claims there has been a security breach and advises the victim to move funds into an alternative 'holding' account (which, of course, the fraudster controls).
- Whaling: in essence, spear phishing aimed at high-profile targets such as C-level executives or celebrities. A related example is CEO fraud, one form of what the FBI calls Business Email Compromise (BEC): fraudsters impersonate or take over (through intrusion or social engineering) the email accounts of company executives in order to persuade employees to make unauthorized transfers.
- Clone phishing: a legitimate email from an authentic source is copied and used to build a near-identical clone. The attacker often claims to be resending a previous message or distributing an updated version of the original. This time, however, the email carries a malicious attachment, or a link whose lookalike URL (a misspelled or otherwise deceptive domain) imitates the authentic website but leads to one the fraudster controls.
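The lookalike-URL trick in clone phishing is something a mail gateway or SOC analyst can check mechanically. The following is an added example, not code from the original article or any vendor: it extracts the hostname from a URL, folds common look-alike characters back to the letters they imitate, measures edit distance against a short list of protected brands, and finally looks for a brand name buried in an unrelated hostname. The brand list, the swap table and the sample URLs are all constructed for illustration.

```python
"""Added example: flag lookalike URLs of the kind used in clone phishing.
Constructed for this page; the protected-brand list, swap table and sample
URLs are assumptions, not data from the original article."""
from urllib.parse import urlsplit

# Brands to protect: registrable domain -> the brand token attackers reuse.
PROTECTED = {"paypal.com": "paypal", "examplebank.com": "examplebank"}

# Character swaps commonly used to make a fake domain look like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Good enough for .com/.net here; a real tool would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_url(url: str) -> str:
    """Return 'legitimate', 'unknown', or a verdict naming the imitated brand."""
    host = (urlsplit(url).hostname or "").lower()
    if not host or "." not in host:
        return "invalid"
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legitimate"
    sld = reg.split(".")[0]  # label left of the TLD
    for brand_domain, token in PROTECTED.items():
        brand_sld = brand_domain.split(".")[0]
        if fold_homoglyphs(sld) == brand_sld:
            return f"homoglyph:{brand_domain}"  # e.g. paypa1.com
        if levenshtein(sld, brand_sld) <= 2:
            return f"typosquat:{brand_domain}"  # e.g. paypai.com
        if token in host:
            return f"brand-in-hostname:{brand_domain}"  # e.g. paypal.com.secure-login.net
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs of the sort seen in clone-phishing emails.
    for u in ["https://www.paypal.com/signin", "http://paypa1.com/login",
              "http://paypai.com/", "http://paypal.com.secure-login.net/verify",
              "https://example.org/"]:
        print(f"{u:45} -> {classify_url(u)}")
```

The order of the checks matters: the homoglyph fold runs first so that `paypa1.com` is reported as a character swap rather than as a generic edit-distance hit, and the brand-in-hostname check catches the very common pattern of putting the real domain in a subdomain of a throwaway registration. Short brand names will produce false positives at edit distance 2, so a production filter should tune the threshold per brand and allow-list known partners.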
Why is phishing such a problem?
Phishing came to prominence as a way for fraudsters to con people out of their money in the 1990s. By the year 2004, it was being reported that US businesses were losing around $2 billion a year as clients became victims of phishing attacks, and the practice of phishing was recognized as a fully organized part of the black market.
The problem has only grown since. More recent industry reports put the share of breaches that begin with a phishing email at around 90%, with an estimated 1.5 million new phishing sites created each month.
Perpetrators are also getting better at it, helped by the ever-increasing connectivity and online presence of the general public.
For example, the rise of social media has reduced the need for fraudsters to run targeted campaigns over email: they can instead post a fake ad online and reach thousands of potential victims at once.
Attacks are also becoming increasingly sophisticated as methods and technology evolve.
At the same time the tooling has been commoditised, so even criminals with very little technical know-how can run phishing campaigns using off-the-shelf tools and templates bought on the black market or dark web.
These 'phishing kits' bundle a cloned login page with the server-side script that collects whatever victims type into it. The attacker simply uploads the kit to a web server and then sends out emails to potential victims.
How to stop phishing attacks
With attacks becoming increasingly easy for fraudsters to perpetrate and harder for individuals to spot, new campaigns are cropping up all the time – as seen with the spike in cases surrounding the coronavirus pandemic. To win this battle, everyone’s online security needs to put up much more of a fight.
The growing use of multi-factor authentication to validate identity more thoroughly is a welcome improvement in online banking security, but criminals can still obtain static information such as passwords and account details all too easily, and a one-time code typed into a phishing page can be relayed to the real site in real time by an adversary-in-the-middle proxy.
Behavioral biometrics, on the other hand, are far harder to imitate or steal, because they describe how an individual acts rather than something they know or hold.
A comprehensive anti-fraud solution needs to leverage behavioral analytics and deep learning alongside other authentication factors, evaluating the way a user typically types and moves their cursor, as well as many other online behaviors.
By comparing a user's real-time behavior against their historical behavior, it is possible to confirm whether it really is them, or whether a fraudster has taken over their account.
This means that even if an individual falls victim to a phishing scam and hands over their credentials, the bank can still detect the anomalous session and stop the fraudulent transaction before any money leaves the account.
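The comparison of real-time behavior against historical behavior described above can be illustrated with a small scoring routine. The following is an added example, not the original article's or any vendor's method: it builds a per-user profile (mean and standard deviation of three typing-rhythm features) from past sessions, scores a live session by its root-mean-square z-score against that profile, and maps the score to an allow / step-up / block decision. The feature set, the timings and the thresholds are all constructed for illustration; production systems use far richer features and learned models.

```python
"""Added example: score a live session against a user's historical typing
rhythm.  Feature set, timings and thresholds are constructed for illustration;
production systems use far richer features and learned models."""
import statistics

# One row per past session of the legitimate user (constructed data):
# (mean flight time ms, mean key dwell time ms, typing speed keys/sec).
BASELINE = [
    (115, 92, 5.1), (120, 95, 4.9), (110, 90, 5.3), (118, 93, 5.0),
    (122, 97, 4.8), (114, 91, 5.2), (119, 94, 5.0), (116, 92, 5.1),
]


def build_profile(sessions):
    """Per-feature (mean, stdev) learned from the user's history."""
    profile = []
    for column in zip(*sessions):
        sd = statistics.stdev(column)
        profile.append((statistics.mean(column), sd if sd > 0 else 1e-6))
    return profile


def anomaly_score(profile, session):
    """Root-mean-square z-score across features; ~0 means 'typical for this user'."""
    squares = [((x - mu) / sd) ** 2 for (mu, sd), x in zip(profile, session)]
    return (sum(squares) / len(squares)) ** 0.5


def decide(profile, session, allow_below=2.0, block_above=5.0):
    """Risk decision: allow, require step-up authentication, or block."""
    score = anomaly_score(profile, session)
    if score < allow_below:
        return "allow"
    if score > block_above:
        return "block"
    return "step-up"


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # Constructed live sessions: the real user, a slightly unusual session, and an
    # attacker who logged in with phished credentials but types very differently.
    for label, live in [("genuine", (117, 93, 5.0)),
                        ("borderline", (130, 100, 4.5)),
                        ("takeover", (210, 140, 2.6))]:
        print(f"{label:10} score={anomaly_score(profile, live):6.2f} -> {decide(profile, live)}")
```

The middle "step-up" band is the practical point: a session that merely looks unusual should trigger an extra challenge rather than a hard block, since a genuine user typing on an unfamiliar device will also drift from their baseline, while a session that is many standard deviations away on every feature is a strong account-takeover signal even though the credentials were correct.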