It has been estimated that over 100 billion spam emails are sent daily worldwide. Spam emails are a common annoyance, but most users generally don’t deal with them because of the effective spam filters on most email servers. However, shady marketers are always developing ways to slip through spam filters to promote products or services. There would be little cause for concern if it was just spam slipping past filters. However, phishing emails also slip through the gaps and they are a real danger. According to one study, over 500 million phishing emails make it to users’ inboxes everyday.
Attackers send out phishing emails to trick users into divulging sensitive information with messages that appear trustworthy (they may use the same character style, logos, copyright information, legitimate links, etc). Links within these emails lead the user to a fraudulent or compromised website or instruct them to download an attachment which, unbeknownst to the user, infects their computer with a virus.
Like spam, mass phishing emails are also used to catch victims. But more and more phishing attacks are targeting specific groups of people or companies. There are different variations on the targeted phishing email. The following are three common attacks:
Rather than the mass phishing approach, attackers using spear phishing to first gather information about the individual, group, or company they are attacking so they can better trick them into entering information into a fraudulent website or to download a virus.
This method is very similar to spear phishing. The difference is that the attacker sends variations of the same email from different servers to a group or company. Also, the attacker will send groups of emails over the span of a few hours, rather than all at once like the mass phishing approach. This approach is successful for attackers because the emails differ from each other, and because the emails are sent in bundles.
Whaling is a highly targeted form of spear fishing. This attack is aimed at company executives and high-profile individuals.
Once an attacker steals the victim’s sensitive information (username and password, credit card details, SSN, etc) they may use the victim’s credit card, transfer funds from the victim’s bank account to their own, lock the victim out of their bank account, or steal the victim’s identity.
Common Phishing Characteristics
Although there are many variations and techniques in phishing attacks, there are common characteristics users can look for to protect themselves.
Phishing emails are unrequested, and no matter how they are written they always ask the user to click on a hyperlink, a clickable image, or download an attachment. The reasons always appear logical. They may specify a cost for a product you recently purchased that you need to verify. Or they may tell you that your account has been compromised and you need to click on the link to log into your account and begin an investigation.
These emails may have multiple hyperlinks, including some to the company’s real website—adding to the illusion the attacker is trying to create. But some of the hyperlinks are disguised and lead to a fraudulent or hijacked website where you are prompted to enter your username and password or other sensitive info.
Tips for Avoiding a Phishing Attack
- Don’t put personal information into pop-up windows unless you are sure it is a trusted site.
- Avoid clicking on links within emails. Open a new browser page and type in the address/URL for the site you intended to visit and compare the name of the website in the address bar to the one in the email.
- Upgrade your software (OS and browser). The latest version of most browsers come with anti-phishing filters.
- When browsing the Internet, block pop-up windows, don’t sync your sensitive information, configure security settings, and enable malware protection.
- Delete all suspicious messages.
- Only accept trusted certificates—don’t ignore browser warnings.
- Be wary of (and don’t click on) links that take you to an unfamiliar site or IP address.
- Look for the green address bar activated by an EV Certificate. Click on the lock icon and read what it says.
- Forward phishing emails to firstname.lastname@example.org, to the organization being impersonated, and to email@example.com.
Like spam, phishing emails will probably not go away in the near future. But that doesn’t mean you need to become a victim. Knowing how attackers will try to trick you will help you become better at avoiding them.