Phishing 101

Phishing 101: A Guppy’s Guide to Getting Hacked

While the number of people falling for foreign prince email scams — simply send a few personal details (that will allow the hacker to steal your identity) in return for wealth and riches beyond belief — seems to be dropping, phishing remains a major issue. In fact, the number of phishing campaigns pursued by hackers around the world increased 65% in the last year. End users are still being taken in, so we’ll cover the basics here in Phishing 101.

Why is it Called ‘Phishing’?

Coined by hackers in 1996, the term “phishing” is an online analogy to the sport of angling. It means sending out email ‘lures’ to hook ‘fish’ in the form of data and passwords from the ‘sea’ of Internet users. The bait might not be good enough for everyone to click, but as long as some do, the information netted can be used as currency among cyber criminals. Changing the “f” to “ph” is considered a nod to the original form of hacking known as phone phreaking.

How Does it Work?

Hackers mimic the emails, forms, and websites of legitimate companies in an effort to lure people into clicking on links or providing personal information. Links in phishing emails typically lead to compromised websites that can silently install ransomware viruses on the user’s computer. Forms or requests for account updates collect information such as credit card numbers, social security information, passwords, and other identifiers.

The victim typically doesn’t realize they’ve been compromised until long after the event, and oftentimes only after their identify or finances are affected. In the past, an attack was carried out relatively quickly. As soon as the victim gave up their information, the hacker moved in and stole money from the compromised bank account. Today, it’s often more lucrative for hackers to sell that information on the Dark Web, resulting in longer-lasting, even more devastating attacks.

Have you ever gotten an email from your bank or medical office asking you to update your information online or confirm your username and password? Maybe a suspicious email from your boss asking you to execute some wire transfer? That is most likely a phishing attempt, and you’re among the 76% of businesses that were victims of a phishing attack in the last year, according to Wombat Security’s recent State of the Phish report.

Why is Phishing so Popular?

Phishing is the most widely used method for spreading ransomware, according to PhishLabs’ 2017 Phishing and Threat Intelligence Report, and it has increased significantly since the birth of major ransomware viruses like Petya and Wannacry. Anyone can become a victim of phishing, and, in turn, ransomware attacks; however, hackers have begun targeting organizations that are more likely to pay the ransoms.

Small businesses and education, government, and healthcare companies often, unfortunately, don’t have valid data backups, so they are unable to roll back to a pre-ransomed version of their data. Instead, they have to pay their way out or cease to exist. In addition to considerable ransom costs, businesses that fall victim to phishing campaigns are often branded as untrustworthy, and many of their customers turn to their competitors, resulting in even greater financial loss.

Why are effective phishing campaigns so rampant despite public awareness from media coverage?

  1. Volume: There are nearly 5 million new phishing sites created every month, according to Webroot Threat Report. There are now even Phishing as a Service companies, offering phishing attacks in exchange for payment. One Russian website, “Fake Game,” claims over 61,000 subscribers and 680,000 credentials stolen.
  2. Effectiveness: Over 30% of phishing messages get opened, and 12% of targets click on the embedded attachments or links, according to the Verizon Data Breach Investigations Report. In short, these hackers have gotten really good at looking legitimate.
  3. Ease of Execution: New phishing campaigns and sites can be built by sophisticated hackers in a matter of minutes. While there are far more honest ways to earn money, these individuals have made a living out of duplicating their successful scam campaigns.

How Can I Protect Myself?

Now that we’ve covered the basics behind phishing scams, we’ll break down the elements inside it next. Read Phishing, Part 2: How to Spot an Attack.

You can also use these tips to avoid the 5 most common social engineering scams, and test your cyber skills with our Facebook phishing competition.