Phishing is a specific type of cyberattack used to gain access to sensitive data like addresses, personal information, passwords, login credentials and banking details. In it, people are contacted by email, text message or telephone and tricked into handing details or money over.
The term phishing dates back at least 25 years to the days when AOL was a big internet service provider. Some users would pretend to be AOL staff in chatrooms and trick other users into sharing passwords and credit card numbers. This was sometimes referred to as fishing for information.
The first use of the term phishing seems to be from a hacker called Koceilah Rekouche, who developed an automated tool for tricking users in 1995. As a nod to the existing term phreaking, which related to people who played with, reverse engineered and hacked the telephone network, he called this automated fishing “phishing”.
What does the attacker get out of phishing?
Money. Or access to your email to spread further attacks. Once cybercriminals have access to your email they can send emails from your address to your contacts to trick them. When it comes to more advanced phishing attacks, the rewards can be massive.
One attacker used phone calls and emails, pretending to be a senior member of staff at a company selling healthcare products, to trick a finance department into making bank transfers of £18.5 million to accounts in Hong Kong, China and Tunisia.
Phishing is already the most prevalent cybercrime, and it is becoming more common and more sophisticated. In 2020, the FBI recorded 241,342 phishing cases, more than twice as many as the next most common cybercrime. When you consider how many unsuccessful attempts are made for every successful one and scale the number up globally, you can see the vast scale of the problem.
What are the different types of phishing attack?
Often phishing attempts will be a crude, scattergun effort that spams hundreds of thousands of people with emails in order to trick only the most gullible. But there are also more targeted versions called spearphishing attacks. These may involve the cyberattackers doing some research about an individual or a company in order to make their messages more believable. You may receive an email from your boss asking for log-in details, for instance, but the address is faked. In some cases it could even come from the real email address, if that has already been compromised.
These emails may also send you to a malicious website via a link that is either a faked version of a well-known website or a real website that has been compromised. This website will then ask you to log in and will steal your username and password, or request some other sensitive information or perhaps even request a payment for goods or services that will never be provided.
At the higher end, phishing will involve very sophisticated social engineering attacks that involve lots of research, phone calls, emails and other fakery designed to trick individuals or companies out of extremely valuable information or large amounts of money.
How to prevent phishing?
For software makers, tech support and IT departments, stopping phishers is a constant cat-and-mouse game. Every time a way is invented to put up new defensive hurdles, the phishers learn a way to jump over them. Email spam filters that look for suspicious bits of text are sidestepped by including text as images, and so on.
The main defence for individuals is to be aware and cautious. Attackers employ numerous tricks, such as registering domain names that are deliberately designed to confuse. For example, Latin letters in a well-known website name can be replaced with visually identical but technically different Cyrillic letters.
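The look-alike domain trick described above can be checked for mechanically. The following script is an added example and is not code from the article or from any organisation it mentions. It accepts a hostname either as typed (Unicode) or in its “xn--” punycode form, flags any label that mixes Cyrillic and Latin letters, and maps a small constructed subset of Cyrillic look-alikes onto their Latin twins to see whether the result matches a watchlist of names you want to protect. The watchlist and the confusables table are assumptions made for the example (the full Unicode confusables list is far larger); a label written entirely in one non-Latin script is deliberately not flagged, since plenty of legitimate domains are written entirely in Cyrillic.

```python
import unicodedata

# Constructed, illustrative subset of Cyrillic letters that render like Latin ones.
# Written as escapes so the Cyrillic code points are unambiguous in source.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0501": "d",
    "\u051b": "q", "\u051d": "w",
}

# Constructed watchlist of second-level labels an organisation wants to protect.
WATCHLIST = {"paypal", "apple", "google", "microsoft"}


def script_of(ch):
    """Return the script (first word of the Unicode name) for a letter, or None for
    script-neutral characters such as digits and hyphens."""
    if not unicodedata.category(ch).startswith("L"):
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_unicode(host):
    """Accept a Unicode hostname or an ASCII/punycode one; return the Unicode form."""
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return host.lower()
    return host.lower().encode("ascii").decode("idna")


def skeleton(label):
    """Replace confusable Cyrillic letters with their Latin look-alikes,
    so a label such as 'p\u0430ypal' becomes 'paypal'."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)


def analyze_hostname(host):
    """Return the decoded host, its punycode form, and a list of (label, reason) findings."""
    uhost = to_unicode(host)
    findings = []
    for label in uhost.split("."):
        scripts = {s for s in (script_of(ch) for ch in label) if s}
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        skel = skeleton(label)
        if skel != label and skel in WATCHLIST:
            findings.append((label, "looks like watchlisted label '%s'" % skel))
    return {
        "unicode": uhost,
        "punycode": uhost.encode("idna").decode("ascii"),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: the second uses Cyrillic a (U+0430) in place of Latin a.
    for sample in ("paypal.com", "p\u0430ypal.com", "\u0441\u0431\u0435\u0440\u0431\u0430\u043d\u043a.\u0440\u0444"):
        result = analyze_hostname(sample)
        print(result["unicode"], "->", result["punycode"])
        for label, reason in result["findings"]:
            print("   ", label, ":", reason)
```

The punycode form is the one that actually appears in DNS and in TLS certificates, so logging it alongside the Unicode form makes the substitution visible to an analyst even when a mail client or browser renders the name with the look-alike glyphs. The same two checks (mixed scripts within a label, and a skeleton match against protected names) can be run over links extracted from inbound mail or over newly registered domains from certificate transparency feeds.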
The National Cyber Security Centre in the UK says that phishing emails are getting harder to spot, and some will still get past even the most observant users. It publishes a detailed guide to avoiding attacks that includes tips like turning on two-factor authentication (2FA) on your important accounts such as email. This means that even if an attacker knows your passwords, they still won’t be able to access that account.
You should also be wary of emails that refer to you as “valued customer”, “friend” or “colleague” rather than by your name; this can be a sign of crude, mass-broadcast spam. Likewise, poor spelling and grammar, or low-quality graphics in a message claiming to come from a large company, should be a warning sign. Emails with a sense of urgency, demanding a hurried response and asking for money or data, should be treated with caution. Whenever possible, you should verify them through another medium before taking action.