What is Phishing? Attack Techniques & Prevention Tips

Phishing is a type of online fraud that involves tricking people into providing sensitive information, such as passwords or credit card numbers, by masquerading as a trustworthy source. Phishing can be done through email, social media or malicious websites.

Phishing works by sending messages that look like they are from a legitimate company or website. Phishing messages will usually contain a link that takes the user to a fake website that looks like the real thing. The user is then asked to enter personal information, such as their credit card number. This information is then used to steal the person’s identity or to make fraudulent charges on their credit card.

Most phishing campaigns employ one of two primary methods:

Malicious attachments: Malicious attachments, which usually have enticing names, such as ‘INVOICE’, install malware on victims’
machines when opened.

Links to malicious websites: Malicious links point to websites that are often clones of legitimate ones, which download malware or whose login pages contain credential-harvesting scripts.

There are many types of email phishing scams, including:

Pharming/DNS cache poisoning

A pharming attack is a type of cyber attack that redirects a website’s traffic to a malicious imposter site. Pharming can be used to steal sensitive information, such as login credentials or financial information.

Typosquatting/URL hijacking

These spoof websites’ URLs look genuine but are subtly different from those they impersonate.

They aim to take advantage of typing mistakes when users enter URLs into their browser address bar.

For instance, they might:

• Use letters that are next to each other on the keyboard, such as ‘n’ in place of ‘m’;
• Swap two letters round; or
• Add an extra letter.

Clickjacking

Attackers use multiple transparent layers to place malicious clickable content over legitimate buttons. For example, an online shopper might think they are clicking a button to make a purchase but will instead download malware.

Tabnabbing

Tabnabbing is a phishing technique that tricks users into entering their credentials on a fake website by having it resemble the original website. This technique takes advantage of the fact that most users do not pay attention to the URL of the website they are visiting.

Most phishing emails are sent at random to large numbers of recipients and rely on the sheer weight of numbers for success. (The more emails are sent, the more likely they will find a victim who will open them.)

However, there are also many types of attacks – known as spear phishing – that target specific organisations or individuals. As with broader phishing campaigns, such emails might contain malicious links or attachments.

These types include:

Clone phishing

Clone phishing is a type of phishing attack where an email that appears to be from a trusted sender is from a malicious actor. The email will often contain a link to a clone of the original website that the sender is impersonating. This clone website will then prompt the user to enter their login credentials, which the attacker steals.

CEO fraud

CEO fraud is a type of scam in which a person poses as a CEO or another high-level executive to trick employees or others into providing them with confidential information or money. The scammer may contact victims via email, phone or social media, and use fake websites or other methods to make their scam appear legitimate.

BEC (business email compromise)

BEC is a type of cyber attack where attackers use email to trick employees into transferring money or sensitive company information to them. BEC attacks are often carried out by spoofing the email address of a senior executive or other trusted individual within an organisation to gain the victim’s trust.

The best way to avoid falling for a phishing email is to be aware of the common techniques that they use. Some of the most common techniques include:

1. Asking for personal or sensitive information: Phishing emails will often try to trick you into revealing confidential information, such as your credit card number or account passwords. They may do this by asking you to verify your account information or by providing a ‘secure’ link that leads to a fake website.
2. Creating a sense of urgency: Phishing emails will often try to create a sense of urgency by claiming that your account has been compromised or that you need to take immediate action to avoid a negative consequence.
3. Using spoofed email addresses: Phishing emails will often use spoofed email addresses that appear to be from a legitimate source, such as your bank or credit card company. They may also use the logos and branding of the legitimate company to make their emails seem more credible.
4. Including attachments or links: Phishing emails will often include attachments or links that lead to websites that are designed to steal your personal information. These websites may look identical to the legitimate website, but they will have a different URL.

If you receive an email that contains any of these elements, you should exercise caution before responding. You can also visit the website of the company that the email purports to be from to see if there are any announcements about phishing attempts. Finally, you can always contact the company directly to inquire about the email’s legitimacy.

• Implement appropriate technical measures

Use robust cyber security practices to prevent as many phishing attempts as possible from getting through your defences and ensure that, if they are successful, they don’t get much further.

• Build a positive security culture

Recognise that social engineering is successful because its perpetrators are good at manipulation. Don’t punish staff for falling victim but encourage them to report incidents. If there is a culture of blame, your employees will not admit to what is perceived as a mistake, putting your organisation at far greater risk.

• Learn the psychological triggers

All social engineering attacks exploit human psychology to get past victims’ natural wariness, such as:

• • Creating a false sense of urgency and heightened emotion to confuse their victims;
  • Exploiting the human propensity for reciprocation by creating a sense of indebtedness; or
  • Relying on conditioned responses to authority by seeming to issue orders from senior figures.
• Train your staff

Any staff member might succumb to a phishing attack, so all employees need to be aware of the threat they face.

Regular staff awareness training will help everyone understand the signs of a phishing attack and its potential consequences. They will then be able to report potential phishing emails, according to company policy.

• Test the effectiveness of the training

Simulated phishing attacks will help you determine the effectiveness of the staff awareness training and which employees might need further education.

IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our range of staff awareness e-learning courses and phishing solutions:

Phishing Staff Awareness Training Programme

Phishing Staff Awareness and Challenge Game Package

Simulated Phishing Attack

Social engineering penetration test

Phishing Awareness Posters

What is phishing?
Phishing is a type of cyber attack where criminals trick people into sharing sensitive information, such as passwords or bank details, by pretending to be a trusted contact.

What does phishing mean?
Phishing means sending fraudulent messages (often emails or texts) that appear to come from legitimate sources in order to steal personal data or money.

What is a phishing email?
A phishing email is a fake message designed to trick recipients into clicking malicious links, downloading malware or sharing personal information.

What is a phishing attack?
A phishing attack is any attempt to steal data or access systems by impersonating a trusted organisation, often using email, SMS or fake websites.

What is spear phishing?
Spear phishing is a targeted phishing attack aimed at a specific individual or organisation. It often uses personal details to appear more convincing.

How to prevent phishing?
To prevent phishing:

• Train staff to recognise suspicious messages.
• Use multi-factor authentication.
• Deploy email filters and anti-malware tools.
• Verify requests before clicking links or sharing data.

How to report a phishing email?
In the UK, you can report phishing emails to the National Cyber Security Centre by forwarding them to [email protected]. You can also mark them as spam in your email client.