“Your password has expired. Click here to change it now.” Let’s be honest — most people would click on the link without a second thought. We receive emails like these all the time, so we follow them almost automatically. That’s why phishing attacks are so effective and dangerous.
Feb 11, 2020 · 6 min read
Phishing is a scam technique that uses fake messages, websites, and social engineering to lure information or money out of people and businesses. It mostly depends on people’s habits and emotions to cloud their judgment. Phishing has been around since the early days of the internet, but it’s still one of the most widespread forms of cyberattack: 32% of all data breaches last year involved phishing.
Attackers usually use phishing tactics to get money. It can be as simple as tricking a person into making a bank transfer. But some cybercriminals will use malware to get more information about a person or a company that could be sold online. Emails are the most popular form of phishing. Some are so thoroughly researched and well-done that it can be hard to spot a fake.
Phishing attacks that are tailored and targeted at a specific individual are called spear phishing. Before sending out the phishing email, the attacker researches their target. This includes information from their public accounts, data breaches they might’ve been a part of, and anything the hacker can find about them or the company they work for. With all this information, the cybercriminal can pretend to be someone trustworthy — like a co-worker, an old friend, or a representative of a popular service the victim often uses.
Whaling is another form of spear phishing where the attacker pretends to be a high-ranking member of a company: chief officer, board member, major shareholder, etc. They are trickier to impersonate, so the cybercriminal must put a lot more work into making it believable. However, as senior members have more influence in the company, the gains are also usually much greater. Their employees transfer funds or confidential information without asking too many questions.
For clone phishing to work, the attacker needs a way to closely monitor their victim’s inbox. They take a recently received email (preferably with a link or an attachment) and make a clone. Most of it is left the same, but the attachment contains malware or the link redirects to a fake website.
The new email will claim to contain updated information. For example, if there was an invoice in the original, the attacker might change the details so that the money transfer is sent to them instead. They will then spoof the sender’s email address or create a new address that is very similar to the original. A person who receives tons of similar emails every day will most likely not think twice about downloading the attachment and making the payment.
A lot of phishing attacks are carried out over the phone as well: smishing is SMS-based phishing and vishing (voice phishing) involves phone calls.
Smishing relies on victims clicking links that lead to fake websites. In a recent FedEx/Amazon phishing scam, hackers used victims’ real first names and informed them that they needed to set delivery preferences for their FedEx packages. People receive similar texts very often, especially around Christmas time, so it may not strike you as odd at first glance. If you followed the link, you were eventually redirected to a fake Amazon website and asked to enter your credit card details to claim a free reward. Users who did so were billed $98.95 every month.
Vishing works a bit differently. It relies heavily on social engineering, creating stressful situations that push people to act without thinking. Attackers often try to scare their victims by claiming that someone tried to use their credit card, that they forgot to pay a fine, etc. Unfortunately, they often succeed. When people let emotion cloud their judgment, they give away online banking details and other personal information without thinking it through.