The next day you find out your online bank account was accessed and money was transferred to another account. This is a basic phishing attack that can target anything from personal info to banking access, to sensitive work or financial information.
Phishing has been around for a long time, at least in internet terms, and little has changed since the first attack to gain private info was deemed “phishing.”
The first recorded mention of the word phishing in relation to an attack of this type was back in January of 1996, on a Usenet group called AOHell. The group itself was a cheeky reference to the popular internet service provider America Online, a common hunting ground for newly minted phishing scams.
Posing as America Online employees, malicious individuals would message other users on the platform requesting everything from billing to account information. Having never been seen before these attacks were largely successful, and phishing became the go-to method for simple, effective, and low-cost attacks.
While the exact method of attack has evolved to be more sophisticated, the basic concept has remained the same. It’s continued to be one of the most effective methods of intrusion in both personal and enterprise computing. The weakest link in a given information security defence is almost always the individual using the system, and hackers will often use phishing scams to exploit this knowledge.
So why are these attacks still so successful? After over 20 years why are they still a problem? We’re going to take a look at a few of the reasons why we’re so easily fooled by this specific type of attack, and review a few simple ways they can be removed as a threat.
Anatomy of a Phishing Scam
Phishing attacks come in a variety of forms and levels of sophistication, but the general premise will always be the same. The aim is to confuse, misdirect, or deceive the victim into believing a legitimate source is requesting some form of private information. This could be anything from user account names to passwords or financial information.
These attacks can be used as a direct means to gain access to a secure system, or as a supplemental attack to bolster other attempts to gain access. As an example, using phishing attacks to gather personal information about a company’s personnel before a more serious attack occurs at higher levels would be a supplemental attack.
Hacks of this nature can come from a simple email or phone call, or be a sophisticated setup with web pages, pop-ups, and clone sites or domains established months in advance. Some of the most advanced phishing scams can take months or even years of preparation securing look-a-like domains and creating web pages designed to trick the victim into believing the requests for information are legitimate.
This can make it incredibly difficult to mitigate phishing scams on a wide scale, and it’s one of the main reasons phishing attacks continue to be a popular avenue of attack for malicious hackers. They are generally easy to implement, don’t require a huge investment of resources, and can be used on a wide scale for maximum effect.
What Makes Us so Vulnerable to Phishing Scams?
With enough targets just about any phishing scam will eventually be deemed as successful. Even a 1% success rate on a given phishing scam could yield huge results when given an attack size in the tens of thousands, a realistic number for massive spam phishing that reaches a huge group of users.
Humans have a hard time saying no, particularly when under pressure. We’re susceptible to trusting what people say at face value, resulting in ease of access for scammers identifying as legitimate businesses or individuals. The data exists to support this, showing that frauds and scams are one of the most pervasive forms of crime in the world. This makes phishing scams a perfect storm of abuse to take advantage of those who are less vigilant about their information security.
Even experts can sometimes be fooled by advanced phishing scams. When a website is created to look like, act like, and feel like the exact domain you think you are visiting, it can be easy to let information slip without even knowing it.
This can be seen in the commonly used clone type attack, specifically one designed to emulate a common wireless access point for a business to gain access to the company’s web portal using employee information.
A WiFi hotspot is set up to look and act like the company’s normal web portal, broadcast the same SSID and have an exact duplicate of the company’s login page. Just about anyone could fall victim to this kind of phishing attempt without even knowing it.
Even simple attacks have effective avenues of entry. When someone receives an e-mail from definitelyabank.com asking for account information, they may not realize that the actual address present in the email is definitelyabanksupport.com
This kind of deception can be extremely difficult to combat as the average computer user is likely aware of the existence of phishing, but not familiar with the various nuances that allow it to succeed. This lack of information and awareness leads to many individuals falling prey to phishing scams.
Research by ITGovernance shows that phishing attempts involving entertainment are by far the most successful types of attack, with Holiday e-card alerts leading the pack in success rates. More troubling is that they highlight the Dunning-Kruger effect, a cognitive bias that causes people with low affinity or knowledge to believe they have superior intellectual skills.
To put it simply, most people are more likely to fall victim to phishing scams because they think they know enough about phishing to evade them. This further reinforces the extreme value of education and training to combat advanced phishing techniques in both the workplace and at home.
Phishing scams create the perfect combination of trust, misdirection, and deception to take advantage of natural human inclinations. Until a more serious approach is taken to combat the success rates of phishing scams, we’ll continue to fall victim to the simplest of social manipulations, resulting in huge losses in both the corporate and private sectors.
How Can You Avoid Phishing Attempts?
Security awareness education is likely the best way to combat phishing attempts both at home and in the workplace. This involves a multi-faceted approach to both educating the end-user on the nature and types of scams, as well as general security awareness and best practices.
- Keep software up-to-date: Scammers can use vulnerabilities in browsers or operating systems to make their scams appear more real, making them easier to fall victim to. Keeping all your software updated with the latest security patches can help mitigate advanced phishing attempts and scams
- Use a good antivirus software: The best antivirus software will almost always include some kind of phishing prevention mechanism. While these are never going to be foolproof, they can help reduce the likelihood of you falling prey to a phishing attempt.
- Use a VPN to mask your identity: The end goal of most scams is to glean personal information about the user. Using a VPN can help keep your identity protected and reduce the chance of repeat attacks.
- Verify site security yourself: Websites that deal with secure financial information will always have a valid SSL certificate and the https:// address prefix. The security certificate itself and be viewed to ensure the advertised site is actually where you want to be. Every major website these days has one of these security certificates, and they are meticulously logged and tracked to help protect users. Make use of them in your daily browsing!
- Keep your personal information personal: Sharing personal information over the web is always a risky decision. On a secure site you trust and have verified, it’s generally safe to share some info, but if you’re ever in doubt you should get the company’s phone number from their main site and give them a call.
- Never share passwords with anyone, and change them regularly: Don’t ever share passwords or sensitive account information.
- Stay informed on new phishing scams: Even experts can be caught off-guard by new phishing attempts. Keep yourself informed about the various types of phishing scams and ways you can defend against them.
Protect yourself from phishing scams with Surfshark
Only $1.99/mo. 30-day money-back guarantee with every planBuy NOW