What is phishing? And how to recognise it
We have got used to an email inbox filled with spam. Nowadays email clients such as Gmail or Outlook are smart enough to filter most of it automatically, dumping it into the bottomless spam folder. If you open up this Pandora's box you will notice some rather interesting emails, apparently from your favourite shop, your bank or a government agency. Some of these still get through to your inbox, and they are a valuable tool in the scammer's playbook.
What is phishing?
Phishing, in which fraudulent bulk e-mail messages guide naïve users to legitimate-looking but fake websites – where they are prompted to reveal personal information such as account numbers or passwords
- Sid Kirchheimer
As the definition above shows, phishing exploits a consumer's familiarity with a site or a brand to trick them into providing information. It can also extend to downloading malicious software that users would not normally install. This all comes down to the trust they place in the brand or website and how it lowers their guard. Nor is it limited to attacks on individuals: corporate phishing has grown prominently in recent times.
What is the aim of phishing?
Scammers use this form of scam to gain information or to push malicious software. As more and more of our communication goes through the internet (banking, ecommerce, government administration etc.), this channel is seen as ever more lucrative for scammers.
By using mass emailing the scammer can stay anonymous whilst sending a high volume of phishing emails globally. The best part (for them) is that it is more personalised than general spam: by targeting services and brands the consumer is familiar with, the success rate is higher.
Here's a checklist of what phishing scammers are after:
- Credit Card/bank details
- Pushing malware onto your computer (for various purposes)
- Business and corporate data/credentials/secrets
Recent trends in phishing
To the scammers, phishing is a lucrative industry, and one that is deeply rooted in technology. Just like any technology industry, it is constantly shifting and evolving.
The targets of phishing used to be predominantly individuals, with scammers looking to score on a person-to-person basis. 2018 saw this shift. The main movers and shakers of the phishing world have set their sights on the corporate world, and organisations are now being targeted. The top targets are email and online services (26% of all attacks), which overtook financial institutions (21%).
A specific area of growth has been attacks against Software-as-a-Service (SaaS), which grew tremendously by 237%, joined by attacks on social media platforms. As mentioned earlier, users' reliance on and trust in these kinds of platforms is growing, and phishing scammers are taking advantage.
The geography and domains
The United States is still top of the scammers' hit list, with the number of attacks growing: it was targeted by 86% of all attacks. Other notable targets include India, Turkey and Colombia. That doesn't mean there haven't been decreases elsewhere: Canada, Italy and France experienced decreases in activity in 2017.
The actual location of the phishing sites themselves also paints an interesting picture. Most phishing sites are hosted on "compromised web hosting networks", according to PhishLabs. The most popular location by far is the United States (56%), with France (4%), Germany (4%) and the UK (3%) lagging far behind. Together with the fact that 49% of phishing sites use the .com TLD (top-level domain), this indicates that phishing scammers want users to feel they are on a reliable and trustworthy site.
One very worrying trend is phishing scammers adapting to the safety indicators consumers rely on to keep themselves safe. At the core of this is the HTTPS certificate used by websites. Users have been taught from various sources to look for this indicator as a sign of trust, and they used to be right, as in 2016 only 5% of phishing sites had such a certificate. Yet this number has skyrocketed: in 2017 nearly one third of phishing sites used HTTPS.
More often than not, phishers now use domains they have registered themselves for malicious purposes rather than compromising legitimate sites. The catalyst for this change can be traced back to the use of free hosting providers.
Case study: URL Padding
In order to trick unsuspecting users, scammers have been getting clever. To make users feel they are on a legitimate site, they pad the URL with symbols such as hyphens whilst including a legitimate-looking part of the branded URL.
For example www.amazon------------------/shoes/converse.tk
This takes advantage of the rather small amount of screen real estate available on most mobile phones: the user will most likely only see the www.amazon----- section. This, along with a well-designed fake of the site, is often enough to fool users into believing it is authentic.
Mobile use is ever-growing for users around the world, and as a platform, mobile phones offer easy avenues for targeting.
Are you using the latest mobile phone? If not, have you ever ignored that 'update now' notification over and over (or, even worse, has the manufacturer stopped providing updates...)? This, alongside the myriad apps of questionable quality that can be downloaded, has made mobile a growing focus for phishing.
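To show how the padding trick can be caught mechanically rather than by eye, here is an added example (not code from the original post) of a small Python checker. It parses a URL, measures runs of hyphens in the host, and reports a known brand name that sits outside the registrable domain. The brand list, the four-hyphen threshold, the "last two labels" approximation of the registrable domain, and the sample URLs are all constructed assumptions for illustration; a production checker would consult a public suffix list instead.

```python
"""Added example: a small checker for hyphen-padded ("URL padding") hosts.

Everything here is constructed for illustration: the brand list, the
four-hyphen threshold, the 'last two labels' approximation of the
registrable domain, and the sample URLs in main().
"""
import re
from typing import List
from urllib.parse import urlsplit

# Constructed list of brand names the checker knows about.
KNOWN_BRANDS = ("amazon", "paypal", "facebook")
# A run of four or more hyphens: the padding that pushes the real domain
# off the right-hand edge of a narrow mobile address bar.
PADDING_RUN = re.compile(r"-{4,}")


def host_of(url: str) -> str:
    """Return the lowercase host of a URL (a missing scheme is assumed to be http)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    A real checker would consult the public suffix list so that e.g. .co.uk
    is handled correctly; two labels is enough to show the idea.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def padding_findings(url: str) -> List[str]:
    """Return human-readable findings for a URL; an empty list means nothing odd."""
    host = host_of(url)
    findings = []
    longest = max((len(m.group()) for m in PADDING_RUN.finditer(host)), default=0)
    if longest:
        findings.append(f"hyphen padding run of {longest} characters in host '{host}'")
    reg = registrable_domain(host)
    # A brand name that appears in the host text but not in the registrable
    # domain is the classic padded-subdomain lookalike.
    for brand in KNOWN_BRANDS:
        if brand in host and brand not in reg:
            findings.append(f"brand '{brand}' appears outside registrable domain '{reg}'")
    return findings


def main() -> None:
    samples = [
        "https://www.amazon.com/shoes",                    # genuine layout
        "www.amazon------------------/shoes/converse.tk",  # the post's own sample
        # Constructed: brand name, then padding, then the real (unrelated) domain.
        "http://www.amazon.com------------------secure-login.padding-example.tk/shoes",
    ]
    for url in samples:
        print(url)
        for finding in padding_findings(url) or ["no findings"]:
            print("   ", finding)


if __name__ == "__main__":
    main()
```

Run it directly to see the three sample URLs scored; the genuine Amazon URL produces no findings, the post's sample is flagged for its hyphen run, and the constructed lookalike is flagged both for padding and for the brand name living outside the registrable domain.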
Tips to beat the phishing scammers!
1. Thinking about clicking on a random link? Think again!
Be cautious when you open an email or message and see a hyperlink (a link to a different website). Links can often be hidden in text or behind a picture. If you are not 100% sure that an email is legitimate, think twice and see if you can find the page with a simple Google search instead.
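As an added example (not from the original post), the following Python script shows how the "hidden hyperlink" problem can be checked mechanically: it walks the HTML of an email and flags links whose visible text looks like a web address but whose href points at a different host, and links that consist only of an image with no visible text to judge. The sample email body and every hostname in it are constructed for this example.

```python
"""Added example: flag hidden or mismatched hyperlinks in an HTML e-mail body.

Two signals are checked for every <a href="...">:
  * the visible link text looks like a web address, but the href goes to a
    different host (the classic 'text says one site, link goes elsewhere');
  * the link wraps only an image, so there is no visible text to judge.
The sample e-mail and the hostnames in it are constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Visible text that a reader would take for a web address.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lowercase host of a URL; a bare domain without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text, wraps_image) for every anchor in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str, bool]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []
        self._img = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self._href, self._text, self._img = attr["href"], [], False
        elif tag == "img" and self._href is not None:
            self._img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def suspicious_links(html: str) -> List[str]:
    """Return one finding per suspicious anchor; an empty list means none found."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text, wraps_image in parser.links:
        target = host_of(href)
        if wraps_image and not text:
            findings.append(f"image-only link to {target}")
        elif DOMAIN_LIKE.match(text) and host_of(text) != target:
            findings.append(f"text shows {host_of(text)} but link goes to {target}")
    return findings


# Constructed sample message; example.net is a reserved documentation domain.
SAMPLE_EMAIL = """
<p>Your order needs attention. Please sign in at
<a href="http://login.account-check.example.net/x">https://www.amazon.com/</a>
or tap <a href="http://login.account-check.example.net/y"><img src="cid:button.png"></a>.</p>
<p>Questions? Visit <a href="https://www.amazon.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL) or ["no suspicious links"]:
        print(finding)
```

On the constructed message the first two links are reported (address text pointing at a different host, and an image-only button) while the genuine help link passes. Plain-worded links such as "our help page" are deliberately not judged by this script, since their text carries no address to compare; hovering or long-pressing to reveal the real destination remains the manual check for those.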
2. Look and feel: Spelling/grammar and formatting
This is a classic way of spotting a scam. Phishing scammers, just like the internet itself, are global creatures, so the language they are trying to communicate with you in might not be their first language. Unlike the communications department of a large organisation, they don't have the time, patience or knowledge to check their language. This also extends to the media used, such as photos, which can often look odd, with low resolution or strange cropping.
Do you really think a legitimate company would allow these kinds of messages to go out to its customers? No, so when you see this, think twice!
3. Requests for personal information
If an email or message asks for information such as your account details, username/password or other information of that nature, always think twice. Institutions will never ask for that kind of information via email or messages, as they know these channels are insecure. Also, it doesn't make sense for an organisation to ask for information that is both sensitive and already known to them.
4. Urgency or threats
Another tactic of phishing scams is to focus on imminent threats, such as your account being closed down or a suspect transaction that needs to be dealt with ASAP. They may also make explicit threats, such as a fine or prosecution if some kind of action isn't taken.
Organisations such as banks or government authorities are impersonated to increase this pressure. Scammers are counting on you being worried or flustered... but don't fall for their trap. Take a breath and really consider whether the organisation would be asking in this way or asking for this kind of information. If you have doubts, use a search engine to find the organisation's contact details and confirm whether they actually sent this communication to you.
So Scamfighters, be careful out there and avoid the traps these ‘phish-ers’ leave for you. If you follow the above tips and use your common sense, you’ll be ready for anything that comes your way!