If you have ever used emails, you have probably received fake messages prompting you to enter your card details, email login or other sensitive information. You may have received links to fake pages on social media or instant messaging apps as well. No matter if you are a regular person, a government official or a corporate executive, you can become a victim of such an accidental or deliberate attack. Such attempts to deceive you are known as phishing.
So, what exactly is phishing?
By definition, this is a fraudulent attempt to obtain sensitive information by sending a spoofed message to an unsuspecting person, prompting them to visit a fake website that looks like a legitimate website, or to download and install malware on their computer.
“Phishing” is a homophone of fishing, as scammers use online lures, setting out “traps” to “fish” for information. The term was first used in 1996 by hackers stealing AOL accounts and passwords. They were using the accounts as currency that they called “phish”.
The first attack on a payment system was in 2001 (E-gold). In 2003, a number of domains resembling the official PayPal and eBay domains were registered, and the first phishing attack against a bank was reported. Since then, thousands of attacks have been executed each year and the losses are estimated to be more than $26 billion (https://www.ic3.gov/Media/Y2019/PSA190910). Leaving money aside, massive data breaches and identity theft are among the more serious consequences of phishing attacks.
There are different techniques that scammers use in an attempt to gain unauthorized access to information. Bulk phishing is easier as it often requires only a massive spam campaign, but sometimes scammers target high-ranking officials or companies, so they can be quite inventive. If you are familiar with these techniques, it is more likely that you will notice if something is wrong. Here are a few examples of the most common techniques they use:
- Link manipulation. This is the most common technique as it is easy to execute. It is also the one that is most likely to trick people into providing their information, thinking they are on a legitimate website. Any email or website used by the scammers can be an exact copy of the real one, with only a single link or button being fake. There are different ways to trick you into believing the URL you have to click is legitimate:
- IDN spoofing / homograph attack. An internationalized domain name that uses non-English characters is registered. The Latin “a” and the Cyrillic “а” look alike, for example, and you can’t tell the difference when you see such a domain in an email message. In the security field, this is known as an "IDN homograph attack". Most internet browsers employ algorithms to prevent this type of attack: recent versions of most major browsers display a domain's punycode notation if it mixes characters from different scripts that could be homographs.
- Subdomain. Scammers register either some junk domain like asdasdfgh.com or a seemingly legitimate one, and then create a subdomain like your-bank-login.com.asdasdfgh.com. If the subdomain is longer, it gets harder to see the real domain. Many people simply see the first part and believe they are visiting the real website.
Some browsers, like Google Chrome and Safari, have already tried to make this harder by de-emphasizing the full URL and showing only the domain name itself in the address bar. This practice is still controversial, and it remains to be seen whether it will be widely accepted.
- Mixing fake and legitimate links. Some email filters and malware scanners can be tricked if a message/website includes a lot of links to the real website – the legal information page, the contact page, etc. – with only a single fake link added. Even if you manually check random links to see what URL they point to, you will not see anything suspicious unless you happen to pick the one fake link.
- Hidden URLs. Web and desktop email clients usually display HTML emails. Any link can be placed in an <a href="any-url-here">any-text-here</a> HTML tag, so if you don’t pay attention, you can click on a random link that is hidden behind words like “Login”, “Visit site”, etc.
- URL Shorteners. Free services like TinyURL and Bitly are often used to mask the real web address you will end up on. Email filters and scanners often miss shortened URLs as they do not lead directly to phishing websites.
- Redirections. This technique is simple, but clever. Once you enter your login details or card information on the fake website, you are redirected to the real one. This way, you may think that you simply mistyped something, so if you try again, the information you enter will be accepted. Unless you pay attention to the specific page that prompts you to enter your details, you won’t notice something is wrong afterwards.
- Using images. Email filters often scan for specific text/links or look for patterns. If some of the text is replaced by an image of that text, it will be much harder for a phishing message to be detected. Brand logos in emails and on websites can be obfuscated for the same purpose.
- iframe redirection. Nowadays, most websites are protected and cannot be embedded in an iframe, but this technique can still be used. A legitimate website is displayed in a frame within a fake website and additional fields or a popup requesting information are displayed on top of it.
How to detect a phishing attack
If you expect an email from some organization (your bank, a hosting provider, a social network), it is very likely that if you receive one, it will be legitimate. If you receive an email out of the blue, though, you should always be suspicious until you make sure that the message you have received is legitimate. Here are a few things you can do to double-check if the email is real or if a scammer sent it:
- Check what the email is about. Phishing emails usually try to trick you by telling a story. They ask you for some information and ask you to click a link or open an attachment. This is the first thing that should ring a bell as companies do not usually send such emails out of nowhere. Whether you won the lottery, you have to pay a fake invoice even if you don’t remember ordering anything, or an unauthorized attempt to log into your account was detected, you are prompted to follow a link to a fake website. You should ignore such emails and you should contact the company/organization to double-check if they really sent you anything and if your account with them is in good standing.
- Check what link you are asked to follow. If you have any doubts whether an email you have received is legitimate, mouse over any link you see in it to see the web address the link leads to. This is valid for both web-based emails and for desktop email applications. If the URL is unfamiliar, if it has spelling mistakes or it looks suspicious (bank-support-now.com, for example), you should not click on it and you should delete the email right away. As mentioned above, fake and real links can be mixed in a message, so you should inspect the actual link you intend to click.
- If you do click a link, check the full URL in the browser address bar. If needed, you can copy it to a text editor to be able to see the full link. Look for the actual domain name (example.com), this will tell you if you are visiting the real website or a copy.
- Check the SSL certificate of the website. Note that nowadays any website, even a fake one, can have an SSL certificate. SSL certificates do nothing more than ensure that you are connecting to the domain name you see in the address bar. Even EV SSL certificates, which are supposed to verify the underlying organization, do not offer the security benefits they claim to offer. Security researcher Troy Hunt has published some lengthy articles on the supposed usefulness of EV certificates: https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
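The link tricks listed under "Link manipulation" and the manual checks above (hover over the link, read the full URL, find the real domain) can be turned into an automatic first pass over an HTML message. The following is an added example written for this article, not code from ICDSoft or from any mail product. The sample email, the shortener list and the "more than three labels" heuristic are constructed for illustration; the registrable-domain helper simply takes the last two labels, which is a simplification a real checker would replace with a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email of the kind described above (not a real message).
# The Cyrillic "a" (U+0430) in the second link is written as an escape so that it is visible.
SAMPLE_EMAIL_HTML = (
    "<p>Dear customer,</p>"
    '<p>Please <a href="http://your-bank-login.com.asdasdfgh.com/login">log in</a>'
    " to verify your account.</p>"
    '<p>Or visit <a href="https://p\u0430ypal.com/">https://paypal.com/</a> directly.</p>'
    '<p>Read our <a href="https://example.com/legal">legal information</a> and '
    '<a href="https://example.com/contact">contact</a> pages.</p>'
    '<p>Short link: <a href="https://bit.ly/3abcXYZ">Login</a></p>'
)

# A few well-known shortener domains; a real checker would maintain a much fuller list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Matches link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL-like string, with or without a scheme."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname ("login.bank.example.com" -> "example.com").
    Simplification: production code should consult the Public Suffix List so that
    names such as "example.co.uk" are handled correctly."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def analyse_url(url):
    """Return human-readable findings for one link target (empty list if nothing stands out)."""
    findings = []
    host = host_of(url)
    if not host:
        return ["link has no hostname"]
    labels = host.split(".")
    if any(ord(ch) > 127 for ch in host):
        # Show the punycode form that recent browsers display for mixed-script names.
        ascii_form = host.encode("idna").decode("ascii")
        findings.append(f"internationalized hostname (possible homograph): {host} -> {ascii_form}")
    if len(labels) > 3:  # heuristic: www.example.com has three labels, the subdomain trick has more
        findings.append(f"deep subdomain; the real domain is {registrable_domain(host)}")
    if registrable_domain(host) in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    return findings


def analyse_email(html):
    """Return (href, text, findings) for each link in the message that deserves a closer look."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        findings = analyse_url(href)
        # Link text that displays one domain while the href points at another.
        if URL_LIKE.fullmatch(text) and registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
            findings.append(f"link text shows {host_of(text)} but the link goes to {host_of(href)}")
        if findings:
            report.append((href, text, findings))
    return report


if __name__ == "__main__":
    for href, text, findings in analyse_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   ", finding)
```

Run against the constructed message, the checker flags the deep-subdomain link, the Cyrillic look-alike whose visible text says paypal.com, and the shortened link, while the two real example.com links pass. It is a triage aid, not a verdict: a link that passes every check can still lead to a fake page, which is why the manual checks above still apply.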
How to prevent phishing attacks
There are some things you can do if you want to prevent phishing attacks, or at least to reduce the chance that you or your company can fall victim to such attacks. As elaborate as an attack can be, these steps can greatly help you avoid or minimize any damage.
- Use Two-Factor Authentication
More and more companies offer two-factor authentication (2FA) for their services. This is an additional layer of security that can stop an unauthorized party from entering your accounts even if they have your login details. If available, you should choose a dynamic one-time option – an SMS code, a time-based one-time passcode (TOTP), or a push notification if you use an app on your phone. You should avoid options such as a permanent PIN code or a predefined answer to a question, as these are just as easy to give away on a fake website.
- Educate your employees
If you run a business or an organization, any employee can fall victim to a phishing attack. This is true for any person working with emails, but especially for people with less technical knowledge. If any work email/computer gets compromised as a result of a phishing attack, the operation of the entire organization will be at risk. Clients’ information may get stolen, for example, and this can have a detrimental effect on the company’s reputation.
This is why you should educate your employees and help them detect phishing attacks more easily. If they are aware of the possible threats, they will surely be more careful when they open emails and visit websites. It is recommended to have regular training courses on that matter so that your employees are up to date with the latest threats. The cost of a potential data breach as a result of a phishing attack can be much higher than hiring a security specialist to lead a training course.
- Enable email filters for your mailboxes
A good email filtering system can greatly reduce the chance of a phishing email reaching your Inbox. Most phishing emails include specific words and phrases. Anti-spam platforms like SpamAssassin filter messages based on such words. All our hosting plans, for example, include this platform by default. It comes with a Bayesian filter that can learn from messages you mark as spam manually. This way, the platform adapts and starts filtering messages more effectively, thus minimizing the chance that you open a fake message.
- Set up SPF/DKIM records for your domains
SPF, or Sender Policy Framework, defines which mail servers are allowed to send out messages for a particular domain name. DKIM, or DomainKeys Identified Mail, is a digital signature added to the headers of each email message that lets receiving servers verify that the message really comes from your domain and was not altered in transit. To enable either one, you simply create a TXT record in the DNS zone of your domain name, or in simple terms – add a new record wherever the DNS records of your domain name are managed. You can use an SPF/DKIM record generator online or ask your hosting provider for assistance. For DKIM to work properly, your mail server must also sign your outgoing messages.
If an SPF/DKIM record is created, receiving mail servers check if a message they have received comes from an authorized server and/or if it is signed with the correct digital signature. If there is some discrepancy, they can reject the message or mark it as spam. This way, nobody will be able to send out messages and mask them as if you sent them. Adding the records will protect not only other people that will receive messages from you, but also your own mailboxes. If you run a business, a scammer may try to send you a message and mask it as if it was sent from one of your own mailboxes, asking you for private company information.
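The two paragraphs above describe what a receiving server does with an SPF record; the following added example (written for this article, not code from ICDSoft or from any mail server) shows that evaluation on a constructed DNS zone. The domains, IP ranges and records are made up, and the tiny evaluator handles only the ip4, ip6, include and all mechanisms with their qualifiers, so a record that uses a, mx or other mechanisms is reported as an error rather than guessed at. It also shows how a minimal record of your own is assembled.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups, so the example runs offline.
# (A real resolver would query the TXT records of each domain.)
ZONE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(networks=(), includes=(), policy="-all"):
    """Assemble a record for your own domain: allowed networks, delegated senders, final policy."""
    terms = ["v=spf1"]
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        terms.append(("ip4:" if network.version == 4 else "ip6:") + str(network))
    terms += ["include:" + domain for domain in includes]
    terms.append(policy)
    return " ".join(terms)


def lookup_spf(domain, zone=ZONE_TXT):
    """Return the domain's SPF record, or None when it has none."""
    record = zone.get(domain.lower())
    if record and record.split()[0].lower() == "v=spf1":
        return record
    return None


def check_spf(domain, sender_ip, zone=ZONE_TXT, depth=0):
    """Evaluate the sending IP against the domain's SPF record the way a receiving server does.
    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror"."""
    if depth > 10:  # RFC 7208 limits the number of DNS-querying mechanisms per check
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(argument, sender_ip, zone, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:  # a, mx, exists, ptr, redirect= ... would need more DNS lookups; not modelled here
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term


if __name__ == "__main__":
    print(build_spf_record(["203.0.113.0/24"], ["_spf.mailhost.example"]))
    for sender in ("203.0.113.5", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(f"{sender:>16}  example.com ->", check_spf("example.com", sender))
```

With the constructed zone, mail from the domain's own range, from the included provider's IPv4 address and from its IPv6 range all pass, while mail from an unrelated address hits the "-all" term and fails; a receiving server would then reject it or mark it as spam, as the paragraph above describes. Note that "~all" (softfail) only asks the receiver to treat the message with suspicion, so "-all" is the setting that actually enforces the policy once you are sure every legitimate sender is listed.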
- Use antivirus software
Most antivirus applications have evolved and offer proactive protection. They often include web protection that silently monitors all web addresses you open. If they detect that a website is fake or attempts to download any malware on your computer, they will block the access to it. The advantage of using such a protection is that even if you click on a link in a fake message, the software will simply not allow you to proceed to the fake website. Some antivirus applications offer email monitoring as well. Of course, you should always be careful as no software can offer 100% protection.
- Keep regular backups of your content
If you have a website and somebody gets hold of your hosting account's login credentials, they can edit or delete the website. This can have a detrimental effect on your business. Considering that online presence is more important than ever, you should be prepared if anything like that happens. This is why you should keep regular backups of all your content. While restoring a backup is more about mitigating the damage, generating regular backups is a part of preventing a bigger problem.
ICDSoft, for example, keeps two daily backups of all hosting accounts for the past seven days, but the optional Extended Backups service will allow you to access backups for a whole year. This way, you will not have to worry about your content no matter what.
You can use your hosting account to keep a backup of your personal files as well. Unlike most hosting providers that do not allow archives to be stored on their servers, we do not have any such limitations as long as the content you upload is legal. If you get tricked into downloading and running software on your computer, your files may get encrypted and you may be asked to pay ransom to get them decrypted. Having a full backup of your private files will give you more security.
What if you get tricked nonetheless?
Phishing attacks keep getting more sophisticated. Fake emails are more difficult to detect, fake websites are often exact copies of the real ones. It is possible that you may get tricked and enter your personal or bank information on a fake website, or you can download and run some software on your computer. If this happens, you should know what to do to contain the damage.
If you download some application and your computer gets infected, shut it down as soon as you realize the application was not legitimate. If it isn’t too late, this can stop the scammers from taking control of your computer or the application from sending out sensitive information. Contact a computer specialist in your area, or notify a network administrator right away if the incident happened on a corporate network.
If you provided any login information, change your passwords immediately if you can still access your account. It is advisable to do that from a different computer than the one you used, as that one may have been compromised. Do not reuse old passwords or ones that you already use for another service. Use long and complex passwords and enable two-factor authentication for all your accounts.
Contact the organization that suffered the data breach. If any of your accounts gets compromised, they can help you – they can suspend your services temporarily to prevent further damage or help you to restore a lost service (a stolen domain name or a deleted file, for example). They may be able to give you additional information about the location of the scammer. If you plan to contact the authorities, let the company know about that in advance, so that they can prepare the required information.
If you provided any financial information, such as your bank account number or credit card details, contact your bank immediately and ask them to block your account and cards. Many banks reject suspicious payment attempts nowadays, but if anybody steals your money nonetheless, you should file a chargeback and change your cards.
Other types of phishing
It is worth mentioning that using fake emails and websites is not the only way for scammers to attempt to collect personal information. Voice and SMS phishing are common these days as well. Using fake caller IDs, scammers call or text users and ask them to provide personal or financial information over the phone or in reply to a text message. As most phones today are connected to the Internet, sending a link via a text message is more or less the same as sending it via email.
Fake social network profiles, free wi-fi networks in public places set up specifically to spread malware, and scripts disguised as advertisements are other methods that scammers use to gain unauthorized access to personal or financial information.
Phishing trends in 2020/2021
Nowadays, phishing attacks are more elaborate than ever. Scammers are getting more inventive, so you should be really cautious when you are prompted to click any link. New techniques detected in 2019 and 2020 involve using fake Google search results to direct you to a specific compromised website or pointing you to a non-existing link on a real website where only a custom 404 error page is compromised. If you are curious about these techniques, you can visit https://www.microsoft.com/security/blog/2019/12/11/the-quiet-evolution-of-phishing/ .
The number of detected phishing attacks in 2020 is half of what it used to be in the previous years, but this doesn’t mean that the threat is diminishing. On the contrary, attacks are getting more focused, i.e. scammers change their tactics and use a quality-over-quantity approach. About a third of all data breaches in the past couple of years were the result of a phishing attack, and half of them occurred due to human error.
It is expected that the number of phishing attacks will increase in 2021 as many businesses have moved online, while people shop and access services online more than ever. KnowBe4, a security awareness training platform, expects that there will be a wave of phishing emails exploiting topics like a COVID-19 vaccine and returning to offices and workspaces.
Phishing is one of the biggest threats in the online world today. Websites get compromised and fake pages are added to them every day; millions of scam emails are being sent out from compromised hosting accounts and servers. As phishing attacks get more elaborate each year, it is very important to know how to differentiate a fake email or a website from a legitimate one. Continuous learning and keeping in touch with the latest techniques that scammers use can help you to avoid the threat. Should something happen, though, you should act fast and you should know what to do. We hope that our article will help you prevent any such unfortunate event.