
Phishing Attack Overview

Phishing is one of the most common forms of social engineering and of cyberattacks in general. Its defining element is a fraudulent communication that appears to come from a trustworthy source.

The main goal is to steal personal information such as login credentials, sensitive corporate data, and credit card details. Beyond direct financial gain, attackers may also hold on to the stolen data and use it later in more damaging attacks against the same victim or organization.

Phishing gives attackers easy access to victims' online accounts and personal data, enables full identity theft, and in some cases lets them take over entire computer networks. Once inside, attackers can threaten to expose or sell the stolen data unless a ransom is paid.

The steps involved in a phishing attack are straightforward. The attacker, posing as a trusted entity, lures the victim into opening an email or text message, or into answering a voice call.

The victim is then tricked into clicking a malicious link that either redirects to a fake website requesting personal information or leads directly to the installation of malware. The image below illustrates the steps in the process.

Figure: An attacker sends an email to the victim containing a link to a malicious website that appears to be the original one.

The most common form of phishing is an email that appears to originate from a legitimate source. For example, the message might appear to come from a bank where the victim has an account, claiming that the user's password has been compromised or that personal information must be updated because of a new bank policy.

By following the instructions in the message, the victim is tricked into opening a fake webpage that looks exactly like the bank's (or any other service's) genuine login page and entering the requested personal information along with the current password.

After submitting the form, the victim is redirected to the bank's real page and assumes that something simply went wrong, not realizing that everything entered on the previous page was captured by the attacker.
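The defender's side of the scenario above is spotting the "looks like the bank" link before anyone clicks it. The following is an added example, not code from the original article: it parses the links out of an HTML message and flags the tricks a fake bank page typically relies on, namely a display text that shows one domain while the href points to another, a brand name used as a subdomain of an attacker-controlled domain, typosquats a character or two away from a trusted name, and non-ASCII (homoglyph) hosts. The trusted-domain list, the digit substitution table and the sample email are constructed for the demonstration.

```python
"""Triage links in an HTML email for phishing indicators.

Added example; not part of the original article. TRUSTED_DOMAINS,
DIGIT_HOMOGLYPHS and SAMPLE_EMAIL are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the recipient is assumed to trust (constructed list).
TRUSTED_DOMAINS = {"examplebank.com", "paypal.com", "microsoft.com"}

# Digits attackers commonly swap for look-alike letters (non-exhaustive).
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com'.
    Simplification: ignores multi-label public suffixes such as 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_host(host: str) -> list:
    """Return the reasons a link target looks like it impersonates a trusted brand."""
    reasons = []
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")  # reveal the Unicode form
        except UnicodeError:
            reasons.append("undecodable punycode label")
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return reasons  # genuine (sub)domain of a trusted brand
    if not host.isascii():
        reasons.append("non-ASCII characters in host (possible homoglyph)")
    folded = domain.translate(DIGIT_HOMOGLYPHS)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(folded, trusted) <= 2:
            reasons.append(f"lookalike of {trusted}")
        brand = trusted.split(".")[0]
        if brand in host:  # e.g. examplebank.com.secure-verify.net
            reasons.append(f"brand '{brand}' appears in host but the domain is {domain}, not {trusted}")
    return reasons


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email(html: str) -> list:
    """Flag every link whose target or display text suggests a phishing page."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = assess_host(host)
        # Display text that shows one site while the href points to another.
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"link text shows {shown} but target is {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a "your password was compromised" lure with three links.
# The second href uses a Cyrillic 'a' (U+0430) in place of the Latin one.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, your ExampleBank password has been compromised.</p>
<p><a href="https://examplebank.com.secure-verify.net/login">https://www.examplebank.com/login</a></p>
<p>Or sign in with PayPal: <a href="https://www.p\u0430ypal.com/signin">Click here</a></p>
<p><a href="https://mail.examplebank.com/prefs">Manage preferences</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the first two links are reported; the third is a genuine subdomain of a trusted brand and passes. In production the two-label `registrable()` shortcut should be replaced by a public suffix list lookup, and the edit-distance threshold tuned to the length of the brand names being protected.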

Variants of Phishing Attacks

The original scheme, an email that tricks the victim into clicking a link to a malicious website, is still common and effective today. However, more targeted forms of phishing have evolved that raise the attacker's odds of success.

Some of these variants are:

    • Spear phishing
    • Whaling
    • Pharming
    • Vishing
    • Smishing
    • Watering hole
    • Social media phishing
    • Microsoft 365 phishing

Prevention Against Phishing Attacks

The biggest weakness that social engineering exploits is the user's lack of awareness. The actors behind these attacks study what their targets care about and tailor the deception accordingly.

Therefore, organizations must raise awareness and train employees to recognize phishing attempts, handle them safely (for example, by reporting a suspicious message rather than clicking it), and protect themselves against them.

Although several controls help, enabling two-factor authentication is one of the most effective measures against phishing, since a stolen password alone no longer grants access; it is easy to deploy and most users are already familiar with it. Note, however, that one-time codes delivered by SMS or an authenticator app can still be relayed in real time by a phishing page that proxies the genuine login (an adversary-in-the-middle attack), so phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the credential to the legitimate site's origin, should be preferred where possible. In addition, enforcing a sound password policy protects against the weak or reused passwords that attackers commonly rely on.