Written by Stephanie. Stephanie graduated in information systems with an emphasis in cyber security management. She enjoys spending her time hiking with her children and her dogs, and playing video games with her husband.
Phishing started in the 1990s with a program called "AOHell", which was used to steal AOL users' account and payment information. From there, phishing became a tool used by many cyber criminals, from clumsy scam artists to sophisticated social engineers. According to Ajmal Kohgadai, phishing campaigns have become a more dangerous threat:
"Phishing attacks have increased in sophistication. Today, these attacks impact all organizations no matter their size, preparedness, or cybersecurity posture. Phishing is effective because it doesn't rely on technology vulnerabilities but rather on the lack of security awareness of targeted employees."
Phishing campaigns rely heavily on the uninformed, but some phishing campaigns have become more sophisticated over the years and are harder to catch. The once easy-to-spot emails with poor grammar and stories of Nigerian princes have been replaced by convincing, authoritative emails asking for information in more subtle ways. In this article we will discuss some of the major phishing attacks.
The most common phishing campaign is deceptive phishing. In this attack, the cyber criminal sends an email, text, or instant message impersonating a legitimate company or someone you may know. Their goal is to gain your credentials and personal information.
Google Docs Phishing
The popularity of Google Docs has made it a definite target of cyber-criminals. This type of phishing sends invitation emails, almost identical to the real Google Docs email invites, to those who use Google Docs. Once the email is opened, hackers will then have access to the victim's entire email and address book.
Malware-based phishing differs from deceptive phishing in that it requires you to download an attachment. This attachment includes harmful software that can perform tasks to retrieve your information. It can come from an email or from a website, and may seem benign in nature. The malware differs in design and in what the cyber criminal is targeting:
- Keyloggers: Track any keyboard input and send targeted information to the cyber-criminal.
- Web trojans: Invisible malware that activates when users are logging in. Credentials are harvested and sent to the cyber-criminal.
- Session hijacking: Users' online activities are monitored carefully. Once the user has entered credentials into the targeted account, the malware can take unauthorized actions. Session hijacking can occur completely undetected by the user.
- An example of session hijacking: a user logs into their banking account and the malware transfers funds to another account without the user's permission or knowledge.
Dropbox is used by millions of users every day to share and access files, and this has become a goldmine for cyber criminals. Many phishers have used Dropbox as their lure for phishing users' credentials. A recent campaign even involved an intricate duplicate of the Dropbox page. It was so believable that some users entered their credentials, which were then collected by the phishers.
Spearphishing campaigns require the cybercriminal to research potential targets on social media networks. From their research, they can send convincing, personalized emails. These emails will use the target's name, company, position, or other information to make the contact seem authentic. The goal of these campaigns is to gather user account information or to gain access to an organization's network. These campaigns are successful, with a 70 percent open rate and a 50 percent click rate.
Much like a spear phishing attack, the cyber criminal uses information gathered to target a bigger catch, a CEO. If the cyber criminal is successful in gathering the CEO's credentials from the phishing campaign, the criminal can then target the company using the CEO's information. This type of phishing is very dangerous, as people are more likely to give personal information when their CEO asks for it than when a spammy email does.
Often known as "phishing without a lure", pharming is considered especially malicious. Pharming consists of misdirecting people to websites that hackers have created in order to steal private information. This type of scam is particularly dangerous as it can happen even to those who have a "malware-free" computer.
Phishing scams should not be taken lightly, as they can have disastrous effects on someone's private information. There are a few ways to avoid phishing campaigns; however, getting the aid of an identity theft company might be the best path to take regarding the protection of your personal data. Although there are countless identity theft companies and services to choose from, tools like Best Company can help you find the right company to ensure your online security.