Phishing occurs when hackers attempt to obtain sensitive information such as passwords or credit card details by pretending to be a reputable organisation via electronic communication channels. The hackers craft these emails in such a way that they appear to come from a legitimate organisation, thus fooling the victim into trusting the email.
Classic phishing attacks involve sending mass amounts of fraudulent emails to as many people as possible and hoping to fool even a small fraction of the individuals into handing over their sensitive information. However, in recent years, phishers have crafted more sophisticated schemes to fool individuals into handing over their private information unwittingly.
Despite the variety in approaches, all scams have the same end goal; obtaining sensitive information from the victim which the scammer can use for their own nefarious purposes.
Here we detail some of the common phishing techniques:
Spear phishing:
Spear phishing is much like the classic phishing attack, except targeted to specific individuals or organisations. The hacker may have searched through social media and the internet to find personal information which could be incorporated into the email to make it seem more believable and increase their chances of success. Whale phishing is a subset of spear phishing; it specifically targets an individual who is high up in a company, such as an executive.
Scammers typically target employees who can authorise payments, or have access to the company’s accounts for other legitimate reasons, and fool them into making payments to their own fake accounts under the disguise of being a legitimate vendor.
Session Hijacking:
In session hijacking, the phisher exploits the web session control mechanism to gain unauthorised access to a web session and use it to gather information from their victim. The most simple of session hijacking attacks, the scammer uses a procedure known as “session sniffing“, in which the phisher can use a sniffer to intercept relevant information so that they can access the Web server illegally.
Content Injection:
These scams involve the phisher changing the content of a reliable website. This often redirects the user to a page outside of the legitimate website where they are asked to enter their personal information, which the phisher then uses for malicious reasons.
Malware:
Hackers use attachments sent in emails to harbour malware. Once the victim downloads the attachment, the malware begins to run on their computer. The malware then collects data on the user’s computer, which can then be accessed by the scammer. Similar to malware, ransomware is software which denies the user access to their device, or certain files on the device, until the user pays a ransom to the scammer. The scammer often asks for the payment in Bitcoin or another cryptocurrency
Malware may be installed via malicious advertising (“malvertising”), which exploits Adobe PDF or Flash to install the malware on the computer.
Link manipulation:
This is a prevalent way in which phishers trick their victims into giving them private information. The phisher sends a link, often via email, to a fake website. When the user clicks on the link, and
are told to log in as usual. When input their login details, the phisher collects them and uses them to commit identity theft. The fake website looks exceptionally similar to the real website, and may only differ in URL. Hovering the mouse of the hypertext in the email can expose the link as a fake.
Keyloggers:
Keylogger is a type of malware that logs inputs from the keyboard of the victim’s computer. The phisher then receives this information, from which they can pick out login details. Some high- security websites try to avoid this type of attack by using mouse clicks to make entries of usernames and passwords through a virtual keyboard.