Phishing, pronounced fishing, is a social engineering technique designed to steal passwords, credit card details, and other sensitive information. The ultimate goal is to use these credentials to gain access to even more information, such as social media and bank accounts.
A phishing attack can be carried out via email, telephone, or text message and usually contains a link to a site controlled by the attackers, which will prompt you to enter your login details. The email might be designed to look like a regular Dropbox or Facebook email, for example, and link to a fake site that looks exactly like Dropbox or Facebook. You can find plenty of examples here.
Facebook phishing and other attacks
Phishing emails often contain innocent sounding content, such as “somebody mentioned you on Facebook” or “I shared a document with you on Dropbox.” The attacker expects you to click on these links without verifying their authenticity and then enter your credentials. Often the phishing website will then redirect you back to the login page of the real site, where you will be asked to enter credentials again, this time legitimately. As you are now logged into the actual website, the hope is that all suspicion will go away.
Meanwhile, the attacker has gathered and stored your username and password and can use them at will. If they have gained access to your email account, they can reset the password of every account linked to your email address, then control these too.
Worse, the information found in your email inbox might allow an attacker to plan the perfect time to come after your financial accounts, such as during an illness or a long flight.
Spoofing addresses and phishing emails
Attackers mainly rely on two technical tricks to phish people successfully: spoofing email addresses and spoofing phone numbers. Everything else depends on good timing, credible language, and convincing design.
Email addresses and phone numbers are very easy to spoof, so you cannot rely on an email claiming to come from email@example.com to really have been sent by Facebook. Many email services check for cryptographic signatures that prove an email was sent from a particular domain, but these signatures are still not universal across the web, so their absence is not proof that a message is fake.
Similarly, a call from a known number, for example your bank's, might arrive on your phone. But there is no proof that the call really originates from that number. When in doubt about a spoofed number or email address, write or call back through a channel you already know and wait for an answer.
Fake URLs and phishing websites
In addition to spoofing email addresses, attackers register URLs that mimic those of legitimate sites. They often do this by slightly changing the order of letters, as in goolge.com. Another tactic is to register an innocent-looking domain and place the legitimate site's name in front of it as a subdomain, such as facebook.com.importantsecurityreview.co.
As the attacker really does own these domains and subdomains, they can obtain a valid HTTPS certificate for them, so the padlock in the browser proves nothing about who is behind the site.
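As an added example (not code from the original article), the following Python classifier flags the two lookalike patterns just described: a registrable domain that is one transposition or edit away from a trusted one (goolge.com), and a trusted name used as a subdomain of an unrelated domain (facebook.com.importantsecurityreview.co). The trusted-domain list and the two-label registrable-domain rule are simplifying assumptions; a real deployment would use a maintained allow-list and a public-suffix library.

```python
from urllib.parse import urlsplit

# Assumed allow-list of brands the reader trusts (constructed for this example).
TRUSTED = {"facebook.com", "dropbox.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part
    public suffixes such as co.uk, which a public-suffix list would handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: like Levenshtein, but an adjacent
    transposition (goolge vs google) counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(url: str) -> str:
    """Return 'trusted', 'unknown', or a description of the lookalike pattern."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return "trusted"
    # A trusted name appearing left of the registrable domain is only a subdomain
    # label: the site belongs to whoever registered the rightmost two labels.
    for brand in TRUSTED:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return f"brand-as-subdomain of {reg}"
    # A registrable domain one edit away from a trusted one is a typosquat.
    for brand in TRUSTED:
        if osa_distance(reg, brand) <= 1:
            return f"typosquat of {brand}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.facebook.com/login", "http://goolge.com",
              "https://facebook.com.importantsecurityreview.co/review"):
        print(u, "->", classify(u))
```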
The difference between phishing and spearphishing
Spearphishing is a phishing attack aimed specifically at you, rather than sprayed like spam at whatever email addresses the attacker can find. These attacks have proven particularly fruitful, as the emails can be personally addressed and tailored to a specific context, and they often form one step in a larger, more sophisticated attack.
To use the fishing analogy: instead of dropping your bait into the ocean and waiting for any fish to bite, spearphishing precisely follows around a single fish and attacks it individually.
For example, if you are a freelancer you might find a request for your services in your inbox. It might then ask you to upload your reference letters to a Dropbox folder, but instead of linking to that folder directly, it directs you to a phishing site. After you type in your password on the phishing site, you might be redirected to a real Dropbox folder and never suspect any foul play.
Spearphishing attacks are very common in large organizations, where criminal enterprises, competitors, and governments might target employees, often found on LinkedIn, to gather intelligence about the organization and find any weak spots in the network.
Spotting an attack and phishing protection
Two-factor authentication can offer protection against some phishing attacks, as it makes it difficult for the attacker to reuse your credentials later. But sophisticated phishing attacks do not simply store your credentials; they log into your account at the same moment you are typing them in. This way the attacker can immediately find out whether the gathered credentials work and, if not, ask you for the password again.
If the attackers encounter a captcha or a two-factor authentication prompt, they will ask you to enter the code into a window on their fake site and then use it to log into your real account.
Facebook and some other companies allow you to upload your PGP public key to their servers. After doing so, all emails you receive from Facebook will be encrypted and signed, making it far easier for you to verify their authenticity. Also, if someone were to gain access to your email account, they would not be able to read your notifications or use them to reset your Facebook password.
Unfortunately, the only durable protection against phishing attacks is healthy skepticism, due diligence, and strong awareness. Many organizations regularly test their employees on their ability to detect and avoid phishing scams. In companies where cyber security is of the highest importance, repeatedly falling for such phishing tests is grounds for termination of employment.