Phishing 101: What is Phishing?

Phishing is one of the seven common types of cyber attacks. The others are malware, man-in-the-middle (MitM) attacks, distributed denial-of-service (DDoS) attacks, SQL injection, zero-day exploits and DNS tunneling. The objective of a phishing attack is to get the victim to hand over sensitive information, such as a username and password, or to download malware.

Phishing attackers disguise malicious software behind an email or website and spoof the sender address so that the message appears to come from a trustworthy source. They may also include links that redirect users to fake websites masquerading as legitimate web pages, where users are prompted to share confidential information. Phishing may also arrive as text messages that appear to come from your bank or a delivery company. Thus, not only should you not provide your personal information, but you should also not click on links in texts from numbers you do not recognize, as you may unknowingly download malware.

Moreover, in addition to appearing to come from trustworthy sources, phishing attacks often rely on fear and urgency. For instance, emails may carry subject lines warning the recipient that their online banking information has been compromised and urging them to provide their details quickly. Perhaps that’s one of the reasons why phishing attacks have increased during the COVID-19 crisis. There are some ways to detect phishing attempts: carefully inspecting the email’s sender domain, subject and body; watching for scare tactics meant to alarm or confuse; noting misspellings, errors or an unprofessional tone; and noticing when a link leads to a landing page with an insecure connection, which denotes an unsafe website, or with misspellings. However, it is important to note that these attackers, their tooling and the social engineering techniques they deploy are also evolving to evade security controls.
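As an added illustration of the detection signals just listed (this is example code, not part of the original post), the following Python checker looks for an untrusted sender domain, a mismatched Reply-To, urgency wording, common misspellings, plain-http links and link text that hides a different target. The sample message, the trusted-domain set and both word lists are constructed assumptions that a real deployment would tune to its own mail stream.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message exhibiting the signals above (not a real email)
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
Reply-To: support@mailbox-free.example
Subject: URGENT: Your account has been suspended - verify immediately
Content-Type: text/html

<p>Dear custmer, your online banking acess has been suspended.</p>
<p><a href="http://examp1e-bank-verify.com/login">https://www.example-bank.com/login</a></p>
"""

# Assumed word lists; a real deployment would tune these to its own traffic
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "act now"}
COMMON_MISSPELLINGS = {"custmer", "acess", "recieve", "verfy"}
LINK_RE = re.compile(r'href="([^"]+)"[^>]*>([^<]+)<', re.I)


def host_of(url: str) -> str:
    """Strip the scheme and path from a URL, leaving only the host part."""
    return re.sub(r"^https?://", "", url.strip()).split("/")[0].lower()


def score_email(raw: str, trusted_domains: set) -> list:
    """Return the phishing signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain not in trusted_domains:
        findings.append(f"sender domain not trusted: {sender_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append("reply-to domain differs from sender domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency / scare-tactic wording")
    if COMMON_MISSPELLINGS & set(re.findall(r"[a-z]+", text)):
        findings.append("misspellings in subject or body")
    for href, shown in LINK_RE.findall(body):
        if href.lower().startswith("http://"):
            findings.append(f"link uses an insecure connection: {href}")
        # Displayed URL pointing somewhere other than the real link target
        if shown.strip().lower().startswith("http") and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but goes to {host_of(href)}")
    return findings
```

Running `score_email(SAMPLE_PHISH, {"example-bank.com"})` reports all six signals; a clean newsletter from the trusted domain with an https link returns an empty list.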

Phishing attacks use social engineering, which typically involves some form of psychological manipulation of the target into opening infected documents or providing personal information. Humans are the weakest link in organizational cybersecurity, and social engineering techniques are applied to take advantage of human error and negligence. Before the attack, cyber-criminals may spend some time collecting information on their targets, for example by researching the individual on social media sites like LinkedIn or Facebook. Attackers use what they learn about the target’s known interests to personalize the phishing attack and entice the target to click on malware-laced attachments. For instance, if the attacker learns that the target is a huge fan of a certain artist, the email may offer discounted tickets.

For example, in 2016 and 2017, devastating cyberattacks named Petya and the new variant NotPetya were deployed. The attack disrupted, paralyzed and destroyed the Ukrainian power grid, banking systems, and government agencies. The attackers used phishing to convince employees of the bank and government to download a seemingly innocent Microsoft Word document that carried malware. The phishing email purported to be a job applicant’s résumé, and once opened, the document allowed the hackers to make admin-level changes. This example demonstrates how attackers targeted HR departments, because of their unique need to open attachments from unknown sources, and personalized their attacks accordingly.

Therefore, it is important to create cybersecurity awareness among individuals, employees, and businesses to enable them to identify and avoid these threats. This security awareness training needs to encourage a company-wide cybersecurity culture and transparency. Appropriate cyber-hygiene practices such as antivirus protection, download and acceptable use policies, data access policies, data back-up policies and encryption frameworks must be fully integrated into employee training and onboarding procedures. Moreover, individuals and employees must limit the amount of personal information they share on social media to limit the resources available to attackers. Lastly, employees must be clearly instructed on how to report, respond to, and escalate a cyberattack once they have identified it.

To conclude, phishing attacks can significantly damage businesses legally and financially, as they may diminish operations, productivity, and the integrity of business data. Phishing can further lead to the public disclosure of embarrassing or damaging emails, causing loss of reputation and public trust, which destroys an organization’s brand irreparably. Therefore, it is fundamental that cybersecurity awareness be embedded in the company culture and prioritized alongside other operational and legal risk management practices.

Written by Elif Babaoglu, a third year law student at Osgoode Hall Law School and an information privacy and cybersecurity enthusiast.