What is a Phishing Attack?

Social engineering attacks are designed to trick or deceive victims into disclosing secure or private information. A simple example of this type of attack is a recently fired information technology worker who is able to slip past security because the guards do not know that the former employee no longer works there. Once inside their old workplace, the IT worker pretends to be working but is really stealing data, deleting critical files, or uploading destructive software.

Phishing is one of the most common forms of social engineering attack. The word “phishing” is a spin-off of the word “fishing”: the attacker presents bait knowing that most people will ignore it but a few will bite. Phishing attacks usually involve an attacker sending an email or displaying a fake web page that claims to be from a legitimate business in an attempt to trick the victim into giving up personal information.

Many times the victim is directed to a website where they are asked to update their personal information, password, credit card number, bank account number or other information that a legitimate company would have access to. Unfortunately, the web site is fake and is actually stealing the user’s information.

The Anti-Phishing Working Group (APWG) reported that the number of brands hijacked per year is on the rise. In August 2009 there was a record high of 56,362 unique phishing sites.

One of the reasons why phishing is so dangerous is because both the email and fake websites look legitimate.  They contain the logos, color schemes, and wording used on the real sites and within the organizations that they are impersonating.  This makes it difficult to tell that they are fake.

In addition, there are several different kinds of phishing attacks.  These include:

  • Spear phishing: Typical phishing attacks are sent like spam to many users while spear phishing attacks target specific users.  The emails are customized to each victim using their real names and personal information.
  • Pharming: Instead of sending a fake email and asking users to visit a bogus site, pharming automatically redirects users to the attacker’s site.  This is done by the attacker actually taking control of the legitimate business’s website or web servers.
  • Google phishing: This is when an attacker sets up a fake search engine and redirects traffic to fake sites.  Some of the search results may go to the legitimate sites while searches for specific online banking and financial sites may be impostors.

Phishing sites tend to appear and disappear suddenly to avoid being traced. According to the APWG, the average time a site is online is only 3.8 days. The United States has overtaken China as the top country hosting phishing sites, with over three quarters of the world’s hosted sites.

Because phishing uses social engineering to trick victims into responding to an email message or visiting a fake site, one of the most effective forms of defense is to teach users how to recognize phishing attempts. We will cover these signs and other techniques for protecting yourself against phishing attacks in our next post.


This entry was posted on Wednesday, June 23rd, 2010 at 9:18 pm and is filed under Attacks, Computer Security, Malware.
