Phishing is the practice of sending email to users with the purpose of tricking them into revealing personal information or clicking on a link. A phishing attack often sends the user to a malicious web site that appears to the user as a legitimate site.


The classic example is where a user receives an email that looks like it came from eBay, PayPal, a bank, or some other well-known company. The “phisher” doesn’t know if the recipient has an account at the company, just as a fisherman doesn’t know if any fish are in the water where he casts his line. However, if the attacker sends out enough emails, the odds are good that someone who receives the email has an account.

The email may look like this:

“We have noticed suspicious activity on your account. To protect your privacy, we will suspend your account unless you are able to log in and validate your credentials. Click here to validate your account and prevent it from being locked out.”

The email often includes the same graphics that you would find on the vendor’s web site or an actual email from the vendor. Although it might look genuine, it isn’t. Legitimate companies do not ask you to revalidate your credentials via email. If you go directly to the actual site, you might be asked to provide additional information to prove your identity beyond your credentials, but legitimate companies don’t send emails asking you to follow a link and input your credentials to validate them.

Phishing to Install Malware

One phishing email looked like it was from a news organization with headlines of recent news events. If the user clicked anywhere in the email, it showed a dialog box indicating that the user’s version of Adobe Flash was too old to view the story. It then asked, “Would you like to upgrade your version of Adobe Flash?” If the user clicked Yes, it downloaded and installed malware.

Another email had the subject line “We have hijacked your baby” and the following content:

“You must pay once to us $50,000. The details we will send later. We have attached photo of your family.”

The English seems off, and the receiver might not even have a baby, making this look bogus right away. However, the attackers are only trying to pique your curiosity. The attached file isn’t a photo. Instead, it’s malware. If a user clicks on the photo to look at it, it installs malware on the user’s system.

Phishing to Validate Email Addresses

A simple method used to validate email addresses is the use of beacons. A beacon is a link included in the email that points to an image stored on an Internet server. The link includes a unique code that identifies the recipient’s email address.

For the email application to display the image, it must retrieve the image from the Internet server. When the server hosting the image receives the request, it logs the user’s email address, indicating it’s valid. This is one of the reasons that most email programs won’t display images by default.
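As an added illustration of the beacon mechanism (not code from the original page), the following Python script scans a constructed HTML email for remote images that are 1x1 pixels or whose URL carries a per-recipient token, and then applies the mitigation that mail clients use by default: refusing to load remote images. The hosts, the token and the sample message are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample (not from the page): an inline logo, an ordinary remote
# banner, and a 1x1 remote beacon whose URL carries a per-recipient token.
SAMPLE_EMAIL_HTML = """<html><body>
<img src="cid:logo@vendor" alt="logo">
<p>We have noticed suspicious activity on your account.</p>
<img src="https://cdn.example.invalid/banner.png" width="600">
<img src="https://track.example.invalid/open.gif?uid=7f3a9c1e2b4d" width="1" height="1">
</body></html>"""

TOKEN_RE = re.compile(r"[0-9a-f]{12,}|[A-Za-z0-9_-]{16,}")  # hex ids, opaque slugs

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the message body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def find_beacons(html):
    """Return remote images that look like beacons: tiny, or carrying a token."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images never contact a server
        tiny = img.get("width") == "1" and img.get("height") == "1"
        values = [v for vs in parse_qs(url.query).values() for v in vs]
        values += url.path.split("/")
        tokenish = any(TOKEN_RE.fullmatch(v) for v in values)
        if tiny or tokenish:
            hits.append({"src": src, "host": url.hostname, "tiny": tiny, "token": tokenish})
    return hits

def block_remote_images(html):
    """The default mail-client mitigation: keep the markup but stop remote loads."""
    pattern = r'<img\b([^>]*?)\bsrc=(["\'])(https?://[^"\']*)\2'
    return re.sub(pattern, r'<img\g<1>data-blocked-src=\g<2>\g<3>\g<2>', html, flags=re.I)
```

Running `find_beacons` on the sample flags only the tracking pixel, while the ordinary banner passes; after `block_remote_images` no image can phone home, which is exactly why the server never learns whether the address is live.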

Phishing to Get Money

The classic Nigerian scam (also called a 419 scam) continues to thrive. You receive an email from someone claiming a relative or someone else has millions of dollars. Unfortunately, the sender can’t get the money without your help. The email says that if you help retrieve the money, you’ll get a substantial portion of the money for your troubles.

This scam often requires the victim to pay a small sum of money with the promise of a large sum of money. However, the large sum never appears. Instead, the attackers come up with reasons why they need just a little more money. In many cases, the scammers request access to your bank account to deposit your share, but instead they use it to empty your bank account.

There are countless variations on this scam. Lottery scams inform email recipients they won. Victims sometimes have to pay small fees to release the funds or provide bank information to get the money deposited. They soon learn there is no prize.


Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start out automated, but an attacker takes over at some point during the call.

Spear phishing and whaling are two types of phishing with email. Spear phishing targets specific groups of users and whaling targets high-level executives.

See also Whaling and Spear Phishing.
