What Are Phishing Attacks and How Do You Prevent Them?
Many have heard of phishing in the context of fraudulent online attacks. Phishing is when an attacker exploits a person rather than a technical weakness in a service or application. Phishing attacks are particularly dangerous and efficient because the attacker tricks the victim into legitimately accessing something, but on the attacker's behalf. This makes phishing attacks especially difficult to mitigate.
Attackers are looking to steal any type of information from the user. The most obvious is to obtain user credentials (username/password) that can be used to gain access to systems or services. Credit card information is naturally also something attackers want to gain access to for financial gains. However, even personally identifiable information (PII) is sought after as it can be used for future attacks.
Many well-known companies and organizations have endured severe data breaches due to phishing attacks. Ever heard of Hillary Clinton’s presidential campaign in 2016 that had emails stolen/leaked? That was a phishing attack.
There are different types of phishing attacks, and several will probably sound familiar. Let’s take a look at some of the most common kinds of phishing attacks.
Different Types of Phishing Attacks
The word “phishing” comes from real world fishing. It’s an analogy to luring the target with some kind of bait to get them “on the hook”. And just as there are many fish in the sea, there are various styles of phishing. Here are the most important ones to know.
Email Phishing
Impersonation emails that appear to originate from a well-known, legitimate business are a very common phishing method. The emails can take different shapes or forms but can, for example, include attached documents that claim to be an order, invoice, receipt, or shipping confirmation. The attacker's goal is to get the target to click a link or open a document that could execute some code or take the user to a fake website.
These emails can be very believable where the sender’s email address is spoofed to look like it’s coming from a legitimate business. The company logo, address, and more could be a copy of the real company. It is not unusual that the email stresses some sense of urgency to make the target act faster without thinking things through.
Once the user has landed on the fake website, which can also be made to look like the legitimate company website, the page prompts the user to log in. This is where the attacker can steal the user's credentials.
These attacks are typically very broad in nature. Deceptive emails are blasted out to many email addresses simultaneously, with the intention to get a small number of users on the hook.
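The spoofed sender, the mismatched reply address and the artificial urgency described above are all things a mail filter can look for. The following is an added example (not code from the original post or from Curity) that parses two constructed messages with Python's standard email module and reports those indicators; the brand name "Acme Bank", its domains and the urgency word list are assumptions chosen for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the display name claims a well-known brand, while the
# actual sender and the Reply-To address live on unrelated domains.
SAMPLE_PHISH = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example.net>
Reply-To: recover@mailbox-relay.example.org
To: victim@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/plain

Please verify your account immediately: https://acme-bank-secure.example.net/login
"""

# Constructed sample of a legitimate notification from the brand's own domain.
SAMPLE_LEGIT = """\
From: "Acme Bank" <noreply@acme-bank.example.com>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/plain

Your statement is ready in online banking.
"""

# Assumed mapping of brand names to the domains they legitimately send from.
BRAND_DOMAINS = {"acme bank": {"acme-bank.example.com"}}
# Assumed list of phrases that pressure the reader to act without thinking.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> list[str]:
    """Return a list of human-readable phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: display name impersonates a brand, but the address is on another domain.
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # Indicator 2: replies are routed to a different domain than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = domain_of(parseaddr(reply_to)[1])
        if rt_domain and rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    # Indicator 3: urgency language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", score_message(sample) or ["no indicators"])
```

None of these checks is proof on its own; a real filter would combine them with SPF/DKIM/DMARC results and URL reputation, and treat the score as a reason to quarantine or warn rather than to block outright.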
Here’s an example of one I got recently:
Spear Phishing
Spear phishing is somewhat the opposite of email phishing because it does not target a broad audience but instead targets a specific individual. It is very common for the attacker to impersonate the target's manager, boss, friend, colleague, or someone else the target trusts. The attacker asks the target to give up some kind of information or to do something for them that compromises information that can later be used in further attacks.
In a version of spear phishing called whaling, the attacker impersonates a top executive and targets another executive at the company with the intent of gaining access to information or money.
Website Spoofing
Just as email phishing mimics emails from a legitimate company or organization, website spoofing uses a fake website that mimics the real one. This could be a website linked from a phishing email, or a website that is simply stood up and waits for users to visit it.
Once on the website, user information such as PII, credit card details, or user credentials can be stolen. Phishing websites can even damage the user's computer if malicious code is executed.
It is not uncommon that spoofing is combined with an email phishing attack. For example, perhaps a link in the fraudulent email points to a fake website that the attacker uses to steal information.
And More
There are many more types of phishing attacks, too many to fully describe and outline here. Here is a sample of some additional common ones.
Smishing - SMS-based phishing.
Vishing - Voice phishing, a social engineering attack carried out over the phone, for example a call from someone pretending to be the IRS.
Social media phishing - Phishing messages sent in direct messages on social media platforms such as Facebook, Instagram, X, LinkedIn, and others.
AI phishing - Phishing messages generated using AI to more precisely target the individual.
Quishing - QR code phishing, where scanning the QR code lands the user on a fake website or something similar.
…and more
Mitigations
Unfortunately, there is no single technology or solution that can stop all different types of phishing attacks. Just like many other cyber attacks, a layered approach is needed. It starts with the user making sure that they are aware of different types of attack vectors and know to be suspicious of emails, SMS, and other types of messages they receive on a daily basis. Just because a message is coming from your boss doesn’t mean you can trust it, for example.
To spread knowledge about phishing attacks, larger organizations sometimes run phishing simulation campaigns. This could involve messages sent to their employees to see how they react and whether they actually are tricked into doing something they shouldn't. This is a fairly significant undertaking for an organization, but it is also a very good approach.
From a technical standpoint, one of the best approaches is implementing a strong phishing-resistant authentication method. Several options are available these days, and many are relatively easy to implement (at least if you use the Curity Identity Server). FIDO-based authentication options tightly couple an authentication device, such as a YubiKey or a fingerprint reader, with the service that the user creates an account for. This means that the authentication will not work with a fake website that is made to just look the same as the legitimate site.
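The reason a FIDO/WebAuthn credential does not work on a look-alike site is that the browser records the page origin in the signed client data, and the authenticator hashes the relying-party ID into the signed authenticator data; the server then refuses any assertion whose origin or RP ID hash does not match its own. The following is an added example (not Curity's code or the Curity Identity Server's implementation) of those two server-side checks from the WebAuthn verification procedure in Python. It constructs simplified assertions the way a browser would for a given origin and deliberately omits signature verification and credential lookup; the domains example.com and examp1e.com and the challenge bytes are assumptions for the illustration.

```python
import base64
import hashlib
import json

# Expected values for the legitimate relying party (constructed for this example).
EXPECTED_RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_encode(b: bytes) -> str:
    """Base64url without padding, as used in WebAuthn clientDataJSON."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build a minimal, constructed WebAuthn-style assertion as a browser would for `origin`.

    Only the fields inspected below are populated. A real authenticator also signs
    authenticatorData || SHA-256(clientDataJSON); that signature is out of scope here.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,  # the browser fills this in; the page cannot choose it
    }
    client_data_json = json.dumps(client_data).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # first 32 bytes of authenticatorData
    flags = bytes([0x01])                                  # UP (user present) bit set
    sign_count = (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data_json,
            "authenticatorData": rp_id_hash + flags + sign_count}


def verify_assertion_binding(assertion: dict, expected_challenge: bytes,
                             expected_origin: str = EXPECTED_ORIGIN,
                             expected_rp_id: str = EXPECTED_RP_ID) -> tuple[bool, str]:
    """Run the challenge, origin and RP ID hash checks a relying party performs on an assertion."""
    try:
        client_data = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "clientDataJSON unparsable"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this login attempt (anti-replay).
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (possible replay)"
    # The origin is set by the browser, so a look-alike site cannot claim to be us.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = assertion.get("authenticatorData", b"")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # The authenticator hashed the RP ID it was asked to use; it must be ours.
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"server-issued-random-challenge"  # constructed; use os.urandom(32) in practice
    good = make_assertion("https://example.com", "example.com", challenge)
    fake = make_assertion("https://examp1e.com", "examp1e.com", challenge)  # look-alike domain
    print("legitimate site:", verify_assertion_binding(good, challenge))
    print("look-alike site:", verify_assertion_binding(fake, challenge))
```

In practice the look-alike site never gets this far: the browser only allows a page to use a credential whose RP ID is a registrable suffix of the page's own domain, so the credential for example.com is simply not offered on examp1e.com. The server-side checks shown here are the backstop that makes the property hold even if a client is buggy or malicious, which is what "phishing-resistant" means for this class of authenticators.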
Conclusion
Phishing attacks are very common and fairly easy and cheap for attackers to execute. On top of that, they can be very difficult to protect against. User awareness is a very important aspect in mitigating these types of attacks, but there are technical mitigations that can help. Internal awareness programs that educate users are a very good first step and should be paired with strong phishing-resistant authentication techniques such as FIDO-based multi-factor authentication like YubiKeys and Passkeys.