Cybercrime is rampant, incessant, and seemingly unstoppable these days. If we take the global internet as a whole into account -where more than half of the global population is now connected- there are several types of cyber attacks taking place every second. Not only are there several types of cyber attacks taking place, but thousands if not tens of thousands of attempts at breaching accounts, identity theft, brute force password cracking attempts, and, last but not least, social engineering attacks. Among the most popular social engineering scams is phishing. Phishing is a socially engineered scam. The term may sound rather innocent and not at all related to online security, but there is a reason it is spelled with a ‘ph’ (and yes, it is inspired by fishing). Now, that may sound bizarre, but the phishing paradigm is one of two cyber attacks that cybercriminals love to use (the other being ransomware). Phishing is spelled differently because of the roots of the term itself. Phishing originated somewhere in the mid-90s, but public awareness surrounding it came much later into the 2000s. From a cybersecurity standpoint, it is critical for organizations and regular individuals to know how to protect themselves from the horror of phishing.
The Roots of Phishing
According to an official definition from phishing.org; “There is also a good reason for the use of “ph” in place of the “f” in the spelling of the term. Some of the earliest hackers were known as phreaks. Phreaking refers to the exploration, experimenting, and study of telecommunication systems. Phreaks and hackers have always been closely linked. The “ph” spelling was used to link phishing scams with these underground communities”. Back in the infancy of phishing in the mid-90s, no one knew that this would become a major criminal practice of unprecedented scale in the future. It was first mentioned in a Usenet newsgroup named AOHell. Phishing was born together with America Online (AOL) which was the largest internet provider at the time and hackers would often congregate via AOL in the ‘warez’ community -where it all started. It began with password theft, primitive forms of credit card fraud that were hit-or-miss. If the cybercriminals were successful with the credit card numbers, this was further used to open more AOL accounts and launch more webs of spam and fraud from there, which resulted in the shutdown of these ‘hacker’ communities in 1995 when AOL instated security measures into their service. These shutdowns forced cybercriminal ‘phishers’ to get creative, inspiring the social engineering scene. This is when phishers would pose as AOL workers and send messages to users, literally ‘fishing’ for victims. The idea was to send fake messages requesting confirmation of an account or billing information and many fell for these scams at the time. Phishers then went even further and set up AIM instant messaging accounts which bypassed AOL’s ability to punish scamming and eventually forced AOL to include a warning for all users to be cautious about phishing. Much later, phishers adapted to the times and started focusing on online payment systems like PayPal, as well as creating fake e-commerce websites.
Trillions of dollars have been lost due to the simple, but effective, social engineering scam that we know as phishing today. At present, phishing is a nasty practice. Cybercriminals have perfected their craft and the scale of the craft, where fraudulent websites are almost indistinguishable from the real thing, and brutal fileless memory techniques give naive victims that click on a malicious link no chance. As far as the scale of phishing today, cybercriminals can now automate and send out ready-made templates that imitate well-known companies to trick people, for example. Even still, now there are other techniques out there using different platforms for the same purpose such as vishing or smishing. Vishing is where the ‘v’ is for ‘voice’ (voice message scams), and the ‘s’ in smishing stands for SMS (text messaging scams).
To use Webroot’s definition, social engineering is defined as; “..the art of manipulating people so they give up confidential information”. Cybercriminals will use social engineering precisely because it’s a good bang-for-the-buck situation. Phishing, in this case, requires very little resource, time, and money to get going. It is always easier to exploit someone’s psychological state, trust, and good nature than it is to hack into a high-security firewall. Social engineering scams today can be launched in the form of enormous campaigns, that mercilessly collect stolen data from oblivious internet users. Social engineering scams have breached global supply chains, led to BEC (Business Email Compromise) and vendor compromise all over the world. Yet, even when the pandemic set in phishers tirelessly worked to exploit a mostly at-home workforce with fake stimulus checks and CDC warnings. Phishers have even infected Netflix. There is no website, app, or service that has not fallen to a phishing incident today.
Phishing And Cybersecurity Recommendations How to Prevent It
The lifeblood of socially engineered phishing scams is the exploitation of human psychology, trust, and good nature. Unfortunately, millions upon millions of people are still very light internet users and do not have the knowledge or interest concerning cybersecurity which inevitably makes them the victims of a phishing attack sooner or later. This is why it is very important to never fully trust any bit of information on the internet. Phishers can now even spoof HTTPS and fake SSL certificates (the lock in the address bar which deems a website safe). Alas, all is not lost and here are some recommendations if you want to keep phishers far away and erect an iron wall between you (or your organization) and their attempts;
- Read and re-read emails that you do not immediately recognize. These e-mail (especially with strange attachments) are most likely phishing attempts
- Check the exact address of the sender of the email by hovering over the details in the incoming message
- Set up your email spam filters so that they are strict
- Never download anything that pops up in your browser, or is attached in an email if you do not explicitly know where it is coming from
- Be wary of urgent offers, cries for help, or emails from people claiming to hold your part of the inheritance from your rich mysterious grandmother who has passed away
- Stay away from any request from financial information or passwords as a legitimate institution will never enact this process via email
It is important that, when wanting to use public wifi, you realize some of these connection points may be scams and so it is recommended to double-check that wifi connection or use mobile data that you have purchased from a reputable provider. Finally, the last bit of recommendation is technical. Securing every device you or your organization owns with cybersecurity solutions is something you must do before even connecting to the internet or creating an account anywhere. Install anti-malware, anti-virus, and a premium Virtual Private Network (VPN). Additionally, it is critical that you use a privacy-oriented specialist browser that comes with security features out-of-the-box and does not collect data about you or your browsing habits. Cybersecurity hygiene means never oversharing data about yourself, and always verifying where your online activity.