There’s a good chance that you have heard the word phishing, or have even been a victim in the past, but do not fully understand what it means or how to protect yourself from it.
According to CNBC, there were 225 million phishing attacks in 2022, a 61% increase over the number of reported cases in 2021. Sadly, as the number of cases increases, it is also becoming increasingly difficult to spot a potential phishing attack because the attack methods are becoming more sophisticated by the day.
However, no matter how sophisticated a phishing attack method is, there are fundamental principles it must follow, and by understanding these principles and taking steps to protect against them, we can mitigate the risk of falling victim to these types of attacks.
This post gives you an overview of phishing and suggests ways to protect yourself against phishing attacks. So, let’s dive in.
The word phishing was coined around 1996 by criminals stealing America Online accounts and passwords. By analogy with the sport of angling, these Internet scammers were using e-mail lures, setting out hooks to "fish" for passwords and financial data from the "sea" of internet users.
Following the description above, a phishing attack has four basic elements:
- The phisherman
- The phish
- The bait
- The hook
The phisherman is the threat actor looking to carry out a phishing attack. They try to obtain personal information from people surfing the net by misrepresenting who they actually are or what they do.
The phish refers to the victims of a phishing attack (you and I). Phishing attacks can target anyone, but some groups are more likely to be targeted than others. For example, individuals with access to sensitive information, such as employees of financial institutions or government agencies, may be targeted in spear phishing attacks. Small and medium-sized businesses are also increasingly becoming the target of phishing attacks. Individuals can be targeted too, which happens when an attacker follows the digital footprint left by an unsuspecting individual.
Attackers use a variety of tactics to lure victims into falling for phishing scams. One common tactic is to send an email that appears to be from a legitimate source, such as a bank or a government agency. The email may ask the recipient to click on a link or provide personal information, such as login credentials. Another tactic is to create a fake website that looks like a legitimate one, in order to trick people into entering personal information.
The ultimate goal of a phishing attack is to gain access to sensitive information, such as login credentials, personal data, or financial information. This information can then be used for identity theft, financial fraud, or other malicious purposes.
Now that we have an idea of what phishing and its elements are, it is important to note that there are various types of phishing attacks, each with its own unique characteristics. Spear phishing is a targeted attack that is typically aimed at specific individuals or organizations. Whaling is a type of spear phishing that targets high-level executives within an organization. Smishing is a type of phishing that is conducted through text messages. Each of these attack types will be discussed in subsequent posts.
There are several steps that individuals and organizations can take to protect against phishing attacks:
- Be cautious of unsolicited emails or messages: Be especially wary of emails or messages that ask for personal information, especially if they come from unfamiliar sources.
- Verify the sender's identity: Before responding to an email or message, make sure that it is legitimate by verifying the sender's identity. This can be done by checking the sender's email address, phone number, or website.
- Don't click on links or download attachments from unknown sources: Phishing emails and messages often contain links or attachments that, when clicked, can download malware or redirect your browser to phishing websites.
- Use anti-virus and anti-phishing software: Many popular anti-virus software programs also include anti-phishing software, which can help identify and block phishing emails and messages.
- Keep software and security solutions up-to-date: Make sure that you have the latest updates and patches for your operating system, web browsers, and anti-virus software.
- Be aware of social engineering tactics: Phishers may use social engineering tactics to trick you into providing personal information. Be aware of these tactics and take steps to protect yourself.
- Keep an eye on your accounts: Regularly monitor your financial accounts for any suspicious activity.
- Use Multi-Factor Authentication (MFA): Multi-factor authentication adds an extra layer of security to your accounts by requiring a second form of verification, such as a code generated by an authenticator app on your phone, in addition to your password.
- Be cautious of phone calls: Be suspicious of phone calls that ask for personal information or try to trick you into giving away sensitive data.
By following these steps, you can reduce your risk of falling victim to a phishing attack. However, phishers are constantly coming up with new tactics, so it's important to be vigilant and stay informed about the latest phishing scams.
About the Author:
With over 7 years of experience in cybersecurity and a decade of expertise as a freelance technology writer, Emmanuel Ojoawo is a true force to be reckoned with. As a seasoned cybersecurity professional and skilled content and technical writer, they bring a unique blend of technical knowledge and creative storytelling to every project. With a passion for keeping the digital world secure and a talent for simplifying complex topics, Emmanuel loves working in the cybersecurity field.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.