Auth & identity
November 27, 2023
Author: Alex Lawrence
A phishing scam is one of the oldest tricks in the online fraudster playbook: pose as a trusted source or person of authority to gain access to someone’s personal, financial and/or business accounts.
A nightmare for many individuals and businesses, phishing scams were recently cited as the most common type of cybercrime by the FBI’s Internet Crime Complaint Center, with more incidents than any other type of computer crime.
Let’s take a look at what phishing scams, generally referred to as phishing attempts or phishing attacks, are made of, how they look, and how to get ahead of them before the damage is done.
Phishing’s origins trace all the way back to AOL in 1995, when Khan C. Smith, a well-known spammer and hacker (where’s his Hollywood star?), apparently invented the term when using the aptly-named hacking tool “AOHell” to impersonate AOL staff and “phish” for passwords among them.
Today, in our increasingly digital, AI-fueled world, phishing attempts have evolved to deploy across a much wider array of channels, so for businesses and individuals, understanding what constitutes a common indicator of a phishing attempt is more critical than ever.
Let’s unpack the various makings of a phishing attempt, with an eye on how to better identify and protect against these attacks.
The lasting success of phishing attempts speaks to the inventiveness and sophistication of the modern hacker. Today’s phishing attempts are intricate, highly manipulative methods no longer limited to emails – they can occur via text messages, social media, and even phone calls.
Nevertheless, the goal has always been the same throughout its history: in order to succeed, a phishing attempt must trick individuals into providing sensitive data like login credentials, credit card details, or personal information.
A blend of understanding human psychology and behavior coupled with technological mastery is table stakes for any would-be phishing attacker. Let’s drill down on what phishing looks like, and how it’s done.
Email is a primary vehicle for phishing attempts, and has been one of the more common and persistent techniques throughout history. A seasoned social engineer will find particular success with the text-heavy, often personal nature of emails and the inbox. Here’s an example of how one such attack might go down in your own inbox.
Imagine receiving an email from “Microsoft Outlook Support,” with a subject line “Urgent: Password Expiration Notice.” It appears legitimate, featuring the Microsoft logo and a professional design. The message warns that your Outlook password has expired and urges immediate action to avoid account lockout. This is a classic phishing tactic, where the scammer mimics an authoritative source, Microsoft, to create a sense of urgency and legitimacy.
The email contains a link, deceptively designed to look like an official Microsoft URL, leading to a fake password reset page. This page, again skillfully mimicking the source, prompts you to enter your current credentials and set a new password. In this telltale step, by entering your details, you unknowingly hand over your login information directly to the attacker. And just like that, you’ve been phished.
This phishing example showcases the common attacker’s strategy: posing as a trusted entity, prompting urgent action, and leading you to a malicious site where you inadvertently compromise your own security.
Phishing attacks often begin with a deceptive email or message from a seemingly ‘legitimate’ organization or individual. Using a technique called social engineering, phishing messages are designed to instill urgency or fear, prompting the recipient to respond with the requested information or click on malicious links. These links often lead to fake websites that mimic legitimate ones, tricking victims into divulging sensitive information.
So what is a common indicator of a phishing attempt? It’s usually a predictable cocktail of markers. All phishing attack methods share some traits, and while phishing attacks can be highly personalized and quite convincing, there are several common indicators of a phishing attempt that individuals can look out for:
Phishing scams are not just technology hacks; they also exploit human psychology. Social engineering is the deliberate and manipulative use of persuasive messages to influence the behavior of someone online. Through social engineering, a victim might be influenced to break certain standard security procedures with a sense of urgency, exploiting their natural human curiosity.
For example, a phishing email may claim that there has been suspicious activity on the recipient’s account and urge them to click on a link or provide personal information to verify their identity. By preying on human emotions and our natural vulnerabilities, social engineering allows scammers to trick individuals into divulging information or unwittingly downloading malicious software.
Without a modicum of legitimacy, phishing messages and emails would rarely find a victim. To appear authentic, they often replicate the logos, color schemes, and overall layout of communications from genuine organizations. This effectively lowers the guard of potential victims and makes them more likely to divulge sensitive information or click on malicious links.
Links in phishing emails often lead to websites that are clones of legitimate sites, designed to steal login credentials or personal information. These sites may have URLs that are subtly different from the authentic ones – a tactic known as clone phishing. With phishing, the devil’s truly in the details.
Phishing has evolved over time, from more broad attempts at scale using generic language, to highly personalized messaging targeting specific individuals of higher potential value to an attacker.
Spear phishing and whaling are advanced phishing techniques that target such specific individuals or organizations. These methods are more personalized and hence, more difficult to detect.
Spear phishing attacks are tailored to their targets. They may include specific information about the victim, such as their job title, workplace, or personal interests, gleaned from online research or previous data breaches. These emails may appear to come from a trusted colleague or superior, making the request seem more legitimate. As a result, spear phishing attacks have a higher success rate than a generic phishing attempt.
Whaling attacks are a form of spear phishing attack directed at high-level targets (whales), such as senior executives. These attacks are thoroughly researched and often mimic the tone and language used in official business communication. The goal of a whaling attack is often to gain access to high-value information or to authorize financial transactions fraudulently.
Whaling attacks are highly sophisticated and require a great deal of planning, making them even more dangerous than other phishing attempts.
While regular training and awareness programs can help in educating individuals about the risks of phishing, fortifying your website or app’s authentication strategy and flows can greatly reduce phishing attempts and attacks before they even occur, with multi-factor, ‘unphishable’ authentication solutions and device fingerprinting at the helm.
“Unphishable” multi-factor authentication (MFA) from Stych helps prevent phishing attempts by requiring users to authenticate their identities using multiple factors: something they know (like a password), something they have (like a hardware token or registered device), and something they are (like a fingerprint or other biometric data).
Additionally, Stytch offers device fingerprinting, which identifies unique characteristics of a user’s device, such as the operating system, browser version, screen resolution, and IP address. This helps safeguard against OTP bot attacks and other potential breaches.