This section is part of the amber and green pathways.
Phishing is any attempt by attackers to steal valuable information by pretending to be a trustworthy party – a form of social engineering attack. So, an attacker might impersonate a bank to obtain credit card numbers or bank account details.
It gets its name from ‘fishing’ – as in ‘fishing for information’ in the ‘ocean of internet users’, the process of luring people to disclose confidential information. This image illustrates the etymology of the term – notice the earlier origin and influence from the context of the Telecom network.
Phishing relies on people trusting official looking messages, or conversations with apparently authoritative individuals, as being genuine. It is your trust that the attackers are seeking to compromise. It is widespread and it can be enormously costly to people who find their bank accounts emptied, credit references destroyed or lose personal or sensitive information.
The use of electronic technologies to perform phishing attacks was described in the late 1980s, but the term did not become commonplace until the mid-1990s, when a program called AOHell allowed AOL users to impersonate other people (including the founder of AOL itself).
Phishing became increasingly common as more and more people connected for the first time and began receiving official looking messages that looked very much like those sent out by genuine organisations such as banks, stores and government departments. What most of these users did not realise was that not only could email addresses be faked, but that electronic data can be easily copied – just because an email claims to come from your bank and has your bank’s logo doesn’t mean that it is genuine.
Phishing emails may be indiscriminate. A phisher will create an email asking the user to get in touch with a bank or credit card company, claiming that there is a problem with the account or that the bank may have lost some money. These sorts of messages make people justifiably worried and more likely to follow the instructions. The phisher will then include some plausible-looking details such as the bank’s logo and address and send the message to millions of individuals. Among all the recipients, a few people will have accounts with that bank and will click the link in the message, or telephone a number, which begins the process of eliciting further personal information.
Another well-known phishing tactic is taking advantage of natural disasters, whether local or global (including the Coronavirus pandemic), by appearing to request donations to well-known aid organisations. Users who misplace their trust will use the link provided by the phisher and unknowingly leak their personal information. Such messages arrive via text message as well as email.
What to do
If you receive a worrying email from an organisation that you use, such as a bank or shop, do not click on or follow the links in the message. Get in touch with their customer services department, or log in to your account through their website. Type in their web address yourself, use the address in your list of favourite sites, or use their published phone number. Most organisations have a published policy of never asking for sensitive information such as your password by email or over the phone, so you should be suspicious of anything that contravenes this policy.
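The advice above rests on one fact: the text a link displays and the address it actually opens are independent. The following is an added example (not part of the course material) that applies two checks a mail filter or a cautious reader can make on an HTML message: does the site named in the visible link text match the real destination, and does the destination use a bare IP address instead of a domain? The sample email and the domain names in it are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anything that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Rough owning-domain approximation: the last two labels (helper for this example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html):
    """Return (visible text, real host, reason) for links that fail either check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = (urlsplit(href).hostname or "").lower()
        if not target:
            continue  # mailto:, anchors, relative links: nothing to compare
        try:
            ipaddress.ip_address(target)
            findings.append((text, target, "raw IP address"))
            continue
        except ValueError:
            pass
        shown = DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(target):
            findings.append((text, target, "visible text names a different site"))
    return findings


# Constructed sample message: one look-alike link, one genuine link, one IP link.
SAMPLE_EMAIL = """
<p>We noticed a problem with your account.</p>
<p>Please log in at <a href="http://secure-login.example-phish.test/verify">
www.examplebank.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">www.examplebank.com/help</a>.</p>
<p>Or <a href="http://203.0.113.5/login">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, host, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' really goes to {host}")
```

A link whose text is just "click here" gives the first check nothing to compare, which is why the second check (and, ultimately, typing the address yourself) still matters.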
Social media phishing
Although email still accounts for the majority of phishing attacks, the technique is also used on social media sites and in text messages. The same rules apply – if in doubt, go to the official site and make contact with the company through their published links.
As we saw in the first week of the course, phishing can sometimes be targeted at individuals or specific parts of an organisation. These attacks, commonly called ‘spear phishing attacks’, depend on detailed information about the target. For example, an attacker might use information gleaned from recent emails to craft a plausible reply that appears to come from colleagues of the targeted user.
Attackers may also include links to malware-infected software in personal messages posted on social media. This is especially common after major disasters or during fast-breaking news, when people are likely to click on interesting-looking links without thinking carefully.