BUSINESS TRANSFORMATION

The evolution of phishing and how it is becoming more sophisticated

Imagine this scene: John Doe is surfing the net when an email notification pops up on his laptop screen. His bank is asking him to update his credit card information within the next 24 hours as a security measure, with a clickable link. As the message sounds urgent, he is prompted to act immediately. After clicking the link, filling out the details and submitting the form, he finds the website unresponsive. He decides to try again after some time. Meanwhile, he receives a notification that a transaction was made on the same credit card without his approval. Upon contacting the bank, he learns that the original message was a fake, and the link was malicious. This is a classic example of a phishing attack.

Phishing is a socially engineered cybercrime that lures targets into divulging sensitive information such as usernames, passwords, payment information, etc. Cybercriminals commit this type of crime by impersonating trusted entities (people or companies) that the target might do business with.

The first attack

The first reported phishing attack was in 1990 involving AOL, an American web portal and online service provider. Attackers used AOL’s platform, pretended to be its employees, and used its messenger to trick users into divulging login credentials. The gullible ones fell prey.

One hopes that these ploys are seen for what they are. However, email hackers are constantly sharpening their skills and perpetrating increasingly sophisticated frauds.

The six most common types

Email phishing:

This is the most common Type of phishing attack. Due to the nature of emails, this kind of phishing targets a very large group of people in one go. The tell-tale signs of these emails are its greetings which are generic and impersonal closings.

Smishing:

This is similar to email phishing but uses SMS to trigger a reaction.

Spear phishing:

This targets specific people, and so the email is personalised for the individual that is meant to be targeted. The target is not suspicious since the email source appears to be legitimate. Even the email format and content are carefully designed to look professional.

Whaling:

This is a higher form of spear phishing where the attack is even more targeted at specific people, mostly executives and high-net-worth individuals. Here too, emails are crafted to look professional and appear to come from a trusted partner or supplier.

Angler phishing

This is also called social media phishing and the attacks happen through social media platforms.

These attacks take different forms:

• Email containing a malicious link that appears to come directly from social media websites.
• Messages with a link or attachment posted on social media sites.
• A call from a pretend customer service agent — The hacker watches social media sites for any complaint raised about a company’s product/service and picks his target by pretending to be a customer service agent of the company.

Vishing:

This uses phone conversations to steal confidential information.

The latest tactic

The latest phishing technique is called browser-in-browser. It is remarkable since even the most cautious and advanced users can fall for it.

How does it work? The hacker creates an original site with a juicy offer which requires users to have an account to have access to. The option for third-party login (Google, Facebook, Apple etc.) is also available.

At this point, we may want to note that websites today are incredibly easy to create. The layout tools and scripting languages used have become so flexible and powerful that any interface can be built, even draw a fake window on a page.

When the target chooses this account creation method, a familiar login window opens. The window displays the correct URL, logo, input fields and other UI elements — all mimicking the original one to the T. The catch is, all these are just an image on the phishing page. The login credentials you enter on this webpage don’t go to Google or Facebook servers, but to the cybercriminal’s server. Before you know it, you have been tricked into giving out confidential information.

Watch out and stay safe

Cybersecurity threats come in different forms. Hackers use all kinds of tactics and different platforms to coax valuable information out of people.

What makes phishing dangerous is that it relies on human vulnerabilities, rather than on system errors. Anyone can become a victim. Incidentally, one of the most sensational phishing attacks in history happened in 2016, when Russian hackers managed to get access to the personal Gmail account of John Podesta, the then campaign chairman of Hillary Clinton.

Look out for signs next time you are rushed into downloading an attachment, clicking a link, or sharing sensitive information. Make sure you don't get hoodwinked.

For organizations on the digital transformation journey, agility is key in responding to a rapidly changing technology and business landscape. Now more than ever, it is crucial to deliver and exceed on organizational expectations with a robust digital mindset backed by innovation. Enabling businesses to sense, learn, respond, and evolve like a living organism, will be imperative for business excellence going forward. A comprehensive, yet modular suite of services is doing exactly that. Equipping organizations with intuitive decision-making automatically at scale, actionable insights based on real-time solutions, anytime/anywhere experience, and in-depth data visibility across functions leading to hyper-productivity, Live Enterprise is building connected organizations that are innovating collaboratively for the future.