Phishing is a type of cyber attack where a malicious actor poses as a reputable entity or business in order to deceive people and collect their sensitive information - such as credit card details, usernames, passwords, and so forth. Since phishing involves psychological manipulation and relies on human failures (instead of hardware or software) it is considered a type of social engineering attack.
Typically, phishing attacks make use of fraudulent emails that convince the user to enter sensitive information into a fraudulent website. These emails are usually requesting the user to reset his password or to confirm his credit card information, leading to a fake website that looks very similar to the original one. The main types of phishing are clone phishing, spear phishing, and pharming.
Phishing attacks are also being used within the cryptocurrency ecosystem, where malicious actors try to steal Bitcoin or other digital currencies from the users. For instance, this may be done by an attacker spoofing a real website and changing the wallet address to his own, giving users the impression that they are paying for a legitimate service when, in reality, their money is being stolen.
What are the types of phishing?
There are many different types of phishing and these are usually classified according to the target and attack vector. Hereby we list a few common examples.
- Clone phishing: an attacker will use a previously sent, legitimate email and copy its contents into a similar one containing a link to a malicious site. The attacker might then claim that this is an updated or new link, maybe stating that the old one has expired.
- Spear phishing: this type of attack is focused on one person or institution - usually recognized by others. A spear attack is more sophisticated than other phishing types because it is profiled. This means that the attacker first collects information about the victim (eg. names of friends or family members) and then basing on this data constructs a message whose main task is to convince the victim to visit a malicious website or download a malicious file.
- Pharming: an attacker will poison a DNS record which, in practice, will redirect visitors of a legitimate website to a fraudulent one that the attacker has made beforehand. This is the most dangerous of the attacks because DNS records are not within the user's control, thus making the user helpless to defend against.
- Whaling: a form of spear phishing that targets wealthy and important people, such as CEOs and government officials.
- Email Spoofing: Phishing emails typically spoof communications from legitimate companies or people. Phishing emails may present unknowing victims with links to malicious sites, where attackers collect login credentials and PII using cleverly disguised login pages. The pages may contain trojans, keyloggers, and other malicious scripts that steal personal information.
- Website Redirects: Website redirects send users to different URLs than the user intended to visit. Actors exploiting vulnerabilities may insert redirects and install malware onto users’ computers.
- Typosquatting: Typosquatting directs traffic to counterfeit websites that use foreign language spellings, common misspellings, or subtle variations in the top-level domain. Phishers use domains to mimic legitimate website interfaces, taking advantage of users who mistype or misread the URL.
- The ‘Watering Hole’: In a watering hole attack, phishers profile users and determine websites that they frequent. The phishers scan these sites for vulnerabilities and, if possible, inject malicious scripts designed to target users the next time they visit that site.
- Impersonation & Giveaways: Impersonation of influential figures on social media is another technique employed in phishing schemes. Phishers may impersonate key leaders of companies and, with the audience that that entails, they may advertise giveaways or engage in other deceptive practices. Victims of this trickery may even be targeted individually through social engineering processes aimed at finding gullible users. Actors may hack verified accounts and modify usernames to impersonate a real figure while maintaining verified status. Victims are more likely to interact with and provide PII to seemingly influential figures, creating an opportunity for phishers to exploit their information.
Recently, phishers are heavily targeting platforms like Slack, Discord, and Telegram for the same purposes, spoofing chats, impersonating individuals, and mimicking legitimate services.
- Advertisements: Paid advertisements are another tactic used for phishing. These (fake) advertisements utilize domains that attackers have typosquatted and paid to have pushed up in search results. The sites may even appear as a top search result in searches for legitimate companies or services, such as Binance. The sites are often used as a means to phish for sensitive information, which may include the login credentials for your trading accounts.
- Malicious Applications: Phishers may also use malicious apps as a vector for injecting malware that monitors your behavior or steals sensitive information. The apps may pose as price trackers, wallets, and other crypto-related tools (which have a base of users predisposed to trading and possessing cryptocurrency).
- Text and Voice Phishing: SMS phishing, a text message-based form of phishing, and vishing, the voice/phone equivalent, are other means by which attackers attempt to acquire personal information.
Phishing vs Pharming
Although pharming is considered by some as a type of phishing attack, it relies on a different mechanism. The main difference between phishing and pharming is that phishing requires the victim to make a mistake, whereas pharming only requires the victim to try to access a legitimate website that had its DNS record compromised by the attacker.
How to prevent phishing?
Be wary: your best defense to protect against phishing is to think critically about the emails you receive. Were you expecting to receive an email from someone about the subject in question? Do you suspect that the information that person is digging for is none of their true business? If there's a doubt, do your best to contact the sender through a different means.
Check the content: you may type part of the content (or the sender’s email address) on a search engine in order to check if is there any record of phishing attacks that used that specific method.
Try other means: If you think you receive a legitimate request to confirm your account credentials for a business that is familiar to you, try to do so through different means instead of clicking the link within the email.
Check the URL: hover over the link, without clicking it, to check if it starts with HTTPS and not just HTTP. Note, however, that this alone is not a guarantee that the site is legitimate. Check URLs closely for misspellings, unusual characters, and other irregularities.
Do not share your private keys: never give out the private key to your Bitcoin wallet, and be vigilant in determining if the product and seller you are about to give any cryptocurrency to is legitimate. The difference in dealing with crypto as opposed to a credit card is that there is no central authority to dispute a charge if you never received the good or service that was agreed upon. This is why one must be especially careful when dealing with cryptocurrency transactions.
Phishing is one of the most wide-spread and common cyber-attack techniques. While email filters of mainstream services do a good job at filtering spoofs from real messages, one must still be careful and maintain the last line of defense. Be wary of any attempts to gain sensitive or private information from you. If possible, always confirm through another means of communication that the sender and request are legitimate. Avoid clicking on links in emails about security incidences and navigate to the webpage on your own terms, while also keeping a lookout for the HTTPS at the beginning of the URL. Finally, be especially careful about cryptocurrency transactions as there is no way to reverse them in the event that the merchant does hold up to their end of the deal. Always keep your private keys and passwords private and never take any trust for granted.