phishing

Phishing, vishing, smishing, spearphishing–or what we call the Pantheon of Ishings here in Levinland–are the most common vectors of cyberattack. 

Mark Twain popularized the saying, “There are three kinds of lies: lies, damned lies, and statistics,” but the stats don’t lie when it comes to the Pantheon of Ishings. Eighty-five percent of U.S. targets–companies large and small, not-for-profits, government agencies–have been the target of a phishing attack, and more than one in five data breaches last year were phishing-related.

The effectiveness and simplicity of phishing is the reason for its prevalence. There is no need to discover an as-yet-unknown software vulnerability, and hackers don’t need to write malware that can hide from security software. Phishing exploits the human element. We are bombarded with emails all the time on work and personal devices, and one bad click is all hackers need to gain access to our digital lives.

Technological penetration is the prime factor here. Email has a high penetration rate–over 90 percent of all internet users in the United States have at least one email account. Compare that to the roughly 67 percent adoption rate for Facebook, and 22 percent for Twitter. The near universality of email has made it the primary communication mode for authenticating ourselves online.

As the Pantheon of Ishings aptly telegraphs, hackers aren’t limited to email. They also target victims by voice call, SMS text message and other forms of communication.

Here are the primary “ishing” attacks:

Phishing: A hacker sends out emails, often by the thousands, hoping to get someone to download an attachment or click on a link. Attachments usually contain some form of malware, and links either direct the target to a site designed to steal credentials (often by mimicking a familiar login page) or prompt the victim to download programs or files.

Once a target is compromised, the hacker can exfiltrate data, infect a device or network with ransomware, steal payment information, intercept incoming and outgoing communications–the possibilities are endless.

Phishing emails create a sense of urgency with subject lines that scream “URGENT” or “IMPORTANT.” Phishing emails often include typos and grammatical errors. The reason is quite ingenious: some hackers intentionally send poorly written messages to filter out less gullible targets.

Spearphishing: A hacker tries to get a particular individual or a smaller group of people to open an email by spoofing the account of someone known to the target. They often use domain names that closely resemble the genuine one (e.g. gmai1.com or gmail-support.com).

In the age of social media, it’s relatively easy for a hacker to glean enough information about a target to craft a convincing email, especially using information available on LinkedIn accounts, which can provide current employment information as well as the colleagues who might naturally be in contact with a target.
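The look-alike domains, urgency cues and disguised login links described in the phishing and spearphishing sections above are all things a mail gateway or a help desk can check for mechanically. The following is an added example (not code from the original post) that scores a message on those three indicators: it normalises digit-for-letter swaps such as gmai1.com, compares the sender domain against an assumed allowlist (`TRUSTED_DOMAINS`), looks for urgency words in the subject, and flags anchors whose visible text names one host while the real `href` points at another. The sample messages are constructed, and the attacker host uses the reserved `.invalid` suffix.

```python
"""Added example, not from the original post: score e-mail messages for
common -ishing indicators (look-alike sender domains, urgency cues in the
subject, links whose visible text does not match their real destination).
All sample messages below are constructed."""
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"gmail.com", "example-bank.com", "corp.example"}

# Digits attackers commonly substitute for visually similar letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

URGENCY_WORDS = ("urgent", "important", "immediately", "action required",
                 "account suspended", "verify now")


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Return the trusted domain this one imitates, or None.

    A domain is flagged when it is not on the allowlist but, after undoing
    digit-for-letter substitutions, it is within edit distance 1 of a trusted
    domain, or its first label carries a trusted brand name as a hyphenated
    token (e.g. gmail-support.com)."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(CONFUSABLES)
    label_tokens = domain.split(".")[0].split("-")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or levenshtein(normalised, trusted) <= 1:
            return trusted
        if trusted.split(".")[0] in label_tokens:
            return trusted
    return None


def sender_domain(from_header):
    """Extract the domain from a From: header such as 'IT <it@corp.example>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def mismatched_links(html_body):
    """Find <a href=...>text</a> where the visible text is itself a URL whose
    host differs from the real href host (the classic fake-login lure)."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>',
                                 html_body, re.I | re.S):
        shown = text.strip()
        if "." in shown and " " not in shown:
            shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname
            real_host = urlparse(href).hostname
            if shown_host and real_host and shown_host != real_host:
                findings.append((shown_host, real_host))
    return findings


def score_message(msg):
    """Return (score, reasons) for a dict with 'from', 'subject' and 'body'."""
    reasons = []
    domain = sender_domain(msg["from"])
    imitated = lookalike_domain(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles trusted {imitated}")
    subject = msg["subject"].lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        reasons.append("urgency cue(s) in subject: " + ", ".join(hits))
    for shown, real in mismatched_links(msg["body"]):
        reasons.append(f"link shows {shown} but points to {real}")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "Gmail Team <security@gmai1.com>",
     "subject": "URGENT: verify your account",
     "body": '<p>Sign in at <a href="https://login.attacker.invalid/x">'
             'https://accounts.gmail.com</a></p>'},
    {"from": "Alice <alice@corp.example>",
     "subject": "Lunch on Thursday?",
     "body": "<p>Same place as last time?</p>"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = score_message(m)
        print(m["subject"], "->", score, reasons)
```

The first constructed message trips all three checks and scores 3; the second, ordinary internal mail, scores 0. In practice the score would feed a quarantine or a banner rather than a hard block, since the brand-token check will also catch legitimate partner domains that happen to include a trusted name.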

Vishing: Vishing, or voice phishing, is a phishing scam done by phone. The tricks are the same as email phishing, especially when it comes to getting a target to panic. The goal with vishing is usually to get a target to disclose a Social Security number, credit card information or to wire money. 

Vishers often claim to represent government agencies, financial institutions, or tech support calling about a specific problem.

The 2020 Twitter hack that hijacked the accounts of several public figures including Elon Musk and Barack Obama used a combination of vishing and spearphishing. The threat actors contacted the social media company’s tech support workers via phone and convinced them to provide access to internal tools that were then used to compromise over 130 accounts. 

Smishing: Smishing, or SMS phishing, is carried out by text message. The goal is to compel a target to click on a link or provide credentials to other accounts containing sensitive information.

Smishing has increased dramatically during the Covid-19 pandemic. Hackers use information about outbreaks or vaccination appointments to lure targets. Smishing attacks also tick upward during the winter holiday season, when messages are sent with fake updates about package deliveries.

Fun fact: Amazon CEO and founder Jeff Bezos was the target of a successful 2020 smishing campaign. A message sent via WhatsApp installed malware that exfiltrated large amounts of data from his phone over the course of several hours. 

While the method of communication varies, the techniques utilized are fairly consistent and rely on distraction or panic on the part of their target. To protect against -ishing attacks, do the following:

  • Slow down and think before you click, download, or provide information: Victims of -ishing scams often recognize telltale or suspicious signs shortly after the damage has been done. Treat every incoming call, text, and email with suspicion, especially when it claims to be urgent.
  • Educate others: Hackers and scammers thrive in a low-information environment. Companies and organizations should invest in cybersecurity training to recognize phishing attacks, and friends and relatives should tell less tech-savvy people in their lives about the dangers, especially the elderly, who are frequent targets.
  • Use 2-Factor authentication: While 2-factor authentication, or 2FA, isn’t bulletproof, it does add an extra layer of protection to accounts that have had their credentials compromised.

Takeaways: 

  • Hackers will use several methods of communication, including email, for phishing campaigns.
  • -Ishing campaigns very often rely upon a false sense of urgency to elicit a response from a target before they’re able to consider the risks.
  • Education and 2-Factor authentication can offer a degree of protection against -ishing attacks.