Phishing attacks are fairly simple. The aftermath of a phishing attack could be tragic and may lead to widespread data theft from your computer.
Hackers scheme to gain access to passwords, credentials, bank cards etc., which most often leads to identity theft or financial loss for the victim. The stolen information is their ticket to obtaining your identity. How do they do it? Easy.
Hackers pose as trusted acquaintances and lure you, their victim, by sending emails with malicious links. The links are inside the email and may be in the body of a sentence or a separate stand-alone link that will supposedly take you to another trusted place on the Internet. Completely unaware the link is malicious, you click it and you have just invited the thief into your (computer) home.
Phishing is widespread and the most common type of exploit there is in the cybercrime world. Recently, 73% of businesses surveyed said they have dealt with intensive phishing attacks in the last year. Ironically, companies and government organizations continue to send non-malicious links in their emails to you. Clicking the legitimate links doesn’t prompt the download of malware that has the ability to freeze or infect a system. However, distinguishing the validity of the email, link and sender is a challenge for some people. When the bad link is clicked, the malware is downloaded or executed, and the hacker is now in your system.
For an example of how phishing leads to access, there is no better case than the hack of the Democratic National Committee. This incident is part of the broader 2016 Presidential election hacking. The chairman of the Hillary Clinton campaign, John Podesta, was spear-phished. He received an email claiming that someone in Ukraine was trying to gain access to his Gmail account. Mr. Podesta was prompted to change his credentials “immediately.” Who wouldn’t instantly try to minimize the threat once warned?
We now know that the warning was a tactic geared to exploit our human nature. The warning appeared to be a real Google alert and the password reset page had an authentic look and feel. The fraudulent page was a ticking time bomb. The second his credentials were entered and submitted, Russian hackers gained entry to the Democratic National Committee computer system and access to confidential emails. The rest is history.
In a very different approach but with the same results, hackers will impersonate websites that you trust. The placement (or removal) of one letter in a web address could determine the legitimacy of the web address. Typically, a single misplaced letter goes right over someone’s head. If you are viewing the communication on a small phone, in low light, or have just had a long day, it is quite conceivable you will not see the misspelling of the web address. For instance, www.wallstreetjournals.com. The additional “s” at the end of the URL can transport a user to a malicious website where nefarious actors are lurking and waiting to gain credentials. This happens every day, yet still so many of us are fooled! It may take an extra minute to spell check a link, but it will be worth it in the long run.
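The single-letter misspelling described above is something a mail filter or browser extension can check for automatically. The following Python is an added example, not part of the original article: it compares a link's domain against a list of trusted domains and flags near-misses by edit distance. The trusted list, the two-edit threshold and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains this organization trusts (constructed for the example).
TRUSTED = {"wallstreetjournal.com", "google.com"}

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a character
                           cur[j - 1] + 1,             # insert a character
                           prev[j - 1] + (ca != cb)))  # substitute a character
        prev = cur
    return prev[-1]

def registered_domain(url):
    """Last two labels of the hostname.

    Assumption: no multi-part suffixes such as .co.uk; a production check
    would consult the Public Suffix List instead.
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "//" + url  # lets urlsplit treat a bare "www.example.com" as a host
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(url, max_distance=2):
    """Return (verdict, matched_trusted_domain_or_None) for a link."""
    domain = registered_domain(url)
    if domain in TRUSTED:
        return ("trusted", domain)
    # Closest trusted domain; sorted() makes tie-breaking deterministic.
    nearest = min(sorted(TRUSTED), key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= max_distance:
        return ("lookalike", nearest)  # one or two letters off a trusted name
    return ("unlisted", None)

if __name__ == "__main__":
    # Constructed sample links, including the misspelling from the article.
    for link in ("https://www.wallstreetjournal.com/news",
                 "www.wallstreetjournals.com",
                 "http://wallstreetjournal.com.login.example/reset"):
        print(link, "->", classify(link))
```

A "lookalike" verdict is a reason to quarantine or warn, and "unlisted" only means the domain is not on the trusted list; the third sample shows why the check uses the registered domain and not a substring match on the trusted name.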
Malware and phishing are not mutually exclusive, but typically pair together because it is the easiest form of hacking. You participate. I heard one hacker say “we couldn’t do without you”.
This may all sound elementary to people who have taken a cybersecurity class and feel they are up on this game. However, cyber professionals are also fooled. It is almost like parking in a no parking zone thinking you will only be 10 minutes and couldn’t possibly get a ticket in that time. You might get away with it a few times. The issue is when you get a ticket and there is a realization the $50.00 you’ll pay could have been used elsewhere. With a successful deposit of malware on your computer the hacker could steal critical and personal data as well as access to your bank account. Worse, you may not realize there is an issue until something of real value has been taken. Even then, most people have little indication there is a person hiding in their laptop. Like a ghost in an old house, the criminal goes back and forth across your precious data without leaving any fingerprints.