Phishing Attacks

March 25, 2021

What is a Phishing Attack?

Phishing is a type of cyberattack that uses email, SMS, phone, or social media to entice a victim to share personal information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.

Why is it called phishing?

The term “phishing” goes back to the mid-1990s, when malicious adversaries first began trying to steal passwords from an early online-services website called America Online (now known as AOL). Attackers were “fishing” for a victim by setting a hook and waiting for someone to take the bait.

The “ph” spelling can be traced back to an earlier form of cybercrime called “phone phreaking,” in which hackers manipulated telephone signals to make free long-distance calls.

As the COVID-19 pandemic continues to take hold in various regions around the world, phishing remains the primary initial access vector for threat actors.

Types of Phishing

Spear phishing

Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.

Pharming

A pharming attack does not require its victim to click a link. Instead, it redirects a user to a bogus website that either collects sensitive personal information or installs a virus on the user’s computer.

Smishing

Smishing is a phishing campaign conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.

Vishing

Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.

Session hijacking

Session hijacking occurs when an attacker uses a stolen security token to impersonate a legitimate user.

When a user logs into a password-protected system, such as an online bank, the system issues the user a token and creates a session. The user is then authorized to perform specific actions, such as transferring funds or making purchases. When the user logs out or is timed out, the token is revoked and the session is ended. In session hijacking, the attacker steals the token and uses it to continue the session, and is then able to perform any action the legitimate user could perform.

Whaling

Whaling, also called business email compromise (BEC), is a type of spear-phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.

The difference between phishing, spear-phishing and whaling attacks is on the scale of personalization. Phishing is the least personalized, whaling is the most, and spear-phishing lies between.

Cloning

A cloning attack copies a legitimate email from a trusted sender and alters it by replacing a link or file to direct the recipient to a malicious website designed to harvest sensitive information.

Domain spoofing

Domain spoofing usually substitutes a false URL to deceive users into thinking they are visiting a legitimate site. For example, in a spoofed domain, a “W” may be replaced with two “V”s, or a lowercase “L” with a capital “I.” The user is unlikely to notice the difference and is deceived into entering sensitive data on the malicious site.

The Most Impersonated Organizations in Phishing Scams

To assess exactly which organizations are being impersonated the most in phishing scams, the CrowdStrike data science team submitted an FOIA request to the Federal Trade Commission and asked for the total number of phishing scams reported as impersonating the top 50 brands and all U.S. federal agencies.

The results show the U.S. public which emails from brands and organizations they need to be the most cautious of, and which are the most lucrative to impersonate for phishing criminals.

Here are the top 20 most impersonated organizations in 2020:

[Table: the most impersonated organizations in phishing]

Amazon accounts for 41.5% of all impersonation complaints analyzed, with 1,262 phishing incidents reported to the Federal Trade Commission. Apple accounts for 33.3%, with 1,012 complaints. Together these powerhouses account for 74.7% of all impersonation complaints analyzed.

The third most impersonated organization is not a private enterprise. The Social Security Administration is the most impersonated federal agency in the U.S. for phishing scams (223). To top it off, out of all of the U.S. federal agencies, the Social Security Administration accounts for a staggering 91.8% of all phishing scam complaints.

The Most Impersonated Industries in Phishing Scams

While the most impersonated organizations are clear, which is the most targeted industry? The CrowdStrike team explored this too, with the help of the Federal Trade Commission.

[Table: industries with the most phishing impersonation scams]

The data received by the Federal Trade Commission reveals retail is the most impersonated industry sector in 2020, representing 43.9% of all impersonation complaints analyzed – 1,335 in total. Technology on the other hand represents 35.7% of all complaints analyzed, with 1,087 complaints received. U.S. federal agencies come in third place, with 243 reported phishing incidents.

Phishing Email Examples

As COVID-19 spread around the planet, many people were filled with emotions like fear, uncertainty and hope — the top ingredients for an effective phishing campaign. Cyber criminals are now taking full advantage of these emotions when disseminating malicious email spam (malspam) across the globe.

The CrowdStrike data science team is closely tracking COVID-19-related malspam and below are some of the phishing emails they’ve observed in the wild:

Example #1: Impersonating a doctor

The first example comes from a cyber criminal impersonating a doctor who claims they have a remedy for the virus.

[Image: example phishing email impersonating a doctor]

Upon clicking on the attached file, a powerful trojan is injected with features such as keystroke logging and password stealing.

Example #2: Impersonating a government organization

In this example, the cyber criminal is masquerading as the Ministry of Health from Colombia. The email urges the reader to download a document that supposedly contains the neighborhood areas where COVID-19 has been detected.

[Image: example of phishing email scam impersonating a government]

The email has a non-malicious PDF document attached, which simply contains the logo of the organization used as a lure and a link to an archive with the password in the message. This multi-step phishing strategy incentivizes the user to manually download and execute the payload and diminishes the chances of the message being blocked by spam filters by avoiding using weaponized documents as an attachment.

The payload is a commodity remote access tool (RAT) named Warzone, which is malware that has the ability to bypass UAC controls. It also has remote execution capabilities, a keylogger, a camera recorder, and can be used to steal the credentials from Google Chrome, Firefox, Thunderbird and Microsoft Outlook.

Example #3: Impersonating a package delivery company

In this example, the phishing email appears to be coming from a worldwide package delivery company. The email claims that the recipient’s package is ready to be picked up and that they must download the e-voucher.

[Image: example of a phishing email]

How to Recognize a Phishing Scam?

Typical characteristics of phishing messages make them easy to recognize. Phishing emails usually have one or more of the following indicators:

1. Asks for sensitive information

Legitimate businesses won’t request credit card information, social security numbers or passwords by email. They will also not send you a link to log into a system outside of their domain.

2. Uses a different domain

A message from Amazon will come from @amazon.com. It won’t come from amazon-subscriber@subscriber-services.com. Check the domain by looking at the Sent field.

3. Contains links that don’t match the domain

Hover the cursor over any links to make sure they will take you to the site you expect. Also look for https:// at the start of the URL, and do not click on any link that does not use HTTPS.

4. Includes unsolicited attachments

A legitimate company won’t send an attachment. It will direct you to its site, where you can download a document safely.

5. Is not personalized

Companies that do legitimate business with you know your name. They will use it rather than addressing you in a generic manner, such as “Dear Valued Member”.

6. Uses poor spelling and grammar

Of course, hackers aren’t ignorant, so it seems odd that their malicious messages would typically include so many spelling and grammar errors. The suspicion is that attackers use grammatical errors to weed out cautious users and entrap the uneducated or distracted, who will make easier targets.
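Several of the indicators above can be checked automatically when triaging a reported message. The following is an added example, not part of the original article: it parses one message with Python's standard `email` package and reports indicators 1 to 5; the sample message, the `.example` domains, the keyword patterns and the indicator labels are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name, address and URL in it is made up.
SAMPLE = """\
From: "Example Shop" <billing@subscriber-services.example>
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>Dear Valued Member, confirm your password at
<a href="http://login.shop-verify.example/">https://shop.example/account</a></p>
"""

class Links(HTMLParser):  # collects real href targets, not the text shown
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def indicators(raw, brand_domain):
    """Return the indicator labels (hypothetical names) found in one message."""
    msg, found = message_from_string(raw, policy=policy.default), []
    addrs = msg["From"].addresses if msg["From"] else ()
    if not (addrs and in_domain(addrs[0].domain, brand_domain)):
        found.append("sender-domain")            # indicator 2
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if re.search(r"password|credit card|social security", text, re.I):
        found.append("asks-sensitive-info")      # indicator 1
    if re.search(r"dear (valued )?(member|customer|user)", text, re.I):
        found.append("generic-greeting")         # indicator 5
    links = Links()
    links.feed(text)
    for url in map(urlsplit, links.hrefs):
        if not in_domain(url.hostname, brand_domain):
            found.append("link-off-domain")      # indicator 3
        if url.scheme != "https":
            found.append("link-not-https")       # indicator 3
    if next(msg.iter_attachments(), None) is not None:
        found.append("attachment")               # indicator 4
    return found
```

Calling `indicators(SAMPLE, "shop.example")` flags the sample on five counts, including the link whose visible text shows the brand's HTTPS address while its `href` points elsewhere over plain HTTP.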

How to Protect Against Phishing Attacks

How common is phishing?

Phishing is very common. According to Accenture, 60% of Americans say they or a family member has been a victim of a phishing attack, and 15% will be targeted more than once every year. The number of phishing attacks has also been increasing in the U.S., with a growth of 65% in the last year.

What happens if you open a phishing email?

Simply reading a phishing message is normally not unsafe. The user must click a link or download a file to activate malicious activity. Be cautious about all communications you receive, and remember that although phishing may most commonly happen through email, it can also occur through cell phone, SMS and social media.

What happens if you click a phishing link on your phone?

Phones are computers, and like any desktop, they can become infected by viruses when a malicious link is clicked. Typically, however, malicious links don’t download viruses directly to a phone. Instead, they direct the user to a website or the app store, where they are encouraged to download malicious content.

Before downloading an app, check the reviews for quantity and quality, only connect to trusted devices and treat any incoming messages with the same caution that you’d treat any message that lands in your computer inbox.

Is phishing illegal in the United States?

Federal laws against fraud apply to phishing. Twenty-three states and Guam have laws specifically against phishing.

Sentences for phishing are usually one to three years in jail and/or fines of at least several thousand dollars, although they may be as high as $10,000 or more per offense.

How to Report a Phishing Attack

Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov.