Let us learn about phishing emails. Today we live in a digital age, an amalgamation of ones and zeros floating in different corners of the World Wide Web. Every part of our lives is slowly moving towards digitisation, be it finances, education, networking or shopping; it is all just one click away. There is no doubt that this digital age has made our lives easier and better by giving us greater freedom and connectivity, but it has also made us more vulnerable.
Our data and sensitive information on digital platforms is constantly under threat from criminals who operate in this realm. A new scam is created every day. Methods like phishing and whaling are constantly used to cheat people and corporations out of their sensitive data. Cybersecurity is therefore extremely important, and the best way to keep yourself safe is to understand these threats. One such threat, and arguably the most dangerous, is email phishing.
Phishing is a fraudulent attempt to obtain sensitive information or data, such as credit card details, passwords and usernames, by pretending to be a trustworthy entity. The criminal imitates an official source via email, text message or other digital media. Email phishing is the most widely known and used form. It is designed to reach a large audience and often takes the shape of emails that appear to come from big corporations like Walmart, Target and others. The message is simple and convincing. It usually contains a link to a third-party website that the criminal has set up to look like the real one, where the victim is asked to enter some form of sensitive information.
1. The most famous email phishing scam, and one that arguably changed the course of history, was the 2016 spoofed Google security alert sent to Hillary Clinton's campaign chairman during her run for the presidency. The message claimed that a third person had gained access to the target's email and provided a link to change the password. Once the link was clicked and the password entered, the attackers had access to the account and the campaign's internal emails.
2. Between 2013 and 2015, Facebook and Google were defrauded of over 100 million dollars through a large-scale fake-invoice scam. A Lithuanian man posed as a large Asia-based manufacturer that both companies used as a vendor and sent a series of fake invoices, which were paid.
3. In 2014, Upsher-Smith Laboratories, a US-based drug company, lost more than 50 million dollars in the span of three weeks. The criminals impersonated the CEO and emailed the company's accounts payable coordinators, instructing them to carry out nine fraudulent wire transfers. An Austrian aerospace parts manufacturer named FACC lost over 61 million dollars in a similar scam.
4. The European cinema chain Pathé lost 21 million dollars when two high-ranking executives became the target of an email phishing scam. Over the course of a month, the attacker extracted multiple payments by pretending to be the CEO.
5. In June 2015, Ubiquiti Networks Inc., a network technology company serving service providers and enterprises, lost 46.7 million dollars to a phishing email. The company's filing with the US Securities and Exchange Commission stated that the attack used employee impersonation and fraudulent requests crafted by outsiders and aimed at the finance department. The money was transferred from a company subsidiary in Hong Kong to overseas accounts held by third parties. The transfers were made by the employees themselves, who were tricked into thinking the requests were legitimate because the spoofed email addresses and domains looked very realistic. The lesson is that a sender address on its own proves nothing: unless the receiving domain enforces SPF, DKIM and DMARC, the From header is simply text chosen by the sender.
6. In 2020, COVID-19 themed phishing scams became a major trend. The first was reported in March 2020 by Vade Secure and exploited the uncertainty and fear caused by the virus and the lockdown. Targets ranged from individuals to the WHO and state and federal health agencies around the world, which were both impersonated and attacked.
7. In December 2015, attackers compromised Ukrainian electricity distribution companies and caused a major blackout. They got in by sending a phishing email with a malicious attachment to utility employees. This is widely regarded as the first confirmed cyberattack to cause a power outage; a second attack on the Ukrainian grid followed in December 2016.
8. Another common scam is the fake Google login. The attacker builds a fake Google login page and emails a link to it to the targets with a message along the lines of "we have updated our login credential policy, please confirm your account by logging in."
9. Fake company tech support requests are most prevalent in the workplace. Employees receive an email that appears to come from the IT department asking them to install new software. The "software" is malware, often ransomware, which spreads across the network and gives the attackers access to sensitive information or the ability to encrypt it for ransom.
10. Tecnimont SpA, an Italian engineering company, fell prey to an elaborate phishing scam in which the criminals sent the company's executives emails scheduling conference calls to discuss a confidential acquisition in China. The company lost 18.6 million dollars.
Email phishing attacks come in several types: mass-based or targeted, generic or personalised. Different attackers use the technique that suits their goal best:
CEO phishing – most common in business environments. The attacker pretends to be a high-ranking executive and emails employees demanding personal information or authorisation of large wire transfers to fraudulent companies. The Upsher-Smith, FACC, Pathé and Ubiquiti cases above are of this kind.
Spear phishing – targeted and personalised. The attacker pretends to be a known individual such as a friend, family member or co-worker and asks for a money transfer (in most cases) or sensitive information. They build a sense of trust and urgency to make sure the request is fulfilled.
Deceptive phishing – the most common form of email phishing. The attacker impersonates a legitimate company in order to steal personal data and login credentials, creating a sense of panic or urgency to make sure the target engages. The fake Google login page above is a typical example.
Day by day, phishing attacks are getting more sophisticated and convincing, so it is important to be sceptical and aware. Given below is a series of indicators that can help identify a phishing email.
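To make the indicators concrete, here is an added example (written for this page, not code from the original article) that scores a raw email against the warning signs behind the cases above: a display name that claims a trusted identity while the address sits on another domain, a Reply-To that diverts replies, a typosquatted or nested lookalike domain in the sender or a link, anchor text that shows one host while the href goes to another (the fake login page trick), and urgency or payment wording. It assumes a single trusted organisation domain, example.com, and a hypothetical list of brand and role tokens; both sample messages are constructed for the demo and not real mail.

```python
"""Heuristic phishing-indicator checker. Added example for this article, not
the article's own code. TRUSTED_DOMAINS, BRAND_TOKENS and the samples are
assumptions chosen for the demo."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domain
# Assumption: words an impersonator puts in the display name; tune per organisation
BRAND_TOKENS = ("example", "ceo", "cfo", "it support", "it department", "helpdesk")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                   "confirm your account", "wire transfer", "invoice")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1-2 catches typosquats like examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain):
    """Near-miss of a trusted domain, or a trusted domain buried inside a foreign one."""
    if not domain or is_trusted(domain):
        return False
    return any(edit_distance(domain, t) <= 2 or t in domain for t in TRUSTED_DOMAINS)


def host_of(url_or_host):
    """Hostname of a URL, or of bare anchor text such as accounts.example.com."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host.strip()
    return (urlparse(url_or_host).hostname or "").lower()


def analyze(raw_message):
    """Return a list of (indicator, detail) findings for an RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_addr = parseaddr(str(msg["Reply-To"] or ""))[1]
    reply_dom = reply_addr.rpartition("@")[2].lower() if reply_addr else from_dom

    if not is_trusted(from_dom) and any(t in from_name.lower() for t in BRAND_TOKENS):
        findings.append(("display-name-spoof", f"'{from_name}' but sender domain is {from_dom}"))
    if reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    if is_lookalike(from_dom):
        findings.append(("lookalike-sender", from_dom))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        for href, text in parser.links:
            href_host = host_of(href)
            text_host = host_of(text) if "." in text and " " not in text else ""
            if text_host and text_host != href_host:
                findings.append(("link-text-mismatch", f"shows {text_host}, goes to {href_host}"))
            if is_lookalike(href_host):
                findings.append(("lookalike-link", href_host))

    # Urgency and payment wording: subject plus body with HTML tags stripped
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


# Constructed sample messages for the demo (not real mail).
SAMPLE_PHISH = """\
From: "Example IT Support" <helpdesk@examp1e.com>
Reply-To: collect@mail-drop.net
To: alice@example.com
Subject: Action required: confirm your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We have updated our login credential policy. Please confirm your account
immediately or it will be suspended.</p>
<p><a href="http://accounts.example.com.secure-verify.net/login">accounts.example.com</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch at noon? Same place as last week.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample) or "no indicators")
```

Run stand-alone, the constructed phishing sample trips all six indicators and the benign note trips none. The heuristics are deliberately simple and will produce false positives on real mail (a legitimate newsletter with a mailing-list Reply-To, for instance), so they are a triage aid, not a verdict; the authoritative checks remain SPF, DKIM and DMARC results in the Authentication-Results header and whether the link's real destination is a domain you control.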
By keeping yourself aware and educated, or by organising seminars on phishing in the workplace, you can greatly reduce the chances of falling victim to such a scam.
Once you are sure the email is illegitimate, and especially if you have already fallen victim, the next step is to go to the authorities. Most countries have cybercrime agencies that specialise in such crimes, for example the FBI's cybercrime division in the United States or the Indian cybercrime agencies. Phishing emails can also be reported to the nearest police station, which will direct you through the process. In a workplace, report the email to your IT or security team as well, and if you entered a password on the fake site, change it immediately wherever it is used.
We hope these tips help you to recognise phishing scams immediately and avoid falling prey to them.
So, have you made up your mind to make a career in cybersecurity? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and lets learners practise in a real-time simulated ecosystem, which will give you an edge in this competitive world.