Anatomy of a Phishing Attack: How Hackers Trick You

They’ve been used against us for over two decades, so phishing attacks are hardly new. They have evolved, however. No longer limited to email, they can also be delivered by social media and SMS text messages. It’s the ever-evolving delivery of the same old scams in new clothing.

Modern-Day Phishing: The Minefield in Your Mailbox

Phishing is a form of cyberattack that is delivered predominantly by email. In a 2017 report by Symantec, they determined that there were 135 million phishing emails sent every day, and 1.5 million fraudulent websites were created every month to facilitate these scams.

Those are big figures. Two factors make phishing attacks popular with cybercriminals or “threat actors.” Firstly, they are easy attacks to conduct. At its most basic level, a phishing attack is the simplest form of cyberattack. All you need to do is send emails. The second reason is phishing scams are successful. People are duped by them all the time. It’s a threat actor’s dream – a simple attack that works.

The Anatomy of a Phishing Attack

The basic premise is a phishing email mimics an email from a genuine entity. It may masquerade as an email from an organization you recognize, like PayPal, X (formerly Twitter), or Facebook. It might impersonate a figure of authority, such as a law enforcement agency or a senior executive in your own organization.

The email tries to compel you to perform an action.

• It may ask you to click a link that takes you to a fraudulent copy of a genuine website. When you log in, they harvest your credentials, which they can use on the genuine website – or any other system where you’ve used the same ID and password
• It may try to get you to open a malicious attachment that will infect your computer and network with malware, such as ransomware.
• It might try to coerce you into making a payment. Not only do they get the money from the payment, they also obtain your credit card details.
• Emails that appear to be from senior executives or board members try to persuade personnel in the accounts department to make a transfer to a customer or supplier. The bank details provided are those of the threat actor, of course.

With hundreds of millions of phishing emails being sent every day, it’s no surprise that they are successful. If you have enough shots at a goal, some of them will go in. Whether someone falls for a phishing email or not isn’t always a reflection of their intelligence. Anyone can make a mistake in haste.

If the message in the phishing email happens to strike a chord with you, it’s very easy to take it at face value and react to it without stopping to think. Which is just what the threat actors are hoping for. And new users come to the Internet all the time, both young and old. They’re not experienced in spotting these types of scams.

Setting Up the Phishing Attack: Psychological Warfare

The wording of phishing emails has changed a lot over the years. Twenty years ago, it was common for them to have outlandish cover stories involving lost inheritances, Nigerian princes, and the widows of retired spies.

They were badly written and peppered with poor grammar and spelling mistakes. There’s a theory that says they were written this way because if none of that put you off, you were probably gullible enough to fall for the trap.

That theory doesn’t stand scrutiny, however. If you’re not bothered by the ridiculous cover story and bad grammar, you’re likely to be someone at the lower end of the educational spectrum. And probably in a lower-paid job. Why would the scammers purposefully filter out everybody else and focus on the least well-off segment of society?

Nowadays, most phishing emails are skillfully put together. They have the appropriate logos, footers, disclaimers, and other company liveries so that they look real. Attention is paid to grammar and spelling so they sound real.

And above all, they are phrased to generate a sense of urgency so that the victims are more likely to react immediately and get snared. Psychology and an understanding of human nature are involved in the setting of the trap.

These are typical subjects for phishing emails:

All Brands Available!

Phishing emails have been created to exploit users of just about any online system or service you can think of. You might ask, what good is my Twitter account to a cybercriminal? They don’t want your Twitter account. They want to get their hands on a set of authentication credentials that you use.

People have a dreadful habit of using the same password again and again, all over the web. Once the threat actors have your login details for one system, they’ll pop them into an automated script that’ll try them on every popular web service.

And getting an email telling you to verify your credentials on something as innocuous as Twitter isn’t going to ring the same alarm bells that a similar message would from, say, a payment service such as PayPal.

The threat actors work the numbers so the odds are in their favor. If you get an email saying your account has been compromised on a service that you don’t even subscribe to, that’s something of a giveaway that it’s a phishing email.

That’s why they often pick on popular platforms like Twitter, Facebook, and Instagram because so many people have one of those accounts.

Where Do They Get All the Email Addresses?

Data breaches seem to be a fact of modern life. There’s always some organization or other in the news admitting they’ve been breached and lost data. Everyone from Facebook to LinkedIn, from British Airways to Marriott Hotels, has lost millions of personal records in the last few years.

The data from all the breaches are gathered into huge collections that are available on the Dark Web. Threat actors can purchase the data at extremely low cost, and feed it into automated systems that send the emails out.

Different Types of Phishing Emails: What to Expect

There are a variety of phishing attacks, each using a type of psychological tactic, such as instilling a sense of fear and/or urgency, pretending to be an authority, or even playing on the caring personalities of people to guilt you into doing what they want.

Knowing the different types of phishing methods will help you understand the tactics they use, and help you recognize the signs before it’s too late.

Unsophisticated Phishing

These emails are very simple, involving nothing more than, well, an email. There is no infrastructure or framework behind them to make the scam more believable. Even these primitive scams have a number of variants.

• They may ask you to get in touch by email or phone to discuss your prize, inheritance, or other good news. Over the course of several phone calls, you’ll be asked for bits of information so that the prize can be transferred into your bank account. The transfer takes place, but it is a withdrawal, not a deposit.
• The email may try to scare you into making a payment. Typically they look like they’ve come from the FBI or another law enforcement agency. They’ll accuse you of downloading music, films, pornography, or of non-payment of a speeding or parking offense or other invented allegation. To keep the matter out of court and prevent the fine from increasing, you’re encouraged to pay the outstanding charges right away. A phone number – in a strangely distant country – is provided to take your credit card details.
• Sextortion is a similar racket. The email will say it’s from a hacker who has hacked your computer and knows you’ve visited a pornography site. They’ll show you the username and password that you’ve used on the site. Whilst watching the pornography, the hacker was filming you through your webcam. To prevent friends, family, and colleagues from receiving the webcam footage, you need to pay in bitcoins. The username and password are ones you’ve used before, you recognize them. But you can’t ever remember doing what they’ve said – what’s going on? Nothing. It’s just a scare tactic. All that’s happening is a sort of mail merge. Along with the email addresses, the databases from the Dark Web contain the passwords that were used on the site when the data was stolen. As each email is addressed, the matching password is inserted into the body of the email. This makes it look like the scammers have some inside knowledge about you.

These phishing attempts are nothing more than brazen emails asking for money or credentials. And yet they find victims every day.

Phishing With Copycat Websites

Phishing emails that are backed with a facsimile website provide a more compelling and convincing experience for the victim. The email’s purpose is to pique their interest, raise their worries, or make them panic. To check if what the email says is true, the victim clicks the link that takes them to the copycat website. The website confirms what the email said, so they assume the email is genuine.

Like all phishing scams, they can be reskinned very quickly. Whatever is in the news will be used as fodder for phishing emails. There is software available that can take a copy of the login page from a genuine website. The threat actors don’t even have to come up with their own forgery. They use the “real” page and modify it extremely quickly.

If there is a genuine data breach on a popular site, such as Facebook, the threat actors send out emails ostensibly from Facebook, offering advice about the data breach and providing a link for you to follow to verify your account hasn’t been compromised. Needless to say, the site the link takes you to is their own copycat site.

These types of phishing attacks are seasonal too. At the end of the tax year, they’ll be reconfigured to look like tax office websites to back up the pretense that the tax refund phishing emails are genuine. In the run-up to December, they’ll be reskinned to impersonate courier companies.

This gives credence to the phishing emails that claim a courier couldn’t make a delivery to you and you need to reschedule delivery.

To give proof – if any were needed – that the threat actors don’t have a shred of compassion or humanity, there was a large wave of phishing emails touting scams based around the COVID-19 pandemic.

• Fabricated guidance from health organizations such as the World Health Organization or local health departments, “Open the attachment to learn more.”
• Falsified updates from local government and other authorities about lockdown policies and other procedures to address the risk.
• Fraudulent websites containing statistics, maps, and dashboards implanted with malware.
• Information about protecting yourself, your children, or the elderly contains malicious links or attachments.
• Nonexistent charitable appeals asking you to donate to help with the crisis.

Spear Phishing

Spear phishing is a targeted type of phishing attack. It is delivered to a specific person in the accounts department of an organization. It will appear to come from a senior executive or other high-ranking staff member and will look exactly like a genuine company email with fonts, footers, and corporate livery. It will address the recipient by name and ask for a payment to be made to a customer.

Of course, it’s urgent. It must happen as soon as possible and by no later than, say, 2:30 pm.

This type of phishing attack might seem relatively sophisticated compared to previous examples, but it is still worryingly simple to pull off. Many websites have a Meet the Team page. With no difficulty at all, you can find out who the board members and company officers are and who is on the accounts team.

The threat actors will send an email to anyone in the company asking any questions. Do they sell this product, are they hiring, where’s their nearest branch? It really doesn’t matter as long as they get a reply. The reply email provides the look and feel of the corporate emails, including logos, footers, and disclaimers.

SMS Text Phishing – Smishing

Although the vast majority of phishing is carried out by email, SMS text messages and other messaging platforms, such as WhatsApp, can also be used as the delivery medium. By forging the originating number, the threat actors can make a message look like it was sent from any number they wish to use.

If the forged number is in your phone’s contacts, your phone will unwittingly collude with the scammers and label the message as coming from a genuine source. With the short, pithy style of SMS texts, you’re more forgiving of awkward or poor English. You also don’t expect to get the whole story in a text or WhatsApp message. It’s normal practice to click a link to find out more.

Don’t Take The Bait – How to Spot a Phishing Email

There are some signs you can look for that give the game away:

• Look carefully at the sender’s email address. If the email address isn’t the same as the company domain, treat it with suspicion. Does it really say microsoft.com, or does it say rnicrosoft.com? Threat actors register domains that are one letter away from the real thing, so you need to look at each letter, not skim-read the email address.
• Hover your mouse pointer over any links in the body of the email and see where they are going to take you. It is easy to make the text of the link say anything. It doesn’t mean that is where you’ll go if you click it. Hovering the mouse over the link will produce a tooltip with the actual link destination in it. If it looks at all suspicious, don’t click it.
• Threat actors try hard to have perfect grammar and spelling, but they still make mistakes. Perhaps they’ve got the spelling correct, but the phrases and tone don’t match what you’ve come to expect from the real entity. If anything feels wrong, it probably is. The future of AI makes this one likely to become more sophisticated.
• Do the logo and other corporate livery look right, or are the images low resolution and amateurish?
• Genuine organizations never ask for passwords, account details, and other sensitive information.
• Sadly, if it is too good to be true, it isn’t true. You’re not suddenly rich.

If you’ve been through all of those steps and still don’t know if the email is genuine, go onto your browser and log directly into the account they are pretending to be from. Don’t click the link, go directly to the site in the way you always would.

If you’ve had a call claiming to be from the bank and it feels strange, ask for their number and ring them back. Been asked to make a sudden payment at work? Contact the person asking for the payment and explain you need to verify the details.

Taking a step backward, giving yourself time to think, and positively verifying everything is genuine before you proceed will keep you safe.