In this article, you will learn about how attackers use psychology to bypass technical security measures.
Note: Attempting to phish the credentials of someone without their express consent is illegal. The information presented in this course in no way encourages or condones phishing, and should not be used to attempt a phishing attack.
Phishing is one of the most well-known types of cyber attacks. The average internet user has never heard of Kali Linux or written a Python script to guess passwords, but everyone knows not to respond to an email from a down-on-their-luck Nigerian prince (well, almost everyone).
One of the reasons that phishing is so common is that it works! No matter what technical controls are in place to secure a system, the humans within the system are still hackable. The practice of tricking humans into handing over important data or access is also known as social engineering.
Estimates of how effective phishing is vary, but given that it can be used for everything from credential theft to loading malware onto systems, Verizon labeled it the biggest threat to small organizations in 2020.
Sometimes phishing attacks can seem comically implausible, such as the phishing email shown below from an unfortunate astronaut lost in space. However, with phishing attacks becoming both more common and more sophisticated, it’s vital to be able to identify and stop them.
Phishing, a practice that targets humans to get money, information, or access, is a type of what?
Different Types of Phishing
All types of phishing rely on social engineering to get a victim to take some action, but there are different methods and targets beyond email, for example:
- Vishing (from “voice phishing”), which refers to the spam calls in which an attacker claims to be from a victim’s bank or law enforcement and tries to extract information.
- Smishing (from “SMS phishing”) is when an attacker attempts to do the same thing over text message, by sending a malicious link.
- Webpages, which we’ll discuss in this article.
Phishing is also categorized by who it targets. Many phishing campaigns send out mass spam emails to individuals and organizations, hoping to catch a victim in a wide net. But sometimes, an attacker has a specific target in mind and sends that target a dedicated, personalized email. This is known as spear phishing. If the target is extremely sought after, like the CEO of a company, it is known as whaling.
Whether it is used to trick someone into sending money, to harvest login credentials, or to download malware, phishing targets humans as an initial attack vector.
Which of the following is NOT a type of phishing?
How Does Phishing Work?
Sometimes phishing attacks are just emails or phone calls that attempt to get a victim to send an attacker money or payment information. Others, such as those that get people to click on links that download malware onto their systems, require more technical finesse. For example, an attacker could:
- Embed malicious code in a PDF or Word document.
- Attach it to a phishing email.
- Social engineer a user into downloading and opening it, executing the malicious code.
Often, this malicious code also contains functionality to spread the malware further by sending more phishing emails to the user’s contacts.
What is one way that attackers hide malware in phishing emails?
They include it as image files in the body of the email.
Malware can only be distributed via phishing websites, not emails.
They hide malicious code in attached documents.
Email spoofing refers to when an attacker falsifies their email headers to make it appear as though the email is coming from someone else. Spoofing is a common component in phishing emails, used in as many as 90% of email fraud attacks.
When you send an email normally, the “from” field is filled in automatically. If my email is john_johnson[@]gmail[.]com, and I send an email to my friend, my friend will see that the email came from my email address. However, you can also send emails with simple scripts (here are instructions for sending an email in Python).
When you write and send an email using a programming script, you can configure the email headers to be whatever you want – meaning that an attacker can put any email address as the “sender”, even yours. To see what is really going on in an email, you can download it and open it in a code editor, but most email providers also let you view the email headers from within your inbox. For example, in Gmail, if you open an email of interest, click on the three vertical dots in the upper right-hand corner, and click on “Show original”, you can see the email headers.
These email headers provide valuable information that can help detect phishing, such as the “return-to” address, sender IP, and whether the email failed any protections such as SPF and DKIM, which help to fight spoofing (they are the reason emails are automatically sent to your spam folder). If you see a suspicious email, it is always wise to open the headers before responding in order to see if any protection fields “failed”, and to look at the original sender IP. You can read more about email spoofing here.
The headers of a phishing email, showing that it failed SPF protections.
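The header checks described above, automated: an added example (not code from the original article), built on Python’s standard `email` module. The raw message is constructed for this example; it assumes the receiving server wrote an `Authentication-Results` header, which is where the SPF/DKIM verdicts live.

```python
import re
import email
from email import policy
from email.utils import parseaddr
# Constructed sample message (not a real email): From: claims PayPal, but the
# Return-Path, Reply-To and our server's Authentication-Results disagree.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.45])
 by mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=fail header.d=paypal.com
From: "PayPal" <paypal.accounts@gmail.com>
Reply-To: <collect@attacker.example>
To: <victim@example.org>
Subject: Your account is limited

Click here to restore access.
"""

def _domain(header_value):
    """Lower-cased domain part of an address header ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_headers(raw):
    """Pull out what an analyst checks first: auth verdicts, sender IP,
    and whether From, Return-Path and Reply-To point at the same domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    # The receiving server records one verdict per mechanism, e.g. spf=fail.
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=([a-z]+)" % mech, auth, re.I)
        verdicts[mech] = m.group(1).lower() if m else "none"
    # The topmost Received: line was added by our own server and names the
    # host that connected to it, with its IP address in square brackets.
    received = str(msg.get_all("Received", [""])[0])
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    report = {"auth": verdicts, "sender_ip": ip.group(1) if ip else None,
              "from_domain": _domain(msg.get("From")),
              "return_path_domain": _domain(msg.get("Return-Path")),
              "reply_to_domain": _domain(msg.get("Reply-To"))}
    report["failed_auth"] = sorted(k for k, v in verdicts.items() if v == "fail")
    report["sender_mismatch"] = bool(
        report["return_path_domain"] != report["from_domain"]
        or (report["reply_to_domain"] and report["reply_to_domain"] != report["from_domain"]))
    report["suspicious"] = bool(report["failed_auth"] or report["sender_mismatch"])
    return report
```

Run `analyze_headers(RAW_MESSAGE)` on the sample and every red flag the article lists shows up at once: SPF and DKIM failed, the sender IP is exposed, and replies would go to a third domain.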
Email headers can reveal all of the following information EXCEPT:
Where email replies will be sent.
Whether the files in the email are malicious.
Whether the email passed or failed authentication protections such as SPF and DKIM.
The sender’s public IP address.
Not Just Emails: Webpages That Steal Your Password
Webpages that harvest credentials are especially effective phishing tools. Because these pages often forward victims to a legitimate webpage after stealing their login information, the user never realizes they were phished. These webpages can also encourage you to download malware unknowingly.
If someone were trying to steal Codecademy logins, they could occupy a typo-squatting domain like codeoademy.com in the hope that a user would accidentally type in the wrong domain. A malicious actor could also disguise their domain with a link shortener like bitly to get someone to click through to a disguised domain.
Below, we’ve set up our own credential harvesting webpage that looks identical to the Codecademy login page. We did this by downloading the HTML files for Codecademy. In the screenshot, the page is on a local server we can monitor, but we could choose to host it on any domain we owned.
When someone lands on this page, they think it’s the real codecademy.com! When they enter their username “admin” and password “password” and log in, that login information gets sent to our backend.
Because we can program the “Log in” button to redirect to the real Codecademy page, a potential victim who did not look at the domain and notice that something was off would have no indication that the page had just sent their information to us. This is one way that an attacker can use a website to trick someone into handing over their credentials. It seems like there are a million ways we can be expertly deceived on the web. Let’s talk about how to detect these!
Fill in the following sentence with the correct phishing techniques.
Phishing is a type of attack that can take many forms. For example, , (voice phishing), and (SMS phishing) are all threats. Attackers can also send emails that look like they are from legitimate senders by using spoofing.
Fortunately, there are ways that we can train both ourselves and our organizations not to fall for phishing! Although many phishing websites are near copies of the originals, phishing emails can be easier to spot. Below are three examples of phishing, two emails and one webpage. Can you spot the indications on each that it isn’t legitimate?
This one is pretty convincing. Did you spot the giveaway? The sender is paypal[.]accounts@gmail[.]com. Remember, anybody can register a @gmail.com address. The real PayPal will always use a business domain: @paypal.com. Another method? You can inspect any button in an email with your browser’s developer tools to see where it is actually taking you. Developer tools are a cybersecurity expert’s best friend: they can reveal many secrets that attackers don’t want you to see.
This is also a pretty convincing email, especially if Tom Atwood is in your contacts. In fact, once an attacker compromises an email address, they can use it to distribute more phishing emails to the people in the victim’s contact list, using email spoofing to make the emails appear to come from known contacts. The fact that the attacker addresses the victim by name would also make this an example of spear phishing. What’s the giveaway here? Take a closer look at that URL – the second “g” in “google” is really a “d”. This means that the link is probably taking you to a malicious fake website which will ask you to log in to Google Drive and steal your credentials.
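The “look at the domain” advice from the Codecademy typo-squatting example and the “goodle” link above, turned into a check you can run over every link in an email. This is an added example, not code from the article; the `TRUSTED_DOMAINS` allow-list, the `SHORTENERS` set and the `CONFUSABLES` table are assumptions, and it goes slightly beyond the text by also catching look-alike characters such as “1” for “l”.

```python
from urllib.parse import urlparse

# Domains we expect legitimate mail to link to (constructed allow-list).
TRUSTED_DOMAINS = ["codecademy.com", "google.com", "paypal.com", "ssa.gov"]
# Shorteners that hide the real destination; a real list would be longer.
SHORTENERS = {"bit.ly", "tinyurl.com"}
# Character swaps that look alike in many fonts (small illustrative table).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

def edit_distance(a, b):
    """Levenshtein distance: one typo (codeoademy vs codecademy) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(url):
    """Host with leading subdomains dropped (naive: keeps the last two labels)."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def classify_link(url):
    """Return ('trusted'|'shortener'|'lookalike'|'unknown', detail)."""
    domain = registered_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    if domain in SHORTENERS:
        return "shortener", domain
    label = domain.rsplit(".", 1)[0]          # drop the TLD (.com, .gov, ...)
    normalized = label
    for fake, real in CONFUSABLES.items():   # paypa1 -> paypal
        normalized = normalized.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.rsplit(".", 1)[0]
        # Same name on a different TLD (ssa.com vs ssa.gov), a confusable
        # swap, or a single-character typo all count as a look-alike.
        if label == t_label or normalized == t_label or edit_distance(label, t_label) <= 1:
            return "lookalike", f"{domain} imitates {trusted}"
    return "unknown", domain
```

Feed it the URLs from a message and treat anything classified `lookalike` or `shortener` as a reason to open the headers before clicking.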
This webpage is very similar to the real Social Security webpage, visible here. However, two things are a bit off. Firstly, all official U.S. government websites should have a .gov domain, not a .com, and secondly, have you ever seen a username and password field without an option for “forgot password?” Looking at the domain will probably provide the best information, but paying attention to small details such as missing or malfunctioning buttons, and grammar or