Phishing
Phishing is a form of social engineering and scam in which attackers deceive people into revealing sensitive information[1] or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated: many now proxy the targeted site in real time, so the attacker sees everything the victim enters while navigating the site, including one-time codes, and can cross additional security boundaries, such as a second authentication factor, together with the victim.[2] As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.[3]
The term "phishing" was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600.[4][5][6] It is a variation of fishing and refers to the use of lures to "fish" for sensitive information.[5][7][8]
Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures.[9] The importance of phishing awareness has increased in both personal and professional settings, with the share of businesses reporting phishing attacks rising from 72% to 86% between 2017 and 2020.[10]
Types
Email phishing
Phishing attacks, often delivered via email spam, attempt to trick individuals into giving away sensitive information or login credentials. Most attacks are "bulk attacks" that are not targeted and are instead sent in bulk to a wide audience.[11] The goal of the attacker can vary, with common targets including financial institutions, email and cloud productivity providers, and streaming services.[12] The stolen information or access may be used to steal money, install malware, or spear phish others within the target organization.[5] Compromised streaming service accounts may also be sold on darknet markets.[13]
This type of social engineering attack typically involves sending fraudulent emails or messages that appear to come from a trusted source, such as a bank or government agency. The messages link to a fake login page that imitates the real one; any credentials the user enters there are captured by the attacker.
Techniques
Link manipulation
Phishing attacks often involve creating fake links that appear to belong to a legitimate organization.[40] These links may use misspelled URLs or misleading subdomains to deceive the user. In the example URL http://www.yourbank.example.com/, an untrained eye may read the address as the "example" section of the yourbank website; in fact the registrable domain is example.com (the fraudster's domain), and "yourbank" is merely a subdomain that the owner of example.com is free to create. Another tactic is to make the displayed text of a link look trustworthy while the underlying href points to the phisher's site. To check a link's destination, most email clients and web browsers show the actual URL in the status bar when the mouse hovers over it. However, some phishers are able to bypass this check.[41]
Internationalized domain names (IDNs) can be abused through IDN spoofing[42] or homograph attacks,[43] which let attackers register domains whose addresses are visually indistinguishable from legitimate ones (for example, a Cyrillic "а" substituted for a Latin "a"). Modern browsers display mixed-script labels in their punycode form (xn--...), which blunts but does not eliminate the technique. Phishers have also disguised malicious URLs by routing them through open URL redirectors on trusted websites, so that the visible link begins with a reputable domain.[44][45][46] A TLS certificate (the browser padlock) does not protect against these attacks either: phishers can obtain valid certificates for their own look-alike domains and copy the genuine site's content, or simply host the phishing site without TLS.[47]
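The following link checker is an added example (not code from the original article) that applies the four tricks above to a hyperlink: a brand name used as a subdomain of somebody else's domain, an IDN or mixed-script hostname, display text that names a different site than the href, and a query parameter that carries a redirect to another domain. The tiny suffix list and brand list are constructed stand-ins (assumptions); a real deployment would load the Public Suffix List and the organisation's own domain inventory.

```python
"""Link-analysis helpers for the URL tricks described above (added example)."""
import unicodedata
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Constructed stand-in for the brands we protect and their real domains (assumption).
BRAND_DOMAINS = {"yourbank": "yourbank.com", "paypal": "paypal.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that can actually be registered.

    For 'www.yourbank.example.com' this is 'example.com'; every label to the
    left of it is a subdomain chosen by whoever controls example.com.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest public suffix first so 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def is_idn_or_mixed_script(host: str) -> bool:
    """Flag punycode (xn--) hosts and hosts that mix scripts, e.g. Latin + Cyrillic.

    'p\u0430ypal.com' (Cyrillic U+0430) renders like 'paypal.com'; on the wire it
    is an xn-- label. Either form deserves a second look.
    """
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        return True
    try:
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        return True  # undecodable IDN label: treat as suspicious
    scripts = set()
    for ch in unicode_host:
        if ch.isalpha():
            # Unicode names start with the script, e.g. 'LATIN SMALL LETTER A'.
            scripts.add(unicodedata.name(ch, "").split(" ")[0])
    return len(scripts) > 1


def analyze_link(href: str, display_text: str = "") -> list:
    """Return a list of warning strings for one hyperlink (empty list = nothing found)."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    reg = registrable_domain(host)

    # 1. A protected brand appearing in the host while the registrable domain differs.
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in host and reg != real_domain:
            warnings.append(f"brand '{brand}' in host but registrable domain is {reg}")

    # 2. IDN / homograph hosts.
    if is_idn_or_mixed_script(host):
        warnings.append(f"IDN or mixed-script host: {host}")

    # 3. Display text that looks like a URL for a different site than the href.
    shown = display_text.strip()
    if shown and "." in shown and " " not in shown:
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != reg:
            warnings.append(f"link text shows {shown_host} but href goes to {host}")

    # 4. Open-redirect style parameters: a query value that is itself an
    #    http(s) URL pointing at another registrable domain.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            target = urlsplit(unquote(value))  # unquote again to catch double encoding
            if target.scheme in ("http", "https") and target.hostname:
                if registrable_domain(target.hostname) != reg:
                    warnings.append(f"parameter '{key}' redirects to {target.hostname}")
    return warnings


if __name__ == "__main__":
    for w in analyze_link("http://www.yourbank.example.com/", "https://www.yourbank.com"):
        print(w)
```

Run against the article's own example, `analyze_link("http://www.yourbank.example.com/")` reports the brand-as-subdomain problem, while the genuine `https://www.yourbank.com/login` produces no warnings. The script-mixing check is deliberately conservative: whole-script confusables (a domain written entirely in Cyrillic) pass it, which is exactly why browsers also fall back to punycode display for those cases.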
Filter evasion
Phishers have sometimes used images instead of text to make it harder for anti-phishing filters to detect the text commonly used in phishing emails.[48] In response, more sophisticated anti-phishing filters are able to recover hidden text in images using optical character recognition (OCR).[49]
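Before spending OCR on every attachment, a filter needs a cheap way to spot the image-instead-of-text pattern. The following is an added example (not code from the original article) that builds a constructed multipart message inline and scores it: a message whose visible text is nearly empty while it carries `<img>` tags or inline image parts is routed for OCR or quarantine. The sender and recipient addresses and the PNG header bytes are placeholders, and the OCR step itself (Tesseract or similar) is out of scope here.

```python
"""Pre-filter for image-only phishing mail (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text fragments and count <img> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.fragments = []
        self.images = 0

    def handle_data(self, data):
        self.fragments.append(data)

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1


def score_message(raw: bytes, min_text_chars: int = 40) -> dict:
    """Count visible text, <img> tags and inline image parts; flag image-only bodies."""
    msg = message_from_bytes(raw, policy=policy.default)
    visible_chars = img_tags = image_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            visible_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            extractor = _TextExtractor()
            extractor.feed(part.get_content())
            visible_chars += sum(len(f.strip()) for f in extractor.fragments)
            img_tags += extractor.images
        elif part.get_content_maintype() == "image":
            image_parts += 1
    # Little or no readable text but at least one image: the text the filter
    # would normally scan is probably inside the picture.
    needs_ocr = visible_chars < min_text_chars and (img_tags + image_parts) > 0
    return {
        "visible_chars": visible_chars,
        "img_tags": img_tags,
        "image_parts": image_parts,
        "needs_ocr": needs_ocr,
    }


def build_sample(image_only: bool) -> bytes:
    """Constructed sample mail: the body is either a single inline image or plain prose."""
    msg = EmailMessage()
    msg["From"] = "alerts@yourbank.example.com"  # placeholder sender
    msg["To"] = "customer@example.org"           # placeholder recipient
    msg["Subject"] = "Action required"
    if image_only:
        html = '<html><body><img src="cid:body1"></body></html>'
    else:
        html = ("<html><body><p>Your statement for May is now available "
                "in online banking.</p></body></html>")
    msg.add_alternative(html, subtype="html")
    if image_only:
        # Placeholder bytes with a PNG signature, not a real image.
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
        html_part = msg.get_payload()[0]
        html_part.add_related(fake_png, maintype="image", subtype="png", cid="<body1>")
    return msg.as_bytes()


if __name__ == "__main__":
    print("image-only:", score_message(build_sample(image_only=True)))
    print("normal    :", score_message(build_sample(image_only=False)))
```

The threshold `min_text_chars` is a tuning knob: set it too high and short legitimate notifications get sent to OCR, too low and a phisher can satisfy it with a line of innocuous filler under the image. In practice the verdict is combined with the link checks from the previous section once OCR has recovered the text.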