Phishing

Phishing is a form of social engineering in which attackers lure internet users into revealing sensitive information, such as bank login credentials and credit card numbers, through websites that imitate legitimate ones. The attackers pose as companies or acquaintances and send messages containing links to the phishing sites. A survey reported by Ollmann (2004) found that 57 million internet users in the United States had received phishing emails and that about 2 million of them had been compromised. Another report counted 1,862 data breaches in 2021, each costing businesses an average of $4.65 million (Fowler, 2022). This study discusses the types of phishing attacks, their implications and challenges, and ways of identifying and preventing them.

Phishing attacks in the airline, education and healthcare sectors in the United States have led to losses of about US$100 million (Sadiq et al., 2021). In these cases attackers used email phishing to steal workers' login credentials and personal information. Phishing can be reduced and prevented by educating employees, changing passwords promptly after any suspected compromise, avoiding links to unknown or suspicious websites, deploying firewalls, keeping browsers up to date, using antivirus software and checking a site's domain and certificate before entering credentials. Browser extensions can warn users when they are about to enter credentials on a known-malicious or look-alike URL. Organizations can also use web and DNS filtering to stop their networks from reaching unapproved or suspicious websites.

In 2020, 88% of cybersecurity experts surveyed reported an increase in phishing attacks. Phishing attacks trigger data breaches, which have significant consequences for any organization. Facebook, Google, Ubiquiti Networks, FACC and Crelan Bank have all suffered phishing attacks, with combined losses of $283 million. Phishing also causes reputational damage, business disruption and regulatory fines. Individual victims risk financial loss, corrupted files and exposure of the documents they have shared.

Internet users and organizations should be aware of the types of phishing and the techniques used. Phishing attacks aim to lead users to fake websites where they are asked to enter login credentials or other sensitive information. Attackers may use several attack vectors, but the end goal is the same (Chiew et al., 2018). Phishing exploits users' trust to steal confidential data (Hong, 2012). Once cybercriminals have installed malware on a victim's computer, they steal sensitive data such as passwords and login credentials for malicious purposes (Shestak & Pavlyukova, 2020).

Email phishing is where an attacker sends fraudulent messages containing links to malicious websites. The links lead to sites that closely imitate legitimate ones but typically use misspelled (look-alike) domain names or extra subdomains that make the real domain hard to spot. Phishing emails often carry infected attachments, come from misspelled sender addresses and create a sense of urgency (Jakobsson, 2005). Users are advised not to open or download unfamiliar attachments, to hover over links to reveal their true destination before clicking, and not to click links in emails from unfamiliar senders.

Malicious links are very common and effective in tricking users (Mansfield-Devine, 2018). Cisco reported that in 2021, 86% of organizations had at least one employee click a phishing link (CISCO, 2021). Cybersecurity experts are working on ways of identifying such links to reduce phishing and the ransomware attacks that often follow. Progress is relatively slow, however, because attackers keep finding new ways of manipulating users, and defending against sophisticated campaigns from multiple threat actors is difficult.

Phishing remains a persistent problem because businesses face more security threats every day and must keep strengthening their defenses. No single strategy or product prevents all phishing attacks, which leaves users exposed to criminals who manipulate them into revealing sensitive information. Organizations should train employees to recognize phishing in order to reduce the number of successful attacks, and should deploy effective anti-phishing, anti-malware and anti-spam filtering so that fewer malicious messages reach employees in the first place. Users should be cautious on public Wi-Fi hotspots and should never proceed past an invalid or self-signed certificate warning there, because a rogue access point (an "evil twin") can intercept traffic and harvest confidential information (Bauer et al., 2008).

Smishing is phishing conducted over mobile text messages (SMS). Cybercriminals use malware or fraudulent websites to deceive victims into revealing sensitive information. They send text messages to many users in the hope that some will tap the links in the messages; the personal data obtained is then used for fraud and other crimes. A typical smishing text appears to come from the victim's bank and asks for financial or personal details such as an ATM or account number and PIN. Users should check the sender's number carefully, use multi-factor authentication, avoid responding to unknown senders and call their bank directly when in doubt.

In the Ishikawa diagram below, the effect being analyzed, the failure incident (a successful phishing attack), is placed at the far right of the diagram. The identified causes of failure are:

1. Ineffective firewalls
2. Ineffective spyware detectors
3. Poor security protocols
4. Insider threats
5. Ineffective anti-phishing software
6. Ineffective pop-up blockers
7. Lack of user awareness
8. Phishing-based Trojans
9. Ineffective anti-malware software
10. Insecure desktop tools
11. Unverified source addresses
12. Ineffective spam filters

Figure 1: Ishikawa diagram

The flow chart below shows a process that users can follow to identify phishing messages. It starts with a new message arriving in the user's inbox and proceeds through a series of decision steps that guide the user to a verdict when it is unclear whether a message is safe.


Flow chart steps (reconstructed from the diagram text):

Start: a new message arrives in the inbox.
1. Conveys an urgent message? Yes: phishing point. No: go to step 2.
2. Contains a link? Yes: hover over the link to see its true destination, then go to step 3. No: go to step 4.
3. Does the link go to a legitimate site? No: phishing point. Yes: go to step 4.
4. Asks for personal data? Yes: phishing point. No: the message is probably safe.

Figure 2: Flow chart diagram
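As an added worked example (not code from the report or from any of the cited works), the following Python script walks the decision steps of Figure 2 and implements the "hover over the link to see its true destination" check described in the email phishing section: it pulls every link out of a message, compares the visible link text with the real destination, flags misspelled look-alike domains and trusted names buried inside a longer hostname (the "extra domains" trick), and looks for urgent wording and requests for personal data. The trusted-domain allowlist, the keyword lists and the two sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: the organization keeps an allowlist of registered domains its
# users legitimately log in to; these two are placeholders for the example.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "act now", "verify now")
PERSONAL_DATA_PHRASES = ("password", "pin", "account number", "credit card",
                         "social security", "login credentials")
LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def extract_links(html):
    """(href, visible text) pairs; the href is what hovering over a link reveals.
    A regex is enough for the sample HTML; use html.parser on real mail."""
    return [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in LINK_RE.findall(html)]

def registered_domain(host):
    """Naive eTLD+1 (last two labels); real code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to flag typosquats such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_goes_to_legit_site(href, text=""):
    """The 'hover over the link' step of the chart. Returns (is_legit, reasons)."""
    url = urlparse(href.strip())
    host = url.hostname or ""
    if url.scheme not in ("http", "https") or not host:
        return False, [f"unusual scheme or missing host in {href!r}"]
    reasons = []
    if url.username is not None:  # http://example-bank.com@evil.net/ really goes to evil.net
        reasons.append(f"userinfo before '@'; the real host is {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        lookalike = []
        for trusted in TRUSTED_DOMAINS:
            if host.startswith(trusted + ".") or f".{trusted}." in host:  # extra domains
                lookalike.append(f"trusted name {trusted} used as a subdomain of {reg}")
            elif edit_distance(reg, trusted) <= 2:  # misspelled domain
                lookalike.append(f"{reg} looks like {trusted} (possible typosquat)")
        reasons.extend(lookalike or [f"{reg} is not a trusted domain"])
    # Visible text that itself looks like a URL must agree with the real destination.
    m = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", text.strip(), re.I)
    if m and registered_domain(m.group(1)) != reg:
        reasons.append(f"link text shows {m.group(1)} but the link goes to {host}")
    return not reasons, reasons

def _mentions(text, phrases):
    return [p for p in phrases if re.search(rf"\b{re.escape(p)}\b", text)]

def triage(subject, body_html):
    """Walk the chart for one message and return (verdict, findings). The chart stops
    at the first phishing point; this version records every indicator before the verdict."""
    findings = []
    text = f"{subject} {re.sub(r'<[^>]+>', ' ', body_html)}".lower()
    if _mentions(text, URGENCY_PHRASES):                   # conveys an urgent message?
        findings.append("conveys an urgent message")
    for href, shown in extract_links(body_html):           # contains a link?
        legit, why = link_goes_to_legit_site(href, shown)  # does it go to a legit site?
        if not legit:
            findings.append(f"suspicious link {href}: " + "; ".join(why))
    if _mentions(text, PERSONAL_DATA_PHRASES):             # asks for personal data?
        findings.append("asks for personal data")
    return ("phishing point" if findings else "probably safe"), findings

# Constructed sample messages for this example (not real mail).
PHISHING_SAMPLE = (
    "URGENT: your account will be suspended",
    '<p>Verify your account within 24 hours. Confirm your password and PIN at '
    '<a href="http://www.example-bank.com.account-verify.net/login">'
    "https://www.example-bank.com/login</a>.</p>",
)
BENIGN_SAMPLE = (
    "October newsletter",
    '<p>Our quarterly report is out: <a href="https://www.example.com/news/q3">read it here</a>.</p>',
)

if __name__ == "__main__":
    for subject, body in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        verdict, findings = triage(subject, body)
        print(f"{subject!r} -> {verdict}")
        for finding in findings:
            print("  -", finding)
```

Running the script prints "phishing point" for the first sample with three findings (urgent wording, a link whose visible text names example-bank.com while the real host is account-verify.net, and a request for a password and PIN) and "probably safe" for the newsletter. The registered-domain helper only takes the last two labels, so hosts under country-code second-level domains such as .co.uk would need the Public Suffix List, and the keyword lists are a starting point for tuning, not a complete detector.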

After identifying the causes of phishing attacks, the group developed the failure analysis table shown below.

Event | Failure cause                      | Assessment | Assignment
------+------------------------------------+------------+-----------------------------------------------------------------------
1     | Ineffective firewalls              | Unknown    | Automatically track network traffic
2     | Ineffective spyware detectors      | Unknown    | Use anti-spyware that provides full protection across networks and devices
3     | Poor security protocols            | Unknown    | Develop effective security protocols
4     | Insider threats                    | Unknown    | Perform regular security awareness training
5     | Ineffective anti-phishing software | Unknown    | Regularly update anti-phishing software
6     | Ineffective pop-up blockers        | Unknown    | Use updated pop-up blockers
7     | Lack of user awareness             | Unknown    | Educate internet users on phishing
8     | Phishing-based Trojans             | Unknown    | Use effective anti-spyware software
9     | Ineffective anti-malware software  | Unknown    | Use effective and updated anti-malware software
10    | Insecure desktop tools             | Unknown    | Use secure desktop tools
11    | Unverified source addresses        | Unknown    | Only visit websites with verified source addresses
12    | Ineffective spam filters           | Unknown    | Deploy effective spam filters


Table 1: Failure Analysis Table

Phishing has long been a persistent problem in cybersecurity and is among the most common methods of stealing sensitive information from internet users. Cybersecurity experts have deployed several countermeasures against phishing, but cybercriminals keep finding ways around them by exploiting weaknesses in those defenses (Garera et al., 2007). The literature reviewed in this report agrees on the state and nature of phishing. This study has discussed the types of phishing attacks and how they affect organizations, and it provides information on how organizations can identify and mitigate them.


References

Bauer, K., Gonzales, H., & McCoy, D. (2008, December). Mitigating evil twin attacks in 802.11. In 2008 IEEE International Performance, Computing and Communications Conference (pp. 513-516). IEEE.

Chiew, K. L., Yong, K. S. C., & Tan, C. L. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems with Applications, 106, 1-20.

CISCO. (2021). Cyber security threat trends: Phishing, crypto top the list. https://cloudmanaged.ca/wp-content/uploads/2021/09/2021-cyber-security-threat-trends-phishing-crypto-top-the-list.pdf

Fowler, B. (2022). Data breaches break record in 2021. CNET. https://www.cnet.com/news/privacy/record-number-of-data-breaches-reported-in-2021-new-report-says/#:~:text=The%20number%20of%20reported%20data%20breaches%20jumped%2068%20percent%20last,of%201%2C506%20set%20in%202017.

Garera, S., Provos, N., Chew, M., & Rubin, A. D. (2007, November). A framework for detection and measurement of phishing attacks. In Proceedings of the 2007 ACM Workshop on Recurring Malcode (pp. 1-8). ACM.

Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81.

Jakobsson, M. (2005, February). Modeling and preventing phishing attacks. In Financial Cryptography (Vol. 5).

Security: Terms, laws, threats and protection. In 2021 International Conference on Computing Sciences (ICCS) (pp. 148-151). IEEE.

Mansfield-Devine, S. (2018). The ever-changing face of phishing. Computer Fraud & Security, 2018(11), 17-19.

Ollmann, G. (2004). The phishing guide: Understanding & preventing phishing attacks. NGS Software Insight Security Research.

Sadiq, A., Anwar, M., Butt, R. A., Masud, F., Shahzad, M. K., Naseem, S., & Younas, M. (2021). A review of phishing attacks and countermeasures for internet of things-based smart business applications in industry 4.0. Human Behavior and Emerging Technologies, 3(5), 854-864.

Shestak, V., & Pavlyukova, E. (2020, May). Phishing attacks: Legal regulation in the USA. In Technology of the XXI Century in Jurisprudence: Materials of the Second International Scientific-Practical Conference (22 May 2020). Yekaterinburg: Ural State Law University.
