Phishing
From Wikipedia, the free encyclopedia
An example of a phishing email, disguised as an official email from a (fictional) bank. The sender is attempting
to trick the recipient into revealing confidential information by "confirming" it at the phisher's website. Note the
misspelling of the words received and discrepancy as recieved and discrepency, respectively.
Types
Email phishing
Most phishing messages are delivered by email, and are not personalized or targeted to a specific
individual or company; this is termed "bulk" phishing.[9] The content of a bulk phishing message
varies widely depending on the goal of the attacker; common targets for impersonation include
banks and financial services, email and cloud productivity providers, and streaming services.[10]
Attackers may use the credentials obtained to steal money from a victim directly, although
compromised accounts are often used instead as a jumping-off point for other attacks, such
as the theft of proprietary information, the installation of malware, or the spear phishing of other
people within the target's organization.[4] Compromised streaming service accounts are usually sold
directly to consumers on darknet markets.[11]
Spear phishing
Spear phishing involves an attacker directly targeting a specific organization or person with tailored
phishing emails.[12] This is essentially the creation and sending of emails to a particular person to
make that person think the email is legitimate. In contrast to bulk phishing, spear phishing attackers
often gather and use personal information about their target to increase the probability that the
attack succeeds.[13][14][15][16] Spear phishing typically targets executives or those who work in financial
departments with access to the organization's sensitive financial data and services. A 2019
study showed that accountancy and audit firms are frequent targets for spear phishing owing to their
employees' access to information that could be valuable to criminals.[17]
Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked
to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts
and used the look-alike domain accounts-google.com to impersonate Google in messages to the
targeted users.[18][19]
A recent study tested the susceptibility of certain age groups to spear phishing. In total, 100
young and 58 older users received, without their knowledge, daily simulated phishing emails over 21
days. A browser plugin recorded their clicking on links in the emails as an indicator of their
susceptibility. Forty-three percent of users fell for the simulated phishing emails, with older women
showing the highest susceptibility. While susceptibility in young users declined across the study,
susceptibility in older users remained stable.[20]
Whaling and CEO fraud
Whaling refers to spear phishing attacks directed specifically at senior executives and other high-
profile targets.[21] The content is likely to be crafted to be of interest to the person or role targeted,
such as a subpoena or customer complaint.[22]
CEO fraud is effectively the opposite of whaling: it involves crafting spoofed emails
purportedly from senior executives with the intention of getting other employees at an organization to
perform a specific action, usually wiring money to an offshore account.[23] While CEO fraud has
a reasonably low success rate, criminals can gain very large sums of money from the few attempts
that do succeed. There have been multiple instances of organizations losing tens of millions of
dollars to such attacks.[24]
Clone phishing
Clone phishing is a type of phishing attack in which a legitimate, previously delivered email
containing an attachment or link has its content and recipient address(es) copied to
create an almost identical, or cloned, email. The attachment or link within the email is replaced with a
malicious version and the message is then sent from an email address spoofed to appear to come from the original
sender. It may claim to be a resend of the original or an updated version of it. Typically this
requires either the sender or a recipient to have been compromised beforehand so that the malicious third party can
obtain the legitimate email.[25][26]
Voice phishing
Main article: Voice phishing
Voice phishing, or vishing,[27] is the use of telephony (often Voice over IP telephony) to conduct
phishing attacks. Attackers will dial a large quantity of telephone numbers and play automated
recordings - often made using text to speech synthesizers - that make false claims of fraudulent
activity on the victim's bank accounts or credit cards. The calling phone number will be spoofed to
show the real number of the bank or institution impersonated. The victim is then directed to call a
number controlled by the attackers, which will either automatically prompt them to enter sensitive
information in order to "resolve" the supposed fraud, or connect them to a live person who will
attempt to use social engineering to obtain information.[27] Voice phishing capitalizes on the lower
awareness among the general public of techniques such as caller ID spoofing and automated
dialing, compared to the equivalents for email phishing, and thereby the inherent trust that many
people have in voice telephony.[28]
SMS phishing
SMS phishing[29] or smishing[30] is conceptually similar to email phishing, except attackers use cell
phone text messages to deliver the "bait".[31] Smishing attacks typically invite the user to click a link,
call a phone number, or contact an email address provided by the attacker via SMS message. The
victim is then invited to provide their private data; often, credentials to other websites or services.
Furthermore, due to the nature of mobile browsers, URLs may not be fully displayed; this may make
it more difficult to identify an illegitimate logon page.[32] As the mobile phone market is now saturated
with smartphones which all have fast internet connectivity, a malicious link sent via SMS can yield
the same result as it would if sent via email. Smishing messages may come from telephone numbers
that are in a strange or unexpected format.[33]
Page hijacking
Page hijacking involves compromising legitimate web pages in order to redirect users to a malicious
website or an exploit kit, for example via cross-site scripting. An attacker may compromise a website and insert
an exploit kit such as MPack in order to compromise legitimate users who visit the now
compromised web server. One of the simplest forms of page hijacking involves altering a webpage
to contain a malicious inline frame (iframe) from which an exploit kit loads. Page hijacking is frequently
used in tandem with a watering hole attack on corporate entities in order to compromise targets.
Techniques
Link manipulation
Most types of phishing use some form of technical deception designed to make a link in an email
appear to belong to the organization the attackers are impersonating.[34] Misspelled URLs or the use
of subdomains are common tricks used by phishers. In the following example
URL, http://www.yourbank.example.com/, it can appear to the untrained eye as though the
URL will take the user to the example section of the yourbank website; actually this URL points to
the "yourbank" (i.e. phishing) section of the example website, because the registrable domain is
example.com and every label to its left is a subdomain chosen by whoever controls example.com.
Another common trick is to make the displayed text for a link suggest a reliable destination, when
the link actually goes to the phishers' site. Many desktop email clients and web browsers will show a
link's target URL in the status bar while hovering the mouse over it. This behavior, however, may in
some circumstances be overridden by the phisher.[35] Equivalent mobile apps generally do not have
this preview feature.
Internationalized domain names (IDNs) can be exploited via IDN spoofing[36] or homograph attacks[37]
to create web addresses visually identical to a legitimate site that lead instead to a malicious
version. Phishers have taken advantage of a similar risk, using open URL redirectors on the
websites of trusted organizations to disguise malicious URLs with a trusted domain.[38][39][40] Even
digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a
valid certificate for a look-alike domain and subsequently change content to spoof a genuine website,
or to host the phishing site without TLS at all.[41]
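The checks this section describes, as an added example in Python that is not part of the original article: it flags a brand name buried under someone else's registrable domain, display text that disagrees with the href, punycode and mixed-script (homograph) labels, and query parameters that forward to another domain, the open-redirector case. The trusted-domain table, the sample HTML and every URL in it are constructed for illustration, and org_domain() is a deliberate simplification (last two labels) that does not know multi-label public suffixes such as co.uk.

```python
"""Link-manipulation heuristics: brand-in-subdomain, text/href mismatch,
IDN homograph labels and open redirectors. Added example, not code from
the original article; TRUSTED, SAMPLE_HTML and all URLs are constructed.
org_domain() is simplified to the last two labels (no public-suffix list).
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse
import unicodedata

# Hypothetical allowlist: brand string -> domain the real site lives on.
TRUSTED = {"yourbank": "yourbank.com"}


def org_domain(hostname: str) -> str:
    """Registrable ('organizational') domain, simplified to the last two labels."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one hostname label."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue                      # ASCII digits and '-' carry no script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def _url_host(value: str):
    """Hostname if value is an absolute http(s) URL, else None."""
    p = urlparse(value.strip())
    return p.hostname if p.scheme in ("http", "https") and p.hostname else None


def analyze_link(href: str, text: str = "", trusted=TRUSTED) -> list:
    """Return (code, detail) findings for one hyperlink; [] means nothing odd."""
    findings = []
    host = _url_host(href)
    if host is None:
        return [("no-http-host", href)]
    host_org = org_domain(host)

    # 1. IDN homographs: punycode (xn--) labels and labels mixing scripts.
    try:
        ascii_host = host.encode("idna").decode("ascii")
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        ascii_host, unicode_host = host, host
    for a_label, u_label in zip(ascii_host.split("."), unicode_host.split(".")):
        if a_label.startswith("xn--"):
            findings.append(("idn", f"{a_label} renders as {u_label}"))
        if len(scripts_in(u_label)) > 1:
            findings.append(("mixed-script", u_label))

    # 2. Brand name present, but the registrable domain belongs to someone else.
    for brand, real_domain in trusted.items():
        if brand in host.lower() and host_org != real_domain:
            findings.append(("brand-in-subdomain",
                             f"{host} is under {host_org}, not {real_domain}"))

    # 3. Display text that is itself a URL but points elsewhere.
    text_host = _url_host(text)
    if text_host and org_domain(text_host) != host_org:
        findings.append(("text-href-mismatch", f"shows {text_host}, goes to {host}"))

    # 4. Query parameters carrying an absolute URL to another domain.
    for name, values in parse_qs(urlparse(href).query).items():
        for value in values:
            target = _url_host(value)
            if target and org_domain(target) != host_org:
                findings.append(("open-redirect", f"{name}= forwards to {target}"))
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html(html: str) -> list:
    """[(href, text, findings)] for each anchor in a (constructed) email body."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text, analyze_link(href, text)) for href, text in parser.links]


# Constructed phishing body: a subdomain trick with misleading link text,
# then an open redirector on the genuine domain.
SAMPLE_HTML = """
<p>Dear customer, please visit
<a href="http://www.yourbank.example.com/">https://www.yourbank.com/login</a>
to confirm your details, or use
<a href="https://www.yourbank.com/redirect?next=http://login.yourbank-secure.net/">our secure portal</a>.</p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_html(SAMPLE_HTML):
        print(href, "|", text or "(no text)")
        for code, detail in findings:
            print("   ", code, "-", detail)
    print(analyze_link("http://раураl.com/"))   # Cyrillic letters mixed with Latin l
```

The organizational-domain comparison is what makes the subdomain trick visible: www.yourbank.example.com and www.yourbank.com share a brand string but not a registrable domain. In production the last-two-labels rule should be replaced by a public-suffix lookup, and the mixed-script test is only a first filter, since whole-script confusables (a label made entirely of Cyrillic look-alikes) need a confusables table as well.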
Filter evasion
Phishers have sometimes used images instead of text to make it harder for anti-phishing filters to
detect the text commonly used in phishing emails.[42] In response, more sophisticated anti-phishing
filters are able to recover hidden text in images using optical character recognition (OCR).[43]
Social engineering
Most types of phishing involve some kind of social engineering, in which users are psychologically
manipulated into performing an action such as clicking a link, opening an attachment, or divulging
confidential information. In addition to the obvious impersonation of a trusted entity, most phishing
involves the creation of a sense of urgency: attackers claim that accounts will be shut down or
seized unless the victim takes an action.[44] This occurs most often with victims' bank or insurance
accounts.[45]
An alternative technique to impersonation-based phishing is the use of fake news articles designed
to provoke outrage, causing the victim to click a link without properly considering where it could lead.
These links are designed to take the victim to a professional-looking website that looks exactly like the
legitimate organization's website.[46] Once on the attacker's website, victims can be presented with
imitation "virus" notifications or redirected to pages that attempt to exploit web browser vulnerabilities
to install malware.[47]
History
1980s
A phishing technique was described in detail in a paper and presentation delivered to the 1987
International HP Users Group, Interex.[48]
1990s
The term "phishing" is said to have been coined in the mid-90s by the well-known spammer and
hacker Khan C. Smith.[49] The first recorded mention of the term is found in the hacking
tool AOHell (according to its creator), which included a function for attempting to steal the passwords
or financial details of America Online users.[50][51]
Early AOL phishing
Phishing on AOL was closely associated with the warez community that exchanged unlicensed
software and the black hat hacking scene that perpetrated credit card fraud and other online crimes.
AOL enforcement would detect words used in AOL chat rooms to suspend the accounts of
individuals involved in counterfeiting software and trading stolen accounts. The term was used
because "<><" is the single most common HTML tag found naturally in all chat transcripts,
and as such could not be detected or filtered by AOL staff. The symbol <>< was substituted
for any wording that referred to stolen credit cards, accounts, or illegal activity. Since the symbol
looked like a fish, and because of the popularity of phreaking, it was adapted as "phishing". AOHell,
released in early 1995, was a program designed to hack AOL users by allowing the attacker to pose
as an AOL staff member and send an instant message to a potential victim, asking him to reveal his
password.[52] In order to lure the victim into giving up sensitive information, the message might
include imperatives such as "verify your account" or "confirm billing information".
Once the victim had revealed the password, the attacker could access and use the victim's account
for fraudulent purposes. Both phishing and warezing on AOL generally required custom-written
programs, such as AOHell. Phishing became so prevalent on AOL that the company added a line to all
instant messages stating: "no one working at AOL will ask for your password or billing information".
A user using both an AIM account and an AOL account from an ISP simultaneously could phish AOL
members with relative impunity, as internet AIM accounts could be used by non-AOL internet
members and could not be actioned (i.e., reported to the AOL TOS department for disciplinary action).[53]
In late 1995, AOL crackers resorted to phishing for legitimate accounts after AOL brought in
measures to prevent the use of fake, algorithmically generated credit card numbers to open
accounts.[54] Eventually, AOL's policy enforcement forced copyright infringement off AOL servers, and
AOL promptly deactivated accounts involved in phishing, often before the victims could respond. The
shutting down of the warez scene on AOL caused most phishers to leave the service.[55]
2000s
2001
o The first known direct attempt against a payment system affected E-gold in June
2001, which was followed up by a "post-9/11 id check" shortly after the September 11
attacks on the World Trade Center.[56]
2003
o The first known phishing attack against a retail bank was reported by The Banker in
September 2003.[57]
2004
o It is estimated that between May 2004 and May 2005, approximately 1.2 million
computer users in the United States suffered losses caused by phishing, totaling
approximately US$929 million. United States businesses lose an estimated US$2 billion per
year as their clients become victims.[58]
o Phishing is recognized as a fully organized part of the black market. Specializations
emerged on a global scale that provided phishing software for payment (thereby outsourcing
risk), which were assembled and implemented into phishing campaigns by organized gangs.
[59][60]
2005
o In the United Kingdom losses from web banking fraud—mostly from phishing—
almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004,[61] while 1 in 20 computer
users claimed to have lost out to phishing in 2005. [62]
2006
o Almost half of phishing thefts in 2006 were committed by groups operating through
the Russian Business Network based in St. Petersburg.[63]
o Banks disputed phishing losses with customers. The stance adopted by the UK
banking body APACS was that "customers must also take sensible precautions ... so that they
are not vulnerable to the criminal."[64] Similarly, when the first spate of phishing attacks hit the
Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to
cover losses suffered by its customers,[65] although losses to the tune of €113,000 were
made good.[66]
o Phishers are targeting the customers of banks and online payment services. Emails,
supposedly from the Internal Revenue Service, have been used to glean sensitive data from
U.S. taxpayers.[67] While the first such examples were sent indiscriminately in the expectation
that some would be received by customers of a given bank or service, recent research has
shown that phishers may in principle be able to determine which banks potential victims use,
and target bogus emails accordingly.[68]
o Social networking sites are a prime target of phishing, since the personal details in
such sites can be used in identity theft;[69] in late 2006 a computer worm took over pages
on MySpace and altered links to direct surfers to websites designed to steal login details. [70]
2007
o 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.
Microsoft claims these estimates are grossly exaggerated and puts the annual phishing
[71]
Year    Campaigns
2005      173,063
2006      268,126
2007      327,814
2008      335,965
2009      412,392
2010      313,517
2011      284,445
2012      320,081
2013      491,399
2014      704,178
2015    1,413,978
2011
o In March 2011, internal RSA staff were successfully phished,[77] leading to the master
keys for RSA SecurID security tokens being stolen and subsequently used to break
into US defense suppliers.[78]
o Chinese phishing campaigns targeted Gmail accounts of highly ranked officials of the
United States and South Korean governments and militaries, as well as Chinese political
activists.[79][80]
2012
o According to Ghosh, there were "445,004 attacks in 2012 as compared to 258,461 in
2011 and 187,203 in 2010".
2013
o In August 2013, advertising service Outbrain suffered a spear-phishing attack and the
Syrian Electronic Army (SEA) placed redirects into the websites of The Washington Post, Time, and CNN.[81]
o In October 2013, emails purporting to be from American Express were sent to an
unknown number of recipients.[82]
o In November 2013, 110 million customer and credit card records were stolen
from Target customers through a phished subcontractor account.[83] The CEO and IT security
staff were subsequently fired.[84]
o By December 2013, Cryptolocker ransomware had infected 250,000 computers.
According to Dell SecureWorks, 0.4% or more of those infected likely agreed to the ransom
demand.[85]
2014
o In January 2014, the Seculert Research Lab identified a new targeted attack that
used Xtreme RAT. This attack used spear phishing emails to target Israeli organizations and
deploy the piece of advanced malware. Fifteen machines were compromised including ones
belonging to the Civil Administration of Judea and Samaria.[86][87][88][89][90][91][92]
o In August 2014, the iCloud leaks of celebrity photos were found to be based on
phishing e-mails sent to the victims that looked like they came from Apple or Google,
warning the victims that their accounts might be compromised and asking for their account
details.[93]
o In November 2014, phishing attacks on ICANN gained administrative access to the
Centralized Zone Data System; also gained was data about users in the system - and
access to ICANN's public Governmental Advisory Committee wiki, blog, and whois
information portal.[94]
2015
o Charles H. Eccleston pleaded guilty[95][96] to an attempted spear-phishing attack in which he
tried to infect the computers of 80 Department of Energy employees.
o Eliot Higgins and other journalists associated with Bellingcat, a group researching the
shoot down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear
phishing emails.[97][98]
o In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against
the Pentagon email system causing the shut down of the entire Joint Staff unclassified email
system and Internet access during the investigation. [99][100]
o In August 2015, Fancy Bear used a zero-day exploit of Java, in a spear phishing
attack spoofing the Electronic Frontier Foundation and launching attacks on the White
House and NATO.[101][102]
2016
o In February, Austrian aerospace firm FACC AG was defrauded of 42 million euros
($47 million) through a BEC attack, and subsequently fired both its CFO and CEO.[103]
o Fancy Bear carried out spear phishing attacks on email addresses associated with
the Democratic National Committee in the first quarter of 2016. [104][105]
o The Wichita Eagle reported "KU employees fall victim to phishing scam, lose
paychecks" [106]
o Fancy Bear is suspected to be behind a spear phishing attack in August 2016 on
members of the Bundestag and multiple political parties such as Linken-faction leader Sahra
Wagenknecht, Junge Union and the CDU of Saarland.[107][108][109][110]
o In August 2016, the World Anti-Doping Agency reported the receipt of phishing
emails sent to users of its database claiming to be official WADA communications, but consistent with the
Russian hacking group Fancy Bear.[111][112] According to WADA, some of the data the hackers
released had been forged.[113]
o Within hours of the 2016 U.S. election results, Russian hackers sent emails from
spoofed Harvard University email addresses,[114] using techniques similar to phishing to
publish fake news targeted at ordinary American voters.[115][116]
2017
o In 2017, 76% of organizations experienced phishing attacks. Nearly half of
information security professionals surveyed said that the rate of attacks increased from
2016.
o In the first half of 2017 businesses and residents of Qatar were hit with more than
93,570 phishing events in a three-month span.[117]
o Phishing emails sent to Google and Facebook employees successfully induced them
into wiring money, to the extent of US$100 million, to overseas bank accounts under the
control of a hacker. He was subsequently arrested and prosecuted in the United States.[118]
o In August 2017, customers of Amazon faced the Amazon Prime Day phishing attack,
when hackers sent out seemingly legitimate deals to customers of Amazon. When Amazon's
customers attempted to make purchases using the "deals", the transaction would not be
completed, prompting the retailer's customers to input data that could be compromised and
stolen.[119]
2018
o In 2018, the company block.one, which developed the EOS.IO blockchain, was
attacked by a phishing group who sent phishing emails to all customers, aimed at
intercepting the user's cryptocurrency wallet key; and a later attack targeted airdrop tokens.
[120]
2020s
2020
o On July 15, 2020, Twitter suffered a breach that combined elements of social
engineering and phishing. A 17-year-old hacker and accomplices set up a fake
website resembling Twitter's internal VPN provider used by employees working from home.
Individuals posing as helpdesk staff called multiple Twitter employees, directing them to
submit their credentials to the fake VPN website.[121] Using the details supplied by the
unknowing employees, they were then able to seize control of several high-profile user
accounts, including those of Barack Obama, Elon Musk, Joe Biden and Apple Inc.'s company
account. The hackers sent messages to Twitter followers soliciting Bitcoin, promising double
the transaction value in return, and collected some $117,000 in the first 3 hours of the ruse.[122]
Total number of unique phishing reports (campaigns) received, according to APWG[76]

Year  Jan      Feb      Mar      Apr      May      Jun      Jul      Aug      Sep      Oct      Nov      Dec      Total
2005  12,845   13,468   12,883   14,411   14,987   15,050   14,135   13,776   13,562   15,820   16,882   15,244   173,063
2006  17,877   17,163   18,480   17,490   20,109   28,571   23,670   26,150   22,136   26,877   25,816   23,787   268,126
2007  29,930   23,610   24,853   23,656   23,415   28,888   23,917   25,624   38,514   31,650   28,074   25,683   327,814
2008  29,284   30,716   25,630   24,924   23,762   28,151   24,007   33,928   33,261   34,758   24,357   23,187   335,965
2009  34,588   31,298   30,125   35,287   37,165   35,918   34,683   40,621   40,066   33,254   30,490   28,897   412,392
2010  29,499   26,909   30,577   24,664   26,781   33,617   26,353   25,273   22,188   23,619   23,017   21,020   313,517
2011  23,535   25,018   26,402   20,908   22,195   22,273   24,129   23,327   18,388   19,606   25,685   32,979   284,445
2012  25,444   30,237   29,762   25,850   33,464   24,811   30,955   21,751   21,684   23,365   24,563   28,195   320,081
2013  28,850   25,385   19,892   20,086   18,297   38,100   61,453   61,792   56,767   55,241   53,047   52,489   491,399
2014  53,984   56,883   60,925   57,733   60,809   53,259   55,282   54,390   53,661   68,270   66,217   62,765   704,178
2015  49,608   55,795   115,808  142,099  149,616  125,757  142,155  146,439  106,421  194,499  105,233  80,548   1,413,978
2016  99,384   229,315  229,265  121,028  96,490   98,006   93,160   66,166   69,925   51,153   64,324   95,555   1,313,771
2017  96,148   100,932  121,860  87,453   93,285   92,657   99,024   99,172   98,012   61,322   86,547   85,744   1,122,156
2018  89,250   89,010   84,444   91,054   82,547   90,882   93,078   89,323   88,156   87,619   64,905   87,386   1,040,654
2019  34,630   35,364   42,399   37,054   40,177   34,932   35,530   40,457   42,273   45,057   42,424   45,072   475,369
Anti-phishing
There are anti-phishing websites which publish the exact messages that have recently been circulating
on the internet, such as FraudWatch International and Millersmiles. Such sites often provide specific
details about the particular messages.[123][124]
As recently as 2007, the adoption of anti-phishing strategies by businesses needing to protect
personal and financial information was low.[125] Now there are several different techniques to combat
phishing, including legislation and technology created specifically to protect against phishing. These
techniques include steps that can be taken by individuals, as well as by organizations. Phone, web
site, and email phishing can now be reported to authorities, as described below.
User training
Frame of an animation by the U.S. Federal Trade Commission intended to educate citizens about phishing
tactics.
People can be trained to recognize phishing attempts, and to deal with them through a variety of
approaches. Such education can be effective, especially where training emphasizes conceptual
knowledge[126] and provides direct feedback.[127][128] Therefore, an essential part of any organization's or
institution's anti-phishing strategy is to actively educate its users so that they can identify phishing
scams without hesitation and act accordingly.[129] Although there is currently a lack of data and
recorded history showing that educational guidance and other information-based interventions
successfully reduce susceptibility to phishing, large amounts of information regarding the phishing
threat are available on the Internet.[45]
Many organizations run regular simulated phishing campaigns targeting their staff to measure the
effectiveness of their training. This is common in the healthcare industry, because
healthcare data has significant value as a target for hackers. In a recent study available
through the National Library of Medicine, an assessment was performed as part of cybersecurity
activity during a designated test period using multiple credential-harvesting approaches through staff
email. During the 1-month testing period, the organization received 858,200 emails: 139,400 (16%)
were marketing and 18,871 (2%) were identified as potential threats. This is just one example of the many steps
being taken to combat phishing within healthcare.[130]
People can take steps to avoid phishing attempts by slightly modifying their browsing habits.[131]
When contacted about an account needing to be "verified" (or any other topic used by phishers),
it is a sensible precaution to contact the company from which the email apparently originates to
check that the email is legitimate. Alternatively, the address that the individual knows is the
company's genuine website can be typed into the address bar of the browser, rather than trusting
any hyperlinks in the suspected phishing message.[132]
Nearly all legitimate e-mail messages from companies to their customers contain an item of
information that is not readily available to phishers. Some companies, for example PayPal, always
address their customers by their username in emails, so if an email addresses the recipient in a
generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing.[133] Furthermore,
PayPal offers various methods to identify spoof emails and advises users to forward suspicious
emails to its spoof-reporting address so that it can investigate and warn other customers. However, it is
unsafe to assume that the presence of personal information alone guarantees that a message is
legitimate,[134] and some studies have shown that the presence of personal information does not
significantly affect the success rate of phishing attacks,[135] which suggests that most people do not
pay attention to such details.
Emails from banks and credit card companies often include partial account numbers. However,
recent research[136] has shown that the public do not typically distinguish between the first few digits
and the last few digits of an account number—a significant problem since the first few digits are
often the same for all clients of a financial institution.
The Anti-Phishing Working Group, which is one of the largest anti-phishing organizations in the world,
produces regular reports on trends in phishing attacks.[137]
Google posted a video demonstrating how to identify and protect yourself from phishing scams.[138]
Technical approaches
A wide range of technical approaches are available to prevent phishing attacks reaching users or to
prevent them from successfully capturing sensitive information.
Filtering out phishing mail
Specialized spam filters can reduce the number of phishing emails that reach their addressees'
inboxes. These filters use a number of techniques including machine learning[139] and natural
language processing approaches to classify phishing emails,[140][141] and reject email with forged
addresses.[142]
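One concrete form of the "reject email with forged addresses" step, as an added example in Python that is not the article's own and not a full DMARC implementation: it reads the Authentication-Results header that our own receiving MTA is assumed to stamp (hypothetical authserv-id mx.example.org), ignores copies of that header stamped by anyone else, and accepts a message only when SPF or DKIM passed for a domain aligned with the visible From: header in the DMARC "relaxed" sense, meaning the same organizational domain, simplified here to the last two labels. The three messages are constructed.

```python
"""Does SPF or DKIM back the From: domain the recipient actually sees?
Added example, not code from the original article and not a complete
DMARC evaluator. Assumptions: our MTA writes Authentication-Results with
authserv-id mx.example.org (hypothetical); 'aligned' means equal
organizational domains, and org_domain() approximates that with the last
two labels (no public-suffix list). The sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.org"   # hypothetical id stamped by our own MTA


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg) -> str:
    """Domain of the RFC 5322 From: header, the address the user is shown."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg, authserv_id=AUTHSERV_ID) -> list:
    """(method, result, properties) triples from Authentication-Results
    headers written by our MTA. Headers carrying any other authserv-id are
    ignored: a sender can add those itself, so they prove nothing."""
    triples = []
    for raw in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(raw.split()).split(";") if p.strip()]
        if not parts or parts[0].split()[0].lower() != authserv_id:
            continue
        for clause in parts[1:]:                 # e.g. "spf=pass smtp.mailfrom=..."
            tokens = clause.split()
            method, _, result = tokens[0].partition("=")
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            triples.append((method.lower(), result.lower(), props))
    return triples


def sender_aligned(msg):
    """('pass'|'fail', reason). Pass iff SPF or DKIM passed for a domain
    whose organizational domain equals that of the From: header."""
    visible = from_domain(msg)
    if not visible:
        return "fail", "no From: domain"
    for method, result, props in auth_results(msg):
        if result != "pass":
            continue
        if method == "spf":
            authed = props.get("smtp.mailfrom", "")   # envelope sender domain/address
        elif method == "dkim":
            authed = props.get("header.d", "")        # signing domain
        else:
            continue
        authed = authed.rsplit("@", 1)[-1]            # strip a local part if present
        if authed and org_domain(authed) == org_domain(visible):
            return "pass", f"{method} authenticated {authed}, aligned with From: {visible}"
    return "fail", f"nothing authenticated aligns with From: {visible}"


def check(raw_message: str):
    """Verdict for a raw RFC 5322 message string."""
    return sender_aligned(message_from_string(raw_message))


# Constructed: genuine mail, bounce subdomain for SPF, DKIM by the bank itself.
LEGIT = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.yourbank.com;\n"
    " dkim=pass header.d=yourbank.com header.s=mail\n"
    "From: YourBank <alerts@yourbank.com>\n"
    "Subject: Your statement is ready\n\nbody\n"
)
# Constructed: phisher's own domain passes SPF/DKIM, but From: is spoofed.
FORGED = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=yourbank-alerts.net;\n"
    " dkim=pass header.d=yourbank-alerts.net header.s=k1\n"
    "From: YourBank Security <security@yourbank.com>\n"
    "Subject: Urgent: verify your account\n\nbody\n"
)
# Constructed: sender injected a flattering header under a foreign authserv-id;
# our MTA's own header says SPF failed and there was no DKIM signature.
INJECTED = (
    "Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=yourbank.com;\n"
    " dkim=pass header.d=yourbank.com\n"
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=yourbank.com; dkim=none\n"
    "From: YourBank <alerts@yourbank.com>\n"
    "Subject: Account suspended\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED), ("injected", INJECTED)):
        print(name, *check(raw))
```

The INJECTED case is why the authserv-id check matters: RFC 8601 expects a receiving MTA to strip any pre-existing Authentication-Results headers that claim its own identity, and a filter that trusts whatever header is present can be talked into a pass. Alignment, not a bare SPF or DKIM pass, is the property that defends the visible From: address.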
Browsers alerting users to fraudulent websites
Another popular approach to fighting phishing is to maintain a list of known phishing sites and to
check websites against the list. One such service is the Safe Browsing service.[143] Web browsers
such as Google Chrome, Internet Explorer 7, Mozilla Firefox 2.0, Safari 3.2, and Opera all contain
this type of anti-phishing measure.[144][145][146][147][148] Firefox 2 used Google anti-phishing software. Opera
9.1 used live blacklists from PhishTank, cyscon and GeoTrust, as well as live whitelists from
GeoTrust. Some implementations of this approach send the visited URLs to a central service to be
checked, which has raised concerns about privacy.[149] According to a report by Mozilla in late 2006,
Firefox 2 was found to be more effective than Internet Explorer 7 at detecting fraudulent sites in a
study by an independent software testing company. [150]
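As an added example, not from the article and not Google's own code, the Python sketch below follows the Safe Browsing lookup scheme at a high level: the URL is canonicalised, expanded into host-suffix/path-prefix expressions, each expression is hashed with SHA-256, and only 4-byte hash prefixes are compared against a locally stored list, which is how the design limits what a lookup reveals about the user's browsing. The blocklist entries are constructed; a real client would ask the service for full hashes only after a local prefix hit, and here that step is simulated with a second local set.

```python
"""Safe Browsing style local lookup (added example; blocklist entries are constructed)."""
import hashlib
import posixpath
import re
from urllib.parse import unquote, urlsplit


def canonicalize(url: str):
    """Return (host, path, query) in the normalised form that gets hashed."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".").lower()
    host = re.sub(r"\.{2,}", ".", host)
    path = unquote(parts.path) or "/"
    path = re.sub(r"/{2,}", "/", path)
    norm = posixpath.normpath(path)          # resolves /./ and /../
    if path.endswith("/") and norm != "/":
        norm += "/"                           # normpath drops the trailing slash; keep it
    return host, norm, parts.query


def host_suffixes(host: str):
    """Exact host plus up to four suffixes of its last five labels (IP literals are used as-is)."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return [host]
    tail = host.split(".")[-5:]
    cands = [host] + [".".join(tail[i:]) for i in range(len(tail) - 1)]
    return list(dict.fromkeys(cands))         # dedupe, keep order


def path_prefixes(path: str, query: str):
    """Exact path with and without query, the root, and up to four directory prefixes."""
    cands = [path + "?" + query] if query else []
    cands.append(path)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]
    cands += ["/" + "/".join(dirs[:i]) + ("/" if i else "") for i in range(min(4, len(dirs)) + 1)]
    return list(dict.fromkeys(cands))


def expressions(url: str):
    """All host/path combinations a client checks for one URL (capped at 30)."""
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)][:30]


def sha256(text: str) -> bytes:
    return hashlib.sha256(text.encode()).digest()


BAD_EXPRESSIONS = ["phish.example.org/login/", "malware.example.net/"]  # constructed blocklist
FULL_HASHES = {sha256(e) for e in BAD_EXPRESSIONS}        # stands in for the service's answer
LOCAL_PREFIXES = {h[:4] for h in FULL_HASHES}             # what the browser actually stores


def lookup(url: str, prefixes=LOCAL_PREFIXES, full_hashes=FULL_HASHES):
    """Return the matching blocklist expression, or None if the URL is not listed."""
    for expr in expressions(url):
        h = sha256(expr)
        if h[:4] in prefixes:                 # only a prefix hit would trigger a network query
            if h in full_hashes:
                return expr
    return None


if __name__ == "__main__":
    for u in ("http://accounts.phish.example.org/login/index.html?x=1", "https://www.example.com/about"):
        print(u, "->", lookup(u))
```

Because a 4-byte prefix matches many unrelated URLs, a prefix hit alone tells the service little about which page was visited; the privacy concern noted above applies to implementations that send the full visited URL instead.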
An approach introduced in mid-2006 involves switching to a special DNS service that filters out
known phishing domains: this will work with any browser,[151] and is similar in principle to using
a hosts file to block web adverts.
To mitigate the problem of phishing sites impersonating a victim site by embedding its images (such
as logos), several site owners have altered the images to send a message to the visitor that a site
may be fraudulent. The image may be moved to a new filename and the original permanently
replaced, or a server can detect that the image was not requested as part of normal browsing, and
instead send a warning image. [152][153]
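An added example, not from the article, of the second variant described above: a Python function that decides, from the Referer header of a request for the site's logo, whether to serve the real image or the warning image. The host names are assumed.

```python
"""Serve the logo only to pages hosted on the site's own domains (added example; hosts are assumed)."""
from typing import Optional
from urllib.parse import urlsplit

OWN_HOSTS = {"bank.example", "www.bank.example"}   # assumed hosts of the genuine site


def select_logo(referer: Optional[str], own_hosts=OWN_HOSTS) -> str:
    """Return the file to serve for a logo request, given the request's Referer header."""
    if not referer:
        # Direct loads, privacy settings and Referrer-Policy: no-referrer all remove the
        # header; refusing the logo here would break legitimate pages, so serve it.
        return "logo.png"
    host = (urlsplit(referer).hostname or "").lower()
    if host in own_hosts or any(host.endswith("." + h) for h in own_hosts):
        return "logo.png"
    # The page embedding our logo is hosted elsewhere: send the warning image instead.
    return "warning-this-site-may-be-fraudulent.png"


if __name__ == "__main__":
    for ref in ("https://www.bank.example/login", "http://bank.example.login-check.example.org/verify", None):
        print(ref, "->", select_logo(ref))
```

This is a speed bump rather than a control: a phishing page can add referrerpolicy="no-referrer" to its img element, which makes the request look like a direct load, or simply copy the image file, so the check mainly catches kits that hotlink carelessly.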
Augmenting password logins
The Bank of America website[154][155] is one of several that asks users to select a personal image
(marketed as SiteKey) and displays this user-selected image with any forms that request a
password. Users of the bank's online services are instructed to enter a password only when they see
the image they selected. However, several studies suggest that few users refrain from entering their
passwords when images are absent.[156][157] In addition, this feature (like one-time-code two-factor
authentication) is susceptible to real-time man-in-the-middle attacks, in which the phishing site fetches
the genuine image or code from the real site and relays it to the victim, such as those suffered by Scandinavian
bank Nordea in late 2005,[158] and Citibank in 2006.[159]
A similar system, in which an automatically generated "Identity Cue" consisting of a colored word
within a colored box is displayed to each website user, is in use at other financial institutions. [160]
Security skins[161][162] are a related technique that involves overlaying a user-selected image onto the
login form as a visual cue that the form is legitimate. Unlike the website-based image schemes,
however, the image itself is shared only between the user and the browser, and not between the
user and the website. The scheme also relies on a mutual authentication protocol, which makes it
less vulnerable to attacks that affect user-only authentication schemes.
Still another technique relies on a dynamic grid of images that is different for each login attempt. The
user must identify the pictures that fit their pre-chosen categories (such as dogs, cars and flowers).
Only after they have correctly identified the pictures that fit their categories are they allowed to enter
their alphanumeric password to complete the login. Unlike the static images used on the Bank of
America website, a dynamic image-based authentication method creates a one-time passcode for
the login, requires active participation from the user, and is very difficult for a phishing website to
correctly replicate because it would need to display a different grid of randomly generated images
that includes the user's secret categories.[163]
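An added example, not from the article and not any vendor's product, sketching the dynamic-grid step in Python: the server draws a fresh grid for every attempt that contains at least one picture from each of the user's secret categories, assigns a random two-character code to every cell, and accepts only the codes of the matching pictures, concatenated in reading order. The image pool and category names are constructed; a fixed seed is accepted only so the behaviour can be reproduced in tests.

```python
"""One-time passcode from a dynamic image grid (added example; image pool is constructed)."""
import hmac
import random
import secrets
import string

POOL = {  # constructed: image id -> category
    "img01": "dog", "img02": "dog", "img03": "dog",
    "img04": "car", "img05": "car", "img06": "car",
    "img07": "flower", "img08": "flower", "img09": "flower",
    "img10": "boat", "img11": "boat", "img12": "boat",
    "img13": "chair", "img14": "chair", "img15": "chair",
}
GRID_SIZE = 9
CODES = [a + b for a in string.ascii_uppercase for b in string.digits]   # 260 distinct cell codes


def build_grid(secret_categories, seed=None):
    """Return [(image_id, category, code)]; a seed is for tests only, production uses SystemRandom."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    by_cat = {}
    for img, cat in POOL.items():
        by_cat.setdefault(cat, []).append(img)
    chosen = [rng.choice(by_cat[c]) for c in sorted(secret_categories)]   # one per secret category
    rest = [img for img in POOL if img not in chosen]
    chosen += rng.sample(rest, GRID_SIZE - len(chosen))                   # fill with decoys
    rng.shuffle(chosen)
    codes = rng.sample(CODES, GRID_SIZE)                                  # fresh, unique per cell
    return [(img, POOL[img], code) for img, code in zip(chosen, codes)]


def client_view(grid):
    """What the browser receives: image ids and codes, never the categories."""
    return [(img, code) for img, _, code in grid]


def expected_passcode(grid, secret_categories) -> str:
    """Codes under the matching pictures, in reading order; valid for this grid only."""
    return "".join(code for _, cat, code in grid if cat in secret_categories)


def verify(grid, secret_categories, submitted: str) -> bool:
    """Server-side check of the code the user typed (constant-time comparison)."""
    return hmac.compare_digest(expected_passcode(grid, secret_categories), submitted.strip().upper())


if __name__ == "__main__":
    secret = {"dog", "car"}
    grid = build_grid(secret)
    print("shown to client:", client_view(grid))
    print("server expects:", expected_passcode(grid, secret))
```

Because the server stores the grid per session and discards it after one attempt, a passcode captured by a phishing site is useless for any later login; a phishing site that relays the genuine grid to the victim in real time can still forward the answer, so the scheme does not replace origin-bound credentials.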
Monitoring and takedown
Several companies offer banks and other organizations likely to suffer from phishing scams round-the-clock
services to monitor, analyze and assist in shutting down phishing websites.[164] Automated
detection of phishing content is still below the accuracy accepted for direct action, with content-based
analysis succeeding in roughly 80 to 90% of cases,[165] so most tools include manual steps to
confirm a detection and authorize the response.[166] Individuals can contribute by reporting phishing
to both volunteer and industry groups, [167] such as cyscon or PhishTank.[168] Phishing web pages and
emails can be reported to Google.[169][170]
Transaction verification and signing
Solutions have also emerged using the mobile phone[171] (smartphone) as a second channel for
verification and authorization of banking transactions.
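An added example, not from the article, of how such a second channel is typically arranged ("what you see is what you sign"): the bank pushes the transaction it received to the customer's phone, the phone displays it and computes a code over exactly what it displayed with a key provisioned to that device, and the bank accepts the transfer only if the code matches. A browser-side attacker who alters the beneficiary therefore either shows the customer the wrong account on the phone or ends up with a code that does not verify. The device key, account numbers and amounts are constructed.

```python
"""Out-of-band transaction signing (added example; key and transactions are constructed)."""
import hashlib
import hmac
import json
import secrets

DEVICE_KEY = bytes.fromhex("1f9d6b7c5e3a4d2b8c7a6f5e4d3c2b1a0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed


def canonical(tx: dict) -> bytes:
    """Stable encoding so phone and bank hash identical bytes for the same transaction."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def new_transfer(beneficiary: str, amount: str) -> dict:
    """A transfer request; the nonce makes every approval code single-use."""
    return {"beneficiary": beneficiary, "amount": amount, "nonce": secrets.token_hex(8)}


def phone_sign(device_key: bytes, tx_displayed: dict) -> str:
    """Eight-digit approval code the phone shows after the user confirms the displayed details."""
    mac = hmac.new(device_key, canonical(tx_displayed), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def user_checks(intended: dict, displayed: dict) -> bool:
    """The human step: approve only if the phone shows the transfer the user actually meant."""
    return (intended["beneficiary"], intended["amount"]) == (displayed["beneficiary"], displayed["amount"])


def bank_accepts(device_key: bytes, tx_received: dict, code: str) -> bool:
    """The bank recomputes the code over the transaction it is about to execute."""
    return hmac.compare_digest(phone_sign(device_key, tx_received), code)


if __name__ == "__main__":
    intended = new_transfer("NL00BANK0123456789", "150.00")
    tampered = dict(intended, beneficiary="GB00MULE9876543210")   # altered in the browser session
    print("phone shows the intended transfer:", user_checks(intended, tampered))
    code = phone_sign(DEVICE_KEY, intended)
    print("code for the intended transfer accepted for the tampered one:", bank_accepts(DEVICE_KEY, tampered, code))
```

The protection depends on the phone showing the beneficiary and amount, not just "approve?"; a second channel that only delivers a code is still relayable by a real-time phishing site.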
Multi-factor authentication
Organizations can implement two-factor or multi-factor authentication (MFA), which requires a user
to present at least two factors when logging in (for example, a smart card and a password). This
mitigates some risk: after a successful phishing attack, the stolen password on its own cannot be
reused to further breach the protected system. However, several attack methods can defeat many of the
typical schemes; in particular, a real-time man-in-the-middle phishing site can relay a one-time code to
the genuine service while it is still valid.[172] MFA schemes such as WebAuthn address this issue by
design: the browser records the page's origin in the signed data and the authenticator binds the credential
to the relying party's domain, so a look-alike site cannot obtain an assertion that the genuine site will accept.
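An added example, not from the article, of the relying-party checks that give WebAuthn this property, in Python: the browser writes the page origin and the server's challenge into clientDataJSON, the authenticator prefixes its signed data with a hash of the relying-party ID, and the server rejects an assertion whose origin or rpIdHash does not match before it ever looks at the signature. The relying-party ID, allowed origin, challenge and authenticator data are constructed; the final signature check over the returned message with the credential's stored public key needs a crypto library and is not shown.

```python
"""Origin and RP-ID binding checks for a WebAuthn assertion (added example; inputs are constructed)."""
import base64
import hashlib
import hmac
import json

RP_ID = "bank.example"                            # assumed relying-party ID
ALLOWED_ORIGINS = {"https://www.bank.example"}    # assumed
CHALLENGE = bytes(range(32))                      # constructed; real challenges come from os.urandom
# constructed authenticatorData: rpIdHash (32 bytes) | flags (1 byte, UP set) | signCount (4 bytes)
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01]) + (5).to_bytes(4, "big")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser produces for navigator.credentials.get() on a page at `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def signed_message(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                   rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS, last_sign_count: int = 0) -> bytes:
    """Validate the binding fields; return the bytes the credential's public key must have signed."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if cd.get("origin") not in allowed_origins:
        raise ValueError(f"origin {cd.get('origin')!r} not allowed: assertion was made on another site")
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch: credential belongs to a different relying party")
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    if sign_count and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return auth_data + hashlib.sha256(client_data_json).digest()


def assertion_ok(*args, **kwargs) -> str:
    """'ok', or the reason the assertion was rejected."""
    try:
        signed_message(*args, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(assertion_ok(make_client_data("https://www.bank.example", CHALLENGE), AUTH_DATA, CHALLENGE))
    print(assertion_ok(make_client_data("https://bank.example.login-check.example.org", CHALLENGE),
                       AUTH_DATA, CHALLENGE))
```

In practice the phishing case fails one step earlier: the browser on bank.example.login-check.example.org is not allowed to use a credential scoped to bank.example at all, so the attacker never obtains an assertion to relay.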
Email content redaction
Organizations that prioritize security over convenience can require users of their computers to use an
email client that redacts URLs from email messages, making it impossible for the reader of the
email to click on a link or even copy a URL. While this is an inconvenience, it removes the click-through
path that most email phishing depends on; lures that ask the reader to type an address, call a number or
open an attachment are not affected.
Limitations of technical responses
An article in Forbes in August 2014 argues that the reason phishing problems persist even after a
decade of anti-phishing technologies being sold is that phishing is "a technological medium to exploit
human weaknesses" and that technology cannot fully compensate for human weaknesses. [173]
Legal responses
On January 26, 2004, the U.S. Federal Trade Commission filed the first lawsuit against a suspected
phisher. The defendant, a Californian teenager, allegedly created a webpage designed to look like
the America Online website, and used it to steal credit card information. [174] Other countries have
followed this lead by tracing and arresting phishers. A phishing kingpin, Valdir Paulo de Almeida,
was arrested in Brazil for leading one of the largest phishing crime rings, which in two years stole
between US$18 million and US$37 million.[175] UK authorities jailed two men in June 2005 for their
role in a phishing scam,[176] in a case connected to the U.S. Secret Service Operation Firewall, which
targeted notorious "carder" websites.[177] In 2006 eight people were arrested by Japanese police on
suspicion of phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves ¥100
million (US$870,000).[178] The arrests continued in 2006 with the FBI Operation Cardkeeper detaining
a gang of sixteen in the U.S. and Europe.[179]
In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 in Congress on
March 1, 2005. This bill, if it had been enacted into law, would have subjected criminals who created
fake web sites and sent bogus emails in order to defraud consumers to fines of up
to US$250,000 and prison terms of up to five years.[180] The UK strengthened its legal arsenal against
phishing with the Fraud Act 2006,[181] which introduces a general offence of fraud that can carry up to
a ten-year prison sentence, and prohibits the development or possession of phishing kits with intent
to commit fraud.[182]
Companies have also joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed
117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits
accuse "John Doe" defendants of obtaining passwords and confidential information. March 2005
also saw a partnership between Microsoft and the Australian government teaching law enforcement
officials how to combat various cyber crimes, including phishing. [183] Microsoft announced a planned
further 100 lawsuits outside the U.S. in March 2006, [184] followed by the commencement, as of
November 2006, of 129 lawsuits mixing criminal and civil actions. [185] AOL reinforced its efforts
against phishing[186] in early 2006 with three lawsuits[187] seeking a total of US$18 million under the
2005 amendments to the Virginia Computer Crimes Act,[188][189] and EarthLink has joined in by helping
to identify six men subsequently charged with phishing fraud in Connecticut.[190]
In January 2007, Jeffrey Brett Goodin of California became the first defendant convicted by a jury
under the provisions of the CAN-SPAM Act of 2003. He was found guilty of sending thousands of
emails to America Online users, while posing as AOL's billing department, which prompted
customers to submit personal and credit card information. Facing a possible 101 years in prison for
the CAN-SPAM violation and ten other counts including wire fraud, the unauthorized use of credit
cards, and the misuse of AOL's trademark, he was sentenced to serve 70 months. Goodin had been
in custody since failing to appear for an earlier court hearing and began serving his prison term
immediately.[191][192][193][194]
See also
Law portal
Anti-phishing software
Brandjacking
In-session phishing – type of phishing attack
Internet fraud – Type of fraud or deception which makes use of the Internet to defraud
victims
Penetration test – Method of evaluating computer and network security by simulating a cyber
attack
SiteKey – web-based authentication service
SMS phishing
Typosquatting – Form of cybersquatting which relies on mistakes when inputting a website
address
List of cognitive biases – Systematic patterns of deviation from norm or rationality in
judgment, many abusable by phishing
Link farm
Mousetrapping
TrustRank
Clickjacking
References
1. ^ Ramzan, Zulfikar (2010). "Phishing attacks and countermeasures". In Stamp, Mark;
Stavroulakis, Peter (eds.). Handbook of Information and Communication Security.
Springer. ISBN 978-3-642-04117-4.
2. ^ "Internet Crime Report 2020" (PDF). FBI Internet Crime Complaint Centre. U.S. Federal
Bureau of Investigation. Retrieved 21 March 2021.
3. ^ Ollmann, Gunter. "The Phishing Guide: Understanding and Preventing Phishing
Attacks". Technical Info. Archived from the original on 2011-01-31. Retrieved 2006-07-10.
4. ^ Wright, A; Aaron, S; Bates, DW (October 2016). "The Big Phish: Cyberattacks
Against U.S. Healthcare Systems". Journal of General Internal Medicine. 31 (10): 1115–
8. doi:10.1007/s11606-016-3741-z. PMC 5023604. PMID 27177913.
5. ^ Mitchell, Anthony (July 12, 2005). "A Leet Primer". TechNewsWorld. Archived from the
original on April 17, 2019. Retrieved 2021-03-21.
6. ^ "Phishing". Language Log, September 22, 2004. Archived from the original on 2006-08-30.
Retrieved 2021-03-21.
7. ^ Jøsang, Audun; et al. (2007). "Security Usability Principles for Vulnerability Analysis and
Risk Assessment". Proceedings of the Annual Computer Security Applications Conference 2007
(ACSAC'07). Archived from the original on 2021-03-21. Retrieved 2020-11-11.
8. ^ Lin, Tian; Capecci, Daniel E.; Ellis, Donovan M.; Rocha, Harold A.; Dommaraju, Sandeep;
Oliveira, Daniela S.; Ebner, Natalie C. (September 2019). "Susceptibility to Spear-Phishing Emails:
Effects of Internet User Demographics and Email Content". ACM Transactions on Computer-Human
Interaction. 26 (5): 32. doi:10.1145/3336141. ISSN 1073-0516. PMC 7274040. PMID 32508486.
9. ^ "2019 Data Breach Investigations Report" (PDF). PhishingBox. Verizon Communications.
Retrieved 21 March 2021.
10. ^ Furnell, Steven; Millet, Kieran; Papadaki, Maria (July 2019). "Fifteen years of phishing: can
technology save us?". Computer Fraud & Security. 2019 (7): 11–16. doi:10.1016/S1361-
3723(19)30074-0. S2CID 199578115. Retrieved 21 March 2021.
11. ^ Waddell, Kaveh (11 February 2016). "The Black Market for Netflix Accounts". The Atlantic.
Retrieved 21 March 2021.
12. ^ "Spear phishing". Windows IT Pro Center. Retrieved March 4, 2019.
13. ^ Stephenson, Debbie (2013-05-30). "Spear Phishing: Who's Getting Caught?".
Firmex. Archived from the original on 2014-08-11. Retrieved July 27, 2014.
14. ^ "NSA/GCHQ Hacking Gets Personal: Belgian Cryptographer Targeted". Info Security
magazine. 3 February 2018. Retrieved 10 September 2018.
15. ^ Leyden, John (4 April 2011). "RSA explains how attackers breached its systems". The
Register. Retrieved 10 September 2018.
16. ^ Winterford, Brett (7 April 2011). "Epsilon breach used four-month-old attack".
itnews.com.au. Retrieved 10 September 2018.
17. ^ O'Leary, Daniel E. (2019). "What Phishing E-mails Reveal: An Exploratory Analysis of
Phishing Attempts Using Text Analyzes". SSRN Electronic
Journal. doi:10.2139/ssrn.3427436. ISSN 1556-5068. Archived from the original on 2021-03-21.
Retrieved 2020-11-02.
18. ^ "Threat Group-4127 Targets Google Accounts". secureworks.com. Archived from the
original on 2019-08-11. Retrieved 2017-10-12.
19. ^ Nakashima, Ellen; Harris, Shane (July 13, 2018). "How the Russians hacked the DNC and
passed its emails to WikiLeaks". The Washington Post. Archived from the original on March 21,
2021. Retrieved February 22, 2019.
20. ^ Alkhalil, Z (2021). "Phishing attacks: A recent comprehensive study and a new
anatomy". Frontiers in Computer Science. 3. doi:10.3389/fcomp.2021.563060.
21. ^ "Fake subpoenas harpoon 2,100 corporate fat cats". The Register. Archived from the
original on January 31, 2011. Retrieved April 17, 2008.
22. ^ "What Is 'Whaling'? Is Whaling Like 'Spear Phishing'?". About Tech. Archived from the
original on October 18, 2011. Retrieved March 28, 2015.
23. ^ Junger, Marianne; Wang, Victoria; Schlömer, Marleen (December 2020). "Fraud against
businesses both online and offline: crime scripts, business characteristics, efforts, and
benefits". Crime Science. 9 (1): 13. doi:10.1186/s40163-020-00119-4.
24. ^ "Action Fraud warning after serious rise in CEO fraud". Action Fraud. Retrieved 21
March 2021.
25. ^ "Invoice scams affecting New Zealand businesses". NZCERT. Retrieved 1 July 2019.
26. ^ Parker, Tamsyn (18 August 2018). "House invoice scam leaves couple $53k out of
pocket". The New Zealand Herald. Archived from the original on 21 March 2021. Retrieved 1
July 2019.
27. ^ Griffin, Slade E.; Rackley, Casey C. (2008). "Vishing". Proceedings of the 5th
Annual Conference on Information Security Curriculum Development - InfoSecCD '08:
33. doi:10.1145/1456625.1456635. ISBN 9781605583334.
28. ^ Wang, Xinyuan; Zhang, Ruishan; Yang, Xiaohui; Jiang, Xuxian; Wijesekera, Duminda
(2008). "Voice pharming attack and the trust of VoIP". Proceedings of the 4th International
Conference on Security and Privacy in Communication Netowrks - SecureComm '08:
1. doi:10.1145/1460877.1460908. ISBN 9781605582412. S2CID 7874236.
29. ^ "Phishing, Smishing, and Vishing: What's the Difference?" (PDF). belvoircreditunion.org.
August 1, 2008. Archived from the original (PDF) on 2015-04-01.
30. ^ Vishing and smishing: The rise of social engineering fraud Archived 2021-03-21 at
the Wayback Machine, BBC, Marie Keyworth, 2016-01-01
31. ^ "SMS phishing article at ConsumerAffairs.com". 8 November 2006. Archived from the
original on 2021-03-21. Retrieved 2020-07-29.
32. ^ Mishra, Sandhya; Soni, Devpriya (August 2019). "SMS Phishing and Mitigation
Approaches". 2019 Twelfth International Conference on Contemporary Computing (IC3). IEEE: 1–
5. doi:10.1109/ic3.2019.8844920. ISBN 978-1-7281-3591-5. S2CID 202700726.
33. ^ "What is Smishing?". Symantec Corporation. Retrieved 18 October 2018.
34. ^ "Get smart on Phishing! Learn to read links!". Archived from the original on December 11,
2016. Retrieved December 11, 2016.
35. ^ Cimpanu, Catalin (June 15, 2016). "Hidden JavaScript Redirect Makes Phishing Pages
Harder to Detect". Softpedia News Center. Softpedia. Archived from the original on March 21, 2021.
Retrieved May 21, 2017. Hovering links to see their true location may be a useless security tip in the
near future if phishers get smart about their mode of operation and follow the example of a crook who
recently managed to bypass this browser built-in security feature.
36. ^ Johanson, Eric. "The State of Homograph Attacks Rev1.1". The Shmoo Group. Archived
from the original on August 23, 2005. Retrieved August 11, 2005.
37. ^ Evgeniy Gabrilovich & Alex Gontmakher (February 2002). "The Homograph
Attack" (PDF). Communications of the ACM. 45 (2):
128. doi:10.1145/503124.503156. S2CID 73840.
38. ^ Leyden, John (August 15, 2006). "Barclays scripting SNAFU exploited by phishers". The
Register. Archived from the original on June 13, 2019. Retrieved August 10, 2017.
39. ^ Levine, Jason. "Goin' phishing with eBay". Q Daily News. Archived from the original on
March 26, 2019. Retrieved December 14, 2006.
40. ^ Leyden, John (December 12, 2007). "Cybercrooks lurk in shadows of big-name
websites". The Register. Archived from the original on June 23, 2019. Retrieved August 10, 2017.
41. ^ "Black Hat DC 2009". May 15, 2011. Archived from the original on January 3, 2015.
Retrieved July 26, 2014.
42. ^ Mutton, Paul. "Fraudsters seek to make phishing sites undetectable by content
filters". Netcraft. Archived from the original on January 31, 2011.
43. ^ "The use of Optical Character Recognition OCR software in spam
filtering". PowerShow. Archived from the original on 2021-03-21. Retrieved 2019-09-13.
44. ^ Cui, Xinyue; Ge, Yan; Qu, Weina; Zhang, Kan (2020). "Effects of Recipient Information and
Urgency Cues on Phishing Detection". HCI International 2020 - Posters. Communications in
Computer and Information Science. 1226: 520–525. doi:10.1007/978-3-030-50732-9_67. ISBN 978-
3-030-50731-2. S2CID 220523895.
45. ^ Williams, Emma J; Joinson, Adam N (2020-01-01). "Developing a measure of
information seeking about phishing". Journal of
Cybersecurity. 6 (1). doi:10.1093/cybsec/tyaa001. ISSN 2057-2085.
46. ^ Lin, Tian; Capecci, Daniel E.; Ellis, Donovan M.; Rocha, Harold A.; Dommaraju, Sandeep;
Oliveira, Daniela S.; Ebner, Natalie C. (September 2019). "Susceptibility to Spear-Phishing Emails:
Effects of Internet User Demographics and Email Content". ACM Transactions on Computer-Human
Interaction. 26 (5). doi:10.1145/3336141. ISSN 1073-0516. PMC 7274040. PMID 32508486.
47. ^ Tomlinson, Kerry (27 January 2017). "Fake news can poison your computer as well as your
mind". archersecuritygroup.com. Archived from the original on 2 February 2017. Retrieved 28
January 2017.
48. ^ Felix, Jerry & Hauck, Chris (September 1987). "System Security: A Hacker's
Perspective". 1987 Interex Proceedings. 8: 6.
49. ^ "EarthLink wins $25 million lawsuit against junk e-mailer". Archived from the original on
2019-03-22. Retrieved 2014-04-11.
50. ^ Langberg, Mike (September 8, 1995). "AOL Acts to Thwart Hackers". San Jose Mercury
News. Archived from the original on April 29, 2016. Retrieved March 14, 2012.
51. ^ Rekouche, Koceilah (2011). "Early Phishing". arXiv:1106.4692[cs.CR].
52. ^ Stutz, Michael (January 29, 1998). "AOL: A Cracker's Momma!". Wired News. Archived
from the original on December 14, 2005.
53. ^ "Phishing | History of Phishing". phishing.org. Archived from the original on 2018-09-09.
Retrieved 2019-09-13.
54. ^ "Phishing". Word Spy. Archived from the original on October 15, 2014.
Retrieved September 28, 2006.
55. ^ "History of AOL Warez". Archived from the original on January 31, 2011.
Retrieved September 28, 2006.
56. ^ "GP4.3 – Growth and Fraud — Case #3 – Phishing". Financial Cryptography. December
30, 2005. Archived from the original on January 22, 2019. Retrieved February 23, 2007.
57. ^ Sangani, Kris (September 2003). "The Battle Against Identity Theft". The Banker. 70 (9):
53–54.
58. ^ Kerstein, Paul (July 19, 2005). "How Can We Stop Phishing and Pharming Scams?". CSO.
Archived from the original on March 24, 2008.
59. ^ "In 2005, Organized Crime Will Back Phishers". IT Management. December 23, 2004.
Archived from the original on January 31, 2011.
60. ^ Abad, Christopher (September 2005). "The economy of phishing: A survey of the
operations of the phishing market". First Monday. Archived from the original on 2011-11-21.
Retrieved 2010-10-08.
61. ^ "UK phishing fraud losses double". Finextra. March 7, 2006. Archived from the original on
January 19, 2009. Retrieved May 20, 2006.
62. ^ Richardson, Tim (May 3, 2005). "Brits fall prey to phishing". The Register. Archived from
the original on June 10, 2019. Retrieved August 10, 2017.
63. ^ Krebs, Brian (October 13, 2007). "Shadowy Russian Firm Seen as Conduit for
Cybercrime". The Washington Post. Archived from the original on June 11, 2019.
Retrieved September 8, 2017.
64. ^ Miller, Rich. "Bank, Customers Spar Over Phishing Losses". Netcraft. Retrieved December
14, 2006.
65. ^ "Latest News". Archived from the original on October 7, 2008.
66. ^ "Bank of Ireland agrees to phishing refunds". vnunet.com. Archived from the original on
October 28, 2008.
67. ^ "Suspicious e-Mails and Identity Theft". Internal Revenue Service. Archived from the
original on January 31, 2011. Retrieved July 5, 2006.
68. ^ "Phishing for Clues". Indiana University Bloomington. September 15, 2005. Archived
from the original on July 31, 2009. Retrieved September 15, 2005.
69. ^ Kirk, Jeremy (June 2, 2006). "Phishing Scam Takes Aim at MySpace.com". IDG Network.
Archived from the original on June 16, 2006.
70. ^ "Malicious Website / Malicious Code: MySpace XSS QuickTime Worm". Websense Security
Labs. Archived from the original on December 5, 2006. Retrieved December 5, 2006.
71. ^ McCall, Tom (December 17, 2007). "Gartner Survey Shows Phishing Attacks Escalated in
2007; More than $3 Billion Lost to These Attacks". Gartner. Archived from the original on November
18, 2012. Retrieved December 20, 2007.
72. ^ "A Profitless Endeavor: Phishing as Tragedy of the Commons" (PDF). Microsoft.
Retrieved November 15, 2008.
73. ^ "Torrent of spam likely to hit 6.3 million TD Ameritrade hack victims". Archived from the
original on May 5, 2009.
74. ^ "1-Click Hosting at RapidTec — Warning of Phishing!". Archived from the original on April
30, 2008. Retrieved December 21, 2008.
75. ^ APWG. "Phishing Activity Trends Report" (PDF). Archived from the original (PDF) on
October 3, 2012. Retrieved November 4, 2013.
76. ^ "APWG Phishing Attack Trends Reports". Archived from the original on March 21,
2021. Retrieved October 20, 2018.
77. ^ "Anatomy of an RSA attack". RSA.com. RSA FraudAction Research Labs. Archived
from the original on October 6, 2014. Retrieved September 15, 2014.
78. ^ Drew, Christopher; Markoff, John (May 27, 2011). "Data Breach at Security Firm Linked to
Attack on Lockheed". The New York Times. Archived from the original on July 9, 2019.
Retrieved September 15, 2014.
79. ^ Keizer, Greg (2011-08-13). "Suspected Chinese spear-phishing attacks continue to hit
Gmail users". Computerworld. Archived from the original on 2021-03-21. Retrieved December
4, 2011.
80. ^ Ewing, Philip (2011-08-22). "Report: Chinese TV doc reveals cyber-mischief". Dod Buzz.
Archived from the original on January 26, 2017. Retrieved December 4, 2011.
81. ^ "Syrian hackers Use Outbrain to Target The Washington Post, Time, and
CNN" Archived 2013-10-19 at the Wayback Machine, Philip Bump, The Atlantic Wire, 15 August 2013.
Retrieved 15 August 2013.
82. ^ Paul, Andrew. "Phishing Emails: The Unacceptable Failures of American Express". Email
Answers. Archived from the original on October 9, 2013. Retrieved October 9, 2013.
83. ^ O'Connell, Liz. "Report: Email phishing scam led to Target
breach". BringMeTheNews.com. Archived from the original on September 15, 2014.
Retrieved September 15, 2014.
84. ^ Ausick, Paul. "Target CEO Sack". Archived from the original on September 15, 2014.
Retrieved September 15, 2014.
85. ^ Kelion, Leo (December 24, 2013). "Cryptolocker ransomware has 'infected about 250,000
PCs'". BBC. Archived from the original on March 22, 2019. Retrieved December 24, 2013.
86. ^ "Israeli defence computer hacked via tainted email -cyber firm". Reuters. 2014-01-
26. Archived from the original on 2015-09-24. Retrieved 2017-07-01.
87. ^ Reuters; Levy, Elior (27 January 2014). "Hackers took over defence computers" (in
Hebrew). Ynet. Archived from the original on 21 March 2021. Retrieved 29 November 2016.
88. ^ "Hackers break into Israeli defence computers, says security company". The Guardian.
Archived from the original on 2014-02-09.
89. ^ "Israel defence computers hit by hack attack". BBC News. 2014-01-27. Archived from the
original on 2019-03-22. Retrieved 2018-06-22.
90. ^ "Israeli Defense Computer Hit in Cyber Attack: Data Expert |
SecurityWeek.Com". securityweek.com. Archived from the original on 2019-03-22. Retrieved 2019-
09-13.
91. ^ "Israel to Ease Cyber-Security Export Curbs, Premier Says". Bloomberg. Archived from the
original on 2014-03-04. Retrieved 2017-03-11.
92. ^ Halpern, Micah D. "Cyber Break-in @ IDF". HuffPost. Archived from the original on 2021-
03-21. Retrieved 2020-02-20.
93. ^ "Prosecutors find that 'Fappening' celebrity nudes leak was not Apple's fault". TechCrunch.
March 15, 2016. Archived from the original on 2017-08-18 at the Wayback Machine.
94. ^ "ICANN Targeted in Spear Phishing Attack | Enhanced Security Measures
Implemented". icann.org. Archived from the original on 2019-08-07. Retrieved December 18, 2014.
95. ^ "Eccleston Indictment". November 1, 2013. Archived from the original on January 26, 2017.
Retrieved November 22, 2020.
96. ^ "Former U.S. Nuclear Regulatory Commission Employee Pleads Guilty to Attempted Spear-
Phishing Cyber-Attack on Department of Energy Computers". 2016-02-02. Archived from the original
on 2019-08-08. Retrieved 2020-11-22.
97. ^ Nakashima, Ellen (28 September 2016). "Russian hackers harassed journalists who were
investigating Malaysia Airlines plane crash". The Washington Post. Archived from the original on 23
April 2019. Retrieved 26 October 2016.
98. ^ ThreatConnect (2016-09-28). "ThreatConnect reviews activity targeting Bellingcat, a key
contributor in the MH17 investigation". ThreatConnect. Retrieved 26 October 2016.
99. ^ Kube, Courtney (7 August 2015). "Russia hacks Pentagon computers: NBC, citing
sources". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
100. ^ Starr, Barbara (7 August 2015). "Official: Russia suspected in Joint Chiefs email server
intrusion". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
101. ^ Doctorow, Cory (August 28, 2015). "Spear phishers with suspected ties to Russian
government spoof fake EFF domain, attack White House". Boing Boing. Archived from the original on
March 22, 2019. Retrieved November 29, 2016.
102. ^ Quintin, Cooper (August 27, 2015). "New Spear Phishing Campaign Pretends to be EFF".
EFF. Archived from the original on August 7, 2019. Retrieved November 29, 2016.
103. ^ "Austria's FACC, hit by cyber fraud, fires CEO". Reuters. 26 May 2016. Archived from the
original on 21 March 2021. Retrieved 20 December 2018.
104. ^ Sanger, David E.; Corasaniti, Nick (14 June 2016). "D.N.C. Says Russian Hackers
Penetrated Its Files, Including Dossier on Donald Trump". The New York Times. Archived from the
original on 25 July 2019. Retrieved 26 October 2016.
105. ^ Economist, Staff of (24 September 2016). "Bear on bear". Economist. Archived from the
original on 20 May 2017. Retrieved 25 October 2016.
106. ^ "KU employees fall victim to phishing scam, lose paychecks". Archived from the original on
2019-03-22. Retrieved 2016-10-06.
107. ^ "Hackers lurking, parliamentarians told". Deutsche Welle. Retrieved 21 September 2016.
108. ^ Pinkert, Georg Heil; Berlin, Nicolas Richter (2016-09-20). "Hackerangriff auf deutsche
Parteien" [Hacker attack on German parties]. Süddeutsche Zeitung. Retrieved 21 September 2016.
109. ^ Holland, Martin. "Angeblich versuchter Hackerangriff auf Bundestag und Parteien" [Alleged
attempted hacker attack on the Bundestag and parties]. Heise. Archived from the original on 1 April 2019.
Retrieved 21 September 2016.
110. ^ Hemicker, Lorenz; Alto, Palo. "Wir haben Fingerabdrücke" [We have fingerprints]. Frankfurter
Allgemeine Zeitung. Frankfurter Allgemeine. Archived from the original on 22 March 2019. Retrieved 21 September 2016.
111. ^ Hyacinth Mascarenhas (August 23, 2016). "Russian hackers 'Fancy Bear' likely breached
Olympic drug-testing agency and DNC, experts say". International Business Times.
Retrieved September 13, 2016.
112. ^ "What we know about Fancy Bears hack team". BBC News. 2016-09-15. Archived from the
original on 2019-03-22. Retrieved 17 September 2016.
113. ^ Gallagher, Sean (6 October 2016). "Researchers find fake data in Olympic anti-doping,
Guccifer 2.0 Clinton dumps". Ars Technica. Archived from the original on 14 July 2017. Retrieved 26
October 2016.
114. ^ "Russian Hackers Launch Targeted Cyberattacks Hours After Trump's Win". 2016-11-
10. Archived from the original on 2017-01-27. Retrieved 2016-11-28.
115. ^ European Parliament Committee on Foreign Affairs (23 November 2016), "MEPs sound
alarm on anti-EU propaganda from Russia and Islamist terrorist groups" (PDF), European
Parliament, archived (PDF) from the original on 8 August 2019, retrieved 26 November 2016
116. ^ Lewis Sanders IV (11 October 2016), 'Divide Europe': European lawmakers warn of
Russian propaganda, Deutsche Welle, archived from the original on 25 March 2019, retrieved 24
November 2016
117. ^ "Qatar faced 93,570 phishing attacks in first quarter of 2017". Gulf Times (in Arabic). 2017-
05-12. Archived from the original on 2018-08-04. Retrieved 2018-01-28.
118. ^ "Facebook and Google Were Victims of $100M Payment Scam". Fortune. Archived from
the original on 2019-08-08. Retrieved 2018-01-28.
119. ^ "Amazon Prime Day phishing scam spreading now!". The Kim Komando
Show. Archived from the original on 2019-05-27. Retrieved 2018-01-28.
120. ^ "Cryptocurrency Hackers Are Stealing from EOS's $4 Billion ICO Using This Sneaky
Scam". Jen Wieczner. Archived from the original on 2021-03-21. Retrieved 2018-05-31.
121. ^ "Twitter Investigation Report - Department of Financial Services". www.dfs.ny.gov. 2020-10-
14. Retrieved 2020-10-11.
122. ^ "17-year-old alleged Twitter hacker pleads 'not guilty' - CoinGeek". www.coingeek.com.
2020-08-06. Retrieved 2020-10-11.
123. ^ "Millersmiles Home Page". Oxford Information Services. Archived from the original on July
21, 2007. Retrieved January 3, 2010.
124. ^ "FraudWatch International Home Page". FraudWatch International. Archived from the
original on June 16, 2019. Retrieved January 3, 2010.
Simulated phishing
Simulated phishing, or a phishing test, is the practice of an organisation sending deceptive emails that resemble malicious ones to its own staff in order to gauge their response to phishing and similar email attacks. The emails are themselves a form of training, but such testing is normally done in conjunction with prior training and is often followed up with further training elements, especially for those who "fail" by opening an email attachment, clicking an included link, or entering credentials.
Rationale
There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary.[1]
Simulated phishing allows direct measurement of staff compliance and, when run regularly, can measure progress in user behaviour over time. Phishing simulation is recommended by various official agencies, who often provide guidelines for designing such programmes.[2] Phishing simulations are sometimes compared to fire drills, in that they give staff regular practice in correct behaviour.[3]
Ethics
Such campaigns need to be authorised at an appropriate level[4] and carried out professionally.[5] If the technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff.
However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance have been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in,[6] and others may allow staff the option to opt out.[7]
The standard advice is that "failing" staff should not be shamed in any way, but that it is appropriate and reasonable to provide supportive follow-up training.[8][9][10]
Some techniques that are effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These include emails with content likely to cause distress to the recipient and the use of third-party trademarks,[5][8] although it is also sometimes argued that the latter is covered by fair use.[11]
Methods
Such testing can be done in a number of ways:
Many vendors offer web-hosted platforms, and some provide limited free "test" campaigns.[12]
A wide range of freely available open-source tools allows more technical organisations to host and run their own testing.[13][14][15]
Some email services now include such testing as a built-in option.[16][17]
Because organisations generally have multi-layered defences in place to stop real phishing, simulations usually require allow-list (whitelist) entries at email gateways, in anti-virus software and on web proxies so that the test email reaches user desktops and devices and its links can be followed. Those entries should be scoped to the simulation platform's sending domains and IP addresses and removed when the campaign ends, so that they do not become a standing bypass that a real attacker could exploit.
Frequency
Most advice is that testing should be done several times per year, both to give staff practice in responding correctly and to give management feedback on progress in staff identifying and reporting potentially dangerous email.
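As an added example (not part of the Wikipedia article and not any vendor's product), the following Python sketches the bookkeeping behind the measurement described under Rationale and Frequency: per-recipient tracking links whose tokens are HMACs, so that a token cannot be guessed or forged; ingestion of landing-page and report-button hits; and the per-campaign rates plus a trend across campaigns that repeated testing is meant to show. The campaign key, the base URL sim.example.test, the staff addresses and the recorded events are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, Iterable

# Hypothetical per-deployment secret; a real platform would load it from a secrets store.
CAMPAIGN_KEY = secrets.token_bytes(32)

# Stages a recipient can reach. "reported" is the behaviour the training aims for.
STAGES = ("opened", "clicked", "submitted", "reported")


def make_token(campaign_id: str, recipient: str, key: bytes) -> str:
    """Per-recipient tracking token: an HMAC over the campaign id and the address.

    The token carries no recipient data, so one user cannot derive a colleague's
    link, and a random probe (or a mail-gateway sandbox fetching made-up URLs)
    will not match any issued token.
    """
    msg = f"{campaign_id}\x00{recipient.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class Campaign:
    """Bookkeeping for one simulated-phishing send."""

    def __init__(self, campaign_id: str, recipients: Iterable[str],
                 base_url: str = "https://sim.example.test", key: bytes = CAMPAIGN_KEY):
        self.id = campaign_id
        self.base_url = base_url
        self._key = key
        self.delivered = {r.strip().lower() for r in recipients}
        # token -> recipient; the link mailed to each person embeds their token
        self.tokens: Dict[str, str] = {make_token(campaign_id, r, key): r for r in self.delivered}
        self.reached = defaultdict(set)  # stage -> recipients who reached it
        self.rejected = 0                # hits carrying a token that was never issued

    def link_for(self, recipient: str) -> str:
        return f"{self.base_url}/t/{make_token(self.id, recipient, self._key)}"

    def record(self, stage: str, token: str) -> bool:
        """Ingest one hit from the landing page or the report button.

        Unknown tokens are dropped, and a recipient counts once per stage no
        matter how often the link is fetched, so link-scanning mail gateways
        and repeated visits do not inflate the rates.
        """
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        recipient = self.tokens.get(token)
        if recipient is None:
            self.rejected += 1
            return False
        self.reached[stage].add(recipient)
        return True

    def metrics(self) -> Dict[str, float]:
        """Share of delivered recipients reaching each stage."""
        n = max(len(self.delivered), 1)
        m = {s: len(self.reached[s]) / n for s in STAGES}
        m["reported_without_clicking"] = len(self.reached["reported"] - self.reached["clicked"]) / n
        return m


def trend(campaigns: Iterable[Campaign]) -> Dict[str, float]:
    """Change in each rate from the first to the last campaign. Falling click and
    submit rates together with a rising report rate is the progress repeated
    testing looks for."""
    metrics = [c.metrics() for c in campaigns]
    first, last = metrics[0], metrics[-1]
    return {k: round(last[k] - first[k], 4) for k in first}


if __name__ == "__main__":
    # Constructed demo: two quarterly campaigns to the same four fictional staff.
    key = b"\x01" * 32
    staff = ["alice@corp.example", "bob@corp.example", "carol@corp.example", "dave@corp.example"]
    q1 = Campaign("2021-q1", staff, key=key)
    for stage, who in [("clicked", "alice"), ("submitted", "alice"), ("clicked", "bob"),
                       ("reported", "bob"), ("reported", "carol")]:
        q1.record(stage, make_token(q1.id, f"{who}@corp.example", key))
    q1.record("clicked", "0" * 32)  # forged token: ignored and counted as rejected
    q2 = Campaign("2021-q2", staff, key=key)
    for stage, who in [("clicked", "dave"), ("reported", "alice"), ("reported", "bob"),
                       ("reported", "carol")]:
        q2.record(stage, make_token(q2.id, f"{who}@corp.example", key))
    print(q1.metrics())
    print(trend([q1, q2]))
```

Counting each recipient once per stage and ignoring tokens that were never issued matters in practice: mail gateways that sandbox links fetch every URL in a message and would otherwise register as clicks. The allow-list entry for the sending domain described under Methods is still needed for the mail to arrive, but nothing in the link itself tells a recipient how to forge a colleague's token.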
See also
Phishing
Fire drill
References
1. Jampen, Daniel; Gür, Gürkan; Sutter, Thomas; Tellenbach, Bernhard (2020-08-09). "Don't click: towards an effective anti-phishing training. A comparative literature review". Human-centric Computing and Information Sciences. 10 (1). doi:10.1186/s13673-020-00237-7. ISSN 2192-1962.
2. "Designing Phishing Simulations" (PDF). Center for the Protection of National Infrastructure. Retrieved 12 September 2018.
3. Fischbein, Jonathan. "Council Post: 2021 Cyber New Year's Resolutions". Forbes. Retrieved 2021-10-03.
4. Kovacs, Eduard (23 August 2018). "Attack on DNC Part of Simulated Phishing Test". Security Week. Retrieved 12 September 2018.
5. Cheng, Joey (18 March 2014). "Out-of-control Army phishing test results in new guidelines". DefenseSystems. Retrieved 12 September 2018.
6. "Simulated Phishing". Berkeley Lab. Retrieved 12 September 2018.
7. "Simulated Phishing Email Campaign". UC Santa Cruz. Retrieved 12 September 2018.
8. Prendergast, Tom. "Is all fair in simulated phishing?". www.csoonline.com. Retrieved 9 September 2018.
9. Meijdam, Katrien. "Phishing as a Service: Designing an ethical way of mimicking targeted phishing attacks to train employees". Retrieved 10 September 2018.
10. R, Kate. "The Trouble with Phishing". National Cyber Security Centre. GCHQ. Retrieved 12 September 2018.
11. Calarco, Daniel. "Stop Phishing with Bad Fake Bait". EDUCAUSE Review. Retrieved 12 September 2018.
12. Korolov, Maria. "10 companies that can help you fight phishing". CSO Online. Retrieved 12 September 2018.
13. e.g. GoPhish, King Phisher, the Social-Engineer Toolkit
14. Pauli, Darren (4 February 2016). "Go phish your own staff: Dev builds open-source fool-testing tool". The Register. Retrieved 12 September 2018.
15. "Phishing campaign simulators". Phishing Countermeasures. Retrieved 12 September 2018.
16. Ghosh, Debraj. "GA of Attack Simulator For Office 365 Threat Intelligence". Microsoft Tech Community. Retrieved 12 September 2018.
17. Lardinois, Frederic. "Microsoft launches a phishing attack simulator and other security tools". TechCrunch. Retrieved 12 September 2018.
CONSEQUENCE OF PHISHING: IDENTITY THEFT
Identity theft
Figure: example of an identity theft crime. 1. The fraudster files tax return paperwork in the victim's name, claiming a refund. 2. The IRS issues a refund to the fraudster. 3. The victim submits their legitimate tax return. 4. The IRS rejects the return as a duplicate.
both the U.K. and the United States as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a means to gain financial advantage or obtain credit and other benefits,[2][3] and perhaps to cause the other person disadvantage or loss. The person whose identity has been stolen may suffer adverse consequences,[4] especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.[5]
Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained. According to a report done for the FTC, identity theft is not always detectable by the individual victims.[6] Identity fraud is often, but not necessarily, the consequence of identity theft: personal information can be stolen or misappropriated, as in a major data breach, without identity theft following for every person affected. A US Government Accountability Office study determined that "most breaches have not resulted in detected incidents of identity theft".[7] The report also warned that "the full extent is unknown". A later unpublished study by Carnegie Mellon University noted that "Most often, the causes of identity theft is not known", but cited another estimate that "the probability of becoming a victim to identity theft as a result of a data breach is ... around only 2%".[8] For example, one of the largest data breaches, which affected over four million records, resulted in only about 1,800 instances of identity theft, according to the company whose systems were breached.[citation needed]
An October 2010 article entitled "Cyber Crime Made Easy" described the extent to which hackers use malicious software.[9] As Gunter Ollmann, Chief Technology Officer of security at Microsoft, put it: "Interested in credit card theft? There's an app for that."[10] The statement summed up the ease with which criminals obtain all kinds of information online. The program in question, Zeus, is a banking trojan sold as a kit and is so easy to operate that even an inexperienced attacker can run it; it harvests online-banking credentials and card details from the victim's browser as they are typed. Ease of use does not lessen the damage that Zeus, or similar malware, can do to a computer and its user: such programs can steal credit card information, important documents, and even documents relevant to homeland security, and in an attacker's hands that information means identity theft or, the article warns, even a possible terrorist attack. The ITAC says that about 15 million Americans had their identity stolen in 2012.[11]
Types
Sources such as the non-profit Identity Theft Resource Center[12] sub-divide identity theft into five categories:
Criminal identity theft (posing as another person when apprehended for a crime)
Financial identity theft (using another's identity to obtain credit, goods, and services)
Identity cloning (using another's information to assume his or her identity in daily life)
Medical identity theft (using another's identity to obtain medical care or drugs)
Child identity theft
Identity theft may be used to facilitate or fund other crimes, including illegal immigration, terrorism, phishing and espionage. There are cases of identity cloning being used to attack payment systems, including online credit card processing and medical insurance.[13]
Medical identity theft
Privacy researcher Pam Dixon, the founder of the World Privacy Forum,[17] coined the term medical identity theft and released the first major report on the issue in 2006. In the report she defined the crime for the first time and made the plight of victims public. The report's definition is that medical identity theft occurs when someone seeks medical care under the identity of another person. Insurance theft is also very common: a thief who has a victim's insurance information or insurance card can seek medical attention while posing as the victim.[18] In addition to the risk of financial harm common to all forms of identity theft, the thief's medical history may be added to the victim's medical records. Inaccurate information in the victim's records is difficult to correct and may affect future insurability, or cause doctors to rely on the misinformation and deliver inappropriate care. After publication of the report, which recommended that consumers be notified of medical data breach incidents, California passed a law requiring this, and HIPAA was later expanded to require medical breach notification when a breach affects 500 or more people.[19][20] Data collected and stored by hospitals and other organizations such as medical aid schemes has been reported to be up to 10 times more valuable to cybercriminals than credit card information.
Child identity theft
Child identity theft occurs when a minor's identity is used by another person for the impostor's personal gain. The impostor can be a family member, a friend, or a stranger who targets children. Children's Social Security numbers are valued because no credit history is yet associated with them, so thieves can establish lines of credit, obtain driver's licenses, or even buy a house using a child's identity. The fraud can go undetected for years, since most children do not discover the problem until much later. Child identity theft is fairly common, and studies have shown that the problem is growing. The largest study of child identity theft, reported by Richard Power of the Carnegie Mellon CyLab with data supplied by AllClear ID, found that of 40,000 children, 10.2% were victims of identity theft.[21]
The Federal Trade Commission (FTC) estimates that about nine million people are victims of identity theft in the United States each year. It was also estimated that in 2008, 630,000 people under the age of 19 were victims, leaving them with debts of about $12,799 that were not theirs.[22]
Children in general are major targets of identity theft, and children in foster care are even bigger targets, because they are likely to be moved frequently and their SSN is shared with multiple people and agencies. Foster children are also more often victims of identity theft within their own families and among other relatives. Young people in foster care who are victims of this crime are usually left alone to work out how to repair their newly damaged credit.[22]
Financial identity theft
The most common type of identity theft is financial. Financial identity theft includes obtaining credit, loans, goods, and services while claiming to be someone else.[23]
Indicators
The majority of identity theft victims do not realize they are victims until the theft has negatively affected their lives. Many people do not find out that their identities have been stolen until they are contacted by financial institutions or notice suspicious activity on their bank accounts.[28] According to an article by Herb Weisbaum, everyone in the US should assume that their personal information has been compromised at some point.[28] It is therefore important to watch for warning signs that your identity has been compromised. The following are eleven indicators that someone else might be using your identity:
1. Credit or debit card charges for goods or services you are not aware of, including unauthorized withdrawals from your account[28]
2. Calls from a credit or debit card fraud control department warning of possible suspicious activity on your card account[29]
3. Receiving credit cards that you did not apply for[29]
4. Being informed that a credit check was carried out; these are typically done when someone applies for a loan or a phone subscription
5. Checks bouncing for lack of funds in your account, which may result from unauthorized withdrawals[29]
6. Criminals committing crimes in your name, which you may not discover until the police arrive at your door to arrest you for offenses you did not commit[29]
7. Sudden changes to your credit score, which may indicate that someone else is using your credit cards[30]
8. Bills for services such as gas, water or electricity not arriving on time, which can indicate that your mail was stolen or redirected[30]
9. Being refused loans because your credit report indicates that you are not creditworthy[30]
10. Notification from your post office that your mail is being forwarded to another, unknown address[31]
11. Your yearly tax return showing that you have earned more than you actually earned, which may indicate that someone is using your national identification number (e.g. SSN) to report their earnings to the tax authorities[31]
Potential outcomes
Identity theft is a serious problem in the United States. A 2018 study reported that 60 million Americans' identities had been wrongfully acquired.[36] In response, on the advice of the Identity Theft Resource Center, new bills have been introduced to improve security, for example by requiring electronic signatures and social security verification.[36]
Identity thieves gather information in several ways; one of the most common is when consumers make online purchases.[37] A study of 190 people examined the relationship between fear of financial loss and fear of reputational damage.[37] It found that identity theft was positively correlated with reputational damage,[37] and that the relationship between perceived risk and intention to purchase online was negative.[37] The study's significance is that online companies are more aware of the potential harm to their customers and are therefore looking for ways to reduce customers' perceived risk so as not to lose business.
Victims of identity theft may face years of effort proving to the legal system that they are the true person,[38] leading to emotional strain and financial losses. Most identity theft is perpetrated by a family member of the victim, and some victims may be unable to obtain new credit cards or open new bank accounts or loans.[38]
Those who could not resist unearthing their secret crush opened what they thought was a harmless .txt file (the attachment was in fact a VBScript file whose .vbs extension was hidden behind a .TXT one), only to unleash a worm that damaged the local machine. The worm overwrote image files and sent a copy of itself to every contact in the user's Outlook address book.
'LoveBug' showed how to get spam to send itself, and that a cleverly designed virus preying on human psychology and technical failings could rack up enormous numbers of victims. In all, about 45 million Windows PCs were thought to have been hit.
The history of phishing shows that, although delivery methods have evolved over two decades to evade spam filters and other technology, the tactics employed by phishers have remained fairly consistent. It would seem logical that people should have learned to avoid the trap of surrendering login credentials, clicking links or even opening attachments. Yet this is still an effective tactic for attackers. Why?
Phishing Today
While phishers' tactics may not have changed, the stakes have. Instead of free Internet access, phishing scams can now wreak havoc on the world economy. Why put in the work to break through a firewall when a well-crafted phishing email can be just as effective in giving the attacker access to sensitive information?
One key development has been the rise of social media. As previously mentioned, just 10 years ago there was little to no information available over the Internet about organizations and the people who worked for them. Today almost everyone at every organization has a LinkedIn, Facebook or Twitter account, and some have all three.
An email coming from a (seemingly) familiar or authoritative source and dealing with a relevant topic puts the recipient at ease. Personalized details only add to the authenticity and peace of mind the recipient experiences, making interaction with the links or attachments quite likely.
The stakes, coupled with the minimal resources required to execute an attack, have made spear phishing the method of choice for criminals seeking access to the sensitive data stored on the networks of large organizations and corporations. Target, Home Depot and Anthem are just three recent high-profile breaches believed to have started with an employee falling victim to spear phishing.
Activate Your Human Sensors
While it would seem logical that technological defenses will improve, the recent history of phishing suggests that technology is unlikely ever to prevent every spear phishing email from reaching an employee's inbox. It therefore makes sense to crowdsource phishing detection, so that the first line of defense can report attacks as soon as they hit the network.
A good analogy is the fruit vendor who helped prevent a terrorist attack in Times Square in 2010. The vendor tipped off police after noticing that a car had been parked for several hours on a street in Times Square, an unusual occurrence in such a busy area. The car turned out to be loaded with explosives.
Although a crowded area like Times Square was equipped with expensive surveillance equipment and had a large police presence, the vendor's knowledge of the streets made him the best person to identify suspicious activity. On a network, users are often the first to receive attacks, making their reports of suspicious email vital intelligence for preventing data breaches.
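User reports are only useful if someone can triage them quickly. The following Python is an added example (not from the original text or any product it mentions) of a first-pass triage of a reported message. It checks three tells typical of the emails this page describes: a sender whose display name names one domain while the address sits in another (or whose Reply-To goes elsewhere), a link whose visible text shows one host while its href points at another, and an attachment that hides an executable extension behind a harmless-looking one, which is exactly what the LoveBug attachment did (it was a VBScript file named LOVE-LETTER-FOR-YOU.TXT.vbs, and Windows hid the final extension). The sample message, its domains (mail-bank-secure.net, login-verify.example.net, bank.example) and the placeholder attachment body are constructed for the demonstration; only the attachment name is the historical one.

```python
import re
from email import message_from_string, policy
from email.headerregistry import Address
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly, and decoy extensions commonly placed in front of them.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta", "scr", "exe", "pif", "bat", "cmd", "ps1", "lnk"}
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # crude host-name heuristic


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def attachment_finding(filename):
    """Flag executable attachments, including a real extension hidden behind a
    decoy one (LoveBug's .TXT.vbs) or a right-to-left override in the name."""
    if "\u202e" in filename:
        return f"attachment name contains a right-to-left override: {filename!r}"
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension hides .{parts[-1]} behind .{parts[-2]}: {filename}"
    return f"executable attachment .{parts[-1]}: {filename}"


def link_findings(html):
    """Flag links whose visible text names one host while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        if not HOST_RE.search(text):
            continue  # plain "click here" text: nothing to compare against
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            out.append(f"link text shows {shown} but points to {real}")
    return out


def header_findings(msg):
    """Display name naming a domain other than the sender's, or Reply-To elsewhere."""
    if not msg["From"] or not msg["From"].addresses:
        return ["no parseable From address"]
    sender = msg["From"].addresses[0]
    dom = sender.domain.lower()
    out = [f"display name mentions {h} but sender domain is {dom}"
           for h in HOST_RE.findall(sender.display_name)
           if h.lower() != dom and not h.lower().endswith("." + dom)]
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != dom:
        out.append(f"Reply-To domain {reply_to.addresses[0].domain} differs from From domain {dom}")
    return out


def triage(raw):
    """Parse a reported message (raw RFC 5322 text) and run every check."""
    msg = message_from_string(raw, policy=policy.default)
    findings = header_findings(msg)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            finding = attachment_finding(name)
            if finding:
                findings.append(finding)
        elif part.get_content_type() == "text/html":
            findings.extend(link_findings(part.get_content()))
    return findings


def build_sample():
    """Constructed report: a fake bank alert carrying the LoveBug attachment name."""
    m = EmailMessage()
    m["From"] = Address("Bank Security (bank.example)", "alerts", "mail-bank-secure.net")
    m["Reply-To"] = Address("", "verify", "login-verify.example.net")
    m.set_content("Your account has been locked. Sign in at https://bank.example/login")
    m.add_alternative('<p>Your account has been locked. Sign in at <a href='
                      '"http://login-verify.example.net/secure">https://bank.example/login</a>'
                      ' within 24 hours.</p>', subtype="html")
    m.add_attachment(b"' constructed placeholder body, not the worm\r\n", maintype="application",
                     subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return m.as_string()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("-", line)
```

The checks are deliberately cheap heuristics meant to rank a queue of reports, not to replace analysis: a display name such as "John.Smith" will match the host-name regex, and a link whose text is a brand name rather than a URL is not compared at all. Anything flagged still needs a human or a sandbox to confirm it.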
Ian Fette, Norman Sadeh, Anthony Tomasic. WWW '07: Proceedings of the 16th International Conference on World Wide Web, May 2007, pages 649–656. doi:10.1145/1242572.1242660