Phishing Attacks
By Harrison Cotillard
1. What is Phishing?
The term “phishing” is a spin on the word fishing: criminals dangle a fake “lure” (legitimate-looking emails, websites and attachments) hoping the intended victims will bite and hand over sensitive information. The sensitive information most scammers are after is account credentials (login information), credit card numbers, bank account numbers and private router information. There are 19 different types of phishing; if you are interested you can read more here: https://www.fortinet.com/resources/cyberglossary/types-of-phishing-attacks
As you can see above, the link sent in the body of the email looks fairly legitimate. Anyone sifting through loads of emails a day probably wouldn’t take a second look and would just click on the link. What is super clever (and somewhat scary) is that if you do click on that link you are greeted with a home page which looks identical to LinkedIn (see next page).
3. What Information do Hackers/Scammers gain from Phishing?
To show you how easy phishing is to do and the information hackers gain from a successful spear phishing attack, I am going to scam/hack my colleague. I found a program called PyPhisher on a site called GitHub. GitHub is a place for software developers and IT personnel to share their work for free. I searched for “phishing” and the top link was PyPhisher and a download button. After I had downloaded it, it launched and I was faced with this screen.
As you can see, in a matter of seconds I was given a screen with a list of 77 different fake websites I could create. In my example I typed in 22 for LinkedIn. All of a sudden, my screen changed to what you can see below. The software I was using gave me 4 links to send to targets. But before I had the opportunity to copy the link, the software asked me if I wanted to make a custom link. This is how the link changes from the long, wordy links to a legitimate-looking LinkedIn link.
Once the custom link appeared I copied it and sent it over to my colleague. Let’s see what happens when he clicks on the link. As soon as he clicked on the link I was given his public IP address (a unique code given to your router), what systems he is using (Linux, Mozilla Firefox) and his locational details (London, United Kingdom; even his geolocation using longitude and latitude).
Not only does it provide me with the information above, but my colleague fell for the fake website and I now also have his credentials! What a stupid password!
4. How to prevent a Phishing Attack
As you have seen, phishing attacks can be detrimental and extremely destructive. But fear not! Protecting yourself against phishing attacks is a lot easier than it may seem. DO NOT CLICK on links in your email or download attachments from people you don’t know. If you see a link for LinkedIn, for instance, launch a browser yourself and log in to LinkedIn that way, rather than through the link. If you have been sent an attachment that you feel might contain malware or something malicious, please ask [email protected] for advice and we may scan your files to make sure they are safe for a small fee.
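The advice above (check where a link really goes instead of trusting how it looks, as with the custom LinkedIn-style link in the example earlier) can be turned into a simple check you run on an email before anyone clicks anything. The script below is an added example written for this page; it is not part of the original article or of PyPhisher. The brand list, the shortener list and the sample email body are all constructed for the example, and the registrable-domain helper is a crude last-two-labels approximation (a real tool would use the Public Suffix List).

```python
"""Added example (not from the original article): inspect the links in an
email body before anyone clicks them, applying the advice in the
"How to prevent a Phishing Attack" section. The brand list, shortener list
and the sample email below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a small allow-list of brands and their genuine registrable domains.
KNOWN_BRANDS = {"linkedin": "linkedin.com", "paypal": "paypal.com"}
# Assumption: a small list of URL shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "t.co"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Good enough for .com; a real tool
    should use the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text):
    """Return the reasons a link looks like a phishing lure ([] = none found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    is_ip = IPV4.fullmatch(host) is not None
    domain = host if is_ip else registrable_domain(host)

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("plain http, not https")
    if is_ip:
        reasons.append("raw IP address instead of a hostname")
    if domain in SHORTENERS:
        reasons.append(f"link shortener {domain} hides the real destination")

    # A brand named in the link text or in the hostname, but served from
    # somewhere other than the brand's own domain (the "custom link" trick).
    for brand in sorted(b for b in KNOWN_BRANDS if b in text.lower() or b in host):
        real = KNOWN_BRANDS[brand]
        if domain != real:
            reasons.append(f"mentions {brand} but points at {domain}, not {real}")

    # Visible text that is itself a URL, but for a different site than the href.
    if re.fullmatch(r"\S+\.\S+", text):
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        if shown and registrable_domain(shown) != domain:
            reasons.append(f"shown as {registrable_domain(shown)} but goes to {domain}")
    return reasons


def scan_email_html(html):
    """Return [(href, text, reasons), ...] for every anchor in the email body."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


def suspicious_links(html):
    """Just the hrefs that raised at least one reason."""
    return [href for href, _, reasons in scan_email_html(html) if reasons]


# Constructed sample email body, in the style of the LinkedIn lure described above.
SAMPLE_EMAIL = """
<p>Hi, you have 3 new connection requests waiting.</p>
<p><a href="https://linkedin.com.example-login.net/verify">View on LinkedIn</a></p>
<p><a href="https://www.linkedin.com/feed/">www.linkedin.com</a></p>
<p><a href="http://bit.ly/example">https://www.linkedin.com/messaging</a></p>
<p><a href="http://203.0.113.10/login">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {text!r} -> {href}")
        for reason in reasons:
            print(f"             - {reason}")
```

Run against the constructed email, three of the four links are flagged: the one whose hostname merely starts with “linkedin.com”, the shortener whose visible text claims to be a LinkedIn page, and the raw-IP login page; only the link that genuinely goes to linkedin.com passes. Put the same check in front of a mail filter or a helpdesk triage script and the “custom link” trick from the PyPhisher walkthrough is caught before a user ever sees it.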
I hope this has given you a basic understanding of phishing attacks and how easy it is for these scammers to trick you into giving away personal and/or sensitive information. Please be careful when opening links or attachments from emails that look suspicious or are unknown to you. If you ever end up getting hacked, please report it to www.cert.je. They will help as much as they can.