Online Phishing and Solutions
Ping Wang (Robert Morris University, USA) and Anteneh T. Girma (University of District of Columbia, USA)
Copyright: © 2020 |Pages: 14
DOI: 10.4018/978-1-5225-9715-5.ch056
This article introduces and defines online phishing, which is an online crime of deceiving users into accessing fraudulent emails, web links, and websites to steal their sensitive private information. Online phishing is the top starting point for cyberattacks and the leading cause for identity theft that brings financial and other losses to individual and organizational victims. Phishing is primarily a social engineering attack that exploits human vulnerabilities due to lack of user awareness and protection. This article classifies phishing into two general groups based on the primary method and technique involved: social engineering and technical subterfuge. The article discusses how various specific types of phishing work and proposes a comprehensive set of solutions.
Chapter Preview


Online phishing is a common form of criminal attempt, via fraudulent emails, web links and websites, to trick online users into surrendering sensitive private information, including user names, passwords, social security numbers, credit card numbers, and bank account numbers. Phishing continues to be a primary weapon used by cybercriminals. Phishing is often the lead action, followed by malware installation or other malicious actions that lead to a data breach. Statistically, 85% of organizations have reported being the victim of a phishing attack (Wombat Security, 2016). Spear phishing email, one example of phishing, was the starting point that led to 91% of successful cyberattacks and the resulting data breaches (PhishMe, 2016). In addition, phishing was involved in 70% of all data breaches associated with nation-state or state-affiliated actors (Verizon, 2018).

Phishing attempts may occur in various formats, including email scams, malicious attachments, and fraudulent links and websites. Phishing is by nature a form of social engineering attack that exploits the human vulnerabilities of curiosity and lack of awareness and judgment. Individual curiosity and lack of awareness often lead online users to become victims of spoofed and deceptive emails, fraudulent web links and fake websites (Alexander, 2016; Gupta, Arachchilage, & Psannis, 2018). Research on predicting individual susceptibility to phishing shows that certain behavioral traits are correlated with the ability to identify phishing interfaces; it also shows that individuals with greater behavioral curiosity tend to commit more security errors when identifying phishing attempts (Chen, YeckehZaare, & Zhang, 2018).

Online phishing has various types of significant impact on organizational and individual victims. The average direct financial cost of a phishing attack to an organization is over $3.7 million, which is close to the cost of a typical data breach (Ponemon Institute, 2017; Wombat Security, 2015). The costs may include direct loss of productivity and revenue, business disruptions, and the cost of containing malware and credential compromises. Additionally, there may be substantial hidden and indirect costs, such as damage to corporate reputation and loss of customer confidence as a result of a data breach caused by a phishing scam (Anderson et al., 2012). Phishing scams are a leading cause of individuals falling victim to identity theft. Over 17 million individuals in the United States alone were victims of one or more incidents of identity theft in 2014, and the majority (86%) of them experienced fraudulent use of their existing credit or bank account information (US Department of Justice, 2017).

To combat online phishing, a variety of countermeasures have been proposed, including education and training, improvement of administrative and security policies and practices, and technical solutions and software products. This chapter proposes a comprehensive solution to prevent and protect against online phishing. The following sections define and describe the categories and types of online phishing, explain the theoretical principles behind phishing and how each type works, and propose and discuss a comprehensive set of solutions, mechanisms and best practices to defend users and organizations against online phishing.

Key Terms in this Chapter

Identity theft: The crime of stealing sensitive personal information, such as usernames, passwords, date of birth, social security number, and personal and financial information.

DNS Pharming: Providing a fraudulent DNS mapping to direct a victim to visit a fake and malicious website.

Whaling: A special type of spear phishing that targets high-rank individuals such as executives of an organization.

Technical Subterfuge: The act of deceiving victims and stealing their sensitive information by technical means.

Spear Phishing: Phishing for sensitive information by using personalized emails containing malicious attachments or fraudulent web links to target specific members or groups of an organization.

Social engineering: An attack that uses personal and social skills to persuade the target to behave in violation of security principles.

Session Hijacking: Using a spoofed IP address or man-in-the-middle techniques to impersonate a legitimate host in order to eavesdrop on or redirect network communication.

Online Phishing: An online criminal attempt, via fraudulent emails, web links, and websites, to trick online users into surrendering sensitive private information.

Cross-Site Scripting (XSS): Injecting malicious code to be displayed in the victim’s web browser to steal the victim’s credentials.