Phishing
Home > 
Phishing
< back

Phishing

Phishing is a form of social engineering attack where a phisher masquerades as a legitimate entity to solicit personal and sensitive information or infect a user’s machine with malware. Phishing attacks are usually initiated in the form of bogus websites, emails, instant messaging or short message service (SMS), etc. which contain infected attachments or malicious links for the purpose of eliciting sensitive data (e.g. credentials, bank account or credit card details) and/or infiltrating users’ computers. Phishers may also impersonate known connections (e.g. friends, legitimate organisations) on social media platforms to deliver phishing attacks so as to extract users’ sensitive data and credentials.

According to a number of cyber security threat trend reports, phishing attacks continue to be the most common form of cyber attacks in recent years. A successful phishing attack may have serious consequences for the victims. For individuals, the attack can lead to account takeover, unauthorised financial transactions, credit card fraud, infection by malware or ransomware, etc. For organisations, the attack enables cybercriminals to perform malicious activities such as raiding privileged accounts, stealing sensitive information or disrupting business services, etc. To avoid falling victim to phishing attacks, it is important to understand how to identify and mitigate phishing attacks through raising security awareness of individuals, establishment of proper security policies and deployment of anti-phishing solutions.

Common Types of Phishing
1.
Deceptive Phishing is the most prevalent type of phishing attack. Phishers craft messages that look almost identical to those of legitimate companies or reputable sources and conduct mass mailings to lure individuals into providing sensitive data such as personally identifiable information (PII), banking and credit card details, login credentials, etc.
2.
Spear Phishing is a more sophisticated form of deceptive phishing attack for specific individuals or companies. Phishers make use of personal information obtained from different sources, such as public information disclosed in social media, to craft customised content to impersonate trusted parties and send it to a specific group of individuals or companies to request the recipients to perform illicit actions such as initiate unauthorised financial transactions, divulge sensitive personal or business information, etc.
3.
Watering Hole Phishing (also known as Water-holing) seeks to compromise some websites, say by injecting malicious code, which are mostly visited by a specific group of users. Once users visit the compromised websites and are deceived into loading infected files, malware can be installed onto user’s computer to perform malicious actions without users’ knowledge.
4.
Vishing involves verbal scams by phishers to trick an individual or organisation into performing actions that are in the best interests of the phishers. The verbal scams can be carried out in various ways such as making a phone call with a falsified caller ID to obfuscate the users, or using an interactive voice response system to redirect users to chat with the phishers directly in order to lure the users into disclosing personal information, etc.
5.
Smishing involves phishers sending unsolicited mobile phone SMS text messages mimicking trusted third party to trick users into clicking a malicious link that may redirect the users to a malicious website to lure individuals into providing sensitive data, or providing personal information by replying to the SMS messages, etc.
6.
Pharming is an attack that redirects a user’s web access from a legitimate website to a fraudulent website for the purpose of stealing user’s login credentials or sensitive data. The attack can be conducted through the following ways:
Malware-based pharming – Install malware on users’ computers to modify the computers’ local host files and redirect users to malicious websites.
Domain Name System (DNS) server poisoning – Exploit vulnerabilities in DNS servers to alter DNS records and redirect users to malicious websites.
7.
Wi-Fi Phishing attempts to steal sensitive data by convincing wireless network users to connect their mobile devices to the malicious Wi-Fi access point (AP) in the following ways:
Malicious rogue AP – Phishers install a malicious wireless AP to provide wireless network connection to trick users into entering login credentials, or the phishers perform man-in-the-middle (MITM) attack through the malicious AP.
Evil Twin – Phishers create malicious Wi-Fi AP pretending to be a legitimate Wi-Fi hotspot with same Wi-Fi service set identifier (SSID), basic service set identifier (BSSID), captive portals, etc. to trick users into disclosing login credentials or sensitive data.
8.
Quick Response (QR) Code Phishing is a type of scam where phishers hide the malicious links in QR codes and take advantages of the implicit trust of users to perform thoughtless action in scanning the QR codes so as to carry out malicious actions on mobile devices. For instance, the actions can be redirecting user to a malicious website to capture user’s sensitive data, connecting the device to a compromised Wi-Fi network or making a payment automatically, etc.
9.
Pop-up Phishing involves “pop-up” windows with fraudulent messages for users when they are surfing the web. A fake “pop-up” are designed to entice users into clicking on the “pop-up” windows that redirect them to malicious websites to steal sensitive data.
10.
Social Media Phishing encompass online scams based on implied trust of social media channels like Facebook, Twitter, etc. to trick users into providing login credentials or sensitive data by impersonation, romance scams, fake event invitations, etc.
Common Signs of Phishing Scams

Phishing attempt can be recognised by users who stay vigilant when they come across the following common characteristics of phishing messages and websites:


Phishing message

It is sent from a questionable email address (such as misspelt or similar to a legitimate email address, e.g. @g0v.hk).
It contains suspicious or unexpected attachments (e.g. files with extension like “.exe”, “.cmd”, “.bat”) which are embedded with malicious code and can be executed to download malware.
It may contain generic greeting such as “Hi” or “Dear Ladies and Gentlemen”, etc.
It is poorly written, with grammatical or spelling mistakes.
It may ask for personal or sensitive information online (e.g. identity card number or user’s billing address).
It may contain important notice which requires immediate actions, conveys messages of threat or gives an offer that is too good to be true (e.g. free overseas trip ticket).
It may contain shortened Uniform Resource Locators (URLs) in order to bypass blacklist-based spam filters.
It may copy contents such as texts, logos, images, styles used on the legitimate website to make it look genuine.

Phishing website

It may use genuine looking content such as images, texts, logos or even clone a legitimate website to entice visitors into entering their sensitive information, such as personal accounts or financial information.
It may contain actual links to web contents of the legitimate website such as Contact Us, Site Map or Disclaimer to trick the visitors.
It may use a similar website address as that of the legitimate website.
It may contain Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) that can redirect visitors to malicious website once they passed the CAPTCHA test.
It may contain input fields asking visitors to input sensitive data like login credentials.
It may be in the form of pop-up window that shows in the foreground together with the genuine web page in the background for the purpose of obfuscating the visitors who think they are visiting a legitimate website.
It may spoof the URL of a legitimate website by using scripts or Hypertext Markup Language (HTML) commands to construct fake address bar in place of the original address.
Users’ Actions Leading to Victims of Phishing

Users may fall victim to phishing attacks if they perform the following actions when receiving phishing messages:

Click on fraudulent links.
Open / Execute infected attachments.
Fill out and Submit forms which ask for sensitive data (e.g. credit card information, PII, etc.) on malicious phishing websites.
Disclose sensitive data to phishers via emails, phones or social media, etc.
Perform actions such as transferring funds upon request by phishers who impersonate a known individual or a senior executive.
Connect to rogue Wi-Fi AP and perform transactions involving sensitive information such as conducting financial transactions, sending personal information without encryption, etc.
Potential Impacts of Phishing
Financial Loss
With sensitive data obtained from victims, phishers can conduct various illegal activities such as transferring victims’ money to their pockets. Significant financial loss may also be resulted from the loss of valuable intellectual property, including trademarks, patents, trade secrets, etc.
Damage to the Brand Reputation
Phishers can further make use of information obtained from users to blackmail, intimidate users’ contacts or even perform illegal activities, e.g. hacking into systems of users’ organisations to steal confidential information, causing users to be blamed or even get into legal and liability problems. As for an organisation being attacked, it may suffer reputational damage to its brand, and its customers may move their business elsewhere due to losing trust in the organisation in safeguarding their data.
Subsequent Targeted Attacks through Stolen Credentials
A successful phishing attack can lead to identity theft. Phishers can impersonate a legitimate entity to trick users into providing sensitive data like PII or financial data through phishing and use the information obtained fraudulently to impersonate users for illicit purposes.
Business Disruption
Phishers can disrupt business operations through phishing attacks. For instance, an organisation’s normal operations can be seriously disrupted if its computer systems are infected by malware caused by phishing attacks. Such type of disruption can even cause disasters to particular business sectors like the healthcare sector if malware-infected medical devices cannot function to provide much-needed care for patients.
Best Practices to Protect Against Phishing

General Recommendations


For Individuals

Stay Vigilant against Suspicious Messages
Phishing messages can be tricky and may not be detected easily. Users should always stay vigilant against suspicious messages by heeding the following recommendations:
Check the message content carefully. Stay vigilant if the message contains too-good-to-be-true offers, creates a sense of urgency for specific actions from users, contains illogical flow of content or has poor grammar, etc.
Verify the identity of the message sender if the sender is asking for sensitive data.
Avoid opening any suspicious or unexpected attachments. Some executable attachments with extension like “.exe”, “.cmd”, “.bat” can be malwares created by phishers. Users should not open any attachments from unknown sources or if in doubt.
Never send personal and/or sensitive information to third parties until their identities have been verified.
Verify URLs carefully before clicking. Check URLs with anti-malware website scanners before clicking on them if the URLs look suspicious.
Identify the full version of the shortened URLs with a shortened URL checker if it is sent from suspicious sources.
Avoid responding to any suspicious payment request. Verify the payment request thoroughly before performing the actual payment.
Make sure the QR code is legitimate. Beware of overlay malicious QR code stickers on any posters / signs.
Avoid Sharing Too Many Personal Details Online
Users should not overshare personal and sensitive information on their social media or other public channels as this would result in identity theft where personal data would be used by hackers to impersonate users for fraudulent purposes.
Avoid Using Public Wi-Fi Networks
Phishers may initiate Wi-Fi phishing through public networks. Users can protect themselves against Wi-Fi phishing if they do not connect to unknown public networks. They can choose to use mobile tethering and hotspot capabilities from their mobile phones instead of an unsecured public Wi-Fi to set up a private and secure data connection.
Do Your Own Typing
Instead of clicking on the link sent via an email, users can type the URL into the web browser themselves to avoid falling victim to phishing attacks as phishers can mask the true destination of the URL that looks like the real one.

For Organisations

Promote User Awareness Training
Enhancing user awareness of phishing is important since the risks and impacts of phishing incidents are escalating in recent years. Companies should conduct trainings like simulated phishing campaigns for employees regularly to strengthen their cyber security vigilance and reduce their chances of falling victim to phishing attacks.
Adopt Technological Solutions
Companies can consider deploying the following technological solutions to defend against phishing attacks:
Multi-factor authentication (MFA) – MFA requires two or more factors when a person attempts to log in a computer system. This can prevent an unauthorised person, who could be a phisher, from gaining access to users’ systems if the only one authentication factor was compromised.
URL-based filter – URL-based filter limits access by comparing web traffic against threat intelligence sources like filtering policies on a database to prevent employees from accessing malicious sites.
Firewalls – Firewalls can filter Internet traffic, detecting and blocking data exfiltration attempts which are performed via unauthorised communications channels.
Anti-malware and anti-spam software – Help blocking the installation and execution of malware, detecting and removing infected files, etc. to mitigate risks when users click on malicious links or files.
Anti-phishing filters – Detect and block phishing emails by comparing Uniform Resource Identifiers (URIs) presented in emails to a database of URIs known to be used in phishing attacks.
Website certificates – Deploy website certificates issued by a trusted certification authority (CA) to provide assurances to users on the validity of the organisation’s websites. The common certificates are Domain Validation (DV), Organisation Validation (OV), Individual Validation (IV) and Extended Validation (EV). Organisations can choose to deploy the respective type of certificates according to their business needs.
Email security measures – Implement email validation measures like DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting & Conformance (DMARC), etc. to protect an organisation’s email domain from being used for cybercrimes like email spoofing, phishing scams, etc. Organisations can also implement additional email security measures to defend against emerging email phishing attacks. (Please refer to Protection against Phishing Attacks for SME and Tips for SME on Handling Spam Emails)
Anti-Phishing Policies
Organisations should develop comprehensive anti-phishing policies for email encryption, social media and web access, access rights settings, etc. to protect organisations’ computer systems against possible phishing attacks. The policies should cover in considerable detail the legal, management, technical and procedural needs of organisations to build up proper anti-phishing practices and enable them to defense against challenges of evolving threats of phishing attacks.
Respond to Phishing Attacks
Delete the phishing message immediately to prevent users from accessing the malicious contents again.
Reset users’ login credentials (e.g. login password) if user accounts are supposedly compromised.
Take the infected devices offline and perform a complete scan of the devices concerned to verify if malware has been downloaded.
Report to appropriate parties (e.g. IT administrators) immediately for investigation and cleansing. Report the case to law enforcement agencies or regulatory bodies such as the Hong Kong Police Force and the Office of the Privacy Commissioner for Personal Data if criminal activities and leakage of personal data are involved respectively. Seek advice from the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) on incident response and recovery, if necessary.
Make proper responses to any public or press enquiries.
Issue alerts to related parties such as affected users in organisations, customers, etc. about the details of phishing attacks and recommend appropriate actions (e.g. change the password immediately, update the system to the latest version, etc.) to the parties concerned.
Investigate the root cause of attacks, whether it is due to human error or security vulnerabilities existing in computer systems, etc. and implement mitigation measures to cope with the attacks.
Conduct an audit to ensure the measures recommended for mitigating phishing risks are properly implemented.
Extended Readings
1.
Department for Digital, Culture, Media and Sport (DCMS) - Cyber Security Breaches Survey 2020
2.
Australian Cyber Security Centre (ACSC) - ACSC Annual Cyber Threat Report July 2019 to June 2020
3.
Cybersecurity & Infrastructure Security Agency (CISA) - Avoiding Social Engineering and Phishing Attacks
4.
Hong Kong Police Force (HKPF) - Latest Scam Alerts - CEO Email Scam(Chinese version only)
5.
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) - Hong Kong Security Watch Report (Q2 2020)