AP®︎/College Computer Science Principles
The Internet is a network of computers filled with valuable data, so there are many security mechanisms in place to protect that data.
But there's a weakest link: the human. If the user freely gives away their personal data or access to their computer, it's much harder for security mechanisms to protect their data and devices.
A phishing attack is an attempt to trick a user into divulging their private information.
Illustration of a phishing attack. An attacker has a fishing line with a hook through a web browser. The web browser has a password field with "UsersR3alP@ssword" filled in.
An example attack
A phishing attack typically starts with an email that claims to be from a legitimate website, like a banking website or online store:
Screenshot of a phishing email. Subject line says "Your PayPal Access Blocked !". Email is from "PayPal firstname.lastname@example.org". Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses. How can I fix the problem? Confirm all your details on our server. Just click below and follow all of the steps. Confirm Account Details Now." There are two hyperlinked parts of the text.
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the original site:
Screenshot of a phishing website. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". Main area of screen contains login box with PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button.
If the user is convinced and enters private details on the site, that data is now in the hands of the attacker! If the user filled in login details, they can then use those credentials to log in to the real website, or if the user provided credit card details, they can use the credit card to make purchases anywhere.
Signs of a phishing attack
Fortunately, there are some tell-tale signs of phishing scams.
Suspicious email address
Phishing emails will often come from addresses at domains that don't belong to the legitimate company.
Screenshot of phishing email, cropped to show just the from line. Email is from "PayPal email@example.com". The email address is highlighted with a circle.
However, a legitimate-looking email address is not a guarantee that an email is 100% safe. Attackers might have found a way to spoof the legitimate address, or they might have broken into the real email account and be sending from it.
Suspicious URLs
Phishing emails will often link to a website with a URL that looks legitimate but is actually a website controlled by the attacker.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". The address is highlighted with a circle.
Attackers use a variety of strategies to make tempting URLs:
- Misspellings of the original URL or company name. For example, "goggle.com" instead of "google.com".
- A spelling that uses similar-looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The final "а" in the first domain and the "a" in the second are actually different characters, even though they look identical.
- Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second domain, but they have no control over the first.
- A different top-level domain (TLD). For example, "paypal.io" versus "paypal.com". Popular companies try to buy their domain with the most common TLDs, such as ".net", ".com", and ".org", but there are hundreds of TLDs out there.
Even if an attacker hasn't found a similar looking URL to host their malicious webpage, they can still try to disguise the URL in the HTML.
Consider this very legitimate looking text:
Visit www.paypal.com to change your password.
Now try clicking the link. You didn't land on PayPal, did you? That's because the text of a link isn't the same as the destination of the link.
Here's what the HTML looks like:
Visit <a href="http://malicious-link.com">www.paypal.com</a> to change your password.
An attacker might disguise links in that way in an email message or a webpage. Whenever you click a dubious link, it's important to check the URL in the browser bar to see where your browser actually landed.
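As an added example (not code from the original article), here is a small Python checker that applies the URL tricks listed above and the link-text-versus-destination mismatch to a host name or to an HTML fragment. The confusables table is a partial, hand-built list; the "last two labels" rule for the registrable domain is a simplification that a real tool would replace with the Public Suffix List; the host names and the HTML fragment in the demo are the article's own examples.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Partial table of Cyrillic letters that render like Latin ones (constructed for
# this example; a real checker would use the full Unicode confusables data).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i"}

def script_of(ch):
    """Coarse script name ('LATIN', 'CYRILLIC', ...) from the Unicode character name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"

def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels.
    Real code would consult the Public Suffix List so 'example.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(host, trusted):
    """Reasons why `host` imitates `trusted` without being it.
    An empty list means the same domain or a genuine subdomain of it."""
    host, trusted = host.lower().rstrip("."), trusted.lower()
    if host == trusted or host.endswith("." + trusted):
        return []
    reasons = []
    # 1. Letters from another script (IDN homograph, e.g. Cyrillic 'а')
    scripts = {script_of(c) for c in host if c.isalpha()} - {"LATIN"}
    if scripts:
        reasons.append("non-Latin letters: " + ", ".join(sorted(scripts)))
    folded = "".join(CONFUSABLES.get(c, c) for c in host)
    if folded == trusted:
        reasons.append("homograph of the trusted domain")
    labels = folded.split(".")
    trusted_sld, trusted_tld = trusted.rsplit(".", 1)
    host_sld, host_tld = (registrable_domain(folded).rsplit(".", 1) + [""])[:2]
    # 2. Trusted name placed in a subdomain ("paypal.accounts.com") or inside a longer label
    if trusted_sld in labels[:-2]:
        reasons.append("trusted name used as a subdomain of " + registrable_domain(folded))
    elif trusted_sld in host_sld and host_sld != trusted_sld:
        reasons.append("trusted name embedded in the label " + repr(host_sld))
    # 3. Same name, other TLD ("paypal.io"); 4. small misspelling ("goggle")
    if host_sld == trusted_sld and host_tld != trusted_tld:
        reasons.append("different top-level domain: ." + host_tld)
    elif 1 <= edit_distance(host_sld, trusted_sld) <= 2:
        reasons.append("misspelling of " + repr(trusted_sld))
    return reasons

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def disguised_links(html):
    """(text, href host) pairs where the link text names a domain the href does not go to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if "." not in text:          # plain words like "Click here" carry no domain claim
            continue
        href_host = urlsplit(href).hostname or ""
        # Bare link text such as 'www.paypal.com' has no scheme; add one so urlsplit parses it
        text_host = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(text_host) != registrable_domain(href_host):
            flagged.append((text, href_host))
    return flagged

if __name__ == "__main__":
    for host in ["accounts.paypal.com", "paypal.accounts.com", "paypal.io", "paypal--accounts.com"]:
        print(host, "->", lookalike_reasons(host, "paypal.com") or "ok")
    print("goggle.com ->", lookalike_reasons("goggle.com", "google.com"))
    print("wikipedi\u0430.org ->", lookalike_reasons("wikipedi\u0430.org", "wikipedia.org"))
    print(disguised_links('Visit <a href="http://malicious-link.com">www.paypal.com</a> to change your password.'))
```

The checker is only a heuristic: it flags the patterns the article describes (subdomain tricks, other TLDs, misspellings, Cyrillic homographs, a trusted name embedded in a longer label, and anchor text that names a different domain from the one in the href), and an address that passes it is not thereby proven legitimate, which is why the article also recommends checking the URL in the browser bar after clicking.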
Non-secured HTTP connections
Any website that is asking you for sensitive information should be using HTTPS to encrypt the data sent over the Internet.
Phishing websites don't always go through the extra effort to use HTTPS.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "Not Secure" and URL "paypal--accounts.com". The "Not Secure" warning is highlighted with a circle.
However, one 2019 report found that more than two-thirds of all phishing websites used HTTPS, so a secured connection does not necessarily mean a legitimate website.
Requests for sensitive information
Phishing emails will often ask you to either reply with personal information or fill out a form on a website. Most legitimate companies do not need you to verify personal information after the original account creation.
Screenshot of a phishing website, cropped to show just the login form. Login form has PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button. The email and password fields are highlighted with circles.
Urgency and scare tactics
Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.
Screenshot of phishing email, cropped to show part of the body. Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses." The heading and final line are highlighted with circles.
Handling a phishing attack
Every phishing scam will vary in its sophistication, so some emails may be very obviously fake while other emails can be incredibly convincing.
If you ever suspect an email is a phishing attack, do not click on any links or download any attached files.
Find another way to contact the supposed sender to see if the email is legit. If the email's from a company, you can search online for their phone number. If it's from a friend or colleague, you can message them or give them a call.
There's a newer type of phishing that's even more popular and dangerous: spear phishing. Instead of sending the same email to many users, a spear phisher researches a particular user and sends an email crafted specifically for them.
Spear phishing attacks often target people within an organization, with the goal of gaining access to the organization's data.
One of my colleagues received this spear phishing email that claimed to be from Sal Khan himself:
Screenshot of an email with subject line "Request" and sender "Sal Khan firstname.lastname@example.org" with body text "When you get a minute, could you please drop me an email. Best regards, Sal Khan, CEO"
Fortunately, it was obviously a spear phishing email from the sender's email address.
But not all spear phishing attempts are so obvious and not all targets are so vigilant. If just one person in an organization accidentally reveals their credentials or downloads malware onto their work computer, an attacker can potentially breach their entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬
- At the bottom of the article it says
"🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google."
the link takes me to
Is this a trick question? Does google actually own "withgoogle.com"?(16 votes)
- You can trust the link. One way to check is to visit the site, click the "lock" icon and check the certificate before proceeding. It's from Google and verified.(9 votes)
- Btw on the part that compares the two wikipedia domains, the urls look the same.(3 votes)
- That is exactly why such an attack could be effective. If you happen to use a Unicode character identifier on both of the URLs though, you would notice that they are actually different.(6 votes)
- I must be blind because I cannot see a difference. Pls help
(A spelling that uses similar looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "e" and the "a" are actually different characters in those two domains.)(2 votes)
- In the first "wikipedia.org", all the letters, except the "a" are Latin small letters. The "a" is a Cyrillic small letter. You can't really tell this just by looking at the characters (which is why it is so hard to catch).(4 votes)
- Btw on the part that compares the two wikipedia domains, the urls look the same(2 votes)
- Yes, phishing attacks can be hard to detect. However, if you were to copy and paste the two Wikipedia links into a Unicode character identifier, you would notice that the "a" is actually a different character in the first link.(3 votes)
- Do some websites/companies take measures against phishing attacks?
There used to be a scam call claiming to be from the IRS, but people knew it was fake because the IRS doesn't make calls. What are some other ways to prevent phishing?(2 votes)
- There is almost nothing a website/company can do to prevent a phishing attack. A professional attacker will design their own login pages that look similar to those of the actual website. When you enter your information, that information will be sent to two places, the actual website and the man in the middle (the attacker). You will then be redirected to the actual website and you won't be able to know if you were phished until the hacker has gained access to your account.
To prevent a phishing attack, I recommend that if you receive an email from Instagram, Facebook, or any other website, go to the actual website and check. Do not click on any link or enter your information directly from the email unless you are 100% sure that the email sent is not a phishing attack.(1 vote)
- Why does PayPal give chances to win money just for signing up?(3 votes)
- How do Phishing scams happen?(2 votes)
- Why do phishing attacks start with emails and not texts? Is it easier to get emails than phone numbers?(1 vote)
- Technically, when it is done over a phone call or voice message, it is referred to as "vishing" (voice phishing). When it is done over a text message, it is called "smishing" (SMS phishing).(1 vote)
- How did you make the fake link? It says it is PayPal but it didn't bring me there. 🤔(1 vote)