Which of the following is described as an attacker who pretends to be from a legitimate research firm and asks for personal information?

Phishing is a method of identity theft that relies on individuals unwittingly volunteering personal details or information that can then be used for nefarious purposes. It is often carried out through the creation of a fraudulent website, email, or text appearing to represent a legitimate firm.

A scammer may use a fraudulent website that appears on the surface to look the same as the legitimate website. Visitors to the site, thinking they are interacting with a real business, may submit their personal information, such as social security numbers, account numbers, login IDs, and passwords, to this site. The scammers then use the information submitted to steal visitors' money, identity, or both; or to sell the information to other criminal parties.

Phishing may also occur in the form of emails or texts from scammers that are made to appear as if they are sent from a legitimate business. These fake emails or texts may install programs like ransomware that can allow scammers to access a victim's computer or network.

  • Phishing is a type of data theft that involves people unknowingly volunteering their personal information to a bad actor.
  • A phishing attempt may utilize an official-looking website, email, or other forms of communication to trick users into handing over details like credit card numbers, social security numbers, or passwords.
  • Phishing websites can appear identical to official websites, prompting users to input their real credentials on the malicious website.

Phishing scammers create a false sense of security for their targets by spoofing or replicating the familiar, trusted logos of well-known, legitimate companies, or they pretend to be a friend or family member of their victims. Often, the scammers attempt to persuade victims they need personal information urgently, or the victim will experience a severe consequence, such as frozen accounts or personal injury.

A classic example of phishing is an identity thief setting up a website that looks like it belongs to a major bank. Then, that thief sends out many emails that claim to be from the major bank and request the email recipients to input their personal banking information (such as their PIN) into the website so the bank may update their records. Once the scammer gets a hold of the needed personal information, they attempt to access the victim's bank account.

Phishing scams are some of the most common attacks on consumers. According to the FBI, more than 323,972 people fell victim to phishing scams in 2021. Collectively, they lost $44.2 million.

The following highlights signs of phishing, and how to protect yourself.

  1. Exceptionally good deals or offers. If an email touts offers that are too good to be true, they probably are. For example, an email claiming you've won the lottery or some other lavish prize may be luring you in to get you to click a link or relay sensitive personal information.
  2. Unknown or unusual senders. Though phishing emails may look like they originate from someone you know, if anything seems out of the ordinary, be cautious. When in doubt, hover over the email address of the sender to ensure the email address matches the email address you expect. Place a phone call to the company if you are unsure of an email or website. Don't respond to emails with any personal information. (See the image below for an example of an unusual sender's email address).
  3. Hyperlinks and attachments. These are particularly concerning if received from an unknown sender. Never open links or attachments unless you are confident they are from a safe sender. Type in the link address rather than clicking the link.
  4. Incorrect spelling in the web address. Phishing sites often use web addresses that look similar to the correct site, but contain a simple misspelling, like replacing a "1" for an "l".
  5. Immediate pop-ups. Be wary of websites that immediately display pop-up windows, especially those asking for your username and password. Use two-factor authentication, a browser with anti-phishing detection, and keep security on your systems up-to-date.

A phishing email. Note the suspicious return email address that has nothing to do with Netflix.

According to the Federal Trade Commission (FTC), phishing emails and text messages frequently tell stories to trick people into clicking on a link or opening an attachment. For example, phishing attempts may:

  • Say they've noticed suspicious activity or log-in attempts on your account
  • Claim there's a problem with your account or payment information
  • Say you need to confirm or update personal information
  • Include a fake invoice
  • Ask you to click on a link to make a payment
  • Claim you're eligible to sign up for a government refund
  • Offer a coupon for free goods or services

Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication. Attackers will commonly use phishing emails to distribute malicious links or attachments that can perform a variety of functions. Some will extract login credentials or account information from victims.

Deceptive phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a seemingly legitimate phishing email than it is to break through a computer's defenses. Learning more about phishing is important to learn how to detect and prevent it.

How phishing works

Phishing attacks typically rely on social engineering techniques applied to email or other electronic communication methods, including direct messages sent over social networks and SMS text messages.

Phishers can use public sources of information, typically social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and work history, interests and activities. These sources are normally used to uncover information such as names, job titles and email addresses of potential victims. This information can then be used to craft a believable email.

Beware of suspicious emails phishing for sensitive information.

Typically, a victim receives a message that appears to have been sent by a known contact or organization. The attack is then carried out either through a malicious file attachment, or through links connecting to malicious websites. In either case, the objective is to install malware on the user's device or direct the victim to a fake website. Fake websites are set up to trick victims into divulging personal and financial information, such as passwords, account IDs or credit card details.

Although many phishing emails are poorly written and clearly fake, cybercriminal groups increasingly use the same techniques professional marketers use to identify the most effective types of messages.

How to recognize a phishing email

Successful phishing messages are difficult to distinguish from real messages. Usually, they are represented as being from a well-known company, even including corporate logos and other collected identifying data.

However, there are several clues that can indicate a message is a phishing attempt. These include:

  • The message uses subdomains, misspelled URLs (typosquatting) or otherwise suspicious URLs.
  • The sender uses a Gmail or other public email address rather than a corporate email address.
  • The message is written to invoke fear or a sense of urgency.
  • The message includes a request to verify personal information, such as financial details or a password.
  • The message is poorly written and has spelling and grammatical errors.

Cybercriminals continue to hone their skills, refining existing phishing attacks and creating new types of phishing scams. Some common types of phishing attacks include:

Spear phishing attacks, which are directed at specific individuals or companies. These attacks usually employ gathered information specific to the victim to more successfully represent the message as being authentic. Spear phishing emails might include references to co-workers or executives at the victim's organization, as well as the use of the victim's name, location or other personal information.

Whaling attacks are a type of spear phishing attack that specifically targets senior executives within an organization. This attack often carries the objective of stealing large sums. Those preparing a spear phishing campaign research their victims in detail to create a more genuine message. Using information relevant or specific to a target increases the chances of the attack being successful.

Because a typical whaling attack targets an employee with the ability to authorize payments, the phishing message often appears to be a command from an executive to authorize a large payment to a vendor when, in fact, the payment would be made to the attackers.

Pharming is a type of phishing attack that uses DNS cache poisoning to redirect users from a legitimate site to a fraudulent one. This is done in an attempt to trick users into attempting to log in to the fake site with personal credentials.

Clone phishing attacks use previously delivered but legitimate emails that contain either a link or an attachment. Attackers make a copy -- or clone -- of the legitimate email, and replace any number of links or attached files with malicious ones. Victims can often be tricked into clicking the malicious link or opening the malicious attachment.

This technique is often used by attackers who have taken control of another victim's system. In this case, the attackers use their control of one system within an organization to email messages from a trusted sender, known to the victims.

Phishers sometimes use the evil twin Wi-Fi attack by starting up a Wi-Fi access point and advertising it with a deceptive name, normally one similar to a real-sounding access point. When victims connect to the evil twin network, the attackers gain access to all transmissions to or from victim devices. This includes access to user IDs and passwords. Attackers can also use this vector to target victim devices with their own fraudulent prompts.

Voice phishing is a form of phishing that occurs over voice-based media, including voice over IP (VoIP) or plain old telephone service (POTS). A typical scam of this type uses speech synthesis software to leave voicemails notifying the victim of suspicious activity in a bank or credit account. The call will solicit the victim to respond to verify their identity -- thus compromising the victim's account credentials.

Another mobile device-oriented phishing attack, SMS phishing uses text messaging to convince victims to disclose account credentials or install malware.

Phishing techniques

Phishing attacks depend on more than simply sending an email to victims and hoping that they click on a malicious link or open a malicious attachment. Attackers use several techniques to entrap their victims:

  • JavaScript can be used to place a picture of a legitimate URL over a browser's address bar. The URL is revealed by hovering over an embedded link and can also be changed by using JavaScript.
  • Link manipulation, often referred to as URL hiding, is present in many common types of phishing, and used in different ways. The simplest approach is to create a malicious URL that is displayed as if it were linking to a legitimate site or webpage, but to have the actual link point to a malicious web resource.
  • Link shortening services like Bitly may be used to hide the link destination. Victims have no way of knowing whether the shortened URLs point to legitimate web resources or to malicious resources.
  • Homograph spoofing depends on URLs that were created using different characters to read exactly like a trusted domain. For example, attackers may register domains that use slightly different character sets that are close enough to established, well-known domains.
  • Rendering all or part of a message as a graphical image sometimes enables attackers to bypass phishing defenses. Some security software will scan emails for particular phrases or terms common in phishing emails. Rendering the message as an image will bypass this.
  • Another phishing tactic relies on a covert redirect, which is where an open redirect vulnerability fails to check if a redirected URL is pointing to a trusted source. In that case, the redirected URL is an intermediate, malicious page that solicits authentication information from the victim. This happens before forwarding the victim's browser to the legitimate site.
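The link tricks listed above (display text that does not match the real destination, shorteners, punycode homographs and "1"-for-"l" typosquats) are what the "hover over the link" advice is meant to catch. The following is an added example, not code from the original article, that automates that check over the anchors in an HTML message using only the Python standard library; the shortener list, the confusable table, the sample message and every domain in it are constructed for illustration (`.test` is a reserved TLD).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for this example; extend them for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}  # "1" for "l", etc.

class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a public-suffix list is better."""
    return ".".join(host.lower().split(".")[-2:])

def normalize_confusables(name):
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    return name

def analyze_link(href, text, trusted_domains):
    """Return findings for one anchor; an empty list means nothing odd."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    reg = registrable_domain(host)
    # 1. Visible text looks like a URL but the href goes somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"display text '{m.group(1)}' != href host '{host}'")
    # 2. A shortener hides the real destination.
    if host in SHORTENERS:
        findings.append(f"shortener {host} hides destination")
    # 3. Punycode labels are how IDN homograph lookalikes appear on the wire.
    if any(lbl.startswith("xn--") for lbl in host.split(".")):
        findings.append("punycode (xn--) label in host")
    # 4. ASCII confusable typosquat of a domain we trust.
    for trusted in trusted_domains:
        if reg != trusted and normalize_confusables(reg) == trusted:
            findings.append(f"'{reg}' is a confusable lookalike of {trusted}")
    return findings

def analyze_email(html, trusted_domains):
    """Map each suspicious href in the body to its findings."""
    parser = _LinkParser()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        findings = analyze_link(href, text, trusted_domains)
        if findings:
            report[href] = findings
    return report

# Constructed sample message; .test is a reserved TLD, so nothing here is real.
SAMPLE_HTML = """
<p>We noticed unusual activity. Please visit <a href="http://paypa1.test/login">
https://www.paypal.test/verify</a> within 24 hours.</p>
<p>Or use <a href="https://bit.ly/abc123">this link</a>.</p>
<p>Help: <a href="https://www.paypal.test/help">PayPal Help Center</a></p>
"""
```

Calling `analyze_email(SAMPLE_HTML, {"paypal.test"})` flags the first two links and leaves the genuine help-center link alone.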

How to prevent phishing

To help prevent phishing messages from reaching end users, experts recommend layering security controls, including:

  • antivirus software;
  • both desktop and network firewalls;
  • antispyware software;
  • antiphishing toolbar (installed in web browsers);
  • gateway email filter;
  • web security gateway;
  • a spam filter; and
  • phishing filters from vendors such as Microsoft.

Enterprise mail servers should make use of at least one email authentication standard in order to confirm inbound emails are verifiable. This can include the DomainKeys Identified Mail (DKIM) protocol, which enables users to block all messages except for those that have been cryptographically signed. The Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol is another example. DMARC provides a framework for using protocols to block unsolicited emails more effectively.
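What DMARC adds on top of DKIM and SPF is alignment: the domain that passed DKIM or SPF must match the domain in the visible From: header, which is exactly the header a phisher forges. The function below is an added example, not from the original article, of how a receiving server combines those results and the sender's published policy (RFC 7489) into a disposition. The DNS table is a constructed in-memory stand-in for the `_dmarc.<domain>` TXT lookup, and the SPF/DKIM outcomes are passed in as they would come from the authentication step; the organizational-domain helper is deliberately crude (no public-suffix list).

```python
# Constructed DNS stand-in: name -> DMARC TXT record (real code queries DNS).
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.net": "v=DMARC1; p=quarantine",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into its policy and alignment tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return {"p": tags["p"].lower(),
            "adkim": tags.get("adkim", "r").lower(),  # default: relaxed
            "aspf": tags.get("aspf", "r").lower()}

def org_domain(domain):
    """Crude organizational domain: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' or the published action: 'none', 'quarantine' or 'reject'.

    from_domain: domain of the visible From: header (what the user sees).
    spf_result/spf_domain: SPF outcome and the MAIL FROM domain it checked.
    dkim_result/dkim_domain: DKIM outcome and the d= tag of the verified
    signature (None when no signature verified).
    """
    record = DNS.get("_dmarc." + from_domain.lower())
    if record is None:
        return "none"  # no policy published: message is handled as before DMARC
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    # DMARC passes when EITHER mechanism passes AND is aligned with From:.
    # A spoofed From: with the attacker's own SPF-passing envelope fails here.
    return "pass" if (spf_ok or dkim_ok) else policy["p"]
```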

There are several resources on the internet that provide help to combat phishing. The Anti-Phishing Working Group Inc. and the federal government's OnGuardOnline.gov website both provide advice on how to spot, avoid and report phishing attacks. Interactive security awareness training aids, such as Wombat Security Technologies' PhishMe, can help teach employees how to avoid phishing traps. In addition, sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines that are circulating the internet.

Phishing examples

Phishing scams come in all shapes and sizes. Users can stay safe, alert and prepared by knowing about some of the more recent ways that scammers have been phishing. A few examples of more modern phishing attacks include:

Digital payment-based scams

These happen when major payment applications and websites are used as a ruse to gain sensitive information from phishing victims. In this scam, a phisher masquerades as an online payment service (such as PayPal, Venmo or TransferWise).

Generally, these attacks are performed through email, where a fake version of a trusted payment service asks a user to verify login details and other identifying information. Usually, they claim that this is necessary in order to resolve an issue with the user's account. Often, these phishing attempts include a link to a fraudulent "spoof" page.

PayPal is aware of these threats and has released informational materials for their customers to reference in order to stay prepared against phishing attacks. They recommend that anyone who receives a suspicious email from an account claiming to be PayPal should not click any links, but instead use the hovering technique outlined above to see if the link address matches PayPal's actual domain. PayPal also advises users to then separately log in to their account to make sure everything looks like it should.

If a user is unsure of how to spot a fraudulent online-payment phishing email, there are a few details to look out for. Generally, a phishing email from PayPal has been known to include:

  • Dodgy greetings that do not include the victim's name. Official emails from PayPal will always address users by their actual name or business title. Phishing attempts in this sector tend to begin with "Dear user," or use an email address instead.
  • In the case of PayPal and other online payment services, some of these scams "alert" their potential victims to the fact that their account will soon be suspended. Others claim that users were accidentally "overpaid" and now need to send money back to a fake account.
  • Downloadable attachments are not something that PayPal sends to its users. If a person receives an email from PayPal or another similar service that includes an attachment, they should not download it.

If a person receives one of these emails, they should open their payment page on a separate browser tab or window and see if their account has any alerts. If a user has been overpaid or is facing suspension, it will say so there. Additionally, PayPal urges users to report any suspicious activity to them, so they can continue to monitor these attempts and prevent their users from getting scammed.

Finance-based phishing attacks

This is a common form of phishing, and it operates on the assumption that victims will panic into giving the scammer personal information. Usually, in these cases, the scammer poses as a bank or other financial institution. In an email or phone call, the scammer informs their potential victim that their security has been compromised. Often, scammers will use the threat of identity theft to successfully do just that.

A few examples of this scam include:

  • Suspicious emails about money transfers that will confuse the victim. In these phishing attempts, the potential victim receives an email that contains a receipt or rejection notice regarding an ACH transfer. Often, the victim who sees this email will instantly assume fraudulent charges have been made in their account and clicks a bad link in the message. This will leave their personal data vulnerable to being mined.
  • Direct deposit scams are often used on new employees of a company or business. In these scams, the victims receive notice that their login information is not working. Anxious about not getting paid, the victims click a "phishy" link in the email. This will lead the victim to a spoof website that installs malware to their system. From there, their banking information is vulnerable to harvesting, leading to fraudulent charges.

Work-related phishing scams

These are especially alarming, as this type of scam can be very personalized and hard to spot. In these cases, an attacker purporting to be the recipient's boss, CEO or CFO contacts the victim, and requests a wire transfer or a fake purchase.

One work-related scam that has been popping up around businesses in the last couple of years is a ploy to harvest passwords. This scam often targets executive-level employees, since they are likely not considering that an email from their boss could be a scam. The fraudulent email often works because, instead of being alarmist, it simply talks about regular workplace subjects. Usually, it informs the victim that a scheduled meeting needs to be changed.

From there, the employee is asked to fill out a poll, via a link, about when a good time to reschedule would be. That link will then bring the victim to a spoof login page for Office 365 or Microsoft Outlook. Once they have entered their login information, the scammers steal their password.

History of phishing

The history of the term phishing is not entirely clear.

One common explanation for the term is that phishing is a homophone of fishing, named so because phishing scams use lures to catch unsuspecting victims, or fish.

Another explanation for the origin of phishing comes from a string -- <>< -- which is often found in AOL chat logs. Those characters were a common HTML tag found in chat transcripts. Because it occurred so frequently in those logs, AOL admins could not productively search for it as a marker of potentially improper activity. Black hat hackers would then replace any reference to illegal activity -- including credit card or account credentials theft -- with the string. All of which could have eventually given the activity its name, since the characters appear to be a simple rendering of a fish.

In the early 1990s, a group of individuals called the Warez Group created an algorithm that would generate credit card numbers. The numbers were created at random in the attempt to create fake AOL accounts. The faked account would then spam other AOL accounts. Some individuals would try to change their AOL screen names to appear as AOL administrators. Using these screen names, they would then "phish" people via AOL Messenger for their information.

In the early 2000s, phishing saw more changes in implementation. The "love bug of 2000" is an example of this. Potential victims were sent an email with a message saying "ILOVEYOU," pointing to an attachment letter. That attachment held a worm that would overwrite files on the victim's computer and copy itself to the user's contact list.

Also, in the early 2000s, different phishers began to register phishing websites. A phishing website is a domain similar in name and appearance to an official website. They’re made in order to fool someone into believing it is legitimate.

Today, phishing schemes have gotten more varied, and are potentially more dangerous than before. With the integration of social media and log in methods such as "login with Facebook," an attacker could potentially commit several data breaches on an individual using one phished password, making them vulnerable to ransomware attacks in the process. More modern technologies are also being utilized now. As an example, the CEO of an energy firm in the U.K. had thought they were speaking on the phone with their boss. They were being told to send funds to a specific supplier, when it was really a phishing scheme that used an AI to mimic the voice of the CEO's chief executive from their parent company. It is unclear whether the attackers used bots to react to the victim's questions. If the phisher used a bot to automate the attack, it would make it more difficult for law enforcement to investigate.