What is Phishing?
Phishing is an attack strategy that uses deception to solicit sensitive information or directly breach a system, typically in the form of an email. Although phishing is almost as old as email, it has become increasingly more sophisticated, often evading spam filters and human detection.
What is the Goal of Phishing?
Breaching a System
Some phish is used to get malicious code past the perimeter. Initial scrutiny is vital in this case because all it takes is a click and the malware can begin to download itself to your computer. Often, malware will lurk unsuspected in the system, either quietly collecting data or waiting to strike so the user may never realize that what they clicked was malicious. These emails contain either an attachment, a download, or a link to a website that will deliver a malware payload. This malware could be any number of things – crypto-mining malware, worms, ransomware, or other cyber threats.
Gathering Sensitive Credentials
Phishing is also used as a means for gathering credentials, which can then be used for further attacks. This typically requires users to have to type in their personal information in some way, which is usually achieved by linking the target to a threat actor’s website. Users have more time to determine if the site is legitimate, so more work may go into making it look realistic, perhaps spoofing websites, using covert redirects, or ensuring the email appears as though it comes from a trustworthy source.
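The credential-harvesting tricks named above (a spoofed site, a covert redirect through a trusted domain, a message dressed up to look like it comes from a known sender) all show up in the links an email carries, and a mail gateway or analyst can check for them before anyone clicks. The following is an added defender-side example, not code from the original article; the trusted domain list, the redirect parameter names and the sample email body are all constructed for illustration, and the domain names in it are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample email body with four links (hypothetical domains):
# a legitimate link, a text/destination mismatch, a covert redirect and a
# look-alike domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p><a href="https://example-bank.com/login">example-bank.com</a></p>
<p><a href="https://login-portal.example/auth">https://example-bank.com/secure</a></p>
<p><a href="https://example-bank.com/redirect?url=https://evil.example/login">Verify your account</a></p>
<p><a href="https://examp1e-bank.com/login">Update your details</a></p>
"""

# Domains the organisation treats as legitimate (assumed for this example).
TRUSTED_DOMAINS = {"example-bank.com"}

# Query-parameter names often used by open redirectors (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "dest", "target", "return"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain: the last two labels (enough for the sample)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def covert_redirect_target(url):
    """Return the host a redirect parameter points to, or None if there is none."""
    for key, values in parse_qs(urlparse(url).query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlparse(value)
                if target.scheme in ("http", "https") and target.hostname:
                    return target.hostname.lower()
    return None


def is_lookalike(host, trusted):
    """True if host is not trusted but closely resembles a trusted domain."""
    rd = registered_domain(host)
    if rd in trusted:
        return False
    for t in trusted:
        brand = t.split(".")[0]
        if edit_distance(rd, t) <= 2 or brand in host:
            return True
    return False


def analyze_email(html, trusted=TRUSTED_DOMAINS):
    """Return a list of {url, reasons} entries for every suspicious link."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = []
        host = (urlparse(href).hostname or "").lower()
        # 1. Visible text that looks like a URL or domain but names another host.
        if "." in text and " " not in text:
            shown = text if "://" in text else "https://" + text
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host and shown_host != host:
                reasons.append(f"text shows {shown_host} but link goes to {host}")
        # 2. A trusted site used as a covert redirect to somewhere untrusted.
        redirect_host = covert_redirect_target(href)
        if redirect_host and registered_domain(redirect_host) not in trusted:
            reasons.append(f"{host} redirects to {redirect_host}")
        # 3. A domain that imitates a trusted one.
        if host and is_lookalike(host, trusted):
            reasons.append(f"{host} resembles a trusted domain")
        if reasons:
            findings.append({"url": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL_HTML):
        print(finding["url"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample body, the legitimate link passes and the other three are each flagged with the specific reason, which is the kind of signal a gateway can attach to a message for quarantine or for the user's attention. The registrable-domain and look-alike checks are deliberately simple; a production filter would use a public suffix list and a fuller set of homoglyph rules.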
What are the different types of Phish?
The most familiar type of phish is also the most basic. These emails cast a wide net, and vary in terms of how realistic they are, but are aimed at a general audience to get clicks from careless or unaware employees. However, other, more specific types of phish are also used, including:
Spear phishing uses targeted attacks against a specific person or organization. A threat actor researches to learn personal information to tailor emails accordingly. For example, a phish could be created to look like an individual’s specific bank, or an organization may be phished with emails that appear to be from those working in human resources. Since spear phish is from familiar names or organizations and often looks more realistic, users are much more likely to open them.
Whaling is an even more precise type of phish aimed at high-level targets, like C-level executives. Threat actors must again carefully research the target and craft a tailor-made email, but whaling presents an additional challenge: since such high-profile individuals are typically more selective about the emails they open, malicious actors put more thought into getting their attention with the emails they craft.
Threat actors utilize every communication method, including short message services (SMS). Attackers send text messages or use messaging apps to solicit personal information or spread malicious links. Malicious links opened on a cell phone are particularly dangerous, since there typically isn’t antivirus software to protect these devices.
Not all phish is in email form. Vishing (voice phishing) uses phone calls: people can receive automated or live calls requesting personal information that is spoken aloud or dialed into the keypad. Now that caller ID is universal, many vishing attacks also incorporate spoofing, in which a phone number from a local area code, or even a recognized company, appears to be calling. The most common vishing attacks include calls from banks, credit card companies, loan offers, car companies, or even charitable requests.
Phishing is considered one of the most effective attack vectors being used today. According to the Verizon Data Breach Investigations Report, 94 percent of malware deliveries are completed through a phishing email of some type. It is more critical than ever to learn what phishing is and avoid becoming the next victim.