What is phishing?
In my last blog post, I answered the question “What is social engineering?”. In this post, I will look at some of the different types of phishing attacks.
Phishing is the most common form of social engineering attack. In 2018 phishing accounted for 36% of all social engineering attacks, and it is estimated to have cost UK businesses over £11 billion. Ransomware attacks often begin with a phishing email, and once those are included the estimated cost rises to over £18.5 billion.
In a phishing attack, a mal-actor sends a fraudulent email disguised as legitimate correspondence to trick the victim into a harmful action. That action may be downloading and installing malware onto the victim’s machine, entering login credentials for a website where further actions can then be taken (a bank, a PayPal account, etc.), or disclosing personal or financial information. The website phishing.org has more examples. One of the most common lures is an email claiming that the recipient needs to reset their password, with a link to a visually accurate but fake copy of the login page; the username and password typed into that page go straight to the mal-actor. There’s more information at the following websites: TechTarget’s SearchSecurity, the OWASP wiki and KnowBe4.
What is spear phishing?
Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. It is like phishing but tailored to a specific individual or organisation, and it is often sent at a time when checking the legitimacy of the request is difficult. This requires prior research by the mal-actor: identifying the right person to send the email to, the best time to send it, and a sender the target already knows and trusts (perhaps a manager, client, supplier, etc.). There’s more information at TechTarget’s SearchSecurity and KnowBe4.
What is whaling (or whale phishing)?
Whaling is a spear phishing attack specifically designed to target high-profile employees in a company (for example CEOs, finance directors, etc.) or people of high net worth. Sometimes the aim is to steal sensitive information, but the usual goal is to manipulate the victim into transferring money to a bank account the mal-actor controls, from which it is swiftly moved on and is often never recovered. Again, there’s more information at TechTarget’s SearchSecurity.
What is CEO fraud?
CEO fraud is a very specialised form of spear phishing and one of the main forms of business email compromise (BEC). The mal-actor compromises or spoofs a company email account and impersonates an executive in an attempt to fool an employee into transferring funds to the mal-actor’s bank account, or into divulging private information about an employee, which is then likely to be used in a later social engineering attack. Because the sender address looks genuine, the tell-tale signs are usually elsewhere: a Reply-To header pointing at an outside mailbox, pressure to act quickly and quietly, and a request that bypasses the normal payment process. There’s more information at KnowBe4.
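The two attacks described above (the password-reset lure with a look-alike login page, and the spoofed-executive request with an outside Reply-To address) leave recognisable traces in the message itself. The script below is an added example, not code from the original post or from Network Midlands: it parses a raw email and reports the indicators a first-line analyst would look for. The trusted-domain list, the pressure phrases and the three sample messages are all constructed for the demo, and the look-alike check is a deliberately simple heuristic rather than a full homoglyph or public-suffix implementation.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the recipient organisation trusts.
TRUSTED_DOMAINS = {"example.com", "paypal.com"}
# Phrases that pressure the reader into acting before checking (illustrative list).
PRESSURE_PHRASES = ("immediately", "urgent", "reset your password", "wire", "within 24 hours")

class _LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude 'example.com' from 'mail.example.com'; use a public-suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])

def is_lookalike(host, trusted=TRUSTED_DOMAINS):
    """True when host imitates a trusted domain without actually being (under) it."""
    host = host.lower()
    if any(host == t or host.endswith("." + t) for t in trusted):
        return False
    # Catches paypa1-secure.com, secure-paypal.net and paypal.com.verify-login.net.
    normalised = host.replace("1", "l").replace("0", "o")
    return any(t.split(".")[0] in normalised for t in trusted)

def analyse(raw):
    """Return the sorted indicator names found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = set()
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    if is_lookalike(from_dom):
        found.add("lookalike_sender_domain")
    if any(t.split(".")[0] in from_name.lower() and from_dom != t for t in TRUSTED_DOMAINS):
        found.add("display_name_spoof")          # "PayPal Support" <x@other.com>
    reply_to = msg.get("Reply-To")
    if reply_to and parseaddr(str(reply_to))[1].rpartition("@")[2].lower() != from_dom:
        found.add("reply_to_mismatch")           # replies silently go to the attacker
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(text)
        for href, shown in parser.links:
            host = urlparse(href).hostname or ""
            if is_lookalike(host):
                found.add("lookalike_link_domain")
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host and registrable(shown_host) != registrable(host):
                found.add("link_text_mismatch")  # text says paypal.com, href goes elsewhere
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    if any(p in plain for p in PRESSURE_PHRASES):
        found.add("pressure_language")
    return sorted(found)

# Constructed sample messages (not real mail).
PHISH_SAMPLE = b"""From: "PayPal Support" <service@paypa1-secure.com>
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body><p>Please reset your password immediately at
<a href="http://paypal.com.verify-login.net/reset">https://www.paypal.com/signin</a></p></body></html>
"""
CEO_FRAUD_SAMPLE = b"""From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example.com
Subject: Quick favour

I'm in a meeting and can't talk. Please wire 48,000 to the supplier account I will send next and keep this confidential.
"""
LEGIT_SAMPLE = b"""From: "IT Helpdesk" <helpdesk@example.com>
Subject: Scheduled maintenance

The VPN will be unavailable on Saturday from 02:00 to 04:00 for maintenance.
"""

if __name__ == "__main__":
    for name, sample in [("phish", PHISH_SAMPLE), ("ceo fraud", CEO_FRAUD_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(f"{name}: {analyse(sample) or 'no indicators'}")
```

Running the script flags the PayPal lure on four counts (look-alike sender, spoofed display name, look-alike link host and link text that disagrees with the href) plus the pressure wording, flags the executive request only on its outside Reply-To and its wording, and reports nothing for the helpdesk notice. Heuristics like these are a triage aid, not a verdict: the sender checks here say nothing about whether the message actually passed SPF, DKIM and DMARC alignment for the claimed domain, which is the control that stops the spoofed-account variant of CEO fraud at the mail gateway.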
Can you spot a phishing email?
Google has created a little quiz to see if you can tell which emails are genuine and which are fake. Why not take the quiz and tell us how well you did in the comments below?
Do you want to learn more?
Network Midlands runs seminars to help people detect and defeat social engineering attacks. Find out more at “The Art of Deception”.