What Is Phishing?
The internet is a vast sea of information, resources, and people. Unfortunately, the same metaphor fits an important method cybercriminals use to steal valuable information: phishing.
Phishing is a kind of cyberattack that uses disguised emails to deceive a user into giving up important information. These emails appear to come from legitimate sources such as Microsoft, the victim’s bank, or even vendors or customers. To back them up, the attacker creates a clone of a popular site such as Microsoft or Amazon, or a site that closely matches it.
The attacker may opt to send the same general phishing attack to millions of potential victims. This kind of attack tends not to get as many responses as other methods, but it is essentially a numbers game: just a few responses out of hundreds of emails sent can net the phisher a nice payoff. Soft-targeted emails are aimed at particular roles within an organization. Accountants are common targets for emails that look like wire transfers, W-9s, or invoices. Human resources departments can receive fake resumes and cover letters. The common element of these attacks is that the attachment or link in the email could logically be something a legitimate sender would need to send, such as a check number or a resume.
Types of Phishing Scams
When attackers target a specific user, it’s called spear phishing. The term alludes to an angler who goes after one particular fish with a spear instead of casting a wide net or baiting a hook to see what bites. Phishers use social media sites like Facebook and LinkedIn to identify their targets and gather information about them. They then use spoofed email addresses to make the message appear to come from a reliable source, and pretend to be someone the target knows in an attempt to get them to open an attachment or share sensitive information.
Whale phishing is a form of spear phishing that targets very big fish, most likely directors, board members, or C-level executives—people who have a great deal of authority within a company and would have access to sensitive information. Gathering enough information to build an attack for these targets is time-consuming, but, if successful, it can have a huge payoff.
What Do They Want to Catch?
Generally, a phishing attack has one of these goals:
Give access to sensitive information – These messages are an attempt to get the user to share sensitive data willingly. This is often a username and password combination that would give the attacker access to a system or account. The victim is presented a link that looks like it goes to a legitimate source, where they are asked to enter their username and password.
Download ransomware – This type of attack uses the same kind of fake email/website combo that appears to come from a safe source, but it includes a file attachment containing malicious embedded code.
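Two of the tells described above, a spoofed sender address dressed up with a trustworthy display name and a link whose visible text does not match where it really points, can be checked mechanically before a message ever reaches a user. The following Python is an added example for this article, not VTG's tooling; the message it inspects is constructed for illustration and the `.invalid` domain is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: the display name claims one domain, the
# address behind it is another, and the link text disagrees with its real target.
SAMPLE_EMAIL = """\
From: "examplebank.com Security" <alerts@examplebank.com.login-portal.invalid>
Subject: De-activation of email
Content-Type: text/html

<p>Your account will be disabled. Sign in at
<a href="http://login-portal.invalid/verify">https://www.examplebank.com/login</a></p>
"""

# Simple anchor matcher; good enough for the example, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")

def registrable(host):
    # Crude approximation of the registrable domain: the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shown_host(link_text):
    # Hostname the visible link text appears to name, or None if it is just words.
    host = urlparse(link_text if "://" in link_text else "http://" + link_text).hostname
    return host if host and "." in host else None

def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    real = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # A domain written into the display name should match the actual address domain.
    for claimed in DOMAIN_RE.findall(name.lower()):
        if registrable(claimed) != real:
            found.append(f"sender: display name claims {claimed}, address is {real}")
    # Link text that looks like a URL or domain should point where it says it does.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        shown = shown_host(re.sub(r"<[^>]+>", "", text).strip())
        target = urlparse(href).hostname or ""
        if shown and registrable(shown) != registrable(target):
            found.append(f"link: text shows {shown}, target is {target}")
    return found
```

Run against the sample, the function reports both the sender mismatch and the link mismatch; a message whose display name and link text agree with their real domains yields an empty list.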
People: the Weakest Link and the Strongest Defense
Phishing is a unique variety of cybercrime, as it takes technology and adds an emotional element, pushing recipients to panic when, for example, they see a message titled “De-activation of email” and to follow whatever link is provided without looking at it more closely. Likewise, it can be hard to resist an email that looks like it’s from HR with “changes to vacation policy” as the subject.
But the best defense against phishing attacks of any variety is a well-trained workforce. Employees who can scrutinize emails, spot anomalies, and react accordingly are the first line of defense. The key is training them properly.
Bolster Your Phishing Defenses With VTG
Eliminating your vulnerability to phishing attacks is part of a greater cybersecurity package offered by VTG. We examine all weak spots, procedurally and through your technology, and help you come up with ways to shore up your defenses, help them evolve to meet new threats, and give you the peace of mind to conduct your business safely.