Phishing Demystified

Phishing Methods

Phishing is commonly defined as the fraudulent practice of sending emails crafted to appear to come from companies, friends, or acquaintances, with the intent of deceiving individuals into revealing personal information such as passwords or even credit card numbers. Attackers use phishing to infect companies with ransomware (as well as other malware) and steal sensitive information.

Phishing attempts can obtain personal information in several ways: by having recipients send back information in a reply, by having them download a malicious attachment that gives the attacker access to the user’s PC, or by directing them to a malicious site that installs applications that record keystrokes (stealing passwords and other sensitive information). Attackers often entice recipients into providing account credentials by creating a familiar login interface that appears to belong to the recipient’s bank, a social media service or even Amazon.com.

There are a variety of phishing types that are defined as follows:

Phishing

Phishing emails are simple and commonplace. They typically appear to come from a trusted sender such as a government authority, company, institution, event, or individual, but are sent by an attacker. Phishing emails are sent in bulk. Attackers do not put much effort into fooling recipients, as the message is not specifically crafted for a particular recipient. Generally, a phishing email may contain a recipient’s name, but very little additional recipient-specific information. Because they are sent by the thousands, phishing emails tend to be generic in nature.

Spear Phishing

Spear phishing is a form of phishing that takes the craft to the next level: the sender drafts a message that is tailored using recipient-specific information such as job-specific functions, the person’s place of employment, names of friends or co-workers and other similar information. Spear phishing emails are very realistic, easily fooling tech-savvy recipients. Like generic phishing emails, spear phishing emails can appear to come from government authorities, companies, institutions, events, or individuals, but they will mention the recipient’s name and other recipient-specific information.

Whaling

Whaling is a form of phishing that targets high-level executives with the same recipient-specific information approach used in spear phishing emails. Emails sent to executives can and will contain their name, company name and other specific information such as phone numbers or names of associates. Whaling emails are often used to get executives to release company funds through a wire transfer or to obtain proprietary information.

Now you may be thinking, “Great, how can I protect myself from all these different forms of malicious emails?” Fortunately, there are some practices that can help protect you at work and home from phishing threats.

Look for content that has a tone, style or wording that is generic, foreign or not typical of the sender. Verify that the message was in fact sent by the sender.

Avoid sharing personal or financial information in email. Keep in mind that this also includes entering information in web pages from links found in an unsolicited email.

Even if a website looks legitimate, check the identity of the website by hovering over the lock icon in the address bar. Note: if you don’t see a lock icon, the website is insecure.

Security Awareness: Website Verification

Alternatively, you can seek more secure methods to send sensitive information such as over the phone, encrypted email or fax. Yes, we still use phones and faxes.

Pay attention to the website's URL. Phishing websites often look exactly like the real thing, but the URL may use a variation in spelling or a different domain. In some cases the website address will have misspelled words. Examples include .net versus .com, or accounts.googl.com instead of accounts.google.com.
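The URL check described above can also be automated, for example in a mail filter or link-preview tool. The following Python sketch is an added example, not part of the original article: the TRUSTED list, the function names and the "last two labels" rule for finding the registered domain are assumptions made for illustration. Beyond the two cases named in the text, it also flags a trusted name used as a prefix under an unrelated domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): use the domains you actually rely on.
TRUSTED = ("google.com", "amazon.com")

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive registered domain: the last two labels.
    Assumption: multi-part suffixes such as co.uk are not handled."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(url):
    """Return 'trusted', 'unknown', or a description of the lookalike."""
    # urlsplit drops any 'user@' prefix, so text placed before an '@'
    # in the URL is never mistaken for the host.
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for good in TRUSTED:
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            return f"lookalike of {good} (different domain ending)"
        if tld == gtld and 0 < edit_distance(name, gname) <= 2:
            return f"lookalike of {good} (spelling variation)"
        if f".{good}." in f".{host}.":
            return f"lookalike of {good} (trusted name under another domain)"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs, including the two examples from the text.
    for u in ("https://accounts.google.com/signin",
              "https://accounts.googl.com/signin",
              "https://accounts.google.net/signin",
              "https://google.com.account-check.example/signin"):
        print(f"{u} -> {classify(u)}")
```

A result of "unknown" only means the address did not resemble anything on the list; it is not a verdict that the site is safe.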

Keep your computer’s operating system, software, browsers and anti-virus apps up to date, as patching security flaws is the best defense against viruses, malware and similar threats.
