What is “Phishing”?
Phishing is the catch-all term for the ways bad actors trick people into giving up sensitive information, such as usernames and passwords or banking details. With that information, attackers can log in to systems, redirect payments by changing banking information, or carry out other malicious activity, all of which costs organizations time and money.
Let’s look at the 3 main types of phishing attacks.
Phishing
This term describes emails sent to a large number of recipients. Think of it like going fishing: you toss your baited lure into the water and wait for the first hungry fish. As in fishing, you don’t know what that fish looks like until you have it hooked. The message will often include the recipient’s name, but not always. It may be dressed up to look like mail you would expect from Microsoft, Apple, or Google, or from shipping services such as FedEx, UPS, or your national postal service.
Spear Phishing
While phishing emails carry very generic messages, spear phishing is much more targeted. If phishing is casting a baited hook into the water and waiting, spear phishing is exactly what it sounds like: the attacker picks one person, or a small group, as the “phish”.
In the fishing analogy, you know which fish you are after and invest far more time and effort to land it. These messages are highly personalized. They may draw on publicly available information, such as social media posts, or on data exposed in previous breaches. The message will look very believable and may exactly match the signature and writing style of the person being impersonated. It is common for these attacks to impersonate a C-level executive and target an employee in a financial role who can update banking information or transfer funds, but they may target anyone in any role.
Whaling
Let’s begin with a definition: a whale is a big fish (well, technically they’re mammals). Consider the effort that goes into landing a whale; the bigger, the better. In phishing, a whale is someone at the top of an organization, with the kind of access to resources that could net the attacker a big payday. An attacker will spend a tremendous amount of energy on a whale, gathering information from every available source, and may be very patient. These messages are incredibly tailored to the receiving individual and may be sent to only one person in an organization.
What do these 3 types of phishing have in common? Typically, the email contains some sort of lure to get you to click a link, but it may simply ask you to reply with information. Not every phishing email contains a link or asks for a reply. Some carry attachments that, when opened, may infect the machine or present a copy of a login page you recognize to trick you into entering your credentials.
How does this affect me?
Passwords are not the only information that is valuable. You may be asked to enter personal details, which an attacker could use to impersonate you, obtain credit in your name, or take over accounts by answering the security questions used to verify your identity. The key ingredient in most phishing emails and their related scams is a sense of urgency: you must act now or miss an opportunity, or, on the darker side, you will suffer some negative consequence if you do not do what the attackers want.
How do you defend against these types of attacks? Email and web filtering solutions reduce the volume of these messages that reach an inbox, but a well-crafted spear-phishing or whaling email, with no link or attachment and a plausible-looking sender, can slip past them. A robust security awareness program gives your employees the skills to recognize these attacks and respond appropriately, which in practice means not acting on the request and reporting the message.
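As an added example, not part of the original article or of any filtering product it refers to, the following Python script turns the indicators described above (a link to click, a request to reply with information, an attachment, urgency language, and a sender dressed up as a known brand) into a crude scoring rule and runs it over three constructed sample messages. The keyword lists, the brand-to-domain table and the messages themselves are assumptions chosen for illustration; a production filter uses many more signals than this.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
import re

# Indicators the article lists: a link to click, a request to reply with
# information, an attachment, and urgency language. The keyword lists,
# the brand-to-domain table and the sample messages below are all
# constructed for this example (assumptions, not data from the article).
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent",
                 "today", "final notice")
INFO_REQUEST_WORDS = ("reply with", "confirm your password", "send your",
                      "banking details", "account number")
# Display-name brand -> domain that brand would actually send from (assumed).
IMPERSONATED_BRANDS = {"microsoft": "microsoft.com", "apple": "apple.com",
                       "google": "google.com"}


def extract_text(msg: Message) -> str:
    """Concatenate the subject and every text/plain part, lower-cased for matching."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():  # walk() yields the message itself if it is not multipart
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts).lower()


def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename, i.e. is an attachment."""
    return any(part.get_filename() is not None for part in msg.walk())


def score_message(raw: str) -> dict:
    """Score one raw RFC 5322 message; a higher score means more phishing indicators."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = extract_text(msg)
    reasons = []
    if re.search(r"https?://", text):
        reasons.append("contains a link")
    if any(w in text for w in INFO_REQUEST_WORDS):
        reasons.append("asks you to reply with information")
    if has_attachment(msg):
        reasons.append("carries an attachment")
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("uses urgency language")
    # A display name that claims a brand while the sending domain is not
    # that brand's domain is the "looks like it came from Microsoft" lure.
    for brand, legit_domain in IMPERSONATED_BRANDS.items():
        if brand in display.lower() and domain != legit_domain:
            reasons.append(f"display name claims {brand} but sender domain is {domain}")
    return {"from": addr, "score": len(reasons), "reasons": reasons}


# Constructed sample messages (not real mail; domains are placeholders).
GENERIC_PHISH = """\
From: Microsoft Account Team <security@micros0ft-login.example>
To: user@example.com
Subject: Your account will be suspended within 24 hours
Content-Type: text/plain

We detected unusual sign-in activity. Verify your account immediately at
http://micros0ft-login.example/verify or it will be suspended.
"""

SPEAR_PHISH = """\
From: Dana Lee <dana.lee@examp1e-corp.net>
To: accounts@example-corp.com
Subject: Urgent wire update

I'm in meetings all day. Please reply with the new banking details for
Acme Supply so the payment can run today.
Dana Lee, CEO
"""

BENIGN = """\
From: Sam Rivera <sam.rivera@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch next week

Are you free for lunch on Tuesday? No rush, let me know when you can.
"""

if __name__ == "__main__":
    for name, raw in (("generic", GENERIC_PHISH), ("spear", SPEAR_PHISH), ("benign", BENIGN)):
        print(name, score_message(raw))
```

Running it, the generic Microsoft lure scores highest because it trips the link, urgency and display-name checks at once, while the spear-phishing message scores only on urgency and the request for banking details: it has no link, no attachment and a sender that looks like a colleague. That gap is exactly why filtering alone is not enough and why the article leans on awareness training for the targeted cases.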
Contact us today to get started building your team’s skills!