What Is Phishing? Types of Phishing Attacks

Written by: Joel Caskey
Cybersecurity Manager & Partner
NET Xperts LLC

Salutations, Cybersecurity Super Heroes In Training!

I hope you’re coming closer and closer to getting that Cybersecurity score to Super Hero Status! So far, we’ve talked about things that you can do to better protect yourself. However, one of the most important things you can do is know your enemy. Let’s talk about the bad guy for a minute…

Picture an average day in the office. It’s 11:45am, and you’re just wrapping up a few last-minute things to round out the morning. You brought your favorite sandwich for lunch today, and it’s calling your name. Right before you give into your daydream of that delectable delight to curb that appetite, you get an E-mail from your boss. They want to reward the great work that some of your colleagues have been doing, and they ask you to purchase Amazon gift cards for the team. You think to yourself, “OK, no problem, I can complete this task real quick before lunch.” You pull up Amazon’s website and buy 20 gift cards at $20 each. You proceed to send the gift card codes in reply to your boss’ E-mail to comply with their request. You then lock your workstation (because every Cybersecurity Super Hero in training certainly locks their computer when they walk away) and proceed to the meal you’ve been thinking about all morning.

But did you check that E-mail closely? Is this something that your boss would typically tell you to do? Do you know what E-mail address that E-mail actually came from? Did you think twice about buying those gift cards and complying with that action to send your boss the codes? Guess what – that E-mail was spoofed. You just lost $400 to a scammer, who has drained the gift cards faster than ice melts in the desert. Just like that – gone.

Phishing attacks happen all the time. For those of you who aren’t familiar, “phishing” is when a bad actor uses E-mail to coerce a victim into performing an action under false pretenses, to the bad actor’s benefit. This can be done in multiple ways, including:

  • Convincing a user to click on a link that appears to be a legitimate website and directing them to enter their credentials for that website.
  • Convincing a user to purchase gift cards for payment or reward and then requesting the information in order to steal the money from them.
  • Convincing a user to click on a link or download a file that infects their computer with a virus or ransomware.
  • Convincing a user to perform an unauthorized financial transaction (such as a wire transfer or a payroll change) that benefits the attacker.


So now that we’ve talked about some of the different ways that attackers will try to extract information or money, let’s discuss some of the terminology that goes with this, so you can see how these attacks are constructed. I mentioned a few different terms in the quiz. Do you remember them? Let’s talk about them:

Phishing – This is a generic term for a general attack that harvests information. The most popular types of attacks are typically link or document based. They try to convince the user to open a malicious file that will infect their computer, or they harvest the user’s credentials for a popular service, such as Gmail or Microsoft 365, through a bogus (yet convincing) login page. The attacker will then use those credentials to do “credential stuffing,” trying those same credentials in multiple popular systems to see where they work (I talked a little about this in my Password Management blog).

These generic attacks are generally untargeted, meaning they’re not directed at any specific individual – they’re sent to a group of people to see who responds or takes action.

Spearphishing – This is a phishing attack targeted at a specific group of people (accounting or payroll managers, for example). The attackers do their research and focus on a company and sometimes a specific individual. A popular example of this is an E-mail sent to a payroll manager posing as an employee at the company, requesting that their direct deposit information be changed.

Whaling – This is a fun term. Imagine going on a fishing trip (yes, actual fishing) and catching “the big one,” so to speak. That’s exactly what this is – a spearphishing attack that targets C-Level executives. The attackers are out to catch “the big one” by compromising their credentials to gain access to E-mail and do more damage to the organization.
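The spoofed “boss” E-mail from the opening story and the direct-deposit request described under spearphishing share a few tell-tale signs that a mail gateway or a careful reader can check: a display name that matches an executive but an address that does not, a sender domain outside the company, a Reply-To that diverts replies elsewhere, and a body asking for gift cards, payroll changes or wire transfers. The following is an added example (not code from the original post or from NET Xperts) that pulls those checks out of a raw message; the executive list, the company domain and the sample message are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the company's own domain and the executives
# whose names a spoofer is likely to borrow, mapped to their real addresses.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Requests the post warns about: gift cards, direct-deposit changes, wire transfers.
RISKY_REQUEST = re.compile(
    r"gift\s*cards?|direct\s*deposit|wire\s*transfer|payroll", re.IGNORECASE)


def phishing_indicators(raw_message: str) -> list:
    """Return the list of indicators found in one raw RFC 822 message.

    An empty list means none of the checks fired. Assumes a plain-text body.
    """
    msg = message_from_string(raw_message)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. The visible name belongs to an executive, but the address is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        found.append("display-name spoof")
    # 2. The message did not come from the company's own domain.
    if from_domain != INTERNAL_DOMAIN:
        found.append("external sender")
    # 3. Replying would send the answer somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        found.append("reply-to mismatch")
    # 4. The body asks for one of the actions described in the post.
    body = "" if msg.is_multipart() else msg.get_payload()
    if RISKY_REQUEST.search(body or ""):
        found.append("risky request")
    return found


# Constructed sample: the gift-card scenario from the opening story.
SPOOFED = """From: Jane Doe <jane.doe@gmail-mail.example.net>
Reply-To: boss.reward@example.net
To: you@example.com
Subject: Quick favor

Please buy 20 Amazon gift cards at $20 each and reply with the codes.
"""
```

Running `phishing_indicators(SPOOFED)` reports all four indicators, while a genuine note from `jane.doe@example.com` about lunch plans reports none.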

Now, you may be thinking, “I can spot those… they’re super obvious!” or “My employees wouldn’t do something like that!” Well, you might be surprised by what I’m about to say. At the average company, 10-20% of employees either don’t know how to spot a phishing scam or fail a phishing simulation. That’s 1-2 people out of every 10 employees. Think about that for a moment…

So now that I’ve sufficiently startled you on this topic, in the next blog I’m going to talk about what you can do to protect yourself and your business. If you don’t want to wait, give us a call at 412.244.NETX (6389) for more information.