4 Types of Phishing and How to Protect Your Organization (2024)

What is Phishing?

Phishing is a prevalent type of social engineering that aims to steal data from the message receiver. Typically, this data includes personal information, usernames and passwords, and/or financial information. Phishing is consistently named as one of the top 5 types of cybersecurity attacks. So just how does phishing typically work?

When executing a phishing attempt, attackers send a message where the authenticity of that message is spoofed. The message (whether via email, phone, SMS, etc.) is successful when it is trusted by the user to be a valid request from a trustworthy sender. The attacker’s objective is to get their target to click on a link that redirects the user to a fake website or forces a malicious file to be downloaded. An illegitimate link will try to trick users into handing over personal information such as account credentials for social media or online banking.

The majority of phishing attempts are not targeted but rather sent out to millions of potential victims in hopes that some will fall for the generic attack. Targeted phishing attempts are a bit more complex and require that the bad actor plan the attack and strategically deploy the phishing attempts. Below we look at a few types of phishing attacks and the differences between them.

Types of Phishing Attacks

Spear Phishing

A Spear Phishing attack occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate that personal detail(s) in order to appear more legitimate. These attacks are typically more successful because they are more believable. In other words, this type of attack has much more context (as outlined by the NIST Phish Scale) that is relevant to the target.

Whaling

Whaling is a sub-type of Spear Phishing and is typically even more targeted. The difference is that Whaling is targeted to specific individuals such as business executives, celebrities, and high-net-worth individuals. The account credentials of these high-value targets typically provide a gateway to more information and potentially money.

Smishing

Smishing is a type of phishing attack deployed via SMS message. This type of phishing attack gets more visibility because of the notification the individual receives and because more people are likely to read a text message than an email. With the rising popularity of SMS messaging between consumers and businesses, Smishing has been increasingly popular. There was also an increase in this type of phishing during the 2020 presidential election.

Vishing

Vishing is a type of attack carried out via phone call. The attackers call the victim, usually with a pre-recorded message or a script. In a recent Twitter breach, a group of hackers pretending to be “IT Staff” were able to convince Twitter employees to hand over credentials all through phone conversations.

How to avoid attacks on your organization

Organizations cannot assume users are knowledgeable and capable of detecting these malicious phishing attempts, especially as phishing attacks continue to get more sophisticated. Users should be regularly trained on the types of attacks they could be susceptible to and taught how to detect, avoid and report the attacks. The following are two simple methods of educating employees and training them to be more vigilant.

  1. Regular Security Awareness & Phishing Training
  2. Internal Phishing Campaigns and Phishing Simulations

MindPoint Group has extensive experience in both training areas. Our team of experts can help your organization fully understand what types of attacks they are most vulnerable to, who in the organization might need additional phishing training, and additional best practices you can implement to improve your overall cybersecurity posture. We focus on helping you understand the vulnerabilities your organization faces and identify areas for improvement BEFORE they become an issue. Contact MindPoint Group to learn more.

Author: Dr. Pierre Goyette