Introduction to Phishing
By Greenjam94
In this post, we will review the basics of phishing as part of cybersecurity month. Many organizations, governments, and infosec companies prepare ways to inform the general public on how to avoid falling victim to these kinds of attacks. Hopefully by the end of this, you will know what phishing is and have a few things to review so that you do not fall victim to criminals who may be targeting you.
What is Phishing?
Phishing is a cybercrime in which criminals trick users into providing information or access to an attacker. It is an evolution of spam messages and has a wide variety of implementations. Victims are socially engineered, or tricked, into clicking malicious links or downloading fake attachments from emails. The intent of phishing is usually to gain initial information or access to a larger target.
Types of attacks
Phishing is developing so quickly that the industry keeps coming up with new names for sub-categories, based on the target audience or the means of distributing the phishing attack.
- Email Phishing: A malicious email asking for personal information or to complete a malicious action
- Vishing: An attacker calling over the telephone to extract personal information
- Smishing: Similar to Vishing, this is when attackers extract information through text messages
- Angler Phishing: Duplicating popular social media accounts to target fans of the original account
- Whaling: Likely a Moby Dick reference, whaling campaigns target important individuals or decision makers of a targeted group
- Spear Phishing: Specifically customizing phishing details to a few targets to be more convincing with personalized details
- Impersonation / Fraud: Acting as a known leader in a target group to trick employees into quickly taking action
What is at risk
Phishing is usually customized to collect a certain kind of information. Financial information such as credit cards, banking information, social security numbers, or PINs is a common target. Personal information that is used for security questions is another set of data commonly attacked: things like family history, anniversary dates, and birthdays.
When attackers are not going after data, they target access. By getting you to click malicious links or open attachments, they are able to execute code on your computer or get you to follow additional steps that create an initial foothold for their attacks into your network.
How to defend
The best way to defend a company against phishing attempts is user awareness. Misspellings and special characters are common, as attackers try to register realistic-looking domains and usernames that are easily mistaken for the real ones. There are a few easy things to remember when using email or other company communications.
- Always think twice before clicking
- Hover over a link to confirm a target URL matches the linked text
- Don’t click a suspicious link when the trusted site can be easily visited directly
- Stay within the usual conversation channels, and validate out-of-band requests with your management or security team before taking action
- Attempt to validate links or files before using them. Companies should have phishing guidance on where to report suspicious communications. Otherwise there are public tools like virustotal.com that can check them for known malicious content
- Use multifactor authentication as an additional layer of defense to avoid attackers gaining access to your accounts through password theft
Companies can implement a few additional techniques that make this easier. Email links can be replaced with redirects that check every link included in an email. External email addresses can be highlighted to make them easier to identify. Password policies and verification processes can be automated to reduce what everyone needs to watch for.
One example I can include in this post is how link text can differ from the actual linked webpage. Hover over suspicious links like “Follow my facebook page!”.
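To make the hover check concrete, here is an added example (not from the original post) that does the same comparison programmatically: it parses the anchors in an HTML email body and flags links whose visible text names one host while the href points somewhere else, or whose real target is a bare IP address. The email body and hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def suspicious_links(html):
    """Flag anchors whose shown host differs from the real host, or whose target is a bare IP."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual, reasons = host_of(href), []
        # Only compare hosts when the link text itself reads like a URL or domain.
        if "." in text and " " not in text and host_of(text) != actual:
            reasons.append("text shows %s but link goes to %s" % (host_of(text), actual))
        try:
            ipaddress.ip_address(actual)
            reasons.append("link target is a raw IP address")
        except ValueError:
            pass
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings

# Constructed sample email body for demonstration; the hosts are made up.
SAMPLE_EMAIL = """<p>Your account needs attention. Sign in at
<a href="http://www.examp1e-bank.com/login">www.example-bank.com</a> today.</p>
<p><a href="http://203.0.113.5/verify">Follow my facebook page!</a></p>
<p>Questions? See <a href="https://www.example-bank.com/help">www.example-bank.com</a>.</p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` reports the first two anchors and leaves the third alone, since its text and target agree.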
Learn more
As a part of cybersecurity awareness month, the National Cybersecurity Alliance has provided a few links to further user awareness. Bank of America has a video on social engineering and how to prevent getting attacked. KnowBe4 offers a training module on social engineering tactics as well that explains attacks and how to protect yourself. They also have a PDF file that explains the red flags to look for in an email.