What is Phishing?
Phishing is a prevalent type of social engineering that aims to steal data from the message receiver. Typically, this data includes personal information, usernames and passwords, and/or financial information. According to a recent report, 22% of all breaches in the past year involved some form of phishing (Verizon 2020). So just how does phishing typically work?
When executing a phishing attempt, attackers send a message where the authenticity of that message is spoofed. The message (whether via email, phone, SMS, etc.) is successful when it is trusted by the user to be a valid request from a trustworthy sender. The attacker’s objective is to get their target to click on a link that redirects the user to a fake website or forces a malicious file to download. An illegitimate link will try to trick users into handing over personal information such as account credentials for social media or online banking.
The majority of phishing attempts are not targeted but rather sent out to millions of potential victims in hopes that some will fall for the generic attack. Targeted phishing attempts are a bit more complex and require that the bad actor plan the attack and strategically deploy the phishing attempts. Below we look at a few types of phishing attacks and the differences between them.
Types of Phishing Attacks
A Spear Phishing attack occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate that personal detail(s) in order to appear more legitimate. These attacks are typically more successful because they are more believable. In other words, this type of attack has much more context (as outlined by the NIST Phish Scale) that is relevant to the target.
Whaling is a sub-type of Spear Phishing and is typically even more targeted. The difference is that Whaling is targeted to specific individuals such as business executives, celebrities, and high-net-worth individuals. The account credentials of these high-value targets typically provide a gateway to more information and potentially money.
Smishing is a type of phishing attack deployed via SMS message. This type of phishing attack gets more visibility because of the notification the individual receives and because more people are likely to read a text message than an email. With the rising popularity of SMS messaging between consumers and businesses, Smishing has been increasingly popular. There was also an increase in this type of phishing during the 2020 presidential election.
Vishing is a type of attack carried out via phone call. The attackers call the victim, usually with a pre-recorded message or a script. In a recent Twitter breach, a group of hackers pretending to be “IT Staff” were able to convince Twitter employees to hand over credentials all through phone conversations.
How to avoid attacks on your organization
Organizations cannot assume users are knowledgeable and capable of detecting these malicious phishing attempts — especially as phishing attacks continue to get more sophisticated. Users should be regularly trained on the types of attacks they could be acceptable to and taught how to detect, avoid and report the attacks. The following are two simple methods of educating employees and training them to be more vigilant.
- Regular Security Awareness & Phishing Training
- Internal Phishing Campaigns and Phishing Simulations
MindPoint Group has extensive experience in both training areas. Our team of experts can help your organization fully understand what types of attacks they are most vulnerable to, who in the organization might need additional phishing training, and additional best practices you can implement to improve your overall cybersecurity posture. We focus on helping you understand the vulnerabilities your organization faces and identify areas for improvement BEFORE they become an issue. Contact us to learn more.