What is Phishing?
Phishing is an example of Social Engineering, and is defined as the fraudulent attempt to obtain sensitive information, often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.
How does Phishing Work?
This form of attack relies on a communication, such as a text message or an e-mail. The attacker may use the message to distribute a malicious link that appears trustworthy, in order to take information such as account details from the victim. Another common style of Phishing is the scam. Often with the promise of a large reward, the scammer aims to convince the victim to give up details such as their credit card information. These messages are often hard to distinguish from safe messages.
What different types of Phishing are there?
Spear Phishing is an attempt that is directed at a specific individual. Attackers may gather personal information about their target to increase their chances of success. This technique accounts for 91% of all Phishing attacks on the Internet. In 2015, Ubiquiti Networks Inc. lost $46.7 million to a Spear Phishing attack. This proves just how successful this Social Engineering technique can be.
This is a type of phishing attack in which a legitimate email containing an attachment or link has had its content taken and changed to create an almost identical email. The attachment or link within the email is replaced with a malicious version, and the email is then sent from a spoofed email address. As this e-mail appears to be a resend or edit of the original, it is difficult to distinguish it from a safe e-mail.
Whaling is a type of attack that is specifically aimed at high-profile targets within businesses. The content of the masquerading web page/email will often take the form of a legal document, customer complaint or executive issue. Whaling Phishers have been known to forge documents from Authorities, and thus these emails are very difficult to distinguish or ignore.
How can you Protect Yourself from Phishing?
There are multiple ways to protect yourself and your business from Phishing scams.
- Anti-Phishing websites, such as FraudWatch International, post exact Phishing e-mails that are currently circulating the internet.
- Familiarise yourself with techniques to spot the conventions of a typical Phishing scam.
- Use a web browser with features to prevent you from accessing malicious webpages.
- Use a spam filter on your inbox.
- Consider Cyber Essentials certification.
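The following Python example is added here and is not part of the original article. It checks a message for two of the conventions described above: a link whose visible text names one domain while its href goes elsewhere, and a Reply-To or Return-Path domain that differs from the From domain. The function names, the sample message and its domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # domain-like text
class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def addr_domain(value):  # "Name <user@host>" -> "host"; "" if header is absent
    return parseaddr(value or "")[1].partition("@")[2].lower()

def phishing_indicators(raw):
    msg, found = message_from_string(raw), []
    sender = addr_domain(msg["From"])
    for name in ("Reply-To", "Return-Path"):  # replies or bounces routed elsewhere
        dom = addr_domain(msg[name])
        if sender and dom and dom != sender:
            found.append(f"{name} domain {dom} != From domain {sender}")
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            shown = DOMAIN_RE.search(text)  # domain the reader sees in the link text
            host = (urlparse(href).hostname or "").lower()  # where the link really goes
            want = shown.group(1).lower() if shown else ""
            if host and want and host != want and not host.endswith("." + want):
                found.append(f"link text shows {want} but href goes to {host}")
    return found

SAMPLE = (  # constructed message: reserved .example domains, documentation IP range
    "From: Billing <billing@shop.example>\nReply-To: billing@shop-support.example\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="http://203.0.113.7/invoice">https://shop.example/invoice</a> '
    '<a href="https://www.shop.example/help">shop.example/help</a>')
```

A mismatch is an indicator to review rather than proof, since legitimate mailing services often use a separate Return-Path domain.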
Pentest People have a full Phishing Platform that can be used as part of a Social Engineering engagement. Be sure to get in touch with us if this is something of interest.