Get the full scoop on Phishing
What is Phishing?
Phishing relies on deception. An attacker sends e-mails that appear to come from a legitimate source, such as an order notification or a bank deposit notice, but that are actually designed to collect sensitive information from you: passwords, bank account details or medical records. In most instances these are bulk e-mail blasts aimed at a wide range of recipients in the hope that a few will bite.
What are they looking for?
The end goal for most senders of phishing e-mails is to collect information such as bank account details, usernames and passwords, and even medical or identity information. For some of this information, such as a bank account, it's easy to see how an attacker would use it. Unfortunately, other information can be just as valuable when sold on the dark web: social security numbers, medical records, and passwords to services like Netflix or Spotify.
Common Phishing Techniques
Below is a list of a few of the most common phishing techniques being used today.
A targeted phishing e-mail approach, often called spear phishing. Instead of sending thousands of e-mails a day, the attacker targets a specific business or individual, then researches the target (via public websites, social media and even the dark web) to tailor the e-mails to them.
Basic e-mail phishing is where an attacker sends out thousands of e-mails, hoping for a few clicks. These e-mails can take many forms, but usually contain a malicious link or attachment.
Smishing is phishing via text message. These texts attempt to get a user to reveal information through a reply (e.g., "please verify your SMS authorization code") or through a link that leads to a phishing website.
Vishing is an attack that takes place over the phone. For consumers this is normally an automated process. Against businesses, the attacker calls and pretends to be a client, usually after gathering some details through research, and uses those details to extract information such as bank accounts, login credentials or medical information.
Hiding a link's true destination in an e-mail through various techniques. These can be as simple as showing one address as plain text while linking to another, or using a slight misspelling (Ex: Tracesecuriity.com). They can also be more sophisticated, such as URL redirects buried in long links, or registering domains that substitute very similar-looking characters (like lowercase l and capital I).
Content spoofing, also called 'content injection', is where an attacker supplies content to a web application that is then delivered to a user via a link. The domain looks legitimate, but the page has been modified; its login form may now send your information directly to the attacker.
Examples of Phishing Emails
See below for examples of different Phishing e-mails and techniques. Can you identify the issues?
Tips on Avoiding a Phishing Fail
We've put together our S.T.E.P. program so that you can take the first step in preventing phishing attacks for you and your organization.
STOP Before You Click
Don't interact with the e-mail before verifying that it is harmless.
THINK About the Sender
Check for misspellings or character substitutions in the sender's e-mail address, such as ! replacing i or the number 0 replacing the letter O. Don't respond to or follow instructions from e-mail addresses you don't recognize.
These are e-mail addresses that are okay: email@example.com
These are e-mail addresses that have issues: firstname.lastname@example.org
EXAMINE the Message
Check the message for misspellings, and hover over clickable links to check the URL of the linked website. Also consider the urgency of the message: are they asking you to do something right now or to open an attachment ASAP?
PROVIDE a Report
Show the e-mail to your IT department; if it looks "phishy," it probably is.
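The THINK and EXAMINE steps above, together with the link-hiding techniques described earlier (misspelled domains, confusable characters such as ! for i or 0 for O, link text that does not match the real target, and redirects hidden in long URLs), can be turned into automated checks. The script below is an added example for this page, not TraceSecurity's own tool; the trusted-domain list and the sample message are constructed for the demo, and `tracesecurity.com` is used only because the page itself mentions it as the legitimate spelling.

```python
"""Heuristic phishing-indicator checks for a sender address and message links.

Added example: the trusted domains, the sample message and all of its
addresses and URLs are constructed for this demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Domains the organisation actually uses (constructed for this example).
TRUSTED_DOMAINS = {"tracesecurity.com", "example.com"}

# Characters commonly swapped for look-alikes, mapped back to the letter
# they imitate. Capital I is folded before lowercasing so that "paypaI"
# becomes "paypal" rather than "paypai".
CONFUSABLES = str.maketrans({"I": "l", "0": "o", "1": "l", "!": "i",
                             "|": "l", "3": "e", "5": "s", "$": "s"})


def normalize(domain: str) -> str:
    """Fold confusable characters, lowercase, and drop a leading www."""
    domain = domain.strip().translate(CONFUSABLES).lower()
    return domain[4:] if domain.startswith("www.") else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch misspellings such as a doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'look-alike', 'misspelling' or 'unknown'."""
    plain = domain.strip().lower()
    if plain.startswith("www."):
        plain = plain[4:]
    if plain in trusted:
        return "trusted"            # exact match (DNS is case-insensitive)
    folded = normalize(domain)
    if folded in trusted:
        return "look-alike"         # only confusable characters differ
    if any(levenshtein(folded, t) <= 2 for t in trusted):
        return "misspelling"        # e.g. tracesecuriity.com
    return "unknown"


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def check_link(href: str, text: str):
    """EXAMINE step: compare the visible link text with the real target."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""
    verdict = classify_domain(host)
    if verdict != "trusted":
        findings.append(f"link host {host!r} is a {verdict} domain")
    # Visible text that looks like a URL but points somewhere else.
    shown = urlparse(text if "://" in text else "")
    if shown.hostname and shown.hostname.lower() != host.lower():
        findings.append(f"link text shows {shown.hostname!r} but goes to {host!r}")
    # A full URL inside the query string: a redirect hidden in a long link.
    for key, values in parse_qs(target.query).items():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                findings.append(f"parameter {key!r} redirects to {inner.hostname!r}")
    return findings


def check_sender(address: str):
    """THINK step: is the sender's domain one we actually recognise?"""
    domain = address.rsplit("@", 1)[-1]
    verdict = classify_domain(domain)
    return [] if verdict == "trusted" else [f"sender domain {domain!r} is a {verdict} domain"]


def analyze(message: dict):
    findings = check_sender(message["from"])
    for href, text in extract_links(message["html"]):
        findings.extend(check_link(href, text))
    return findings


# Constructed sample message; the addresses and URLs are not from the page.
SAMPLE_MESSAGE = {
    "from": "billing@tracesecur!ty.com",  # '!' in place of 'i'
    "html": """
      <p>Your invoice is overdue. Pay now to avoid suspension.</p>
      <a href="http://tracesecuriity.com/login">https://tracesecurity.com/account</a>
      <a href="https://example.com/go?url=https://evil.example/login">View statement</a>
      <a href="https://example.com/help">https://example.com/help</a>
    """,
}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("-", finding)
```

Running the script on the constructed message reports the look-alike sender domain, the misspelled link host, the mismatch between the displayed and actual link target, and the redirect parameter; the genuine help link produces no finding. A trusted-domain allow-list plus a small confusable map catches the substitutions the page lists, while the edit-distance check covers the doubled-letter misspelling example.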