Updated: Feb 11, 2020
Different Phishing Methods
The objectives and methods of phishing attempts may vary. The hook lurking beneath the bait is the form you need to fill out, the reply you must send or the link you need to click. Some of the different types of phishing attack may seem familiar to you, while others might be a bit less obvious. Their goal to to obtain either your personal information, company information (your login and password credentials) or the opportunity to install malicious software.
Organizations using SCADA or ICS now report developing connections between their traditional IT systems and their SCADA/ICS. This access to SCADA/ICS by outside parties is a major part of the problem for introducing the potential of outside hackers to penetrate into these control systems. Loosing control to an ICS/SCADA system is a huge safety and financial concern. [More on this when the topic is Ransomware.]
Understanding the different phishing types for this type of crime is key when it comes to prevention. Here are a few:
The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity. Emails claiming to be from popular social web sites, banks are commonly used to lure the unsuspecting individual. It’s a form of criminally fraudulent social engineering.
When attackers craft a message to appeal to a specific individual, that's called spear phishing. (The image is of a fisherman aiming for one specific fish, rather than just casting a baited hook in the water to see who bites.) Phishers identify their targets (sometimes using information on sites like LinkedIn) and then use spoofed addresses to send emails that could plausibly look like they're coming from co-workers, upper management, your financial institution. For instance, the spear phisher might target someone in the finance department and pretend to be the victim's manager requesting a large bank transfer on short notice or from the IT department saying you need to re-authenticate / change your password for access.
Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish — CEOs or other high-value targets. Many of these scams target company board members, who are considered particularly vulnerable: they have a great deal of authority within a company who often use personal email addresses for business-related correspondence, which doesn't have the protections offered by corporate email.
Clone / Deceptive Phishing
You receive an email from a well-known online brand – for example, eBay. The email includes the company logo and looks just like one you would normally receive from them. Even the email address is similar enough to pass for the real thing. You are asked to click a link and verify your identity, and it takes you to the eBay site, so you log in. The problem is, it wasn’t the real site – and you just gave your password to a phisher.
Vishing stands for “voice phishing” and it entails the use of the phone. Typically, the victim receives a call with a voice message disguised as a communication from Apple, Microsoft, a financial institution with a “security problem”. The message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes. However, the phone number rings straight to the attacker via a voice-over-IP service. These scams take advantage of user fears of their devices getting hacked.
A Look Inside the Phishing Tackle Shop
Catches of 2019
Top 10 General Phishing Email Subjects
[Do not click on anything in these types of emails. Delete, Delete, DELETE.]
The take away is that hackers are playing on your emotions. Either to scare you or reward you. Their key theme is a need for immediate action by you --- HR has the need for you to update your personal records; the curiosity that you had an attempted package delivery; a refund or that something is about to be changed or lost to get you to react without considering if this is a legit email.
Do not click on anything (links, attachments) in emails without taking pause to see if they are legit.
[More next week]
Editorial note: Our articles provide educational information for you. Our goal is to increase awareness about cyber safety.
Marilyn Sousa, CISA, CISM
Senior Cyber Security Engineer