
Phishing: Don't Get Hooked

Author Elaine Harrison-Neukirch



Social engineering is used to trick people into divulging confidential information such as usernames and passwords, PII (personally identifiable information), financial information, and business secrets. Tricking people into sending money or gift cards is high on the list. One of the most prevalent and successful social engineering tactics is phishing. Phishing can also be used as an entryway that enables the attacker to launch a ransomware or other type of malware attack. Phishing can be conducted through email, phone calls, texts, and instant messaging. Email and instant messaging through social media are the most popular methods. The attacker is able to pretend to be someone else by creating fake personas on social media or masking their real name in an email. These vectors (methods) enable the attacker to cast their net wide and reach a large number of people with minimal effort. There are several types of phishing, each with a different purpose or attack vector: Barrel Phishing, Spear Phishing, Whaling, Business Email Compromise (BEC), Vishing, and Smishing.


Barrel Phishing


This tactic is used to send hundreds of phishing emails out to random people. The attacker has no specific target and simply hopes that many recipients will fall for the phish.


Spear Phishing


An attacker targets a specific organization. The attacker may have an email address list or just the names of people who work there. If the attacker only has names, reconnaissance emails may be sent to address variations built from those names to determine which addresses are valid. Reconnaissance emails typically have only a few words in the body or nothing at all. Most are sent from Gmail or other free webmail accounts. The goal of a spear phishing attack may be to acquire user credentials for their Active Directory or Office 365 accounts. The attacker could also launch a Business Email Compromise (BEC) attack. This type of phishing attack attempts to get targeted people in specific departments either to divulge confidential information (employee tax information, Social Security numbers, etc.) or to wire money. Spear phishing emails usually mask themselves as being from someone with authority within the company (CEO, CIO, HR Director). They may also seem to come from a trusted vendor, with an invoice for immediate payment attached to the email.
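The two signals described above (a near-empty message from free webmail, and an executive's display name on an outside address) can be checked at mail triage. This is an added example, not from the original article; the organization domain, executive names, webmail list, and word threshold are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): the organization's domain, the
# executive names to protect, and the list of free webmail domains.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam patel"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
RECON_MAX_WORDS = 3  # assumed cutoff for "a few words in the body or nothing"

def body_text(msg):
    """Return the first text/plain part of a message as a string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def triage(raw):
    """Return the set of heuristic flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = set()
    external = domain != ORG_DOMAIN
    # Display name claims an executive, but the address is outside the org.
    if external and " ".join(name.lower().split()) in EXECUTIVES:
        flags.add("exec-display-name-external-address")
    # Near-empty body from free webmail: possible address-validation probe.
    if domain in FREE_WEBMAIL and len(body_text(msg).split()) <= RECON_MAX_WORDS:
        flags.add("possible-recon-probe")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = {
    "recon": "From: a.b@gmail.com\nTo: jdoe@example.com\nSubject: hi\n\nHello\n",
    "spoof": 'From: "Jane Doe" <ceo.office@gmail.com>\nTo: ap@example.com\n'
             "Subject: Urgent wire\n\nPlease process the attached invoice today, I am in meetings.\n",
    "legit": 'From: "Jane Doe" <jane.doe@example.com>\nTo: ap@example.com\n'
             "Subject: Q3\n\nNotes from this morning are on the shared drive.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, sorted(triage(raw)))
```

These flags are triage hints for a human reviewer or a quarantine rule, not verdicts; a legitimate short note from a personal account will also raise the probe flag.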


Whaling


Whaling emails target the CEO or other high-level executives. These emails aim to gain logon credentials or to trick the recipient into directing another person to provide sensitive information or wire money under false pretenses.


Vishing


Vishing is phishing done through phone calls. The caller may spoof the phone number so it looks like it is from a known person or company. The caller will pretend to be a person of authority or an employee of a known company. They may try to get Social Security numbers, credit card information, or other sensitive information that can then be used to steal money or hack online accounts.


Smishing


Phishing texts or instant messages are known as Smishing. Examples include texts that instruct the recipient to change their password by clicking a link, or that ask the recipient to call a phone number immediately to avoid an account shutdown. Malicious actors will set up fake social media accounts and attempt to get information through instant messenger. The most popular Smishing method is to copy someone’s social media profile (using their picture and information) and then message the person’s connections, pretending to be them.


Hacked Email or Social Media Account


These are more difficult to identify because they are traditionally sent from a known person. If an email or message from someone you know looks off or requests unusual information, do not respond to it. Call that person and ask if they sent the communication.


How to Identify a Phis