CYBER SECURITY TERMINOLOGY EXPLAINED

What Is Phishing?

Phishing is a type of cybercrime in which an attacker uses a digital form of social engineering to trick individuals into disclosing sensitive or personal information, most often by sending an email that imitates a reputable business or person closely enough to look authentic and trustworthy.

Defining Phishing

These attacks are commonly conducted through fake emails masquerading as a legitimate source. They typically trick users into either downloading a file laced with malicious code or clicking a link that redirects to a web page requesting bank details, credit card information, usernames, passwords or other sensitive information. These emails often contain a message of urgency to push individuals into acting quickly without thinking about the action being taken.

Types of Phishing:

Angler Phishing
Angler phishing is phishing conducted through social media platforms and instant messaging, typically with the attacker posing as a company's customer-service account and steering users to fake URLs or cloned websites.
Social media is also commonly used for reconnaissance, which allows attackers to conduct more complex, better-targeted attacks.

Clone Phishing
Attackers send a near-exact replica of a legitimate email the recipient has already received: the body looks identical to the previous message, but the attachment or link has been swapped for a malicious one, often presented as a resend or updated version.

Email Phishing
Attackers register a fake domain that mimics a genuine business or person and use it to send mass requests to many users. The fake domain often relies on character substitution (for example a digit 1 in place of a lowercase l, or the letters rn in place of m). In more sophisticated cases the attacker registers a unique domain that includes the legitimate organisation's name somewhere in the URL, so that the sender address looks genuine at first glance even though the registered domain belongs to the attacker.
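The checks a mail gateway or an analyst applies to a sender domain for exactly these tricks, as an added example (this is not code from the original article). The legitimate domains, the sample addresses and the similarity threshold are constructed for illustration, and the registered-domain extraction is a deliberately simple heuristic that assumes no public-suffix list is available.

```python
"""Lookalike-domain checks for a sender address.

Added example, not code from the original article. LEGIT_DOMAINS and the
sample addresses are constructed; registered_domain() is a simple heuristic
(assumption: no public-suffix list available).
"""
from difflib import SequenceMatcher

# Domains the (made-up) organisation really sends from.
LEGIT_DOMAINS = {"examplebank.com", "example-bank.co.uk"}

# ASCII substitutions attackers use because they survive a quick glance.
CONFUSABLE = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

SIMILARITY_THRESHOLD = 0.85  # assumption: chosen to fit the samples below


def registered_domain(host):
    """Last two labels, or three when the TLD is a two-letter ccTLD with a
    second-level label such as co/org/ac/gov (e.g. example-bank.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"co", "com", "org", "ac", "gov", "net"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold_confusables(label):
    """Undo common character substitutions ("examp1e" -> "example", "rn" -> "m").
    Heuristic only: it will also rewrite genuine names such as "modern"."""
    for fake, real in CONFUSABLE.items():
        label = label.replace(fake, real)
    return label


def classify_sender(address):
    """Return (verdict, closest legitimate domain or None) for an email address."""
    host = address.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    reg = registered_domain(host)
    name = reg.split(".")[0]

    if reg in LEGIT_DOMAINS:
        return "legitimate", reg
    # Non-ASCII labels (or their punycode form) mean a homoglyph attack is possible.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "homoglyph", None
    # Character substitution: the name is the real one once the swaps are undone.
    for legit in sorted(LEGIT_DOMAINS):
        if fold_confusables(name) == legit.split(".")[0]:
            return "substitution", legit
    # Near miss: one letter added, dropped or transposed.
    best = max(sorted(LEGIT_DOMAINS),
               key=lambda legit: SequenceMatcher(None, name, legit.split(".")[0]).ratio())
    if SequenceMatcher(None, name, best.split(".")[0]).ratio() >= SIMILARITY_THRESHOLD:
        return "similar", best
    # Organisation's name embedded in a domain registered to someone else.
    for legit in sorted(LEGIT_DOMAINS):
        if legit.split(".")[0] in host:
            return "embedded-name", legit
    return "unknown", None


if __name__ == "__main__":
    # Constructed sender addresses covering each trick described above.
    for addr in ["alerts@examplebank.com", "security@examp1ebank.com",
                 "it@exarnplebank.com", "news@examplebanks.com",
                 "support@examplebank.com.account-verify.net",
                 "ops@exampleb\u0430nk.com", "hr@contoso.org"]:
        print(f"{addr:48} -> {classify_sender(addr)}")
```

The order of the checks matters: an exact match on the registered domain wins, a non-ASCII or punycode label is flagged before any string comparison (a Cyrillic "а" is not something a similarity score should be asked to reason about), and the embedded-name check runs last because it is the weakest signal. In production the registered-domain step should use the public-suffix list rather than the short ccTLD table assumed here.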

Smishing
Smishing is phishing via SMS. These attacks rely on the recipient tapping a malicious link that redirects to a website capturing sensitive information, or that triggers the download of a malicious app which gives the attacker remote control of the device or deploys ransomware.

Spear Phishing
Spear phishing is a targeted email directed at specific individuals or companies that the attacker has deliberately sought out.

Attackers will typically have gathered the following information about the target beforehand:

  • Full Name
  • Contact Information
  • Employment
  • Job Title
  • Job Specification

Attackers often imitate senior staff to play on an employee's desire to follow instructions. Recipients may be suspicious, but depending on the seniority of the apparent sender they may not question the request for fear of reprisal.

Vishing
Vishing is conducted through phone calls. The attacker sets up a call that mimics another company, designed to steal sensitive data or obtain access to funds. The caller ID is often spoofed so that the call appears to come from a legitimate number.

Whaling
Whaling is targeted at high-level personnel within an organisation, such as senior executives, who are more likely to hold valuable information or financial authority. Attackers may spend months researching their targets, analysing routines, mapping relationships and establishing trust before launching the attack.

Phishing Simulations
Phishing simulation exercises are a form of staff training. Companies send internal phishing emails to their own staff to test their awareness of the key indicators used to check an email's authenticity and legitimacy. If an employee falls for the test, they are notified and given further training.

Conclusion

As best practice, individuals should always check the sender's actual domain (not just the display name), hover over links to see where they really point, and inspect attachments before opening anything. If unsure, verify the message through another channel (for example by phoning the sender on a known number) or report it to your security team so it can be analysed in a sandbox. Never forward the email to other colleagues, as this only increases the likelihood of the attack reaching other users.
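The manual checks above (sender domain, where links really point, attachment type, pressure to act) automated over a raw message, as an added example that is not code from the original article. Both sample emails below are constructed; every address, host and filename in them is made up, and the risky-extension list and urgency phrases are assumptions chosen for illustration.

```python
"""Triage a raw email the way the checklist says a reader should.

Added example, not code from the original article. SAMPLE_EMAIL and
CLEAN_EMAIL are constructed messages; RISKY_EXTENSIONS and URGENCY are
illustrative lists, not a vendor's rule set.
"""
import os
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: file types that should never arrive unexpectedly from a bank or colleague.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".lnk", ".iso", ".img", ".docm", ".xlsm"}
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|"
                     r"verify your account)\b", re.IGNORECASE)
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_or_sub(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return a list of (category, detail) findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()

    # 1. Display name written to look like an address at a different domain.
    if "@" in sender.display_name:
        shown = sender.display_name.rsplit("@", 1)[-1].lower()
        if shown != from_domain:
            findings.append(("display-name", f"name shows {shown}, address is {from_domain}"))
    # 2. Replies silently routed elsewhere.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(("reply-to", f"Reply-To goes to {reply_domain}, From is {from_domain}"))
    # 3. The hover check: does each link go where its visible text claims?
    texts = [str(msg["Subject"] or "")]
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        content = html.get_content()
        texts.append(re.sub(r"<[^>]+>", " ", content))
        collector = LinkCollector()
        collector.feed(content)
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            shown = DOMAIN_IN_TEXT.search(text.lower())
            if shown and not same_or_sub(host, shown.group(1)):
                findings.append(("link-mismatch", f"text shows {shown.group(1)}, href goes to {host}"))
            if host and not same_or_sub(host, from_domain):
                findings.append(("link-foreign-domain", f"{host} is not under sender domain {from_domain}"))
    # 4. Attachments: splitext keeps only the final extension, so "Statement.pdf.exe" is caught.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    # 5. Pressure to act now, in the subject or the body.
    hits = {m.group(1).lower() for m in URGENCY.finditer(" ".join(texts))}
    if hits:
        findings.append(("urgency", ", ".join(sorted(hits))))
    return findings


SAMPLE_EMAIL = """\
From: "alerts@examplebank.com" <alerts@examplebank-secure.net>
Reply-To: verify@mail-collector.example
To: customer@example.org
Subject: Urgent: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://examplebank.com.account-verify.net/login">https://examplebank.com/login</a></p></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

CLEAN_EMAIL = """\
From: "ExampleBank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.examplebank.com/statements">www.examplebank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_EMAIL):
        print(f"{category:20} {detail}")
    print("clean message findings:", triage(CLEAN_EMAIL))
```

Each finding maps to one line of the checklist: the display-name and Reply-To checks are the "check the domain address" step, the link checks are the hover, and the attachment check is the "inspect before opening" step. None of these is proof on its own; an analyst weighs them together, which is why the function returns all findings rather than stopping at the first.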
