Don’t take the bait—spot phishing fast
If you use email, you have most likely heard about phishing attacks. Although it sounds like fishing, it is not nearly as relaxing: if you catch a fish, you are smiling; if you have been phished, you are going to have a bad day.
Why call it phishing? The attacker sends a baited email to the target and hopes the target takes the bait. Just as fishing bait is meant to resemble something the fish wants, phishing bait is disguised as something the user needs or routinely uses.
You might have first heard of it in 2016, when John Podesta gave up his personal Gmail credentials to attackers. The email claimed that Google had blocked someone from signing in to his account and that he should change his password immediately. He clicked the link, landed on the attackers' look-alike login page, and entered his credentials.
What is Phishing?
Phishing is a social-engineering technique for gathering personal information, such as usernames and passwords, usually by email and through fake websites.
The attacker sends an email that convinces the target there is something they must do, such as update their bank password. The target clicks the link and lands on the attacker's site, which is often a close copy of the bank's real login page, and enters their username and password. If the target is tricked, the attacker now holds valid credentials for the legitimate site. One check before entering credentials anywhere: look at the domain in the address bar, not the page design. A copied login page is easy to make; the bank's real domain name cannot be copied.
What Are the Different Types of Phishing Attacks?
Phishing emails might resemble a message from your boss that says something like, "I'm about to get on an airplane but we need to pay this vendor now. Can you send the payment to this account asap?" Or you might receive an email that looks like it came from the bank you normally use and states, "Please log in to your account to receive an important message."
Email Phishing
This is the one you hear about most, and it is the most common. Attackers target large groups in the hope that someone falls for the lure. The messages usually carry links and/or attachments that try to trick the user into giving up their information or opening a malicious file.
Smishing
Similar to email phishing, but delivered by text message (SMS), where a shortened or lookalike link is even harder to inspect on a small screen.
Spear Phishing
Spear phishing is similar to email phishing, but instead of targeting a large group of people it focuses on specific individuals. The attacker crafts the email for that one person, often using details gathered from social media or the company website, so the targeted approach makes it more likely that they give up their information. Even the sender address is chosen to look trustworthy, for example a lookalike of a colleague's address. Because it is tailor-made for the individual, it is particularly troubling.
Whaling
Take spear phishing and aim it at high-profile targets, such as the CEO of a company, and you have whaling.
Angler Phishing
When the attacker impersonates a social media platform, or its customer support, this is referred to as an angler phishing attack. The attacker may also use social media messages to send you links in an attempt to extract information from you. Because anyone can create an account that looks official, treat unsolicited offers of help on social media with suspicion and verify through the platform's own support pages before sharing anything. Keep your information secure.
Vishing
This one is pretty scary in my opinion, since it is a lot more personal and done over a phone call. The attacker uses scare tactics to get you to give up your information. You might have received that call from the "IRS" that tries to frighten you into giving up your information or submitting a payment. The real IRS states that it initiates most contact by regular mail and will not demand immediate payment over the phone or threaten you with arrest.
Best Way to Guard Against Phishing Attacks
If you work for an organization that offers Security Awareness Training (SAT), you might have found it irrelevant, but realistically the best way to stop phishing is to be educated enough to know what to look for.
What are some common things to look out for in any email?
- Sender address legitimacy. Check that the message really comes from a known sender, and look at the actual address, not just the display name. Addresses can look similar, but one extra or transposed character means a different sender: example@gmail.com and exampel@gmail.com are not the same address.
- Links. Hover over (or long-press) each link and make sure the real destination matches what is displayed. Even when the text matches the URL, if you do not recognize the domain, do not click it.
- Requests for personal information, such as your date of birth (DOB) or Social Security number (SSN).
- Unexpected messages. The email arrived when you were not expecting it, or asks for information you had no reason to expect a request for.
- Multiple random addresses in the "To" field. Most of the time they are either completely random or slight variations of your own address.
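Most of the indicators in that list can be checked mechanically before a person ever reads the message. The script below is an added example, not code from the original post: it parses a raw email, compares the sender and "To" addresses against an assumed set of known contacts (USER_ADDRESS, KNOWN_SENDERS and KNOWN_DOMAINS are assumptions, not anything from the post), flags links whose visible text names a different domain than the real destination or an unrecognized domain, and flags requests for an SSN or DOB. Both sample messages are constructed for the example.

```python
"""Heuristic checks for common phishing indicators in a raw email (added example).

Assumptions (not from the original post): the recipient is example@gmail.com, and
the entries in KNOWN_SENDERS / KNOWN_DOMAINS are contacts they actually deal with.
Both sample messages at the bottom are constructed for this example.
"""
import difflib
import email
import re
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

USER_ADDRESS = "example@gmail.com"                                 # assumed
KNOWN_SENDERS = {"alerts@examplebank.com", "boss@yourcompany.com"}  # assumed
KNOWN_DOMAINS = {"examplebank.com", "yourcompany.com", "gmail.com"}  # assumed
PERSONAL_INFO = re.compile(r"\b(ssn|social security|date of birth|dob)\b", re.I)


class LinkAndTextParser(HTMLParser):
    """Collects (visible text, href) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two labels of a hostname: a rough stand-in for the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(candidate, known, threshold):
    """Return the known value that candidate imitates (close but not equal), else None.

    A legitimate subdomain (mail.gmail.com) ends with ".known" and is not flagged;
    "examplebank.com.evil.net" or an edit-distance lookalike is.
    """
    if candidate in known:
        return None
    for k in known:
        if (k in candidate and not candidate.endswith("." + k)) or \
                difflib.SequenceMatcher(None, candidate, k).ratio() >= threshold:
            return k
    return None


def text_host(text):
    """Host named by a link's visible text, if that text itself looks like a URL."""
    t = text.strip()
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", t, re.I):
        return None
    return urlparse(t if "://" in t else "http://" + t).hostname


def find_indicators(raw_message):
    """Return a sorted list of indicator codes found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message)
    found = set()

    # 1. Sender legitimacy: lookalike address/domain, or a display name carrying a
    #    different address than the real one, e.g. "a@bank.com" <x@evil.com>.
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if lookalike(addr, KNOWN_SENDERS, 0.9) or lookalike(domain, KNOWN_DOMAINS, 0.85):
        found.add("lookalike-sender")
    if "@" in name and name.lower().rpartition("@")[2] != domain:
        found.add("display-name-address-mismatch")

    # 2. "To" field stuffed with slight variations of your own address.
    for _, to_addr in getaddresses([msg.get("To", "")]):
        to_addr = to_addr.lower()
        if to_addr != USER_ADDRESS and lookalike(to_addr, {USER_ADDRESS}, 0.9):
            found.add("to-field-address-variations")

    # 3. Links: displayed text vs. real destination, and unrecognized destinations.
    parser = LinkAndTextParser()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for text, href in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue
        shown = text_host(text)
        if shown and registrable(shown) != registrable(host):
            found.add("link-text-destination-mismatch")
        if registrable(host) not in KNOWN_DOMAINS:
            found.add("unrecognized-link-domain")

    # 4. Requests for personal information such as DOB or SSN in the visible text.
    if PERSONAL_INFO.search(" ".join(parser.text)):
        found.add("requests-personal-info")

    return sorted(found)


# Constructed sample: display name carries the real bank address, the actual
# sender and link use a digit-1-for-l lookalike domain, the To field is padded
# with variations of the recipient's address, and the body asks for SSN and DOB.
SAMPLE_PHISH = """\
From: "alerts@examplebank.com" <alerts@examp1ebank.com>
To: example@gmail.com, exampel@gmail.com, example1@gmail.com
Subject: Important message about your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please log in to your account to receive an important message.</p>
<p>Confirm your SSN and date of birth to keep your account active.</p>
<a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a>
</body></html>
"""

# Constructed sample of a legitimate notice from a known sender.
SAMPLE_LEGIT = """\
From: Example Bank <alerts@examplebank.com>
To: example@gmail.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available.</p>
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, find_indicators(sample))
```

Run it directly and the phishing sample produces six indicator codes while the legitimate notice produces none. The similarity thresholds (0.9 for full addresses, 0.85 for domains) and the two-label approximation of the registrable domain are deliberate simplifications; a production filter would use the Public Suffix List and a curated contact list, and none of this replaces the user's own habit of reading the address bar before typing a password.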
There are built-in filtering solutions (spam filters, secure email gateways, and sender-authentication checks such as SPF, DKIM and DMARC) that try to keep phishing emails out of your inbox, but some always get through, so SAT is still the best way to prevent a phishing email from succeeding.
Conclusion
It is unfortunate that phishing has become a normal part of life and that staying vigilant all the time is hard. Keep yourself educated and click the "Report Phishing" button whenever you believe you are being phished, so the message can be blocked for everyone else.
Cybersecurity Series
Continue your Cybersecurity Learning.
When traffic turns into a weapon.
Cybersecurity — P3: What is a Denial of Service (DoS) Attack?
Part three of our cybersecurity foundations series explains Denial of Service (DoS) attacks—overwhelming a target with traffic or resource requests to knock services offline. Learn major DoS variants, attacker motives, real-world fallout, and essential mitigation tactics.
Don’t take the bait—spot phishing fast.
Part four of our cybersecurity foundations series dives into phishing—the social-engineering scam that lures users into surrendering credentials, cash, or malware. Explore common bait tactics, real inbox examples, and layered defenses that keep your team off the hook.
Know the enemy within
Part five of our cybersecurity foundations series unpacks malware—viruses, worms, ransomware, and spyware—and how they invade systems. Learn infection vectors, real incidents, and defense layers to block, detect, and recover.