- Spear Phishing.
- Email Phishing.
Phishing attacks can have a great range of targets depending on the attacker. They could be generic phishing emails looking for anyone who has a PayPal account. These are usually recognizable as phishing.
Phishing can go to the other extreme when an email is targeted to one person. The attacker takes great care to craft the email, usually because of the access that person has. If the email is at this end of the spectrum, it is very difficult for even the most cautious not to fall prey to it. A widely repeated industry statistic is that 91% of information security breaches begin with a phishing scheme of some kind.
Spear phishing targets a specific group or type of individual such as a company’s system administrators. If you are going fishing with a pole, you could pull in an old boot, a tuna, or a flounder – any kind of fish. If you are going fishing with a spear, you are picking a specific fish to go after. Hence the name.
Whaling is an even more targeted type of phishing as it goes after the whales, the really BIG fish. These attacks target the CEO, CFO, or any other C-level executive (CxO) within an industry or a specific business. A whaling email might state that the company is getting sued and you need to click on the link to get more information.
The link takes you to a page where you are asked to enter critical data about the company such as tax ID and bank account numbers. Whaling is an inaccurate name since whales are not actually fish.
Smishing is an attack that uses text messaging or short message service (SMS) to get your attention. A message that comes into your cell phone through SMS that contains a link to click or a phone number to call could result in a smishing attack.
A scenario that has played out many times is an SMS that looks like it is coming from your bank. It tells you your account has been compromised and you need to respond immediately. The attacker asks you to verify your bank account number, SSN, etc. With those details the attacker can take over your bank account.
Vishing carries the same theme as all the other phishing attacks. The attackers are still after your personal information or sensitive corporate information. This attack is accomplished through a voice call. Hence the “v” rather than the “ph” in the name.
A classic vishing attack is the caller who claims to be from Microsoft and says you have a virus on your computer. You turn over credit card details to get a better version of anti-virus software installed on your computer. The attacker now has your credit card information and you have likely installed malware on your computer.
The malware could contain anything from a banking trojan to a bot (short for robot). The banking trojan watches your online activity to steal more details from you – this time your bank account information, including your password.
A bot is a piece of software that will do whatever the hacker wants it to do. It is controlled through a command and control (C2, also written CnC) channel and can be told to mine bitcoin, send spam, or launch an attack as part of a distributed denial of service (DDoS) attack.
Email phishing is the most common type of phishing, and it has been in use since the 1990s. Hackers send these emails to any and all email addresses they can obtain. The email usually tells you there has been a compromise to your account and that you need to respond immediately by clicking on a provided link. These attacks are usually easy to spot because the English is poor. It can read as if someone used a translation program and went through 5 different languages before arriving at English.
Some emails are much harder to recognize as phishing. When the language and grammar are more carefully crafted, the English may not give it away as a phishing email. Checking the email source (the raw headers, in particular whether Return-Path and Reply-To match the From address) and the actual link target rather than the link text you are shown can give you clues as to whether the source is suspicious.
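To make those two checks concrete, here is an added example (not code from the original article) that parses a constructed sample message with the Python standard library: it compares the From domain against Return-Path and Reply-To, and compares the host shown in each HTML link's visible text with the host the href really points to. The sample message, its addresses and domains are all made up for illustration.

```python
"""Header and link consistency checks for a suspected phishing email.

Added example; not from the original article. SAMPLE_EML below is a
constructed message whose From display name imitates PayPal while the
envelope sender, Reply-To and link target point to a different domain.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample .eml (all addresses and domains are made up).
SAMPLE_EML = """\
Return-Path: <bounce@mail-notify.example.net>
From: "PayPal Service" <service@paypal.example.com>
Reply-To: support@paypal-secure-login.example.net
To: victim@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://paypal-secure-login.example.net/verify">https://www.paypal.com/verify</a>
to restore access.</p>
</body></html>
"""

# Visible link text that looks like a URL or bare domain, e.g. "www.paypal.com/verify".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def sender_domain(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_like):
    """Hostname of a URL or bare domain string, lowercased ('' if none)."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: do the envelope sender and reply address agree with the From domain?
    from_dom = sender_domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        dom = sender_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")

    # Check 2: does each link's visible text point where the href really goes?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real = host_of(href)
            shown = host_of(text) if URL_LIKE.fullmatch(text) else ""
            if shown and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
            if href.lower().startswith("http://"):
                findings.append(f"plain-http link to {real}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML) or ["no red flags found"]:
        print(finding)
```

Run it as-is to see the four findings for the constructed sample; point `analyze` at the text of a saved `.eml` to check a real message. The link check only fires when the visible anchor text itself looks like a URL or domain, so "click here" links are not flagged as mismatches; a stricter variant would also flag any link whose host is not on an allow-list for the claimed sender.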
Another phishing scam, referred to as sextortion, occurs when a hacker sends you an email that appears to have come from you. The hacker claims to have access to your email account and your computer. They claim to have your password and a recorded video of you.
The recorded video is where the sextortion part comes in. The hackers claim that you have been watching adult videos from your computer while the camera was on and recording. The demand is that you pay them, usually in bitcoin, or they will release the video to family or colleagues.
Search engine phishing, also known as SEO poisoning or SEO trojans, is where hackers work to become the top hit for a search on Google or other engines. If they can get you to click on their link, it takes you to the hacker’s website. When you interact with it and enter sensitive data, they have your information. Hacker sites can pose as any type of website, but the prime candidates are banks, PayPal, social media and shopping sites.