"Phishing" refers to any sort of online scam aimed at tricking people into giving up personal information or critical data such as their usernames/passwords. It's a 21st Century variation on classic con jobs, and it works. Phishing is one of the most dangerous and successful forms of online fraud out there. And just about anyone can be targeted: major political parties, large corporations, open source projects, and more.
In this series of articles, we'll be taking a look at different types of phishing, and how to protect yourself - and your workforce - from them.
The most typical phishing attack runs something like this: The attacker starts by impersonating a website, downloading all its content and creating a mirror, but on a domain they control. That domain will necessarily be misspelled or false in some way, like someone impersonating us might try to set up a site at "www.humingbirdnetworks.com". Then they send official-looking emails from that site, talking about some vague security concerns, and telling users to log into their accounts - with links to the fake site.
If anyone falls for it, the attackers have now learned their usernames and passwords. Plus, given how often people reuse login credentials, one login becoming compromised can often compromise many more accounts.
Fortunately, these types of attacks tend to be pretty easy to spot. Their warnings are vague, and the URL will always contain some "giveaway" that it's not legitimate. When in doubt, visit the website in question via an independent web search, and contact them directly from there to inquire about the veracity of the email.
The basic phishing attack is usually broad spectrum, targeting thousands or millions of email addresses in hopes of finding a few suckers. Spear phishing, on the other hand, is precisely targeted at individuals.
The overall goal is the same: trick people into giving up critical info. However, spear phishers will attempt to boost the plausibility of their scam by incorporating information about the target that's been gathered via other sources. This can be very easy for attackers, given how often people over-share sensitive information on social media. They pretend to be a friend, coworker, someone who "met you at a conference", etc. and work the con job from there.
The best way to protect against spear phishing is to be vigilant about not putting personal information on social media. Also, always be wary whenever someone ever wants you to log into a website.
This is a two-stage attack. Stage one is gaining access to the email of a CEO or other C-level executive, usually via spear phishing or some form of keylogging. Stage two then involves sending an email "from" the exec to other departments with false instructions. For example, the Austrian company FACC lost over $40 million Euros to a CEO impersonator issuing payment orders to their accounting dept.
The best defense here is procedure. Whenever dealing with large payments, requests for high-level passwords, and similar risky requests, ALWAYS have procedures in place for lower-level staff to independently verify the authenticity of the request. And encourage them to do so! A company whose boss has a tendency to issue last-minute orders and punishes workers who question him is begging to be defrauded.
That's it for now. Tune in for part 2 as we continue discussing different types of phishing attempts!