Think of phishing like a magician. The magician knows how to fool the audience. The magician also knows that mostly no one will know how he tricked the audience and may do what the magician asks. This is phishing– tricking a user to perform an action without them knowing what the action may cause.
What Happens in a Phishing Attack?
Once the attacker has fooled the user into clicking a link in a text message or email:
- User data can be stolen. ie, login information, credit card information]
- Installation of malware
- The system freezing
- Sensitive information exposure
Types of Phishing
Some of the most common types of phishing include but are not limited to:
- Attackers design phishing emails that look exactly like an organization’s. Attackers make sure to use the same logo, text design, and signatures to make the message feel real to the user.
- Typically used to obtain money from a user.
- Phishing emails usually make emails sound like an emergency. i.e., placing a time constraint on an action such as a password reset.
- The links attackers put in the emails are made to closely resemble the host organization’s email. They may do this by misspelling a domain name or adding extra subdomains.
- May be the most dangerous form of phishing.
- Designed to target a specific person or enterprise.
- This kind of attack usually requires the attacker to have more information on the person or enterprise.
Steps that may occur in a phishing attack:
- Getting Information About a Target: This can be done by the attacker acting as an authority figure in a company after they’ve done their research.
- Building a Connection With That Target: This may be done by making the target believe sensitive information has been leaked. This urgency is what allows the attackers a “foot in”.
- Using That Connection To Make The Target Take Action: This is where the actual attack occurs! This is where the attacker sends out their email as bait. If the target falls for this bait, the attacker has succeeded.
- Attackers create an email that looks like an original email from Microsoft
- The attacks typically consist of an email containing a link to log in, reset a password, etc.
- Once the URL in the email is clicked, the attacks have won
- Think about a whale with respect to how the food chain works. The whale is the top predator in the ocean. In the corporate world, CEOs are at the top.
- In whaling, attackers chase the whales, aka CEOs, of the ocean.
- Attackers may spend more time in profiling the “whale” to garner as much information as possible
- In these attacks, attackers tend to steal login credentials. Why? Think about the amount of authority a CEO has. If an attacker got access to a CEO’s account, anything would be possible for them. Imagine if the whale of the ocean lost its fins, it would sink– o-fish-cially! That’s what happens to the CEO here, and they lose all control they had.
- Uses phones as the platform of attack.
- Essentially a replica of phishing but occurs via text.
- The attacker sends a message to the user that demands a reply in which the message targets sensitive user information
- Also known as voice phishing
- Makes use of a phone call to target a user
- The caller (attacker) usually takes up a legal role, so the call seems legitimate. ie, acting as a banker, government official, police officer, etc.
- The attacker typically resorts to making threats that seem like the user may come in harm’s way if ignored. If the call is lest unanswered, attackers may resort to leaving threatening and dangerous voicemails to intimidate a user.
- A phreak, the attacker, is someone who breaks into telephone networks illegally.
- A phreak may use “boxes” to “fool” a network
These boxes consist of the following categories:
- Black Box: allows one to make free calls from a home phone
- Red Box: allows one to make free calls on a payphone
- Blue Box: provides one with full control over a telephone system
- Surfing attacks can lead to a WHIRLpool of problems! Think of someone hovering over your shoulder, and they can see everything you do. That’s what happens in shoulder surfing.
- A shoulder surfing attack allows an attacker to view a user’s screen and their keypad to get the users’ personal information
How Can One Prevent Phishing?
Although the attacker emails and messages usually look identical to emails we may see from authenticated organizations, one may find it easy to spot common mistakes found in phishing attacks such as:
- Spelling Mistakes
- Changes in organization domain name
- Stopping to think why one might be receiving such an email
- Establish 2 Factor Authentication, 2FA [acts as an extra layer of protection]
Create a stricter protocol for password management [changing password frequently, not using the same password, etc]
Humanity Wealth Advisors believes in sharing good knowledge and education. We believe your financial wellness comes from knowing good information– after all, knowledge is power.
- The articles we provide are a free service used simply to educate and pass knowledge; a knowledgeable investor is a great investor!
- Phishing attacks may compromise your information which may lead to a deflection of financial planning; giving readers information on cybersecurity helps us meet our goal to educate the general public
- Contact us if financial planning is crucial to you- we can help you with that.