
Day 19 - May 19 - Phishing (The Basics)

  • Elizabeth Rasnick
  • May 19, 2023
  • 2 min read

Phishing is an email that attempts to trick the user into taking some action that triggers malware, such as clicking on a link to a malicious site. The goal is to gain personal or sensitive information. Phishing is easy to deploy and does not require a high level of technical expertise, which makes it a commonly used attack vector. It is so often used that there are now categories of phishing. Here are a few of them.

In the early days of email, phishing emails were not that

Vishing uses phone calls or voice mail to gain access to accounts or other information. Callers frequently use the traditional tactics of emotion and urgency to manipulate people into acting without looking into things further.

Smishing uses SMS or text messaging to deliver the phishing message. Do not click on links in text messages from unknown senders. Do not click on links in messages from people you know if the link or message looks suspicious.

Spear phishing levels up the content of the phishing email. The message is personalized and reads like it is intended specifically for the receiver. The information the bad actor uses to customize the message often comes from publicly posted corporate directories and websites.

Whaling, as the name suggests, is directed toward high-value targets. These are people who hold access to large or highly-prized data assets. Whaling targets tend to be upper-level management and executives.

Angling puts a small twist on phishing. The bad actor impersonates a legitimate business by creating an account that looks real. From this account they interact with users who believe they are completing a customer feedback form, posting a review, and the like. Users think they will receive a coupon or other perk and so enter their account information on the phony site.

All of these tactics are based on the use of social engineering. Social engineering is the manipulation of people to get them to take action or reveal information that is against their own interest. People exploiting each other is nothing new. Confidence men (con men) plague their fellow humans in endlessly inventive ways. The internet and the web have given them new methods for carrying on the same old cons.


Some rules to avoid taking the bait!

  • If you don’t know the sender, verify their identity on the business website before replying to the message.

  • If an email appears to come from someone you know, but the subject or content looks odd, create a new email (not a reply) to the person and ask them if they sent it.

  • If the email is offering a deal that is too good to be true, it is!

  • Look at the name in the from block. Does it match up with what you are expecting to see?

  • If there are links in the email, hover over each one and read the address it shows.

This only covers the basics. There is too much information on phishing to cover it all here.



 
 
 
