What exactly is Phishing?
Many people claim to know what phishing is and how it can impact an individual and/or business. There are many types of phishing and with each different type, different repercussions exist. In this blog, I want to run through a few types of phishing that we at Finchloom have seen or heard of. As this blog continues to put out more content, this will be the source of phishing definitions to be referred upon once I expand into specific examples of the phishing that we encounter on a usual basis.
Common Phishing Attempts
Many people think of phishing as a type of malicious email, however, Vishing is the same concept, just over a phone call. A great example of this is the infamous ‘We have been trying to reach you about your cars extended warranty’ call; you might have experienced it yourself. There are many types of Vishing, examples include malicious actors asking for donations to your high school or university, imitating the IRS, and even pretending that you have had a significant other in an accident and asking for payment up-front for treating their ‘injuries’.
Many smartphones today have the capability to detect ‘junk’ calls, but some slip through the cracks. Almost all calls that begin with an automated message are immediately suspicious, and if asking for personal information, you must check the authenticity of the call. For example, if you get an automated call from Microsoft about paying a bill, protect yourself by checking your billing info online and/or call Microsoft directly from the phone number listed on their website.
A form of phishing that uses SMS alerts (texts). The most recent one that I have seen says something along the lines of ‘Your package is on its way, track it here: fakewebsite.com’. Now although the text message itself is not dangerous, the second that a user clicks the link, it becomes a threat. The webpage could immediately download malware, phish for personal information, or simply compromise your mobile device by installing spyware. Spyware would potentially be able to see everything on your phone, from your camera roll, to your location data, who you talk to and text, and even your passwords when logging in on websites and apps. Many people have lots of financial information on their phones, and this type of phishing can be extremely dangerous as a common misconception from many individuals is that their phone is safer than a computer.
Search Engine Phishing
This type of phishing involves the creation and use of a fake webpage that is spoofed to look like the real thing. Once the webpage is created, the page is listed for as many keywords as it pertains to. As an example, let us say that there is a malicious site created for Microsoft Support. The creator of the webpage would then optimize the site for all keywords relating to Microsoft Support. Keywords like ‘Microsoft subscription help’ and ‘help with Office 365’ would be targeted.
When a user searches for one of these key phrases, the webpage will pop-up on the search engine, and depending on the strategies used as well as the search engine, could populate near the top of the page. Once the false link is clicked, it mirrors the website format that a user would expect, in this case, Microsoft. From here, several things can happen. The website could ask for updated credit card information, personal account details (like a subscription key), or might have you talk to a fake ‘representative’ to ‘help’ you. If this happens and access is provided to your personal device, the damage could be irreparable. Lost personal files and pictures, malware or spyware installed, or even a complete wipe of your device, only to be recovered by paying a ransom to the perpetrator.
This type differs from traditional phishing because where traditional phishing involves sending mass emails to millions of unknown users, spear phishing is a targeted email at a specific user. These attacks are generally far riskier as they utilize a complete social profile on the users they target, i.e. their company, job title, and sometimes more specific information like who the target reports to, or the HR manager of the target. This is the most used type of phishing attack on organizations and individuals alike.
Like spear phishing, whaling uses personal social information to target users. The difference is that whaling targets high-up positions like C-suite and senior management positions. People in these positions often can send funds to vendors, or orchestrate change within their organization, for example purchasing a new product for the Org to use.
Phishing can be devastating to organizations of any size. Whether a solo entrepreneur is targeted, or a company with immense breadth, knowing the signs to look for is essential when any amount of data or dollars are at stake. I am personally tested on my ability to recognize phishing often, and knowing that these tests are sent out to me only makes me more eager to find the malicious looking emails before my coworkers. Friendly competition drives a security culture within our company.
Although we at Finchloom created PhishPrevent, we also utilize it daily. I am relatively new to Finchloom still, and I can say with the utmost confidence that the impact of a friendly competition with fellow employees to find and report phishing emails has done wonders for my knowledge and recognition of potentially malicious emails. If a simulation is failed by an employee, they receive on the spot training on they type of phishing they encountered, and what to look for next time.
PhishPrevent is an all-encompassing tool to deter and prevent data loss. Whether your business is small or large, data leaks and financial loss can be detrimental. Protect yourself, protect your employees, and protect your business with PhishPrevent; learn more about our managed security service by clicking the link here.