Phishing is a technique that relies on psychology to deceive a person into giving up information or taking an action with an unintended result. This attack is usually carried out through written correspondence such as e-mail, instant messaging and social media posts. Originally, cyber criminals used e-mail attacks to steal a person's username and password to a website, but over the years these attacks have evolved and now go beyond stealing login information. Today, cyber criminals send messages pretending to be a friend, the bank or a well-known store, with the purpose of profiting from their intended target, that is YOU.
These messages are intended to deceive you into taking an action that leaves you vulnerable to further attacks. Such actions include:
- Opening an attachment infected with malware;
- Clicking on a malicious link that enables the download of malware;
- Giving the cyber criminal your login credentials to one of your online website profiles;
- Giving the cyber criminal money in the hope of profiting from a proposed venture (e.g. online lottery, gambling);
- Giving the cyber criminal personally identifiable information (e.g. name, address, bank name, credit card information).
Cyber criminals carefully craft these authentic-looking e-mails and send them to millions of people around the world because they know that the more e-mails they send, the more opportunities they will have to hack a victim. However, there is another form of phishing called spear phishing, where cyber criminals target select individuals on whom they have done careful research.
Spear phishing involves a carefully crafted e-mail sent to an intended victim, based on what the cyber criminal has read on the victim's Facebook or LinkedIn accounts and/or in any messages the victim has posted on public blogs or forums. The spear phishing e-mail is usually highly customized and always appears relevant to the victim. This greatly increases the cyber criminal's chance to dupe or hack the victim.
You may not think about it, but you are a potential target at work, at home or while going about your daily routine. Cyber criminals and other criminals will do anything to obtain information from you, including hacking or deceptively gaining access to your devices. The most effective way of detecting and stopping phishing and social engineering is YOU. Educating yourself and being mindful when reading your e-mails are best practices for avoiding phishing, while being aware of your actions and educating yourself about the companies you work for or do business with are best practices for avoiding social engineering scams. If you have fallen victim to these activities, contact your Helpdesk, security team or the police immediately.