Phishing is a prevalent type of social engineering that aims to steal data from the message receiver. Typically, this data includes personal information, usernames, and passwords, and/or financial information.
So just how does phishing typically work?
How does phishing work?
When executing a phishing attempt, attackers send a message that impersonates a legitimate sender. The message (whether via email, phone, SMS, etc.) succeeds when the user trusts it as a valid request from a trustworthy source. The attacker’s objective is to get the target to click a link that redirects them to a fake website or triggers a malicious file download. An illegitimate link will try to trick users into handing over personal information such as account credentials for social media or online banking.
Most phishing attempts are not targeted but rather sent out to millions of potential victims. Targeted phishing attempts are a bit more complex and require the bad actor to plan the attack and strategically deploy the phishing attempts.
Let us explore a few types of phishing attacks and the differences between them.
Types of phishing attacks
A spear-phishing attack occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate those details so that it appears more legitimate. These attacks are typically more successful because they are more believable; in other words, this type of attack carries much more context that is relevant to the target.
Whaling is a sub-type of spear phishing and is typically even more targeted. The difference is that whaling is aimed at specific individuals such as business executives, celebrities, and high-net-worth individuals. The account credentials of these high-value targets typically provide a gateway to more information and potentially money.
Smishing is a type of phishing attack deployed via SMS message. This type of phishing attack gets more visibility because of the notification the individual receives and because more people are likely to read a text message than an email.
Vishing is a type of attack carried out via phone call. The attackers call the victim, usually with a pre-recorded message or a script. In a recent Twitter breach, a group of hackers pretending to be “IT Staff” were able to convince Twitter employees to hand over credentials all through phone conversations.
How to avoid attacks on your organization
Organizations cannot assume users are knowledgeable and capable of detecting these malicious phishing attempts, especially as phishing attacks continue to get more sophisticated. Users should be regularly trained on the types of attacks they could be susceptible to and taught how to detect, avoid, and report them. It is important to understand the vulnerabilities your organization faces and identify areas for improvement before they become an issue.