Phishing is a form of online social engineering: an illegal method of deceiving people into disclosing sensitive information such as passwords or credit card numbers, or into downloading files that contain malicious code such as malware or viruses.
To understand phishing and all its variations, one must first understand that phishing is a form of social engineering, also known as social manipulation or scamming. At its core, social engineering is about manipulation: using psychological knowledge to gain the victim's trust so that they reveal confidential information or perform the actions the attacker wants. Social engineering is by no means exclusive to the internet. But because of the nature of the internet, with its easily accessible information and the possibility to reach many people fast, it has become the main playground for these types of scams and frauds.
Basically, phishing can be divided into two main groups: phishing and spear phishing. More about that below.
Phishing is characterized by being impersonal and generic, relying on a large number of recipients in the hope that someone will swallow the bait. The typical phishing scam is conducted via spam emails, which is also why phishing has almost become synonymous with phishing emails. Phishing emails are often a way for criminals to gather the information they need for a later spear phishing attempt.
Examples of phishing:
The sender masquerades as a large company, e.g. Microsoft, PayPal, a large bank or even your own company's tech support, claiming that there has been "unusual login activity" on your account and urging you to act. The email then usually instructs you to log in via a link provided in the email, stealing your login credentials in the process, or to open an attached document that installs malware on your computer.
The email sender masquerades as a bank claiming that you need to update your user information via a link provided in the email. Once you have submitted your user information, the criminals use it with criminal intent.
The sheer quantity of emails sent by the cybercriminals guarantees that a large percentage of the recipients will be customers of the bank the scammers are masquerading as.
The email sender masquerades as a lottery company claiming that you have won a big prize. The goal of the scam is either to make you give up personal information (such as your bank account number) or to make you pay an administrative fee, a tax on the winnings or a bank fee.
Primarily, spear phishing differs from phishing in that it is personalized. Secondly, the typical spear phishing scam is concentrated on one or a few selected targets (there are, however, many exceptions to this characteristic). In extreme cases, the designated victim is spied on for weeks or months before the criminals initiate first contact. During that period, the criminals learn as much as they can about their victim to increase their chances of succeeding in their manipulation. Just like "normal" phishing, spear phishing has traditionally been conducted via email.
Spear phishing often targets individuals in their professional role, with the aim of stealing money from the company where the victim works or getting hold of sensitive company information. Spear phishing attempts against private individuals, however, also occur on a regular basis.
Examples of spear phishing:
The name "CEO fraud" (also known as "executive whaling") comes from the scam's procedure, in which the criminal masquerades as the CEO or some other company executive. They then trick the employee into, e.g., transferring money or giving up confidential company information.
Basically, it all boils down to people's general respect for authority. If the employee believes that they are being contacted by a company executive who is in urgent need of a money transfer or of confidential information, the employee will act according to the instructions without thinking twice. Or at least that is what the criminals hope.
The criminal sends an email with an attached file that appears to contain important company information, e.g. a recruitment plan or a year-end report. In reality the file contains malware that is installed once the file is opened. Most often the fraudulent sender masquerades as an employee or as another company they know the targeted company works with.
Once the malware is installed it could, for example, give the cybercriminal remote access to the company's network, allowing them to steal sensitive data.
Spear phishing is by no means a problem only for companies. Private individuals are also targeted. Most often this happens when cybercriminals get hold of customer credentials from companies.
A typical example of this is when 100 million emails were sent to targeted Amazon customers who had recently made a purchase. The emails looked like legitimate emails from Amazon but contained an attachment that installed ransomware, which encrypted the files on the user's computer. The ransomware then required the victim to pay a bitcoin ransom in order to remove the encryption.
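As an added example (not code from the original article), here is a small Python scorer that flags the indicators the phishing and spear phishing examples above describe: a display name that impersonates a known executive or brand while the address comes from a different domain, urgency language, link text whose visible domain differs from the real href, and attachment types commonly used to deliver malware. The known-sender table, the "Jane Doe" executive and the sample messages are constructed assumptions, not data from the page.

```python
"""Heuristic phishing-indicator scoring over constructed sample emails."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed reference data for the receiving organisation (constructed for this example).
KNOWN_SENDERS = {
    "jane doe": "example.com",  # hypothetical CEO of the receiving company
    "paypal": "paypal.com",     # brand the article names as commonly impersonated
}
URGENCY_PHRASES = ("unusual login activity", "update your user information",
                   "you have won", "urgent", "immediately", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".docm", ".xlsm", ".zip")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(message):
    """Return indicator strings for one message dict
    (keys: from_name, from_addr, subject, body_html, attachments)."""
    indicators = []
    sender_domain = _registrable(message["from_addr"].rsplit("@", 1)[-1])

    # 1. Display name impersonates a known executive or brand from a foreign domain.
    name = message["from_name"].lower()
    for known, expected in KNOWN_SENDERS.items():
        if known in name and sender_domain != expected:
            indicators.append(f"display name '{message['from_name']}' but sender domain {sender_domain}")
            break

    # 2. Urgency / pressure language in subject or body (tags stripped).
    text = (message["subject"] + " " + re.sub(r"<[^>]+>", " ", message["body_html"])).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # 3. Link text shows one domain while the href points to another.
    parser = _LinkExtractor()
    parser.feed(message["body_html"])
    for href, label in parser.links:
        href_domain = _registrable(urlparse(href).hostname or "")
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", label.lower())
        label_domain = _registrable(m.group(1)) if m else None
        if label_domain and href_domain and label_domain != href_domain:
            indicators.append(f"link text {label_domain} -> {href_domain}")

    # 4. Attachment types commonly used to deliver malware.
    for fn in message.get("attachments", []):
        if fn.lower().endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment {fn}")
    return indicators


# Constructed sample messages (not real mail).
SAMPLES = {
    "bank_update": {"from_name": "PayPal Support", "from_addr": "support@paypa1-secure.net",
                    "subject": "Unusual login activity on your account", "attachments": [],
                    "body_html": 'Please <a href="http://paypa1-secure.net/login">'
                                 'https://www.paypal.com/signin</a> immediately.'},
    "ceo_fraud": {"from_name": "Jane Doe", "from_addr": "jane.doe@example-mail.co",
                  "subject": "Urgent wire transfer", "attachments": [],
                  "body_html": "Need this handled immediately, will explain later."},
    "malicious_report": {"from_name": "Partner Accounting", "from_addr": "accounting@partner-corp.example",
                         "subject": "Year end report", "attachments": ["Year_end_report.docm"],
                         "body_html": "Attached is the year end report you requested."},
    "benign": {"from_name": "Jane Doe", "from_addr": "jane.doe@example.com",
               "subject": "Lunch next week?", "attachments": ["agenda.pdf"],
               "body_html": 'Menu at <a href="https://example.com/lunch">example.com/lunch</a>'},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", phishing_indicators(msg) or "no indicators")
```

Each heuristic on its own is weak (legitimate mail can be urgent, and the registrable-domain helper is deliberately crude), so the value is in combining them: a message that trips several of these checks at once is what a mail filter or a SOC triage rule would quarantine or escalate, while the benign sample, where the name and domain agree and the link text matches the href, produces nothing.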
Since 2015 we have been working relentlessly towards making digital aspects of life simpler and more secure for people, corporations and organizations.
We are specialists and pioneers in the field of proactive ID protection solutions. We use our own proprietary technology and we meet the highest security and compliance standards.