Phishing is an online scam in which criminals impersonate legitimate organizations through emails, text messages, advertisements, or other channels in order to steal sensitive information. Usually the message contains a link that appears to lead to the company's website, where you are asked to enter your details. The website, however, is a counterfeit, so the scammer receives whatever information you key in.
The term "phishing" is a play on the word fishing: the criminals dangle a fake "lure", such as an imitation of a legitimate email, website, or advertisement, in the hope that users will hand over what is requested. The information most valuable to criminals is credit card numbers, account numbers, passwords, and usernames.
You probably think that you can identify a phishing attack before falling for one. Here’s why you may be mistaken:
Most phishing messages are delivered via email and are neither personalized nor aimed at specific individuals or companies. This is called "bulk" phishing. The content of a phishing email varies greatly depending on which organization the attacker impersonates; common targets for impersonation include banks and financial services, email and cloud productivity providers, and streaming services. Attackers may use the stolen credentials to take money directly from the victim, but more often the compromised account serves as a starting point for further attacks, such as stealing proprietary information, installing malware, or conducting spear phishing within the targeted organization. Compromised streaming service accounts are usually sold directly to consumers on dark web markets.
Spear phishing involves attackers using tailored phishing emails to target specific organizations or individuals directly. In contrast to bulk phishing, spear phishing attackers usually collect and use personal information about the target to increase the probability of a successful attack. Spear phishing often targets people in the finance department who have access to the organization's sensitive financial data and services. A 2019 study showed that employees of accounting and auditing firms are frequent targets of spear phishing because they have access to information that may be valuable to criminals.
One of the best-known examples is Threat Group-4127 (Fancy Bear), which used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. The group attacked more than 1,800 Google accounts and used the accounts-google.com domain to deceive targeted users.
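The accounts-google.com lure above works because the brand name appears in the hostname while the actual registered domain belongs to the attacker. The following added example (not code from the original article or from any product it mentions) shows a defender-side check that extracts links from an email body and flags hosts that embed a protected brand name but whose registrable domain is not the brand's own. The brand list, the sample email and the two-label domain rule are constructed assumptions for this example; a production check would use the Public Suffix List instead of the last two labels.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Brands to protect, mapped to their legitimate registrable domains.
# Constructed list for this example; extend it with your own brands.
PROTECTED_BRANDS = {
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'accounts.google.com' -> 'google.com'.
    Simplification: real deployments should consult the Public Suffix List so that
    multi-label suffixes such as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why `host` imitates a protected brand, or return None if it does not."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if reg in legit_domains:
            return None  # genuine brand domain, or a subdomain of it
        if brand in host:
            # Brand name present, but the registered domain belongs to someone else.
            return f"'{brand}' embedded in {host}, but registered domain is {reg}"
    return None


def flag_lookalike_links(message: str) -> List[Tuple[str, str]]:
    """Return (url, reason) for every link whose host impersonates a protected brand."""
    findings = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;)")  # drop trailing punctuation from prose
        host = urlparse(url).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed sample email: one lookalike link and one genuine link.
SAMPLE_EMAIL = """Please sign in to verify your account:
https://accounts-google.com/ServiceLogin?continue=mail
Account help: https://accounts.google.com/signin/recovery
"""
```

Running `flag_lookalike_links(SAMPLE_EMAIL)` reports only the accounts-google.com link, while the genuine accounts.google.com subdomain passes.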
Whaling and CEO fraud
Whaling is a spear phishing attack that specifically targets senior executives and other high-profile individuals. The content is crafted to appeal to the target's role, for example a subpoena or a customer complaint. CEO fraud is essentially the reverse of whaling: the attacker forges an email that appears to come from a senior executive, with the aim of getting other employees in the organization to perform a specific action, usually transferring money to an offshore account. Although the success rate of CEO fraud is quite low, a handful of successful attempts can earn criminals a great deal of money, and organizations have repeatedly lost tens of millions of dollars to this type of attack.