What is Phishing: Don’t Get Hooked
January 22, 2016
Phishing is an IT risk and a form of social engineering. This post explains what a phishing attack is, how such attacks are carried out, and who is at risk.
What is Phishing – The Definitions
The most basic phishing definition is brought to you by Google. They define phishing as,
“the activity of defrauding an online account holder of financial information posing as a legitimate company.”
This is a pretty solid definition, but it is fairly narrow. Phishing attacks can be carried out with the intent to obtain more than just financial information. They are fraudulent by nature, but they are more than financial attacks: they are attacks rooted in social engineering. To arrive at a better understanding of what phishing attacks are, let's look at a broader definition.
“Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.”
This definition is provided by the United States Computer Emergency Team, and it encompasses the true nature of a phishing attack. These attackers, posing as a trustworthy source or organization, can be after more than just financial information. Although accessing money is most likely the end game for these attacks, attackers may need several attempts before hitting the jackpot.
Who is Vulnerable to Phishing?
You may be attacked due to your connection to a large company. A recent graduate and young professional in their first year of work may be a prime target. Less experience and awareness tilts the scale in the attackers’ favor. By posing as a higher level manager or a new co-worker, an attacker can easily obtain passwords and email contacts.
Unlike other black hat hackers in the IT world, phishing attackers can, and tend to, start their breach with some form of face-to-face interaction. Take the naive new employee as an example: the attacker can simply dress in business casual attire, wait outside an office or building, and strike up a conversation similar to this one:
Attacker: “Hey there, I just started here and noticed that you work a few cubicles over from me. It is nice to meet you. My name is Dick.”
Naive Nick: “Hey man. I am sorry, I have been so busy lately I must not have noticed that you just started. My bad.”
Attacker: “No worries, I know how it feels. I have been busy too and it is just my luck, it has only been a week and my laptop has been bugging out. I had to give it up to IT and I have to submit a report to my manager, but I cannot remember the password needed to login to our intranet.”
Naive Nick: “I feel you, and I have definitely been there before. I can send you an email with the password though, just give me your address.”
Attacker: “Aw man, that would be great. I appreciate it Nick, my address is firstname.lastname@example.org. I have to run now though, thanks for your help. Let's grab lunch soon!”
Dick just gained access into a company’s intranet where he can now download files, upload viruses and other forms of software that can be used to access financial documents and information.
Attackers also gain information from individuals by impersonating other organizations. They pose as the type of organizations that people usually view as harmless, such as charities. They also find opportunity in chaos, launching attacks during natural disasters, epidemics, times of economic dysfunction, holidays and political elections.
How to Prevent Phishing Attacks
To prevent phishing attacks from happening, you can take some fairly simple precautions.
- Do not respond to or entertain suspicious phone calls, emails, or personal encounters. Someone could be contacting you for entry information.
- A simple rule that most people follow already, but one worth mentioning: do not give personal information or information about your workplace to someone you do not know.
- Another fairly obvious precaution: refrain from using email to communicate financial information, such as account numbers and passwords, to other people. If your network is hacked, your finances will be too.
- Keep an eye out for insecure URLs. Impostor websites can look similar to authentic ones, but URLs differ.
- You should have some form of anti-virus software on your computer, and if you do not, you should look into getting some. There are plenty of cheap and even free services that do a pretty good job of detecting intrusions and viruses.
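The URL check from the list above can be partly automated. The following Python sketch is an added example, not part of the original post: it compares a link's host against a list of sites you actually use and reports why it deserves a second look. The trusted domain, the sample links and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains you actually expect to log in to.
TRUSTED = ("example.com",)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def check_url(url, trusted=TRUSTED):
    """Return the reasons a link deserves a second look (empty list: none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label")
    # The real site or one of its subdomains: no lookalike checks needed.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return reasons
    for d in trusted:
        brand = d.split(".")[0]
        # Compare as many trailing labels as the trusted domain has
        # (a simplification: no public-suffix list is consulted).
        tail = ".".join(labels[-d.count(".") - 1:])
        if brand in host:
            reasons.append(f"mentions '{brand}' but is not {d}")
        elif edit_distance(tail, d) <= 2:
            reasons.append(f"near-miss spelling of {d}")
    return reasons


if __name__ == "__main__":
    for sample in ("https://www.example.com/login",  # constructed sample links
                   "https://example.com.account-verify.test/login",
                   "http://www.examp1e.com/"):
        print(sample, "->", check_url(sample) or "no warning signs")
```

An empty result only means none of these specific signs were found; it does not prove a link is safe.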
If you follow these methods for prevention, you should be safe from phishing attacks. However, if you think that you may be a victim of a phishing attack, check out our After a Phishing Attack checklist. It is a free download that provides you with the steps you should take after falling victim to a phishing attack.