Learn about the basics of a phishing attack.
- [Instructor] The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks. Phishing is an attempt by attackers to acquire sensitive information such as usernames, passwords, and credit card details for financial gain. These messages often masquerade as a trustworthy entity in an electronic communication to get a conversation started. The phishing term is related to the idea that bait is used to trigger a desired reaction. The goal is to exploit our human nature and get us to click on a malicious link, or cause us to panic and release personal information.
Phishing email subject lines often contain words like warning, violation, alert, and rejected to instill a sense of urgency. One great example of an email message exploiting human nature was the ILOVEYOU worm. An unsuspecting user would receive an email message from someone with the subject line ILOVEYOU. It was hard for people to resist opening the message and looking at it. If the message was opened, exploit code would then send an ILOVEYOU message to everyone in your address book from you with the subject ILOVEYOU.
I was at an organization that had to deal with the cleanup of this worm because many employees could not, understandably, resist opening this email message. A recent study notes that 30% of phishing messages are opened, and 13% of the malicious links in the message are clicked. Identity theft is a common mode of phishing attacks that attempt to cause someone to release personal information like their social security number, their bank account numbers, or simply their date of birth. These attacks will request information within the message or provide a link to a malicious site that will request personal information.
The impact of identity theft is financial loss, damaged credit, medical identity theft, or harm to our social security benefits. Phishing typically is an attack made by sending messages to an email service, but with new technologies phishing can be done with other services. Spam is receiving irrelevant or inappropriate email messages. Instant messaging is another service phishers will use to request information from you or pass along a malicious link for you to follow.
Social media sites are helpful to phishers because people have a natural instinct to trust those they know and might share with on social media. Phishers leverage compromised social media accounts to initiate contact and account connections with others. Phishers use compromised Twitter accounts to send out fake direct messages to subscribers following a person. Usually the message will contain a link to a fake Twitter login page to capture your credentials. Over the past few years, phishing has also moved onto telephone networks.
As we will see, the frequency of telephone scams has been growing over the past year.
Phishing is successful when an email message persuades a person to take an action or reveal information that should not be disclosed. Whaling focuses on high-profile targets such as executives, politicians, and celebrities. Learn about the tactics used in phishing and whaling, and view some examples so that you can identify suspicious emails and network intrusions. Then learn how to reduce your risk and put protections in place to help mitigate these threats.
This course was created and produced by Mentor Source, Inc. We are honored to host this training in our library.
- What is phishing?
- Types of phishing, including cat phishing, spear phishing, and vishing
- Phishing examples
- What is whaling?
- How to reduce phishing and whaling with technology and procedures