Updated 3/25/2019. Released 10/1/2018. Skill level: Intermediate.
- [Instructor] Phishing is the act of sending out emails or other communications to try to trick people into sharing information with an attacker. Frequently this kind of activity gets caught by email filters, and many people are starting to catch on and recognize these attempts when they see them. But there are two special kinds of phishing that I want to talk about in this episode, which are often more successful because they're much more targeted: spear phishing and catfishing. Spear phishing is very targeted phishing, often intended to get one individual, or a member of a small group of people, to accidentally share information that ought to be protected.
More specifically, the term whaling is used for targeting high-value individuals or accounts, while spear phishing targets specific, though not necessarily extremely high-value, targets. But to keep things general, I'll call both spear phishing here. And catfishing is when someone pretends to be someone else in order to get information. Spear phishing, as I mentioned, targets one person or a few people. The goal is to get specific information, or to access their information, rather than the information of just anyone who happens to be caught up in a phishing scam, whoever they may be.
Spear phishing is often used against notable people like politicians and business leaders, or against those around them with access to their information, like secretaries, assistants, advisors, and other staff. But the target isn't always someone famous or well-known. The goal is usually to gain access to a keystone account, like an email account, and then use that to gain access to other accounts that are linked to that email account. From there, an attacker might steal information, change information, or impersonate the victim in order to further a particular agenda. It's not uncommon to see business leaders or managers being targeted by less-than-ethical competitors, or by people who recognize the value that one individual's information might have over and above the run-of-the-mill harvesting of information through a regular phishing campaign.
Though the goal of a spear phishing attack is generally different from plain phishing, the methods attackers use are often similar. Like regular phishing campaigns, attackers might create a false password reset email that appears to come from an email provider, an urgent transaction alert message allegedly from a bank, or some other lure for getting information. But unlike a regular phishing campaign, a spear phishing campaign might have more effort put into it, to be somewhat more customized and more polished.
It might involve research into the target's family, their history, or their professional accomplishments. And it might be supported by other angles of attack, like a fake call center playing the role of a bank or business customer service line, or even postal mail designed to further the attack. Because it's targeted more specifically, spear phishing can be more difficult to detect and defend against, though many of the same strategies for combating phishing and other scams still apply. Don't click on links in emails; instead, open up a web browser and visit the site that claims to be sending the message.
Check the URLs and phone numbers that appear in mail and messages and compare them to authoritative sources. If you're prompted to log in to a site through an email, open a web browser and type in the address that you know is that site's official address instead. One of the most effective ways to help combat spear phishing is to make sure your accounts use two-factor authentication. That way, if an attacker does get credentials for a site, they would still need the second factor in order to access the account. Bear in mind that a code sent by SMS or shown in an authenticator app can itself be phished and relayed in real time, so a hardware security key or another phishing-resistant method gives the strongest protection. It's also important to keep in mind that there is no such thing as perfect security, and that humans simply make mistakes sometimes.
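The advice above to compare the URLs in a message against authoritative sources can be partly automated. The following is an example written for this page, not code from the course or from LinkedIn Learning: it pulls every link out of an HTML email, compares the domain the link text shows with the domain the href actually leads to, and then compares that domain against an allowlist of domains you would type in yourself, flagging typo-squats and homoglyph look-alikes. The sample email, the allowlist and the confusables table are constructed for the demo, and the two-label domain rule is a simplification that stands in for a real public-suffix list.

```python
"""
Link inspection for a suspicious e-mail: does the domain a link *shows* match
the domain it *goes to*, and is that domain one you would type yourself?
Example code written for this page (not from the course). The sample e-mail,
the allowlist and the confusables table are constructed for the demo.
"""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of registrable domains you trust: the addresses you
# would type into the browser yourself rather than click.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Visible link text that itself looks like a URL or a bare domain.
DOMAINISH = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Tiny, deliberately incomplete confusables table (digits and a few Cyrillic
# letters that render like Latin ones). A real tool would use Unicode TR39.
CONFUSABLES = {"0": "o", "1": "l", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a web link; '' for mailto:, javascript:, empty or relative."""
    parsed = urlparse(url.strip())
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return ""
    if not parsed.scheme:                      # bare 'www.example.com/x'
        parsed = urlparse("http://" + url.strip())
    return parsed.hostname or ""


def registrable_domain(host):
    """Last two labels of the host. Simplification: a real check would use the
    public-suffix list so that 'bank.co.uk' is not cut down to 'co.uk'."""
    labels = [lab for lab in host.lower().rstrip(".").split(".") if lab]
    return ".".join(labels[-2:]) if labels else ""


def skeleton(domain):
    """Normalise a domain so that look-alikes collapse onto the same string."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Verdict: trusted, display-mismatch, lookalike, non-ascii-domain,
    untrusted or not-a-web-link."""
    actual = registrable_domain(host_of(href))
    if not actual:
        return "not-a-web-link"
    # The text shows one domain but the href leads to another: the classic lure.
    shown = registrable_domain(host_of(text)) if DOMAINISH.fullmatch(text) else ""
    if shown and shown != actual:
        return "display-mismatch"
    if actual in trusted:
        return "trusted"
    # examp1e-bank.com, ex<Cyrillic a>mple-bank.com, exemple-bank.com, ...
    for t in trusted:
        if skeleton(actual) == skeleton(t) or levenshtein(actual, t) <= 2:
            return "lookalike"
    if not actual.isascii():
        return "non-ascii-domain"
    return "untrusted"


def inspect_email(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, verdict), ...] for every anchor in the message."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    return [(href, classify_link(href, text, trusted)) for href, text in collector.links]


# Constructed phishing e-mail: one genuine link, several lures.
SAMPLE_EMAIL = """<html><body>
<p>Your password expires today. Act now to keep access to your account.</p>
<a href="https://example-bank.com/account">Sign in to your account</a>
<a href="http://example-bank.com.login-verify.net/reset">https://example-bank.com/reset</a>
<a href="https://examp1e-bank.com/confirm">Confirm your details</a>
<a href="https://ex\u0430mple-bank.com/login">Secure login</a>
<a href="https://unrelated-tracker.net/c/123">Unsubscribe</a>
<a href="mailto:security@example-bank.com">Contact us</a>
</body></html>"""

if __name__ == "__main__":
    for href, verdict in inspect_email(SAMPLE_EMAIL):
        print(f"{verdict:17} {href}")
```

Run it and the one genuine link comes back as trusted, the subdomain trick (example-bank.com.login-verify.net, whose registrable domain is login-verify.net) as a display mismatch, the digit and Cyrillic substitutions as look-alikes, and the tracker link as untrusted. The verdicts are only as good as the allowlist, which is why the text still recommends typing the address you know rather than trusting any link.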
Being wary of any email you get and using two-factor everywhere can help you limit the likelihood that your account will be compromised by mistake. To learn more, check out the LinkedIn Learning course called Cybersecurity Awareness: Phishing and Whaling. Catfishing, on the other hand, is a little bit different. It's still an attempt to get information, but more of the focus is on the attacker presenting themselves as someone they're not. Catfishing is more prevalent on social sites, like social media and dating websites. Often an attacker will present themselves as someone you know, or someone you'd like to know.
They may misrepresent themselves through fake profiles and photos, and they may use information that's publicly available about you to make themselves seem more credible. A useful test to think about here is whether something seems too good to be true. A good strategy to help combat catfishing is to not give out too much information about yourself publicly, and to not volunteer any kind of sensitive information like your age, location, interests, or occupation if you find yourself conversing with a stranger. That can seem a little rude in conversation, but your safety is more important. Sometimes it's okay to speak in general terms to get a sense of where the conversation's going.
Is the other person pressing for specifics for some reason, and can you verify the information they share? Both of these tactics, and some others, are considered social engineering. You can learn more about that in the LinkedIn Learning course called Ethical Hacking: Social Engineering. My intention here isn't to be cynical and say you should question everything and trust nothing, but it's always a good idea to give a second thought to anything that might be suspicious. Stay safe out there.
Video: Spear phishing and catfishing