Malachi Faughnan
Chief Strategy Officer

Phishing 101

An introduction to phishing

Phishing is the term for an attempt by a nefarious actor to gain access to sensitive information by impersonating a legitimate business, company, or individual. Attackers will send out emails, SMS texts, or chat messages using WhatsApp, Facebook Messenger, or WeChat, and may even call you directly by phone or knock on your door. They will use any method possible to try to extract sensitive information such as passwords, social security numbers, credit card information, etc., which they will either sell on the dark web or use directly to steal from you or your company.

There are many forms of phishing including:

  • Email phishing: Email phishing normally just targets common businesses, which will resonate with a significant number of email recipients. As it costs very little to send out these bulk email “campaigns”, hackers only need a small number of successful attacks to justify their efforts.
  • Smishing: Smishing (SMS + Phishing) is similar to email phishing except that it is delivered via an SMS text message. Attacks typically invite the user to click a link, call a phone number, or contact an email address, where the victim is then invited to provide their private data.
  • Vishing: Vishing (Voice + Phishing) uses a large range of telephone numbers and plays automated recordings impersonating real companies. Attackers aim to get you to engage with whatever story they are telling, at which point a real person will come on the phone seeking to extract bank details, credit cards, passwords, etc.
  • Spear phishing: Spear phishing involves an attacker directly targeting a specific organization or person with tailored phishing communications. This typically results in emails or SMS messages sent to a particular person and written to make that person think the communication is legitimate, so the attacker can request a password, bank transfer, etc.
  • Angler: Angler phishing is a new type of phishing attack that targets social media users. Attackers disguise themselves as customer service agents on social media in order to reach disgruntled customers and obtain their personal information or account credentials.

Phishing has now become a very successful, if illegal, business in which criminal organizations buy phishing-as-a-service (PhaaS). They get phishing kits that include email templates and SMS examples, along with all the hosted tools needed to launch the phishing campaign. These turnkey platforms often reside in jurisdictions where regulations are lacking or not enforced.

Both the PhaaS providers and the criminals exist because they have made a successful business out of phishing and they continue to evolve and improve their “product offering”.

Why should I care?

In this world of big data, both legitimate and illegitimate companies collect information on individuals from many sources. It is the combination of this collected data that allows criminals to know enough to hold you to ransom or simply steal from your bank accounts. We, as individuals, need to be 100% correct, whereas the fraudsters only need us to make one mistake. Using social engineering techniques, they will play on our lack of computer literacy, human emotions, or just plain luck, which can result in us clicking that link and handing over personal data or money.

How can I protect myself?

Many people will tell you not to trust unsolicited emails, SMS, or phone calls, but that will mean closing yourself off from many of the good things in life. Legitimate businesses need to reach out to you, to inform you of new products or services along with special offers and discounts, which may be available. It is better to be aware of the risks by using trusted tools like Trust Alice, which not only educate on the current risks but also ensure trusted businesses have a way to communicate with you.


© 2022 TrustAlice. All Rights Reserved.
