Phishing Attacks
(OBJ 2.2)
Different Types of Phishing Attacks
Phishing
- Sending fraudulent emails that appear to be from reputable sources with the aim of convincing individuals to reveal personal information, such as passwords and credit card numbers
- Often lure victims with the sense of urgency or fear
- For example: clicking a link that appears to come from Google but actually leads to a site controlled by an attacker
Spear Phishing
- More targeted form of phishing that is used by cybercriminals who are more tightly focused on a specific group of individuals or organizations
- More personalized and convincing experience
- Has a higher success rate at deceiving recipients into believing emails are authentic
- Examples:
  - Sending an email about a Bank of America account to a large number of Americans is normal phishing
  - If a breach happens at a company, an attacker can buy a list of that organization's members or employees and craft an email specifically for them; this is a spear phishing attack
- Phishing vs. Spear Phishing
  - Phishing: "spray and pray"
  - Spear phishing: targeted users (a hunter studying the prey)
Whaling
- Form of spear phishing that targets high-profile individuals, like CEOs or CFOs
- Attacker isn't trying to catch the little fish in an organization, but instead they want to catch one of the executives, board members, or higher level managers in the company since the rewards are potentially much greater
- Often used as an initial step to compromise an executive’s account for subsequent attacks within their organization
Business Email Compromise (BEC)
- Sophisticated type of phishing attack that usually targets businesses by using one of their internal email accounts to get other employees to perform some kind of malicious actions on behalf of the attacker
- Taking over a legitimate business email account through social engineering or cyber intrusion techniques to conduct unauthorized fund transfers, redirect payments, or steal sensitive information
- The attacker impersonates a senior executive or trusted partner and sends seemingly legitimate requests for wire transfers or confidential data to employees in finance or human resources.
- Often leads to significant financial losses or data breaches
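The indicators listed for phishing (a link whose visible text names one site while its target is another, urgency language) and for BEC (a known executive's name on a sender outside the organization, a Reply-To that points elsewhere) can be checked mechanically on inbound mail. The following is an added example written for these notes, not code from the course or any product; the internal domain `example-corp.com`, the executive names, the urgency word list and the three sample messages are all constructed for the demo.

```python
"""Heuristic phishing / BEC indicator checks over raw email messages.
Added example for the notes above; all domains, names and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

INTERNAL_DOMAIN = "example-corp.com"                      # assumed organisation domain
EXECUTIVES = {"jane doe", "john smith"}                   # assumed CEO/CFO display names
URGENCY_WORDS = {"urgent", "immediately", "suspended", "final notice", "within 24 hours"}


class _LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze_message(raw):
    """Return the list of indicator strings found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # BEC: an executive's display name on a sender that is not the internal domain.
    if display_name.lower() in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        found.append(f"executive name '{display_name}' sent from external domain {sender_domain}")
    # BEC: replies silently routed to a different domain than the apparent sender.
    if reply_domain and reply_domain != sender_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")

    # Phishing: the visible link text names one host, the href goes somewhere else.
    parser = _LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        shown = _host(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower()) else ""
        actual = _host(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            found.append(f"link text shows {shown} but points to {actual}")

    # Phishing / BEC lure: urgency or fear language in subject or body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in lowered)
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found


# Constructed sample messages (not real mail); the lookalike domains are invented.
SAMPLE_PHISH = """\
From: "Google Accounts" <security@goog1e-verify.example>
To: user@example-corp.com
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Sign in immediately at <a href="http://login.goog1e-verify.example/x">https://accounts.google.com/</a>.</p>
"""
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@example-corp-mail.example>
Reply-To: jane.doe@webmail.example
To: payroll@example-corp.com
Subject: Vendor payment needed today
Content-Type: text/plain; charset="utf-8"

Please wire the attached vendor payment immediately; I am in meetings all day.
"""
SAMPLE_OK = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: user@example-corp.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="utf-8"

<p>Details are on the <a href="https://intranet.example-corp.com/maint">intranet page</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("bec", SAMPLE_BEC), ("ok", SAMPLE_OK)):
        print(name, analyze_message(raw) or ["no indicators"])
```

Each check maps to one bullet above: the display/href comparison catches the "looks like Google but isn't" link, the executive-name and Reply-To checks catch the impersonation pattern BEC relies on, and the urgency scan flags the lure common to both. None of these is conclusive on its own, which is why the function returns every indicator rather than a single verdict, leaving the scoring threshold to the mail gateway or SOC rule that consumes it.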
Vishing (Voice Phishing)
- Attacker tricks their victims into sharing personal or financial information over the phone
- "In general most people tend to be friendly"
Smishing (SMS Phishing)
- Involves the use of text messages to trick individuals into providing their personal information
- Will often contain a link to a fraudulent website or a phone number to call, while tempting the victim into action by creating a sense of urgency