Phishing is a criminal tactic designed to reel people in: to get them to reveal sensitive information or take some kind of action. It often takes the form of an email that's asking for too much... like 'click this link, I swear it's safe!' or 'download this attachment and run the executable!' or 'I'm a Nigerian prince and I have too much money, I have to give you some!'
Phishing is always tugging the heartstrings or creating a false sense of urgency. But it doesn’t always take the same shape. Let’s look at a few different variations of phishing:
Spear-phishing is like phishing, but more targeted. It's an attempt to catch someone specific in order to gather information and access from that particular user or organization. The main caveat is that spear-phishing is not commonly aimed at leadership (that's whaling, below), but rather at certain individuals within an organization who have privileged access.
Whaling is another form of phishing that goes after the biggest fish in the sea. The biggest fish – senior leaders – often have the most authority and influence, which makes them a large, valuable prize for hackers to try and catch.
- PUZZLE 1 (Easy-Intermediate): Want to see if you can spot red flags in phishing emails? Check out this game from Living Security Engineering, called FLAGS.
- PUZZLE 2 (Advanced): If you're more advanced, see if you can spot a phishing email just by looking at the raw header information. This is what cybersecurity analysts typically do to verify a phish. This puzzle is called RAW PHISH.
Ever heard of SMiShing? Smishing is short for SMS (text message) phishing, and is a way in which criminals compromise a mobile device.
Equally scary is phishing's cousin, third-party phishing, also known as vendor email compromise (VEC). Instead of a cybercriminal going after you, the cybercriminal catches your vendor hook, line and sinker, and then uses them as bait to lure YOU in. For example, a criminal might compromise your vendor, then use your vendor's real billing emails to craft a very realistic invoice with different payment information. The people you trust can be tricked into tricking YOU!
How to Prevent Phishing Threats
- Ask why. Interesting emails and phone calls deserve even higher scrutiny than usual... so if you're paying attention, there's a reason. What's that reason? Why do you want me to donate my money right this minute? Why is the sender address different from the display name? Why is this link going to an insecure website instead of the one I know to be correct? If you are not satisfied or still suspicious, scrap the theme and move on.
- On a computer, NEVER click links or download attachments unless you're absolutely sure they are legit. Themed phishing emails like to send exciting updates, donate buttons and articles. You know better. If you must check it out, browse to the legitimate website yourself.
- On a mobile phone, don't tap links or text back. As themed phishing transitions from computer to mobile phones, you may receive some interesting messages. But it's not any safer. Just more interesting spam.
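The RAW PHISH puzzle above asks you to verify a phish from its raw headers, and the "Ask why" tip lists the questions an analyst asks (does the display name match the sender address? does the link go where it claims?). Here is an added example, not part of the original page or of the FLAGS/RAW PHISH games, that scripts those checks with Python's standard library. Both sample messages, and every name, address and domain in them, are constructed for this illustration.

```python
"""Added example: the header and link checks an analyst runs on a raw email.

Standard library only. The two sample messages below are constructed for this
example; their domains, names and addresses are made up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lure: the display name claims to be a known vendor, but the
# envelope sender, Reply-To, authentication results and link target disagree.
SAMPLE_RAW_EMAIL = """\
Return-Path: <billing@invoice-portal-example.net>
Received: from mail.invoice-portal-example.net (203.0.113.10) by mx.example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=invoice-portal-example.net; dkim=none
From: "Acme Supplies Billing" <accounts@acme-supplies.example>
Reply-To: payments@invoice-portal-example.net
To: ap@example.org
Subject: URGENT: updated payment details for invoice 4471
Content-Type: text/html; charset="utf-8"

<p>Please update our bank details today via
<a href="http://invoice-portal-example.net/pay">https://acme-supplies.example/invoices</a>
before the account is suspended.</p>
"""

# Constructed benign message for comparison: every domain agrees, SPF/DKIM pass,
# and the visible link text matches the real link target.
CLEAN_RAW_EMAIL = """\
Return-Path: <newsletter@acme-supplies.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass
From: "Acme Supplies" <newsletter@acme-supplies.example>
To: ap@example.org
Subject: Monthly product update
Content-Type: text/html; charset="utf-8"

<p>Read the update at <a href="https://acme-supplies.example/news">https://acme-supplies.example/news</a>.</p>
"""


def domain_of(addr: str) -> str:
    """Return the lowercased domain of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def header_red_flags(raw: str) -> list[str]:
    """Red flags visible in the headers alone: domain mismatches, auth failures, urgency."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    # Return-Path is the envelope sender; Reply-To is where replies really go.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            flags.append(f"{header} domain {other} differs from From domain {from_domain}")
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            flags.append(f"{mech.upper()} result is {m.group(1)}")
    if re.search(r"\b(urgent|immediately|today|suspended)\b", msg.get("Subject", ""), re.I):
        flags.append("subject uses urgency language")
    return flags


def link_red_flags(raw: str) -> list[str]:
    """Flag links whose visible text names a different host than the real href."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    flags = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real_host = urlparse(href).hostname or ""
        shown = text.strip()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and shown_host != real_host:
            flags.append(f"link text shows {shown_host} but points to {real_host}")
        if urlparse(href).scheme == "http":
            flags.append(f"link to {real_host} is plain http")
    return flags


def triage(raw: str) -> dict:
    """Combine both checks; 'suspicious' is True when any flag was raised."""
    flags = header_red_flags(raw) + link_red_flags(raw)
    return {"suspicious": bool(flags), "flags": flags}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_RAW_EMAIL), ("clean", CLEAN_RAW_EMAIL)):
        result = triage(raw)
        print(f"{name}: suspicious={result['suspicious']}")
        for line in result["flags"]:
            print("  -", line)
```

Run it and the lure message raises seven flags (two domain mismatches, SPF fail, DKIM none, urgency wording, a link whose text and target disagree, and a plain-http link) while the clean message raises none. None of these checks proves a message is malicious on its own; they are the questions to ask before clicking, and the same checks are what an analyst reads off the raw headers when verifying a reported phish.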