You would have to be living under a rock or hiding in a cave not to be aware of the simple and brutal hacking attack known as phishing, which plagues companies across the planet.
Anyone with an inbox in the digital age has received emails with all the hallmarks of a malicious phishing attack, and you’d be surprised at how often people fall for them. Smart people fall for phishing. Fortune 500 executives operating at the top of their game fall for phishing. Phishing is one of the most effective cyber attacks because of its simplicity. The barrier to entry for anyone who wants to launch a malicious phishing campaign is low because automated tools do the job for you and even offer template emails. Phishing can now be launched on an industrial scale, casting a wide net with email automation tools across hundreds of thousands of addresses. Meanwhile, the algorithms that sort legitimate email from spam are becoming much more sophisticated, but phishing attacks have also evolved to beat those algorithms by posing as legitimate email.
From Nigerian Princes to Spoofed Emails and SEToolkit
Unlike other cyber-attacks that are technical in nature and designed to subvert security tools such as Web Application Firewalls or Intrusion Detection Systems, phishing attacks come under the cybersecurity umbrella of “social engineering” because it is a human victim who is duped into handing over sensitive information or downloading a malicious payload such as ransomware.
Gone are the days of the Nigerian Prince caricature offering pots of gold that was prevalent in the early days of the Internet. Nowadays, sophisticated phishing campaigns utilise social engineering hacking tools such as SE Toolkit on Kali Linux, which scrape and replicate the login pages of your company’s website or a local bank to harvest a victim’s credentials. Emails that gain a veneer of authenticity by replicating or “spoofing” company banners and logos are classic phishing attacks. The most sophisticated phishing attacks attempt to replicate company lingo or industry vocabulary to lower the defences of an unsuspecting mark.
Phishing attacks are designed to make the recipient lower their guard and trust the sender before being duped into clicking a link that launches a ransomware attack, or into handing over login credentials, credit card details and other sensitive information. The way to tell a phishing email from a legitimate one when both carry the company logo is to hover the mouse over the link: a phishing link typically points at a suspicious website rather than the company’s official domain.
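The hover check above compares the address a link displays with the address it actually opens. As an added illustration (this is not code from the original article or from any tool it mentions), the following Python script automates that comparison over an HTML email body: it collects every anchor tag, and where the visible text itself looks like a web address it checks whether the domain shown matches the domain in the real `href`. The sample message, the domain names in it and the helper names (`AnchorCollector`, `suspicious_links`) are all constructed for this example; it only uses the standard library and runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real phishing email). The second link
# shows one address to the reader but points somewhere else; the third has
# plain text, so a domain comparison is not possible for it.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please review your account at
<a href="https://www.example.com/account">https://www.example.com/account</a>.</p>
<p>Your password expires today. Reset it here:
<a href="http://example.com.account-reset.example.net/login">https://www.example.com/login</a></p>
<p>Questions? <a href="https://www.example.com/help">Contact support</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Return the last two labels of the URL's host, lower-cased ('example.com').

    A production filter would consult a public-suffix list; two labels are
    enough to show the technique here (an assumption of this example).
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True when a reader would take the visible text for a web address."""
    return "://" in text or "www." in text.lower()


def suspicious_links(html):
    """Return (visible_text, href) pairs whose displayed domain differs from
    the domain the link really opens, i.e. what hovering would reveal."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue  # "Contact support" style text: nothing to compare against
        if registrable_domain(text) != registrable_domain(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"mismatch: shows {text!r} but opens {href!r}")
```

Run it and the only line reported is the password-reset link, whose visible text names `example.com` while the real target sits under `example.net`. Links with plain wording such as “Contact support” are skipped rather than flagged, because there is no displayed domain to compare; a mail gateway would still want to log those for the hover check a human has to perform.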
Spear Phishing, Whaling, and Vishing or Video Phishing
Most phishing attacks cast a wide net (kind of like ocean trawlers fishing for tuna: there’s bound to be a couple of dolphins caught up in the catch), but be aware of what’s known as “spear phishing”, in which a message or email is custom-designed for a single mark like Jerry from Finance, who holds the keys to the kingdom: the login details for the company bank account.
Meanwhile, “whaling” is a type of phishing attack that goes after the big fish in a company, like the CEO or his executive team, with a harpoon instead of a spear or a widely cast net. Scarier still are the hyper-realistic tools and machine learning platforms that can create people out of pixels, in a new deepfake phishing phenomenon known as “vishing” or video phishing.