This originally appeared over at http://easycyber.net and I thought it would be worth providing this beginner’s guide here. I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics. Let’s start at the beginning though.
Most people with email will have received a phishing email at some point. Essentially, it’s a mass mail sent indiscriminately to a lot of people, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website, or to something that will download and install malware, or they note who replies and build a list of people to target with the sort of fake IT support calls you’ve probably read about. These attacks are relatively simple and unsophisticated. They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.
Spear phishing is a bit more sophisticated. It follows the same approach as above, but focuses on specific individuals. These emails typically include your name, may include a little information about you, and will likely be tailored to some of your likes and interests. Because they are directed specifically at you, and you are the prey, you become the fish the bad guys try to catch without looking at the others around you: hence “spear phishing”.
This is really just a version of spear phishing, but targeted at the biggest fish, the whales (OK, so I know that whales are mammals, not fish, but that’s beside the point). As these are the big fish, they are also the biggest prize. Typically the bad guys are after large sums of money, and the attack may involve more skilful techniques, such as phoning an employee in finance (sometimes called voice phishing, or vishing) while pretending to be one of the big fish, saying they’ll be emailing shortly to request immediate payment of a bill. Who queries the boss, right? This type of attack is definitely on the increase.
So how do you protect yourself from these sorts of attack? The following tips may help:
- If it seems too good to be true, it probably is
- Don’t click on unknown links in email
- Don’t reply to messages from people you don’t know
- If at work and you get an email from senior management which, e.g., doesn’t follow normal processes, ask for confirmation or clarification – but not by replying to the mail
- Be vigilant – phishing and related attacks are on the increase