April 1, 2019
If you’ve ever peeked in your spam folder, you’ve probably noticed multiple emails from people claiming all sorts of nonsensical and unbelievable things.
It is not recommended that you open these emails, but be aware that they most likely contain links whose visible text names one webpage while the address underneath points somewhere else entirely.
This is an example of “phishing”, and thanks to advanced spam filtering today, you may never have to deal with these kinds of threats directly. But there are other kinds of phishing you should be aware of.
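The mismatch between a link’s visible text and its real destination is something a mail client, a gateway or a script can check mechanically. The following is an added example, not code from the original article: it parses a constructed HTML email body, collects every anchor, and flags those where the text shows one domain while the `href` leads to a different site. Subdomains of the displayed domain (text “example.com”, link to www.example.com) are treated as benign, link text without a domain (“click here”) is skipped because this check alone cannot judge it, and the sample message and hostnames are invented for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (not a real message). The first link shows a
# legitimate-looking URL as its text but points to a lookalike domain.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Please
<a href="http://login.examp1e-mail.net/verify">https://mail.example.com/login</a>
to keep receiving messages.</p>
<p>Questions? Visit <a href="https://www.example.com/help">example.com</a>.</p>
<p>Or <a href="https://support.example.com">click here</a>.</p>
"""

# Matches something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Text inside the anchor (including nested <b>, <span>, ...) is what the
        # reader sees, so all of it counts as the displayed link text.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _http_host(url):
    """Hostname of an http(s) URL, lower-cased; None for other schemes."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower()


def _same_site(shown, actual):
    # "example.com" displayed and www.example.com as the target is not deceptive.
    return actual == shown or actual.endswith("." + shown)


def find_deceptive_links(html):
    """Return [(visible_text, href)] for links whose text names a domain that
    differs from the domain the href actually points to."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        match = DOMAIN_RE.search(text)
        if not match or not href:
            continue  # no domain shown to the reader, nothing to compare against
        actual = _http_host(href)
        if actual is None:
            continue  # mailto:, tel:, etc. are out of scope for this check
        shown = match.group(0).lower()
        if not _same_site(shown, actual):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"suspicious link: shows {text!r} but goes to {href}")
```

Run against the constructed sample, only the first link is reported: the text claims mail.example.com while the link goes to login.examp1e-mail.net. A production filter would add further checks (homoglyph and IDN lookalikes, URL shorteners, tracking redirectors), but the display-versus-destination comparison is the core of the deception the paragraph above describes.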
What is phishing?
Phishing is the act of tricking individuals into handing over sensitive personal information, such as passwords or account details, usually by impersonating someone or something they trust. One technique is the “shotgun approach”, where the phisher attempts to contact as many people as possible. General phishing like this relies on large numbers: Even if the probability that any one recipient actually gives their information to a phisher is something like 0.001%, reaching 100,000 people – which isn’t unusual – yields an expected one victim, and the chance of at least one victim is roughly 63% (1 − (1 − 0.00001)^100000).
Phishing can also be targeted (often called “spear phishing”), in which the attacker directs the strike against a particular individual. This type of attack usually involves employees of an organization or high-ranking officials, as these targets are the most valuable. This kind of phishing often requires a degree of social engineering as well, in which the phisher uses various tactics to draw out information. They may pose as coworkers or customers who have lost their passwords, for example, or they may try to subtly encourage the victim to reveal details through conversation.
An example of conversational phishing may unfold as follows:
Through a seemingly normal conversation with a stranger, the attacker volunteers information about their own (fictitious) children, then asks the victim about theirs. To follow social norms and reciprocate, the target may provide details like school holidays, partial names, or even birthdates. This may be inadvertent, like mentioning their child recently had a birthday party. School holidays can be cross-referenced against nearby school districts to narrow down the school the victim’s children attend. Once the neighborhood is known, that can lead to the victim’s full name or home address. And since names and birthdates are still used by many people as passwords (not recommended), this gives the phisher a list of candidate passwords to try. Armed with passwords, addresses, birthdates, and names, a lot of damage can potentially be done.
Phishing and hacking
Since high-value targets are more likely to be educated in internet security and less likely to fall for simple spam email attacks, phishers may use more subtle tactics. These kinds of attacks usually occur against people at work. A lot of IT security relies on trust, since employees need to be able to access the systems to do their work. If someone’s credentials are compromised, though, whoever holds them can log in as that employee and inherit that trust, potentially infiltrating the IT system. This is how a lot of “hacking” is perpetrated. Certainly there are plenty of attacks against software code, but if an insider can be compromised, it may be quicker, easier, and less detectable than finding a hole in the system’s security. So phishing is a prime tool for hackers, simply because humans are more easily hacked emotionally and psychologically than IT systems with established electronic security measures.
Most people should already be aware of the shady tactics a phisher might use to gain access to sensitive information – but if these attacks didn’t work, no one would use them. So someone out there must be falling victim. Make sure it isn’t you.