What is Phishing?

All types of phishing explained.

Phishing is technique where email is used to trick people into performing an action, such as downloading a file, supplying information, or conducting a transaction. Phishing is a common threat vector used in today’s technology environment. When phishing is used as part of malicious attack on a company, it is referred to as a Phishing attack. Phishing and other attacks that involve manipulating employees are referred to as social engineering attacks.

Types of phishing

Although phishing can be used as a generic term, some like to further classify phishing into different types. Spear Phishing is a term used to describe a phishing attack that is targeted to a specific individual or organizational position. With a spear phishing email, the attacker would tailor the phishing email to include relevant information that would lend credibility to the email in the eyes of the recipient. Where a generic phishing email may reference “Dear Sir” a spear-phishing email would address the specific recipient, such as Dear Steve Smith. As such, a spear-phishing email is likely to be more successful in achieving the attackers desired results. Spear phishing is a common method in data breaches. Click here to learn about current phishing facts or statistics on the phishing threat.

Why is phishing so prevalent?

Phishing is used because it works and there is little risk to the attacker. Phishing attacks prey on the human element. The human element is very difficult to control. Humans can be tricked into performing an action, such as downloading a virus or conducting a transaction. These actions often bypass other technical controls. The attackers will use this fact to help archive their objective, which is often financial gain through either direct theft or some sort of ransom.

In addition to achieving the desired results, the initiator of a phishing attack has little risk of being apprehended or punished. The attack can be conducted remotely from anywhere in the world through various computer networks. As such, it is very difficult for authorities to trace phishing attacks to specific individuals. Some countries even sponsor such attacks, so they do not cooperate with authorities’ efforts to stop or punish groups or individuals for conducting cyber-attacks, such as through phishing.

What can be done to prevent phishing?

There are several things a company can do to prevent and/or minimize the threat from phishing. However, it will difficult to fully eliminate the risk from phishing altogether. Some phishing attacks may be highly sophisticated and take place of a long period of time. The complexity of the phishing attack is only reliant on the resources and motivation of the attacker. In any case, the following controls reduce the threat from phishing and other social engineering attacks:

Educate employees on the threat from phishing through phishing awareness training.
Test employees on their susceptibility from phishing through simulated phishing campaigns.
Configure the technology environment to minimize likelihood of receiving a phishing email. Click here for a guide on specific technology configurations to employ to minimize the phishing threat.
Establish reporting mechanisms to notify security personnel of phishing attacks or suspicious activity.

Summary

Phishing is a social engineering method used to attack organizations through email and other electronic channels. The threat from phishing is real and should not be ignored. Through security awareness training and technology configurations, organizations can significantly reduce their sociability to the threat from phishing.