Phishing is a type of social engineering, usually carried out by sending deceptive emails or text messages.  From "Nigerian princes" to fake Apple or Windows help-center notices, these messages can appear to come from anywhere, and most often they imitate companies or organizations that a typical internet user would implicitly trust.

The common goal of phishing is to get the target to act: click a link, download a malicious executable, or hand over personal information by email.  A typical example is a message that appears to come from the bank you do business with, asking you to reset your password.  It provides a link that takes you to a convincing replica of your bank's website, where you enter your old credentials and then a new password.  The replica exists only to capture what you type.  There may be no obvious or immediate consequence to resetting your password this way (the attacker may even forward the new password to your real bank and reset it for you), but now an unknown party has your credentials and access to your bank account, which is clearly a problem.

This sort of ruse can happen with any account you have, so it is important to check who actually sent every email (the sending address and its domain, not just the display name) and to be wary of any links or file attachments you receive.  Before clicking a link, look at where it really points, and if a message asks you to reset a password or log in, go to the site directly rather than through the link in the message.  The best defense against this sort of attack is to be cautious with every message you receive.  It is better to be overly suspicious and stay safe than to trust every message from the anonymous internet and wind up getting burned.
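The two checks above (does the real sender domain match the brand in the display name, and does a link's visible text match where it actually points) can be automated.  The following script is an added example, not code from the original page: it parses a constructed sample email whose bank name, addresses and domains are made up, and the TRUSTED_DOMAINS set is an assumed list of sites the reader actually does business with.

```python
"""Added example: flag a password-reset email whose sender or links do not
match the bank it claims to be from.  The sample message and domains below
are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name and link text say "Example Bank",
# but the sending domain and the link target are a look-alike domain.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.net>
To: customer@example.org
Subject: Action required: reset your password
Content-Type: text/html

<html><body>
<p>Your password has expired. Please reset it now:</p>
<a href="http://examp1e-bank-login.net/reset">https://www.example-bank.com/reset</a>
</body></html>
"""

# Assumed: the domains the reader really has accounts with.
TRUSTED_DOMAINS = {"example-bank.com"}


def registrable(host):
    """Reduce a hostname to its last two labels (www.example-bank.com ->
    example-bank.com).  Good enough here; production code should use the
    public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(text):
    """Registrable domain of a URL or bare hostname, or None if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return registrable(host) if host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw):
    """Return a list of warnings for a raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    warnings = []

    # Sender check: compare the real address domain with the trusted list and
    # with the brand name the display name is claiming.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else None
    if sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sender_domain!r} is not one you do business with")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display_name.lower() and sender_domain != trusted:
            warnings.append(f"display name {display_name!r} claims {trusted} "
                            f"but the mail came from {sender_domain!r}")

    # Link check: the first text part of the message (single-part here).
    part = next((p for p in msg.walk()
                 if p.get_content_type() in ("text/html", "text/plain")), None)
    body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = domain_of(href)
        looks_like_url = re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text)
        text_domain = domain_of(text) if looks_like_url else None
        if text_domain and href_domain != text_domain:
            warnings.append(f"link text shows {text_domain} but points to {href_domain}")
        if href_domain not in TRUSTED_DOMAINS:
            warnings.append(f"link to untrusted domain {href_domain!r}: {href}")
    return warnings


if __name__ == "__main__":
    for w in check_email(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run against the constructed sample it reports four warnings: the look-alike sending domain, the display name claiming a bank it was not sent from, the link whose text shows the bank's domain while the href goes elsewhere, and the untrusted link target.  A genuine message from the bank, sent from and linking to the trusted domain, produces none.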

Classic vs. Spear Phishing

Classic Phishing: Casting a wide net by sending out a mass email or text.  A malicious email, text, or phone call that imitates a source of trust (a friend, a company) to gain information or money.

Spear Phishing: Targeting a specific person and tailoring the phishing message to what they are likely to respond to.  This is phishing designed to target one individual or a small group.

Sample Presentation