Phishing is a cyber attack in which an attacker conceals their true identity in order to deceive the victim into completing a desired action, usually one that gives the attacker access to sensitive information such as usernames and passwords, financial details, and other important personal data. The attacker poses as a reputable source making an enticing request and so lures the victim into the trap, much as a fisherman uses bait to catch a fish.
Phishing comes in many formats:
- Advance fee scam. Popularised by the “Nigerian prince” email, in which the victim is offered a large sum of money in return for a small up-front investment. Of course the large sum never arrives. This attack and others with similar offers should not be responded to, even as a prank: replying confirms that your email address is live, and you will receive more of them.
- Account deactivation scam. This email uses urgency to get a response: it tricks the user into believing their account (email, bank or streaming service) is about to be deactivated and sends them to a fake website to capture their login credentials. This type of attack can be countered by going directly to the service's own website and checking whether the legitimate provider shows the same urgent account status. It is also good practice to check the URL bar and make sure the site is the provider's real domain and the connection is secure. Any website that requests a login and password over an insecure connection should be seriously questioned, and nearly without exception should not be used.
- Spear phishing is phishing directed at specific individuals or companies, hence the term. By gathering details or buying information about a particular target, an attacker is able to mount a personalized scam. This is currently the most effective type of phishing, and accounts for the majority of attacks.
- Whaling impersonates senior executives or privileged users within a business. It takes many forms; the most common is an urgent demand for a transfer of funds. Lower-level employees are sometimes fooled into thinking that the importance of the request and of the person it appears to come from outweighs any need to double-check its authenticity, and transfer large sums of money to the attacker.
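As an added example (not from the original page), the Python below turns three of the descriptions above, plus the URL-bar check, into simple mail-triage heuristics a defender might run over inbound messages: urgent wording combined with a link that leads away from the sender's domain (account deactivation), an up-front fee attached to a promised windfall (advance fee), and an executive title on an outside address asking for a funds transfer (whaling). The `Message` type, the keyword patterns and the `internal_domain` parameter are assumptions made for illustration; spear phishing is omitted because its content is tailored per target and does not follow a fixed pattern.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Message:
    """Minimal view of an inbound email: display name, address, text and extracted links."""
    from_name: str
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)

# Wording patterns for three of the scam types described above (heuristic, not exhaustive).
URGENCY = re.compile(r"within 24 hours|immediately|will be (deactivated|suspended|closed)", re.I)
ADVANCE_FEE = re.compile(r"\b(processing|release|transfer) fee\b|\binheritance\b|\bmillion\b", re.I)
FUNDS_REQUEST = re.compile(r"\b(wire|transfer)\b.*?\b(funds|payment|money)\b", re.I | re.S)
EXEC_TITLES = ("ceo", "cfo", "chief", "director", "president")

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def suspicious_links(msg: Message) -> list:
    """The URL-bar check: links that are not HTTPS or whose host is not the sender's own domain."""
    own = sender_domain(msg.from_addr)
    bad = []
    for url in msg.links:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not (host == own or host.endswith("." + own)):
            bad.append(url)
    return bad

def classify(msg: Message, internal_domain: str) -> list:
    """Return the phishing categories the message matches; an empty list means nothing was flagged."""
    text = f"{msg.subject}\n{msg.body}"
    flags = []
    # Account deactivation: urgent wording plus a link that leads away from the sender's domain.
    if URGENCY.search(text) and suspicious_links(msg):
        flags.append("account-deactivation")
    # Advance fee: a large sum promised in exchange for an up-front fee.
    if ADVANCE_FEE.search(text):
        flags.append("advance-fee")
    # Whaling: an executive title in the display name, an outside address, and a funds-transfer request.
    claims_exec = any(title in msg.from_name.lower() for title in EXEC_TITLES)
    if claims_exec and sender_domain(msg.from_addr) != internal_domain and FUNDS_REQUEST.search(text):
        flags.append("whaling")
    return flags
```

A genuine reminder from a provider, with urgent wording but HTTPS links on its own domain, is deliberately not flagged, which is why the link check is combined with the wording check rather than used alone.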