Phishing attacks are one of the most common cybersecurity attacks. The attack is meant to steal information by deceiving users. It is carried out by sending emails with links for the target to click on them. The links will take the target to a webpage where it will be asked for personal information. It can be categorized under social engineering attacks.
Below you can find some phishing variants.
An attack vector is the pathway or method used by an attacker to gain illegal access to a network or computer. Source.
Spear phishing
This type of phishing attack occurs when the attacker targets a specific employee.
For instance, the attacker uses an email phishing attack targeting someone from the accounting department, the sales department, or a specific department within the company.
Usually, the attacker tries to find extra information (i.e. in social networks) to make the email more trustful and uses email as the attack vector.
Whale phishing
In this case, the target is “high-level” employees or employees with high-security access to the network.
For instance, an attacker can target the CEO of the company or the CFO. Even someone from the board of directors.
Do you get why this one is called whale phishing?
The attack vector is usually email.
Vishing
This type of attack will use cell phones or VOIP systems as the vector to target the users.
It works the same way as the previous ones, but only the attack vector changes.
In this case, the victim can receive a phone call from the attacker, which is impersonating a lawyer, or an employee from a company that has business with the victim’s company. The goal is to get access to private information that can be used later to gain unauthorized access to the network.
This type of attack might be very difficult to detect. Some attackers are cloning voices with machine-learning tools. This technique uses the voice of someone the target knows, to create a specific message. In this way, the attack becomes more effective and very difficult to identify.
Smishing
This is the same as the other phishing attacks, except for the attack vector, which in this case is SMSs.
The victim or target will receive an SMS that will lead the victim to enter private information that can be used later to gain unauthorized access.
How to identify a phishing attack?
There are common patterns in a phishing attack.
Some ways you can identify a phishing attack are:
- Generic/vague greetings. For instance: Dear Customer, Valued Customer, Dear Employee, etc. Sometimes, an attacker can use your name to create a false sense of trust.
- Email address. Verify that you know the email address. You can find misspellings or even easier, email addresses from free email providers (@gmail.com). Imagine you receive an email “from your bank” asking you for certain information, but the sender is your_bank@gmail.com. There is no way a bank or a reputable company will send you an email using a free service like Google Mail (sender address ending @gmail.com, among others).
- Emails that claim you won a price and ask you for your banking details to make the payment.
- Email signatures without clear contact details.
- Emails that ask for your personal details. Most of the companies that you have a relation with, will ask for this type of details in person.
- Does the email have an attachment? Does it make sense for that email to have an attachment?
- Look out for misspellings in the links. For instance, a link to enter login data or ask for your personal data: microsof.com. See the spelling error?
- Sense of urgency in the email. You need to reply before this time, or this is an urgent email, etc.