Phishing, Fishing, and Vishing
Phishing is a type of Social Engineering attack in which the attacker pretends to offer something, or be someone else in an attempt to get the target to click on a link or download a file.
An example form of phishing attack is the browser-in-the-browser attack, where an attacker mimics the authentication page for another service to try and get the unsuspecting user to supply them with login credentials.
There are multiple terms for variations of the typical email phishing, such as vishing (voice phishing) and smishing (SMS phishing) that all describe different avenues in which an attacker targets their victim.
Where does it come from?
Phone “freaks” and fishing for information.
Back when telephone hacking was a big(ger) thing and the Captain Crunch whistle could give you a free phone call, a term was created to group the people who found “hacks” or ways to trick different technology - “phone freakers” or “phreaks”.
From here, “phreaks” were associated with those fishing for information or scamming others, hence the term “phishing”. We really do enjoy combining words.
Although phishing was originally born from an association with phone hacking, it’s more commonly found in email campaigns nowadays, with email being a more common means of communication.
What is Spear phishing?
Spear phishing is a targeted form of phishing. While phishing attacks are generally there to “pick the low-hanging fruit”, spear phishing attackers typically have more information about their target and adjust their message for that specific person. This could mean impersonating someone from inside their company, advertising a specific niche of hobbies that they might be into or attempting to exploit them when an aspect of their personal life is in jeopardy (i.e., financial pressures).
Phishing attacks are more typically a “spray” type of attack; where a large number of people are sent the same email to catch out the few who bite. Spear phishing attacks would typically be sent to a single person.
How do I protect myself?
The most common advice is to simply never click on links sent to you from someone you don’t know. If it leads to a page that you need to access, however, it’s much better to type the link into the URL bar yourself. Better yet, if you could find the same page by a quick search, locate it that way rather than clicking on the link.
Anyone can very easily pretend a link is going to one page when it’s in fact leading to another. Read more about how this works here: https://lukewarmsecurityinfo.com/posts/phishing-links
Typically, if you hover over the link on your computer, the true link location will be shown in the bottom left of the browser window. This can be used as a method to verify that a link does indeed lead to where it’s saying it does.
Browser-in-the-browser attacks are an exception to this, which is explained more in-depth here.
What can we do better to protect others from phishing?
In my opinion, there’s no need to depend on links for access to (most) things anymore. The common uses of links in emails (that I can think of) are:
- Email Verification
- Filling in a questionnaire
- Viewing a specific page
- Verifying a new device
- Shared online files (Dropbox, Google Docs)
With all of these, there are simple workarounds to solve the requirement of a link existing. Almost all of these can be supplemented with providing the user some sort of one-time or persistent access key to view/locate the document, image or questionnaire.
For example, to access a dropbox file that’s available for public viewing, share the unique identifier of the file (that’s in the URL anyways) with a generic find your file search section for the user to supply the unique identifier. This eliminates the requirement for links in emails and still provides the user with access to the document. There are no extra security measures that providing a link will do that cannot be implemented another way.