Getting “Hacked” Series: Part 2 - Phishing
In part 1, we talked about different versions of Social Engineering. In part 2, we’re going to be reviewing Phishing.
Recap:
The word “Hacked” is thrown around a lot these days but unfortunately, it’s in a similar pool with the phrase “life hack”, where it is more of a generalization than anything specific.
When you look up the meaning of “Hack”, in this context, it is an act or instance of gaining or attempting to gain illegal access to a computer or computer system.
There are other additions to this meaning as well, such as gaining information, not just access, which oftentimes can be even more valuable to someone.
There are many different methods to hacking. With each post in this series, we’ll be doing a deep dive into the method as well as ways to spot and avoid getting caught up in them. In this post, we’ll be focusing on Phishing.
What is Phishing?
Phishing is a well-known form of social engineering used to grab information from an unwitting victim. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send an email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:
Natural disasters (e.g., hurricanes, tsunamis)
Epidemics and health scares (e.g., H1N1, COVID-19)
Economic concerns (e.g., IRS scams)
Major political elections
Holidays
How it typically works: A cybercriminal, or phisher, sends a message to a target that’s an ask for some type of information or action that might help with a more significant crime. The ask can be as simple as encouraging you to download an attachment or verifying your mailing address.
Worth noting is that there are many forms of phishing that social engineers choose from, all with different means of targeting. Spam phishing often takes the form of one big email sweep, not necessarily targeting a single user. There are also other terms for targeting individuals: Spear phishing targets individual users, perhaps by impersonating a trusted contact, and Whaling targets celebrities or high-level executives.
Phishing also comes in a few different delivery forms:
Vishing, meaning voice phishing, is phishing over a phone call; the call might be recorded, including the information you input on PIN pads.
Smishing, meaning SMS phishing, is text messages containing malicious links.
Email phishing is the most traditional phishing method: phishing by email, oftentimes by delivering a malicious link or a download.
Angler phishing is when a cybercriminal impersonates a customer service person to intercept your communications and private messages.
URL phishing is a falsified link you receive that leads to malware.
In-session phishing occurs when you’re already on a platform or account and are asked, for instance, to log in again.
Fax-based phishing often occurs as a fake email from a trusted institution requesting that you print off the message and fax back your sensitive information.
Phishing example
A social engineer might pose as a banking institution, for instance, asking email recipients to click on a link to log in to their accounts. Those who click on the link, though, are taken to a fake website that, like the email, appears to be legitimate. If they log in at that fake site, they’re essentially handing over their login credentials and giving the cybercriminal access to their bank accounts.
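The banking lure above relies on a link that looks like the bank but points somewhere else. As an added example (not part of the original post), here is a small Python check a mail filter or help desk could run over an email body to flag exactly that: anchors whose visible text shows the trusted domain while the href goes elsewhere, and hrefs whose host merely embeds the bank's name. The sample email body and the domain examplebank.com are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of the banking lure described above.
SAMPLE_EMAIL = """<p>We detected a problem with your account.</p>
<p>Please <a href="http://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a> to confirm.</p>
<p>Or visit <a href="https://www.examplebank.com.account-check.net/">our secure portal</a>.</p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>"""

# Matches the first domain-like token in an anchor's visible text (e.g. "www.examplebank.com").
DOMAIN_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _same_site(host, trusted):
    return host == trusted or host.endswith("." + trusted)

def find_suspicious_links(html_body, trusted_domain):
    """Return (reason, href, visible text) for each anchor that leaves the trusted site."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    brand, findings = trusted_domain.split(".")[0], []
    for href, text in parser.links:
        target = _host(href)
        if _same_site(target, trusted_domain):
            continue  # genuinely points at the trusted site
        claimed = DOMAIN_RE.search(text)
        if claimed and _same_site(claimed.group(1).lower(), trusted_domain):
            findings.append(("text/href mismatch", href, text))  # text shows the bank, link does not
        elif brand in target:
            findings.append(("look-alike host", href, text))  # bank name embedded in another domain
    return findings
```

Run against SAMPLE_EMAIL with "examplebank.com" as the trusted domain, the first two links are flagged and the genuine help-center link is not; the same idea is what a reader applies by hand when hovering over a link before clicking it.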