Phishing is a social engineering technique through which an attacker spoofs (i.e., imitates) a known source in an attempt to fool a victim into providing information or performing an action, like clicking on a link or opening an attachment. The purpose of phishing is to gain personal or sensitive information that can be used to spread malware, steal login credentials, access credit card details, learn more information about the user’s network (technological or social), or generally cause harm to the victim and/or a secondary target.
Phishing attacks are very popular and effective because it is relatively easy and inexpensive to create authentic-looking emails or Web pages, and success rates remain high despite security awareness campaigns. A good social engineer against a valuable target/intended victim may also spend time gleaning information from publicly available information about the target. Even with the strictest of settings, social networks provide valuable information that can be used to craft convincing messages to targets.
OpenDNS created a quiz to test security professionals’ ability to identify a phish. Trained users (security or otherwise) are less likely to be duped by phishing scams, but genuine-looking emails and websites are hard to spot, even with the keenest eye (organized criminals and nation-state actors, in particular, have marketing teams, much like our own, legitimate business’ marketing teams).
According to the latest Verizon Data Breach investigation Report (DBIR), perpetrators of phishing attacks are most likely to steal credentials from victims.
Source, Verizon 2016 Data Breach Investigations report
Also, according to the report, “the majority of phishing cases…feature phishing as a means to install persistent malware,” rather than leading the victim phony sites where the user is prompted to input additional information. This information could be skewed by the prominence of Dridex, the financial banking Trojan, in 2015.
Get the DeMISTIfying InfoSec newsletter sign-up every Tuesday!