The term “phishing” emerged in the mid-1990s, when hackers began using fraudulent emails to “fish” for information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became “phishing,” with a “ph.” Phishing emails lure people into taking the bait, and once a user is hooked, both the user and the organization are in trouble. Phishers use public sources of information, usually social networks such as LinkedIn, Facebook and Twitter, to gather background on the victim's personal and employment history, interests and activities. These sources typically reveal the names, job titles and email addresses of potential victims, which can then be used to craft a credible email.

If you think you are the target of a phishing campaign, the first step is to report it to the appropriate people. On a corporate network, report it to the IT staff so they can review the message and determine whether it is part of a targeted campaign. Individuals can report fraud and phishing to the FTC. A phishing attack often targets a large number of users; this requires minimal preparation on the attacker's part, and at least some targets will fall victim to it.
Phishing scams come in all shapes and sizes. Users can stay safe, alert and prepared by learning some of the newer methods scammers use. Some examples of more modern phishing attacks: Voice phishing is a form of phishing carried out over voice media, including Voice over IP (VoIP) and plain old telephone service (POTS). A typical scam of this type uses text-to-speech software to leave voicemails informing the victim of suspicious activity on a bank or credit account. The call asks the victim to respond in order to verify their identity, thereby compromising the victim's account credentials.

The goal of a phishing attacker is to trick the victim into clicking a link or downloading an attachment, which can result in malware being installed, the system being frozen as part of a ransomware attack, or the user being redirected to a malicious website disguised as a legitimate one, where the victim enters personal information. Results can include large unauthorized purchases, identity theft and theft of funds. Common actions in a phishing scam include: Spear phishing attacks target specific individuals or companies. These attacks typically use information gathered about the victim to make the message appear more authentic.
Spear phishing emails may include references to employees or executives of the victim's organization, as well as the victim's name, location or other personal information. Phishing is also often used to gain a foothold in corporate or government networks as part of a larger attack, such as an Advanced Persistent Threat (APT) event. In that scenario, employees are compromised in order to bypass the security perimeter, spread malware inside a closed environment, or gain privileged access to sensitive data. To prevent phishing messages from reaching end users, experts recommend layering security controls, including: For users, vigilance is key. A fake message often contains subtle errors that reveal its true nature, such as misspellings or altered domain names, as shown in the previous example URL. Users should also stop and think about why they received such an email in the first place.
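The altered domain names mentioned above can be checked mechanically. The following is an added example, not code from the original article: it scans the links in a constructed HTML email body and flags any href whose domain is a look-alike of a trusted domain (assumed here to be example-bank.com), hides the trusted name inside a subdomain of another domain, or disagrees with the visible link text.

```python
import re
from urllib.parse import urlparse
# Constructed for this example: the domains an organisation treats as legitimate.
TRUSTED = {"example-bank.com"}
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}  # look-alike substitutions
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host: str) -> str:  # crude registrable domain: the last two labels
    return ".".join(host.lower().strip(".").split(".")[-2:])

def fold_homoglyphs(domain: str) -> str:  # map look-alike characters to the letters they imitate
    for glyph, real in HOMOGLYPHS.items():
        domain = domain.replace(glyph, real)
    return domain

def edit_distance(a: str, b: str) -> int:  # Levenshtein, catches typosquats like 'exampel-bank.com'
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means none found."""
    host = urlparse(href).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED:
        return []
    reasons = []
    for trusted in TRUSTED:
        if fold_homoglyphs(dom) == trusted or edit_distance(dom, trusted) <= 2:
            reasons.append(f"{dom} is a look-alike of {trusted}")
        if trusted in host:  # trusted name buried in a subdomain of another domain
            reasons.append(f"{trusted} appears as a subdomain of {dom}")
        if trusted in text.lower():  # visible text names the brand, href goes elsewhere
            reasons.append(f"link text mentions {trusted} but href points at {dom}")
    return reasons

def scan_html(body: str) -> dict[str, list[str]]:
    """Map every suspicious href in an HTML body to its list of reasons."""
    return {href: why for href, inner in HREF_RE.findall(body)
            if (why := classify_link(href, re.sub(r"<[^>]+>", "", inner)))}

# Constructed sample message body; not a real phishing email.
SAMPLE = """<p>Please verify your account.</p>
<a href="https://examp1e-bank.com/verify">https://example-bank.com/verify</a>
<a href="http://example-bank.com.secure-login.net/">Log in</a>
<a href="https://example-bank.com/help">Help</a>"""
```

Running `scan_html(SAMPLE)` flags the first two links and leaves the genuine help link alone.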
Anti-phishing software identifies and blocks phishing content in websites, emails and other forms of online communication that could be used to harvest data. The software usually warns the user when they encounter a malicious email or website, and it is often integrated as a toolbar into web browsers and email clients. Another mobile-focused phishing attack, SMS phishing, uses text messaging to convince victims to reveal account credentials or install malware. While many phishing emails are poorly written and clearly fake, cybercriminal groups are increasingly using the same techniques as professional marketers to identify the most effective types of messages.

A technique for obtaining sensitive information, such as bank account numbers, through a fraudulent request by email or on a website in which the perpetrator impersonates a legitimate company or person.
Source(s): CNSSI 4009-2015 from IETF RFC 4949 Ver 2; NIST SP 800-12 Rev. 1 under Phishing from IETF RFC 4949 Ver 2

Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.
Source(s): NIST SP 800-150 under Phishing; NIST SP 800-88 Rev. 1; NIST SP 800-45 Version 2 under Phishing; NIST SP 800-83 Rev. 1 under Phishing

A digital form of social engineering that uses authentic-looking but fake emails to request information from users or direct them to a fake website that requests information.
Source(s): NIST SP 800-115 under Phishing

The use of social engineering techniques to trick users into accessing a fake website and revealing personal information.
Source(s): NIST SP 800-44 Version 2 under Phishing

Tricking individuals into disclosing sensitive personal information by pretending to be trustworthy in electronic communications (e.g., websites).
Source(s): NIST SP 800-82 Rev. 2 under phishing

An attack in which the subscriber is tricked (usually via email) into interacting with a counterfeit verifier/RP and revealing information that can be used to impersonate that subscriber to the real verifier/RP.
Source(s): NIST SP 1800-21B under Phishing; NIST SP 800-63-3 under Phishing

An attack in which the subscriber is tricked (usually via email) into interacting with a counterfeit verifier or relying party and revealing information that can be used to impersonate that subscriber to the real verifier or relying party.
Source(s): NIST SP 1800-17b under Phishing

Typically, these attacks are carried out via email, where a fake version of a trusted payment service asks the user to verify their login credentials and other identifying information. Usually, they claim that this is necessary to resolve a problem with the user's account. Often, these phishing attempts include a link to a fraudulent spoofed page. Voice phishing, or vishing,[29] is the use of telephony (often Voice over IP telephony) to carry out phishing attacks. Attackers dial a large number of phone numbers and play automated recordings, often produced with text-to-speech synthesizers, that make false claims about fraudulent activity on the victim's bank accounts or credit cards. The calling number is spoofed to display the real number of the bank or institution being impersonated.
The victim is then directed to call a number controlled by the attackers, which either automatically prompts them to enter sensitive information to “resolve” the supposed fraud or connects them to a live person who attempts to use social engineering to obtain information.[29] Voice phishing benefits from the general public's lower awareness of techniques such as caller ID spoofing and automated dialing, compared with their familiarity with email phishing, and thus from the inherent trust that many people place in voice telephony.[30] Anti-phishing websites such as FraudWatch International and Millersmiles publish the specific messages that have recently been circulating on the Internet, often with detailed information about the particular messages.[133][134] Because phishing is effective, attackers use phishing kits to simplify setup.