Reloading your Tackle Box for the Holiday Season: The Latest on Phishing
by Brian Schaeffer, CISSP, CISA and columnist for NetDiligence® eRisk Hub® portal, www.eriskhub.com
We’ve been battling phishing for the better part of 15 years. It is one of the most effective means of compromising a person’s or company’s accounts. In the early days, due to the use of broken English, it was relatively easy to spot a phishing attempt to steal information. Now, however, phishing techniques have evolved, and with the adoption of social media and mobile technologies, these threats have become increasingly difficult to recognize and combat.
As we’ve learned over the years, phishing is a method of obtaining personal information by some form of social engineering.
Phishers attempt to convince people to click on a link or disclose personal information by tricking them into thinking they are doing something necessary and legitimate. These days phishing takes many forms. Here are a few of the latest types of phishing:
• Spear Phishing is the most popular technique; it targets a specific group. Spear Phishing attempts are more sophisticated, using targeted and relevant details to trick the victim. Most of the breaches that occurred this year started with this method.
• Whaling is phishing aimed at senior management or other high-value targets of an organization.
• Smishing uses SMS or text messages sent to mobile devices as the medium for the phishing attack.
• Vishing uses voice communications as the means of attack. These attacks can use Voice over IP (VoIP) and/or spoofed Caller-ID to aid in the scam.
• Tabnabbing opens new browser tabs that look similar to sites that were already open. These tabs quietly redirect the victim to a phishing site behind the scenes. Many users don’t notice the change and click or log in to the phishing site.
• Evil twin creates a fake wireless hotspot and collects personal data from everyone who connects to it. This type of phishing attack is popular in airports, hotels, coffee shops, etc.