What is phishing?
Phishing is a type of cybercrime in which a hacker, pretending to be a trustworthy source, tries to steal sensitive information (such as passwords, data or credit card numbers) from a victim.
There are several ways a hacker can try to steal data, install malware or spy on their victims. Most of the time, an attacker will start with a phishing attack, combined with social engineering, to gain access to the victim's resources.
Phishing can take many forms, the main ones being via email, by phone (vishing or voice phishing), or via a text message (smishing or SMS phishing). The purpose of phishing is to gather sensitive information. This can range from passwords or personally identifiable information to bank details. This data is then used for identity theft, spam, fraud or corporate espionage, to name just a few examples.
Phishing has been around since the beginning of the internet, but in recent years there has been a huge increase in the number of phishing emails sent. Due to the growth of the internet, more and more people come into contact with e-mails (and phishing) every day. We can hardly imagine a day on which we don't check our email.
At this moment about 150 million phishing e-mails are sent every day. Of these 150 million e-mails, 16 million get through the spam filters. About half of these are opened, and 800,000 links are clicked. Every day, more than 80,000 people share sensitive information due to these types of phishing attacks.
This, in combination with the decreasing cost of sending these phishing e-mails, results in a continued increase in the number of victims. That is why it is vital for your organization that your users are able to recognize phishing emails and handle them correctly.
Different types of phishing
Phishing is the umbrella term we use when talking about this kind of attack. It encompasses every conceivable method of stealing someone's data or gaining access to their networks, devices and so on. The term phishing originally referred to email messages specifically.
When an attacker uses text messages (SMS, WhatsApp,...) to make initial contact with a possible victim, we use the term smishing. Text messages are more difficult to check for veracity, which means that you always have to be careful when clicking a link in one.
When phone calls come into play, we use the term vishing - a technique that relies heavily on social engineering. This can be during initial contact or further down the funnel - when a hacker will try to convince you to cooperate by claiming dubious activity was spotted on one of your accounts. Never share sensitive information during a phone call!
Spear phishing is a specialised form of phishing. Regular phishing is usually done by casting a wide net: attackers send malicious messages to as many recipients as possible, whereas spear phishing is aimed at one specific would-be victim.
A hacker will be well prepared when approaching the victim, having researched the recipient's social media, interests, job and so on. To make the approach even more convincing, they may try to impersonate a colleague or a customer. CEO fraud is another example of spear phishing.
Whaling is a specialised form of spear phishing: it aims resolutely at the biggest fish within an organisation. It is not to be confused with CEO fraud, where a hacker will impersonate someone at C-level, in order to pressure the victim into taking a certain action.
How can we help you with this?
We'll teach your users to recognize phishing emails through lifelike simulations and teach them how to respond appropriately. We'll also provide training on these emails, smishing and vishing.