
What is phishing? How this cyber attack works and how to prevent it

Phishing is a method of trying to gather personal information using
deceptive e-mails and websites. Here's what you need to know about this
venerable, but increasingly sophisticated, form of cyber attack.

"Phish" is pronounced just like it's spelled, which is to say like the word
"fish" — the analogy is of an angler throwing a baited hook out there (the
phishing email) and hoping you bite.

Types of phishing
If there's a common denominator among phishing attacks, it's the disguise. The
attackers spoof their email address so it looks like it's coming from someone else,
and set up fake websites that look like ones the victim trusts.

Hand over sensitive information. These messages aim to trick the user into
revealing important data — often a username and password that the
attacker can use to breach a system or account.

The classic version of this scam involves sending out an email tailored to
look like a message from a major bank; by spamming out the message to
millions of people, the attackers ensure that at least some of the recipients
will be customers of that bank. The victim clicks on a link in the message
and is taken to a malicious site designed to resemble the bank's webpage,
and then hopefully enters their username and password. The attacker can
now access the victim's account.

Download malware. Like a lot of spam, these types of phishing emails aim
to get the victim to infect their own computer with malware. Often the
messages are "soft targeted" — they might be sent to an HR staffer with an
attachment that purports to be a job seeker's resume, for instance. These
attachments are often .zip files, or Microsoft Office documents with
malicious embedded code. The most common form of malicious code is
ransomware — in 2017 it was estimated that 93 percent of phishing emails
contained ransomware attachments.

Spear phishing

When attackers try to craft a message to appeal to a specific individual, that's
called spear phishing. (The image is of a fisherman aiming for one specific fish,
rather than just casting a baited hook in the water to see who bites.) Phishers
identify their targets (sometimes using information on sites like LinkedIn) and use
spoofed addresses to send emails that could plausibly look like they're coming from
co-workers. For instance, the spear phisher might target someone in the finance
department and pretend to be the victim's manager requesting a large bank
transfer on short notice.

Whaling

Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish —
CEOs or other high-value targets. Many of these scams target company board
members, who are considered particularly vulnerable: they have a great deal of
authority within a company, but since they aren't full-time employees, they often use
personal email addresses for business-related correspondence. The goal is to
steal data, employee information, and cash.

How to prevent phishing

There are also a number of steps you can take and mindsets you should get into that
will keep you from becoming a phishing statistic, including:

- Always check the spelling of the URLs in email links before you click or enter
sensitive information
- Watch out for URL redirects, where you're subtly sent to a different website with
identical design
- If you receive an email from a source you know but it seems suspicious,
contact that source with a new email, rather than just hitting reply
- Don't post personal data, like your birthday, vacation plans, or your address or
phone number, publicly on social media
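As an added example, not part of the original article, here is a small Python check that applies the first two tips above to the links in an HTML e-mail body: it flags a link whose visible text names one domain while the href actually goes to another, and a link whose domain is a near-miss spelling of a domain the reader trusts. The trusted-domain list, the sample message and the helper names are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: the domains the reader actually trusts.
TRUSTED = {"examplebank.com"}
# Crude anchor extractor (enough for the constructed sample below; use an HTML parser on real mail).
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_DOMAIN = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def registrable(url):
    """Host reduced to its last two labels (enough for the .com/.net names used here)."""
    host = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    """Return (href, reason) for each link that shows one of the two warning signs."""
    findings = []
    for href, text in ANCHOR.findall(html):
        target = registrable(href)
        if target in TRUSTED:
            continue  # the link really goes where a trusted link should
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop inline tags inside the anchor
        shown = registrable(text) if LOOKS_LIKE_DOMAIN.fullmatch(text) else ""
        if shown and shown != target:
            findings.append((href, f"visible text says {shown} but link goes to {target}"))
        elif any(0 < edit_distance(target, t) <= 2 for t in TRUSTED):
            findings.append((href, f"{target} is a near-miss spelling of a trusted domain"))
    return findings

# Constructed sample (not a real message): a misspelt domain, a text/href mismatch, a genuine link.
SAMPLE = ('<p>Please <a href="http://examp1ebank.com/login">verify your account</a> or visit '
          '<a href="https://login.redirect-host.net/x">examplebank.com</a>. '
          '<a href="https://examplebank.com/help">Help</a></p>')

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE):
        print(f"SUSPICIOUS {href}: {reason}")
```

Running it over the constructed sample reports the first two links and stays silent on the genuine one; on real mail, feed it the decoded HTML part of the message.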
