I love fishing and I have no idea why. I don’t like going outdoors, it’s generally considered a “redneck” thing to do where I live, and again it’s outside, but I really just enjoy going to a pond for a few hours and fish. I unfortunately haven’t been able to lately but I plan on going this summer at least once before I start my final semester of college. This post is going to be somewhat technical, but it will definitely benefit you in the long run. Before I start on the topic though, to those who actually do read my posts and told me happy birthday, thank you.
Now what is phishing? It’s definitely not grabbing a pole and some tackle and attempting to catch fish, but the name will make sense when I explain it. Phishing is a very common social engineering tactic used by hackers to gain vital information to gain access to a system or critical information. I stand by the statement that a user is the weakest link, and that is why phishing is so common and has a very decent success rate when done properly. There are different types of phishing attacks, but the most effective is called Spear Phishing. A very directed and specific attempt to gain information from a specific person, generally somebody in a position of power. This could be a database admin, a system admin, a political figure, it varies, but what is consist through all of these attacks is that they are very carefully thought through.
In one case the attack was sending an email to a lower branch manager from a higher up manager thanking her for her team’s participation in recent training exercises and how they were model employees. The attacker had to do some homework to make this work, because they also need that e-cards were popular to send as a link in emails in this organization to help build moral. The lower branch manager received the email and clicked on the link, which installed ransomware on her system that then spread to infect an entire bank, effectively locking down operations.
Now here is my issue with precautionary action taken against phishing attacks, they can be so specific and can be masked to deceive the user, so companies train employees on how to deal with phishing attacks, but so many factors play into if the attack will be successful or not. Time, weather, location, or how a morning went, you can never train consistently with all of these variables. The best way I’ve thought about dealing with phishing attacks it to ALWAYS be cautious and wary of emails I receive. I’ve had multiple different emails containing links about helping deal with student debt and how to eliminate it now because I’m a college student and what’s is one thing I want to get rid of already? Student debt. Hook line and sinker, just like a bass biting on a plastic worm. Attackers know how to get people to bite and install malware or get passwords to benefit them.
Again this is why I stick to saying that the user is always the weakest link, they can be manipulated very easily into believing that an attack is a valid email and then the hackers win. Phishing is honestly a hackers best tool, it’s simple, but it can also be very direct with enough time and research to increase the chances of it working. Caution and skepticism, along with better training on HOW phishing attacks work will definitely decrease the chances of the phishing attacks being successful. I always lean on the side of skepticism especially when the email is coming from a domain I don’t go to or that I’ve never heard of.
Hopefully reading this you’ve learned something on how to better protect yourself, because honestly this is a common tactic and anybody could fall for it without proper knowledge. If you have anymore questions on what phishing is or anything in general please just ask me. I love talking about this stuff. Also if you’ve read this far thank you.