What is Phishing?

What is Phishing?

Social engineering attack strategies and how to mitigate risk

Phishing Overview

Divider text here
Phishing is an attack strategy that uses deception in order to solicit sensitive information or directly breach a system, typically in the form of an email. Although phishing is almost as old as email, it has become increasingly more sophisticated, often evading spam filters and human detection. In fact, phishing is considered one of the most effective attack vectors being used today. According to the Verizon Data Breach Investigations Report, 94% of malware deliveries being completed through a phishing email of some type. It’s more critical than ever to learn what phishing is, and how to avoid becoming the next victim.

Phishing Motivations and Techniques

Divider text here
Breaching a system

Some phish are used to get malicious code past the perimeter. Initial scrutiny is vital in this case, because all it takes is a click and the malware can begin to download itself to your computer. Often, malware will lurk unsuspected in the system, either quietly collecting data or waiting to strike so the user may never realize that what they clicked was malicious. These emails contain either an attachment, a download, or a link to a website that will deliver a malware payload. This malware could be any number of things—ransomware, cryptomining malware, worms, or other cyber threats.

Gathering sensitive credentials

Phishing is also used as a means for gathering credentials, which can then be used for further attacks. This typically requires users to have to type in their personal information in some way, which is usually achieved by linking the target to a threat actor’s website. Users have more time to determine if the site is legitimate, so more work may go into making it look realistic, perhaps spoofing websites, using covert redirects, or ensuring the email appears as though it comes from a trustworthy source.

Types of Phish

Divider text here
The most familiar type of phish are also the most basic. These emails cast a wide net, and vary in terms of how realistic they are, but are aimed at a general audience with a goal of getting clicks from careless or unaware employees. However, there are other, more specific types of phish that are also used, including:



Spear phishing
Spear phishing uses targeted attacks against a specific person or organization. A threat actor does research in order to learn personal information to tailor emails accordingly. For example, phish could be created to look like an individual’s specific bank, or an organization may be phished with emails that appear to be from those working in human resources. Since spear phish are from familiar names or organizations, and often look more realistic, users are much more likely to open them.



Whaling

Whaling is an even more precise type of phish aimed at high level targets, like C-level executives. While threat actors must again carefully research and craft an email that is not only tailor made, whaling presents an additional challenge. Such high-profile individuals are typically so busy that they are particularly discriminating about the emails they will open, so whaling must also attract their attention enough for them to consider it important enough to click on.



Vishing
Not all phish are in email form. People can receive automated or live calls on their work phones or cell phones requesting personal information that can either be given in person or dialed into the keypad. Now that caller id is universal, many vishing attacks also incorporate spoofing, in which a phone number from a local area code, or even a recognized company, appears to be calling. The most common vishing attacks include calls from banks, credit card companies, loan offers, car companies, or even charitable requests.



Smishing
Threat actors utilize every communication method, including short message services (SMS). Attackers send text messages or use messaging apps to solicit personal information or solicit malicious links. Malicious links opened on a cell phone are particularly dangerous, since there typically isn’t antivirus software to protect these devices.


What are Phishing Simulations?

Divider text here
Since you can never stop phishing emails from appearing in inboxes, the best way to manage these threats is by learning to recognize them so they can be avoided. Phishing simulations are a type of social engineering testing that imitates such phishing campaigns. Pen testers deploy a number of phish of varying difficulty levels, and monitor whether any are opened, clicked, or have credentials entered. These simulations can assist not only in uncovering which employees are vulnerable to phishing, but can discern patterns and find what types of phish are most likely to fool them. 

Benefits of Phishing Campaign Simulations

Divider text here
  • Testing Employee Vigilance: Get data on which employees are susceptible to phishing attacks, and how severe of a problem phishing is within your organization.
  • Testing Technical Controls: Find out the effectiveness of your email security filters, anti-malware, and other security barriers. 
  • Increased Security Awareness: The more phishing simulations are run, and corresponding education efforts are made, the better employees become at discerning a suspicious email from an authentic one. 
  • Compliance: Phishing simulations are often part of penetration tests, which are regularly a part of industry requirements or regulation adherence. 
  • Training Validation: Running phishing simulations before and after training, or making it a regular practice in general, can provide valuable data about how successful education efforts are.


Anti Phishing Solutions from Core Security

Divider text here
Core Impact is a leading pen testing and anti phishing tool that can provide critical assistance in running a phishing campaign. Core Impact has extensive phishing capabilities, with a highly usable interface so both junior and advanced pen testers can take advantage of this functionality. You can also gather additional information to help plan further testing and exploitation activities. Impact’s phishing functionality provides valuable metrics like click rates, login numbers, and flagging instances that will help show what an organization needs to work on. Additionally, these reports will become even more valuable to show progress after regular retesting.

Core Security’s pen testing services can conduct phishing campaigns, targeting your users and workstations. With phishing test tools and emails tailored to your organization, they will put your defense mechanisms, detection and reaction capabilities through their paces, finding susceptible employees and security measures that need improvement. Upon completion, you’ll receive a comprehensive report with valuable data about potential security weaknesses, which can serve as educational opportunities to teach employees about ways to recognize and avoid getting phished. 

How Do You Run a Success Phishing Simulation?

Divider text here
In order to deploy a campaign that will better prepare an organization against attacks, you’ll need to know how to craft different types of phish, think like an attacker, create phish with different audiences in mind. Where should you start? Get expert advice by enrolling in our eCourse, Best Practices for Effective Phishing Simulations.
Enroll Now