What is Phishing? Flashcards

1
Q
A

In order to correctly identify phishing emails, you need to know exactly what phishing is. There are a number of different descriptions for phishing emails out there, so we have created our own that we believe is appropriate:

Phishing is the act of sending an email with malicious intent, to coerce recipients into disclosing information, downloading malicious files, or otherwise completing an action that they would not normally do, by exploiting a human using one or more social-engineering techniques.

In short, phishing is a type of email-based attack, where malicious actors are actually attacking humans instead of computer systems, in order to get them to do something they normally wouldn’t. Examples include giving out their account credentials, downloading malware, transferring money, disclosing information, and more.

While phishing is primarily email-based, there are other attacks that use voice calls (Vishing) and SMS or text messages (SMiShing). We will cover these in a future lesson.

2
Q

Impact of Phishing

A

Phishing is a serious issue, but some organizations still don’t think it is a priority. Throughout 2019, a staggering 90% of all data breaches were linked to phishing (Retruster, 2019). With the average financial cost of a data breach being $3.86m (IBM, 2019), organizations can’t afford to make email security and phishing analysis an afterthought. This attack vector isn’t going away any time soon: it’s cheap and effective, and attackers only need to ‘hook’ one person to potentially gain access to a company’s systems. Phishing attempts grew 65% from 2018 to 2019 (Retruster, 2019), and roughly 1.5m new phishing sites are created each month (Webroot, 2019). It’s not just malicious URLs that take recipients to fake login pages, or foreign princes trying to extort money from you for a stake in their inheritance; extremely advanced malware is also sent inside emails, with up to 1 million Emotet trojan emails sent in a single day (Proofpoint, 2019).

That’s why we’re teaching you the skills you need to detect, analyze, and respond to phishing emails and messages, working to protect the organization from this highly effective cyberattack.

Want to see some more interesting phishing statistics? Check out the links below.

The SSL Store - 20 Phishing Statistics to Keep You From Getting Hooked in 2019
Retruster - Phishing and Email Fraud Statistics 2019
ProofPoint - Emotet Phishing Emails
APWG - Phishing Activity Trends Report
Avanan - How Email Became the Weakest Link

3
Q

Further Reading

A

This lesson provides additional reading material on different aspects of phishing analysis, in case you didn’t fully understand a specific part of the course or just want to read more about this area of cybersecurity to strengthen your skills in preparation for the BTL1 practical exam. We suggest that students come back to this lesson once they have completed this domain.

4
Q

Resources

A

The Weakest Link - User Security Awareness Game
// https://www.isdecisions.com/user-security-awareness-game/
Online Phishing Quiz
// https://phishingquiz.withgoogle.com/
A curated list of awesome social engineering resources
// https://github.com/v2-dev/awesome-social-engineering
YouTube Social Engineer CTF Winning Voice Phishing Call
// https://www.youtube.com/watch?v=yhE372sqURU
Phishing and Spear Phishing Wiki
// https://www.peerlyst.com/posts/the-phishing-and-spearphishing-wiki-peerlyst
Anti-Phishing Working Group (APWG) Phishing Resources
// https://apwg.org/resources/
Phishing.org Phishing Resources (Tools, Webinars, Whitepapers)
// https://www.phishing.org/phishing-resources
GoPhish - Simulated Phishing Exercise Toolkit
// https://getgophish.com/
SpearPhisher by TrustedSec - Simulated Phishing Exercise Toolkit
// https://github.com/kevthehermit/SpearPhisher
Cofense Blog - Phishing Defenses and Awareness
// https://cofense.com/blog/
Report Phishing Webpages to Google
// https://safebrowsing.google.com/safebrowsing/report_phish/?rd=1&hl=en
