In its original sense, phishing is the social engineering tactic in which an attacker attempts to obtain sensitive information from a user by posing as a trustworthy figure through email communications. Due to the rise of communication media other than email, the term "phishing" can also encompass an attempt to obtain sensitive information through any electronic communication medium. Phishing is one of the most common and effective social engineering tactics because it is easy to distribute, impersonal, and can leverage technical tricks—like spoofing the FROM headers in email—to make it more convincing.
For instance, an attacker may prepare an email in which they claim to work for the victim's bank. The contents of the email tell the victim they should send their password to the attacker so that their account can be properly reset. If the victim doesn't comply within one week, the bank will terminate their account. This leverages the motivation techniques of urgency and fear. When the victim receives the email, the spoofed headers make it appear as if the email is actually coming from the bank. The victim, unaware of the threat, complies with the fraudulent request. A number of tools, including Metasploit Pro and the Social Engineering Toolkit (SET) in Kali, have built-in features that make it easy to launch a phishing campaign.
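The spoofed-header trick described above leaves traces a receiving system can check. The following is an added defender-side example, not code from the original text: it parses a constructed sample message and reports why the visible From: header should not be trusted. The message, the domain names, and the function names are all assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): the visible From: claims the
# victim's bank, but the envelope sender and authentication results disagree.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none; dmarc=fail header.from=examplebank.example
From: "Example Bank Support" <security@examplebank.example>
To: victim@example.com
Subject: URGENT: account will be terminated in 7 days
Content-Type: text/plain

Reply with your password so we can reset your account.
"""

def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def spoofing_indicators(raw_message):
    """Return a list of reasons the visible From: header should not be trusted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    # DMARC-style alignment check: the address the user sees should match the
    # domain that actually handed the message to the receiving server.
    if from_domain and envelope_domain and from_domain != envelope_domain:
        reasons.append(f"From domain {from_domain} does not match envelope sender {envelope_domain}")
    # Authentication-Results is stamped by the receiving mail server, so a failing
    # result for the From domain is strong evidence that the header was forged.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in auth:
            reasons.append(f"{mechanism.upper()} failed for this message")
    return reasons

if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE_PHISH):
        print("WARNING:", reason)
```

A mail gateway or SIEM rule built on the same two checks (sender alignment and authentication results) catches the forged bank email without any knowledge of its wording.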
Types of Phishing
The following are some terms that refer to specific types of phishing:
- SMiShing: Also called SMS phishing, this is a phishing attack in which the attacker entices their victim through SMS text messages. The prevalence of smartphones may make using SMS more attractive to an attacker than email, but people are more likely to ignore text messages from unknown or untrusted senders than they are to ignore email.
- Vishing: Also called voice phishing, this is a phishing attack in which an attacker entices their victim through a traditional telephone system or IP-based voice communications like Voice over IP (VoIP). While speaking to someone directly in order to entice them may be difficult for an attacker to pull off, it can also be more effective, as people tend to place more trust in those they can have a real-time conversation with.
- Pharming: In this type of attack, the attacker entices the victim into navigating to a malicious web page that has been set up to look official. The site may mimic an existing website, like the victim's banking website, or it may simply have an air of legitimacy. The victim interacts with this site in order to provide their sensitive information to the attacker, like filling out a fake "login" form with their password.
- Spear phishing: This is a phishing attack, irrespective of medium, that is crafted to target a specific person or group of people. Spear phishing attacks require that the attacker perform some reconnaissance and gather some people-based information on their targets before launching the attack. The attacker uses what they learn about their targets' habits, interests, and job responsibilities to create a custom message that is much more convincing than a generic message sent to anyone and everyone. For example, an attacker might know that a target's birthday is coming up soon and that they plan on holding a party at a specific venue. The attacker can pretend to work for this venue and mention the target's birthday party.
- Whaling: This is a form of spear phishing that targets particularly wealthy or powerful individuals, like CEOs of Fortune 500 companies. The risk is higher for an attacker, as such individuals are likely to be better protected than an average person. However, the payout for the attacker will be significantly higher. For example, an urgent phony invoice might induce a CEO to order the finance department to wire a "long overdue" payment to the attacker's account.