Phishing is part of a spectrum of security threats referred to as social engineering. In a social engineering attack, the intruder targets us as technology users, rather than the technology itself. The term was coined in the early 1990s to describe hackers who impersonated America Online staff members in order to collect usernames, passwords, and other personal data from AOL’s users. Pronounced “fishing,” the term now covers any social engineering attack that tricks a user into revealing information or making a payment under false pretenses.
Since phishing relies on our fallibility as users, phishing emails tend to play to our emotions and instincts. In almost every case, a phishing email will include a call to immediate action. The attackers capitalize on our instinct to be helpful and prompt, using this tendency to override our critical thinking and better judgement. In other cases, the attackers rely on a sense of panic, threatening negative consequences if we fail to comply. As over 90% of successful cyber attacks originate with an email, their incentive is clear.
Almost any email user will have seen a phishing email delivered to their inbox. Phishing covers a broad spectrum of spam emails, including the now-infamous “Nigerian Prince” scam, as well as more sophisticated attacks that masquerade as notifications from Google, Microsoft, or Apple. Phishing also includes “CEO Fraud” emails, in which the attacker impersonates a specific individual to build trust. In this series, we’ll cover several of the most common phishing emails, as well as techniques you can use to identify a suspicious message the next time one crosses your inbox.
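The three signals described above (a call to immediate action, a brand name in the sender's display name that the sending domain does not back up, and a reply address pointing somewhere other than the sender) can be checked mechanically on the message headers and body. The following is an added example written for this page, not code from the original article or any product it mentions. The `BRAND_DOMAINS` table, the `URGENCY_PATTERNS` list, and both sample messages are constructed for illustration; a real mail filter would maintain its own lists and combine these indicators with authentication results such as SPF and DKIM.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical mapping of brand names (as they appear in display names) to the
# domains that legitimately send mail for them. Constructed for this example.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
}

# Phrases that signal the "act now" pressure phishing emails rely on.
# Constructed for this example; tune to your own mail stream.
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\burgent\b",
    r"\bwithin 24 hours\b",
    r"\baccount will be (suspended|closed|locked)\b",
    r"\bverify your (account|identity)\b",
]


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _belongs_to(domain, allowed):
    """True if domain equals or is a subdomain of any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phishing_indicators(raw_message):
    """Score one RFC 5322 message on simple social-engineering indicators.

    Returns (score, reasons): score is the number of indicators that fired,
    reasons names each one. This is a triage heuristic, not a verdict.
    """
    msg = message_from_string(raw_message)
    reasons = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Brand impersonation: display name claims a brand, sender domain does not match it.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not _belongs_to(from_domain, domains):
            reasons.append(f"display name claims '{brand}' but From domain is '{from_domain}'")

    # 2. Reply-To diverted to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Urgency language in the subject or a plain-text body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"urgency language matched {len(hits)} pattern(s)")

    return len(reasons), reasons


# Constructed sample messages (not real mail); the domains are placeholders.
SUSPICIOUS = """From: "Google Security" <alerts@g00gle-verify.example>
Reply-To: support@mailbox-recovery.example
Subject: URGENT: verify your account
Content-Type: text/plain

Your account will be suspended within 24 hours unless you act immediately.
"""

BENIGN = """From: "Google" <no-reply@accounts.google.com>
Subject: New sign-in on your account
Content-Type: text/plain

We noticed a new sign-in. If this was you, no action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = phishing_indicators(sample)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

Each indicator on its own is weak: legitimate bulk mail sometimes sets a different Reply-To, and a genuine security alert may well say "immediately". The value is in the combination, which is why the function reports every reason rather than a single boolean, so an analyst can see which signals drove the score.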