From the course: The Cybersecurity Threat Landscape

Explore the threat of phishing and smishing

- [Instructor] Phishing and smishing are social engineering attacks designed to trick users into sharing sensitive personal information, like usernames, passwords, and credit card details, with attackers. Let's take a look at what these threats are and how they work. Phishing has been around since the 1990s, but it's still going strong. IBM Security X-Force reported that phishing was the top method of compromise in 2021. The most common phishing technique is to send a fraudulent email to a targeted user. The email is designed to look like it came from a trusted entity, and it will often appear urgent so the recipient will quickly open it. Typically, the email will contain a manipulated link that looks like it goes to a real website. If the user clicks the link, though, it goes to a forged website designed to look like the real thing. Once there, the target will usually be prompted to enter their username and password for the site. If they do, the attacker will now have their credentials for the real site. Depending on the site, this can turn into an immediate loss of information or money for the victim. In some cases, the phishing email won't have a link. It will have a malicious attachment. If the recipient clicks on the attachment, it will often attempt to install ransomware, which is another threat I cover in this course. One of the keys to a successful phishing attack is making the emails look like they came from trusted sources, so phishing attackers frequently co-opt trusted brands like Microsoft, Apple, Google, Chase, and Amazon. Phishing email subject lines often have a certain style. Here are examples of typical subject lines used in phishing emails: "Your account will be locked." "Important: Please log into your account to verify your info." And "Invoice due." Note how they sound urgent, or at least important enough to not ignore.
Spear phishing is a variety of phishing that customizes email attacks to specific users, hoping the illusion of familiarity will create more trust. Smishing has many of the same characteristics as phishing, but instead of sending fraudulent emails, the attackers send SMS texts to the victim's phone. Common smishing text messages often impersonate a bank with an urgent message about how your account has been locked due to suspicious activity, or a recent payment was made and the bank needs your confirmation. Then there's usually a link to a malicious site designed to steal your online banking credentials. Smishing scams can also include text messages about winning a prize that you have to redeem through a website. You should immediately be suspicious of getting anything for free through a text message. Another form of smishing includes text messages impersonating someone you work with, like your boss or the CEO of your company. Threat actors can easily find the company you work for and get your cellphone number to pull off this attack. They'll send a text message pretending to be your boss or CEO and ask you to help them with a task. The task often requires you to buy gift cards to give to employees or clients. If you buy the cards, the attackers will ask you to send them the codes, which will allow them to instantly extract the money off the cards. Because both phishing and smishing attacks are cheap, simple, and effective, we can expect that they will continue to be among the most common attacks on the cybersecurity threat landscape.
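The two email tricks the instructor describes, a visible link that reads like a trusted site while its href points somewhere else and an urgent-sounding subject line, are easy to check mechanically. The following Python script is an added example, not part of the course or its materials: it parses a constructed sample message (a made-up Chase-themed lure, not a real phishing email), collects every anchor, and flags any whose displayed text names a different registered domain than the real destination. The phrase list and the two-label "registered domain" shortcut are assumptions for illustration; production code should use a public-suffix list.

```python
"""Added example: flag mismatched link text and urgent subject lines in an email.

Not course code. The sample message and the phrase list are constructed for
illustration only.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing email (hypothetical sender and link domains).
SAMPLE_EMAIL = """\
From: "Chase Alerts" <alerts@chase-secure-login.example>
To: victim@example.com
Subject: Your account will be locked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual activity was detected. Verify your information within 24 hours.</p>
<p><a href="http://chase.com.verify-account.example/login">https://www.chase.com/verify</a></p>
<p><a href="https://www.chase.com/privacy">Privacy policy</a></p>
</body></html>
"""

# Assumed urgency phrases, modelled on the subject lines quoted in the transcript.
URGENT_PHRASES = ("account will be locked", "verify your info", "invoice due",
                  "urgent", "suspicious activity")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); a real checker should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Host of a URL, or of bare text that looks like a URL or domain; '' if neither."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:
        return ""
    return host if "." in host else ""


def suspicious_links(html):
    """Return (shown_text, real_href) pairs whose registered domains differ."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        # Only compare when the visible text itself looks like a URL or domain;
        # plain words such as "Privacy policy" cannot mislead about the destination.
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append((text, href))
    return findings


def urgent_subject(subject):
    """True if the subject contains one of the assumed urgency phrases."""
    lowered = subject.lower()
    return any(phrase in lowered for phrase in URGENT_PHRASES)


def analyze(raw_message):
    """Parse an RFC 822 message (single-part HTML assumed) and report both signals."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "urgent_subject": urgent_subject(msg["Subject"] or ""),
        "mismatched_links": suspicious_links(body),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run it on the sample and the first link is reported because its text claims chase.com while the href lands on verify-account.example; the "Privacy policy" link is left alone because plain words make no claim about the destination. The same host comparison applies to the shortened or look-alike links used in smishing texts once the final redirect target is known.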
