An Overview of Social Engineering

Social engineering preys on the fact that humans are the weakest link in information security. This article explains the social engineering model, outlines the two categories of social engineering attacks, and discusses techniques for preventing and mitigating social engineering.

3. Social Engineering Attacks

3.2. Phishing Attacks

Phishing attacks are the most common attacks conducted by social engineers. They aim to fraudulently acquire private and confidential information from intended targets via phone calls or emails, misleading victims with lures such as fake websites, emails, advertisements, anti-virus products, scareware, imitation PayPal pages, awards, and free offers. For instance, the attack can be a call or an email from a fake lottery department announcing that the target has won a sum of money and requesting private information or a click on a link in the email. The requested data could be credit card details, insurance data, full name, physical address, pet's name, first or dream job, mother's name, place of birth, places visited, or any other information that could be used to log in to sensitive accounts such as online banking or other services.

Phishing attacks can be classified into five categories: spear phishing, whaling phishing, vishing phishing, interactive voice response (IVR) phishing, and business email compromise (BEC) phishing, as illustrated in Figure 5.

Figure 5. Phishing attacks.

Spear phishing attacks are targeted phishing attacks aimed at specific individuals or selected groups, using their names to make claims or communications. They require collecting information about the victim from data available online. Because they attack an entity from the inside, they are difficult to detect and distinguish from legitimate users, which explains the high success rate of these attacks compared to other social engineering attacks. Whaling phishing is a spear phishing attack targeting high-profile individuals in companies, the so-called "big fish". Vishing attacks are phone-based phishing in which a person is manipulated into giving sensitive information for "verification", for example in calls purporting to come from a bank. The name "vishing" is derived from voice and phishing and describes attacks performed over voice over internet protocol (VoIP). Interactive voice response phishing uses an interactive voice response system to make the target enter private information as if the system belonged to a legitimate business or bank.

Business email compromise phishing resembles whaling in targeting "big fish" in corporate businesses in order to gain access to their business emails, calendars, payments, accounting, or other private information. The social engineer uses this data to send emails adapted from past emails, change meeting schedules, read professional information about the enterprise, and contact clients or service providers. The attacker starts by researching high-profile employees through social media to understand their professional information, such as the range of money a target is authorized to obtain from the bank. After gaining the desired information, the attacker sends a highly convincing business email to get an ordinary employee to click on a link or download an email attachment, compromising the company's network. The attacker chooses a specific time according to the target's calendar and injects a sense of urgency into the email to get the employee to act quickly.
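The BEC traits described above (an executive's name on a message from an unexpected domain, replies redirected elsewhere, urgency, and a request to pay, click or open an attachment) can be screened for mechanically. The following is an added example of such a defensive screening rule, not code from the article; the executive roster, the keyword lists and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed roster: executive display name -> domain they legitimately mail from.
EXECUTIVES = {"jane doe": "example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
ACTION = re.compile(r"\b(wire|transfer|payment|invoice|click|download|attached|attachment)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_email: str) -> List[str]:
    """Return the BEC indicators present in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and sender_domain != expected:  # executive's name, foreign domain
        found.append("display-name impersonation")
    if reply_addr and domain_of(reply_addr) != sender_domain:  # replies diverted
        found.append("reply-to domain differs from sender")
    if URGENCY.search(text):
        found.append("urgency cue")
    if ACTION.search(text):
        found.append("action request")
    return found


def is_likely_bec(raw_email: str) -> bool:
    """Flag only when impersonation is combined with pressure or a request."""
    hits = bec_indicators(raw_email)
    return "display-name impersonation" in hits and len(hits) >= 2


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-mail.test>
Reply-To: jd.private@webmail.test
Subject: Urgent wire transfer before the board meeting

I am in the meeting and cannot talk. Please process the attached invoice today.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Subject: Q3 summary

Attached is the quarterly summary for your records. No action needed.
"""
```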