Suppose that you are working one day when you receive an urgent email. The sender claims to be a familiar source, and their message is a request for you to download something, click on a link, or reply with sensitive information. If you do any of these three things, and the sender is an imposter, you would be a victim of phishing. Imperva defines phishing as “a type of social engineering attack often used to steal user data” that “occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.” Oftentimes, clicking on a link or attachment in a phishing email leads to downloading malware. The U.S. Computer Emergency Readiness Team (US-CERT) notes that it is possible to download a virus just by opening an email, and mentions that viewing emails in plain text is a safe precaution. For the most part, however, phishing works when victims reciprocate by replying or clicking on something within the email. Imperva mentions the following possible outcomes that can result from clicking on a link in a phishing email: suffering from a ransomware attack; having your sensitive information exposed; being directed to a fake sign-in page set up to steal your credentials, a scam that can be foiled by inspecting the domain name; or, being directed to the real sign-in page, but with a script operating in the background to hijack your session cookie for what is known as a reflected XSS attack. Cisco explains that session cookies are strings of data—including login data—exchanged by browsers and servers. They exist to help websites “remember” visitors and keep track of logins; hijacking them can help attackers access your network, even if you’re on the right page.
Spear phishing is a more focused form of phishing. Regular phishing is impersonal and involves sending out messages to as many potential victims as possible, whereas spear phishing “is an email or electronic communications scam targeted towards a specific individual, organization or business,” as defined by Kaspersky. Regular phishing emails are effective when they are disguised as emails from official sources, such as banks, universities, and streaming services (both the FTC and Imperva show some examples). A spear phisher takes this deception one step further. Instead of claiming to be a generic representative of a trusted organization, they may claim to be someone you know, such as your employer or a coworker. They would also use your personal information, such as your name, in an effort to lull you into a false sense of security. In this scenario, the illegitimacy of the phishing email can be discovered by inspecting the email address itself. If someone claims to be a friend or coworker who is contacting you through a different email address, it may be best to verify their claim by trying to contact them via their usual email address or phone number. If the real individual states that they didn’t email you, you know you’ve discovered a spear phishing attempt.
Imperva notes that spear phishing can be the first step in an Advanced Persistent Threat (APT). Kaspersky notes that such a threat “uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.” If someone manages to steal the login credentials of one of your coworkers or employees, they could remain hidden as spies and exfiltrate important data or unleash malware throughout your network. Ideally, you would want to prevent these threats from getting in through the front door. Ultimately, humans—rather than computers—are the weakest links exploited by phishing scams. Although your email service may automatically detect potential phishing attempts, policies and training can make your employees and coworkers much less vulnerable than if they relied on software alone.