Phishing is a type of attack that is based on impersonation with a malicious purpose, many say that phishing is a type of social engineering, others say that phishing is an attack that uses social engineering techniques, however you want to see it, you have to understand that phishing is the simplest and also the most critical type of attack, Obviously this also depends on the context, but most of the time it does not require high technical knowledge to be able to carry out this type of attacks, which causes that the public that can perform it is wider and therefore, the number of affected people is also wider.
Tipos de phishing
There are many classifications if we are talking about types of phishing, in this case, I prefer to simplify it and classify them both by scope and by means of communication, being scope the number of users to whom it is sent and means of communication, the means by which it is sent.
- Phishing (Aimed at the general public, without any type of personalization).
- SpearPhishing (Targeting a specific group or person).
- Whaling (Directed at important people).
By means of:
- Phishing (Carried out by means of e-mails).
- Smishing (Performed by means of text messages).
- Vishing (Performed via phone calls or voice chat).
- QR (Performed by means of QR codes).
As you will see, the term “Phishing” is repeated both in the classification by scope and by medium, and this is due to the fact that, traditionally, this term is related both to the sending of phishing to a general public and, being sent through e-mails, for which reason, it was only a matter of disentangling the term and adapting it to each classification.
Good practices to avoid phishing
At the end of the day, all of these types are based on phishing, so are there ways to avoid and detect phishing? Yes, let’s see some of them:
- Avoid exposing your data in social networks, personal data that can help cybercriminals to know more about you or have means by which to contact you.
- If in any given case you receive a message that you suspect, make sure to check several points before clicking on any attached link or downloading any file, these points are:
- Check the spelling, general phishing attacks often contain many spelling and consistency errors.
- Look at the architecture of the message and contrast it with the architecture that messages sent by the original company usually have.
- Look at the sender of the email, although this can be changed to appear to be legitimate, it is a point that can help you detect phishing.
- Observe how you are addressed in the message, if an entity writes to you for something important, it is most likely to call you by the name you have associated with that entity, not calling you generically as “customer”, “user”, “sir”.
- Similarly, if you receive a message that you suspect, you can go to the entity physically so that they can tell you with complete certainty if it is a phishing or not.
- Look at all the resources with hyperlink that are in the body of the message, with only pass the cursor over any resource with hyperlink, in the left inferior part, you will be able to appreciate the URL to which it takes you if you click, this URL you can analyze it with VirusTotal or, if it is a shortened URL, to use tools like ExpandURL to see the final destination and, then to analyze it with VirusTotal.
- Use common sense, it is the easiest thing to do, but also the easiest thing not to do, understand that no serious entity is going to ask you for confidential information by email, messages or calls that you never requested.