Phishing - The Inevitable, The Eventual

Hacking the human


Phishing vs Spear-Phishing
There are two main strands of phishing. The kind you are most likely familiar with is simply called phishing: sending a victim to an impersonated site with the intention of getting them to enter real credentials and information. The second is spear phishing, which is the same attack with one main difference: scope and scale. A normal phishing attack tends to be widespread, generic, and built on assumptions about its recipients. The spear counterpart uses reconnaissance to tailor the email to a specific target. The goal is to exploit some kind of weakness for a higher payoff via privileged users such as CEOs and unsuspecting admins.

A Few Tell-Tale Signs:
- You weren't expecting an email
- The FROM field looks odd - Spoofed addresses or fakes
- There is a random attachment
- They are asking for private info
- They are applying urgency
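
The signs above can be checked mechanically against a message's headers and body. This is an added example, not code from the original post: it parses two constructed sample emails (the addresses, domains and text are made up) and reports which of the five tell-tale signs each one shows, using a constructed allow-list of senders you were expecting.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail).
SUSPECT = """\
From: "Revolut Support" <alert@rev0lut-verify.example>
Reply-To: collect@mailbox-drop.example
To: victim@example.org
Subject: URGENT: account suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Confirm your password and card number immediately to avoid suspension.
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

ZmFrZQ==
--b1--
"""
BENIGN = """\
From: "Revolut" <support@revolut.example>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement is available in the app.
"""

URGENCY = ("urgent", "immediately", "suspended", "24 hours", "act now")
PRIVATE = ("password", "card number", "pin code", "login details")

def tell_tale_signs(raw, expected=("support@revolut.example",)):
    """Map each sign from the post to True/False. 'expected' is a constructed
    allow-list of senders whose mail you were actually expecting."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = parseaddr(msg.get("Reply-To", addr))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + msg.get("Subject", "")).lower()
    brand = display.lower().split()[0] if display else ""
    return {
        "unexpected": addr.lower() not in expected,
        # Display name claims a brand the address domain does not carry, or
        # replies are routed to a different domain than the visible sender.
        "odd_from": (brand != "" and brand not in domain) or reply_domain != domain,
        "attachment": any(p.get_content_disposition() == "attachment" for p in msg.walk()),
        "asks_private_info": any(w in text for w in PRIVATE),
        "urgency": any(w in text for w in URGENCY),
    }

def sign_count(raw):
    """Number of tell-tale signs present; several at once is the warning, not any single one."""
    return sum(tell_tale_signs(raw).values())
```

The keyword lists are deliberately small heuristics; a legitimate message can trip one of them, which is why the count across all five matters more than any single hit.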

A case of smishing that was tried on me: they spoofed the number to give the illusion of trust because of the previously legit log. I contacted Revolut, and their investigation found that this was being done at a large scale.

2FA
Let's assume the worst: you have been compromised by an attack. It happens to even the most aware, given a tailored enough attack. What then? Well, assuming no extra security, they can log in to your account, and possibly others that share the same credentials (please check you don't do this!). Let's stop that process by requiring an extra step: a second factor. You can use your phone or a physical device; it does not matter which. It turns the login process into "something you know, and something you have".

The Culture Shift
We have to be vigilant about all emerging social engineering threats. Why bother securing your systems if your physical defences are lacklustre, and someone can just walk in and out claiming to be maintenance? Training can help mitigate all kinds of social engineering attacks, and while we cannot erase the human element, we can provide support to those who are unaware. Every company will face it to some extent, and many fall for it, but how would you handle it?