Phishing is a type of social engineering attack, combined with spoofing, that uses various means to steal confidential personal or corporate information (SSN, password, date of birth, address, account details, etc.). The attacker usually masquerades as a trusted entity to deceive the victim into opening an email, instant message, or text message. The victim then clicks on a malicious link, which can lead to the installation of malware or the theft of sensitive information.
The attacker exploits emotions such as fear, urgency, greed, and curiosity to make victims do what the attacker wants. Phishing attacks are designed to appear to come from legitimate individuals or organizations.
Phishing might take different forms.
Spear phishing. It targets specific individuals instead of a wide group of people. For example, the attacker might target someone in the finance department and pretend to be the victim’s manager, requesting a large bank transfer on short notice. It is worth noting that spear phishing is often the first step attackers take to penetrate a company’s defenses before carrying out larger attacks.
Whaling. It targets the CEO or someone with high-level access to a great deal of sensitive information. The attacker spends a lot of time gathering enough information about their victims.
Voice phishing. Also called vishing, it is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.
SMS phishing. Also called smishing, it is the act of using text messages in an attempt to scam the user into giving up private information. Often these text messages contain links that the attacker entices the victim to click.
The solution to this type of social engineering is caution and critical thinking. In addition, avoid opening emails or clicking links from unknown sources.