To steal your usernames and passwords, a hacker first has to gain access to your machine. Once in, the hacker can access your financial accounts, drain them and wire that money to a bank in a country where you will not be able to get it back. The usual route is to hijack your machine by installing malware that can then be controlled remotely, and that hijacking relies on a mix of technological and social methods, which brings us to our definition of the day: Phishing. (Note: we will define ‘Spear Phishing’ in a subsequent blog post.)
So, what is phishing?
Phishing is the Swiss army knife of online hacking. A phishing attack is commonly an email sent to you that appears to be from a credible source, asking you to do something like:
• Click on a link to go to a website.
• Click on a special offer link in the email.
• Download a piece of entertaining media or content.
Increasingly, it might be a text (SMS) message. It could also be a ‘robo-call’ voicemail (allegedly from a bank or credit card company) asking you to update/confirm card information.
Most phishing scams demonstrate the following characteristics:
• Seek to obtain personal information, such as names, addresses and social security numbers.
• Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
• Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
By now you know that ‘phishing’ does not mean going on tour to see the summer shows and setlists of the band Phish. That said, early web historians have suggested that the term is an honorific homage to the band, which was among the very first bands to have an online community on the web, in the early 1990s.
Pardon that brief but interesting digression. Phishing exists because it works. In a recent test, the Canada Revenue Agency (CRA) warned its employees that a phishing email was going to be sent to them and that they should not click on any of its links. Guess what? 1 in 5 clicked on the phishing email, giving theoretical hackers access to the CRA’s internal network. (Full story here.)
Protect your company by educating your employees and testing their susceptibility to attacks like this. Get them in the habit of asking, ‘Is this website safe? Is this email legitimate?’ Define legitimate in relation to your company. Your entire company is only as safe as your most gullible employee. Tests like the one done by the Canada Revenue Agency demonstrate this.