Phishing is the practice of sending unsolicited email to users with the purpose of tricking them into revealing personal information (such as user account or bank account details) or clicking on a malicious link.
As an example, I have an email account with cox.net and I often receive phishing emails from accounts that claim to be from cox.net (but aren't). They follow the format of many phishing emails.
- They state some fictitious problem. Some say they've noticed suspicious activity on my account, others say my account has been accessed from different computers, others say they are upgrading security, and some just say they're upgrading their database.
- They request personal information such as my username, password, PIN, SSN and/or date of birth. This is supposedly to verify my account, but the real purpose is to gain access to my account, with the ultimate goal of stealing my identity.
- They include a threat, such as disabling my account if I don't reply. Phishing emails often say this is to protect my privacy, but it's really a "call to action." They are trying to create a sense of urgency.
The following image shows the message options from one of these phishing messages in Microsoft Outlook. You can open this dialog by right-clicking the message and selecting Message Options.
While the From address may look official and at least carry the company's domain (such as cox.net), the Reply-To address is where your reply actually goes. When the From and Reply-To addresses use different domains (aol.com instead of cox.net), it's a real giveaway. Don't trust it. Keep in mind that the From header itself is trivially forged, so a From address that matches the company's domain is not proof the message is genuine; the Received headers and the SPF/DKIM results recorded by your mail provider are more reliable indicators. Conversely, a different Reply-To is not always malicious (mailing lists and marketing platforms use them routinely), but an "account security" notice from your ISP that asks you to reply to a free webmail address is exactly the pattern to distrust.
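The Reply-To check described above, together with the three traits of the phishing template listed earlier (fictitious problem, request for credentials, threat or urgency), can be automated for triage. The following is an added example written for this page, not code from the original author or from Outlook; the sample messages are constructed and the addresses in them are made up. It uses Python's standard `email` module, so it runs offline on any saved `.eml` text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the messages described above (addresses are invented).
SAMPLE_PHISH = """\
From: "Cox Communications" <security@cox.net>
Reply-To: cox-verify@aol.com
To: customer@cox.net
Subject: Suspicious activity detected - verify your account within 24 hours
Content-Type: text/plain

We noticed your account was accessed from different computers.
Reply with your username, password and PIN or your account will be disabled.
"""

# Constructed benign sample: no Reply-To, no credential request, no threat.
SAMPLE_LEGIT = """\
From: "Cox Communications" <billing@cox.net>
To: customer@cox.net
Subject: Your statement is ready
Content-Type: text/plain

Your monthly statement is available online.
"""

# Heuristic term lists (assumed for this example; tune them for your own mail).
CREDENTIAL_TERMS = ("password", "pin", "ssn", "social security", "date of birth")
URGENCY_TERMS = ("disabled", "suspended", "within 24 hours", "immediately",
                 "suspicious activity")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)          # strips the display name
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw_message):
    """Return (from_domain, reply_to_domain, mismatch).

    A missing Reply-To means replies go to From, so there is nothing to compare.
    """
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    mismatch = reply_dom is not None and reply_dom != from_dom
    return from_dom, reply_dom, mismatch


def _contains_term(text, term):
    # Word-boundary match so "pin" does not fire on "shipping".
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def body_red_flags(raw_message):
    """List the template traits present in the subject and body."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags = []
    if any(_contains_term(text, t) for t in CREDENTIAL_TERMS):
        flags.append("asks for credentials or personal data")
    if any(_contains_term(text, t) for t in URGENCY_TERMS):
        flags.append("threat or urgency")
    return flags


def triage(raw_message):
    """Combine the header check and the body heuristics into one verdict."""
    from_dom, reply_dom, mismatch = reply_to_mismatch(raw_message)
    flags = body_red_flags(raw_message)
    if mismatch:
        flags.insert(0, f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "flags": flags, "suspicious": len(flags) >= 2}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

The verdict requires two independent signals so that a lone Reply-To mismatch (common for mailing lists) or a lone mention of "password" (common in genuine notices) does not by itself flag a message. A parsed From domain that matches your provider should still be treated as unverified, for the reason given above.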
Links within email can also lead unsuspecting users to sites that install malware or harvest their credentials.
Other common social engineering tactics are:
- Piggybacking or tailgating
- Impersonation
- Dumpster diving
- Shoulder surfing
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide