Phishing has been a common social engineering tactic since the early days of computers and the internet. Phishers are not only trying to obtain sensitive information such as usernames, passwords, and credit card details; they may also seek to damage or destroy your data or accounts simply for the sake of it.
Because employees are often careless, this most common type of social engineering attack still tends to be the most successful. Social engineers use a wide variety of phishing attacks and methods.
For instance, attackers may send an email requesting specific information or claiming that a specific action is required to proceed with a routine task the recipient is already engaged in, such as a request to change some details of a bank transfer. Other phishing emails include links to malicious websites that look legitimate to recipients, in order to trick them into revealing personal details such as login credentials or to entice them into unknowingly downloading malware. And as technology has become more prevalent in everyday life, the threat of phishing has spread beyond email into social media, instant messaging, and mobile apps.
Advanced attackers like to take the next step and target individual people using collected personal information discovered through research. Researched personal details can deliver a more believable and enticing email scam. This technique is known as spear phishing and is becoming more common every day.
In a spear phishing campaign, as opposed to normal phishing, attackers target individuals with personalized email messages that make the communication appear more believable, and they achieve higher success rates as a result. This method obviously requires more work from the attacker: they must first find a specific, valuable target and then learn something personal about that person, their company, or their industry. But if they do find something, and the internet makes this relatively easy, the attacker has much better odds of a successful phish.
Most companies have security awareness programs to train employees how to spot a phishing email and to avoid clicking on suspicious links, especially from unknown or unexpected senders. If you do receive an email that seems suspicious, you should contact the sender in a different email message or different method entirely (e.g., face-to-face, internal chat system, or telephone) to verify any email actually came from them before proceeding. This verification activity will reduce your personal risk and the risk to your company.