---
title: What is Phishing
---
Last week we talked about social engineering, and how hackers can
make use of publicly available information to discover more about
a target.
## What is Phishing
Phishing is a form of social engineering in which the target is contacted
by someone posing as a legitimate entity, in an attempt to get them to
hand over sensitive information or take an action that benefits the attacker.
It is one of the oldest forms of cyber attack, prevalent since the 1990s,
and its non-electronic ancestor, the confidence trick, has been around
forever. One of the more interesting things about phishing is that,
unlike most other significant cyber threats, the attackers need little or
no coding or technical skill: what is exploited is the victim's trust, not
a software bug.
The motivation behind a phishing attack can vary, but generally falls
into one of two categories:
* Getting the user to hand over sensitive information, such as usernames,
passwords or other account details. These can then be used to
access the victim's account, and potentially other information or systems
reachable from it.
* Getting the user to install malware: tricking the victim into running
malicious code (typically an attachment, or a download behind a link) that
is then used to further compromise the machine. One CSO Online report
estimated that around 93% of phishing emails at the time were carrying
ransomware, although figures like this vary widely between reports. [https://www.csoonline.com/article/3077434/93-of-phishing-emails-are-now-ransomware.html]
## Examples of Phishing
The "classic" phishing example is the **419**, or **Nigerian Prince**,
scam. The target is contacted with an offer of a share in a large payment
in return for help and some information, such as bank details, and is then
typically asked to pay "fees" in advance. While most people recognise the
attempt, the FBI states that this type of scam still costs victims
millions of dollars in losses. [https://www.fbi.gov/scams-and-safety/common-fraud-schemes/nigerian-letter-or-419-fraud]
> Sidenote: Interestingly, the first recorded instance of a 419-style scam
> was in 1920, when a letter advertising "magical powers" was sent by
> "Professor" Crenstil. [https://www.newsweek.com/origins-nigerias-notorious-419-scams-456701]
Other examples of phishing include emails purporting to come from online
organisations (banks, web-mail providers, online shops), asking you to
confirm your account details, with a link that redirects you to a
look-alike website where the credentials you enter are harvested.
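The "confirm your account details" email above almost always carries the same tell: the visible link text names the real organisation, while the `href` points at a look-alike host (a brand name buried in a subdomain, or a bare IP address). The following is an added example, not code from the original lesson, showing how a mail filter can check for that mismatch. The `TRUSTED_DOMAINS` set and the sample email body are constructed for this example; the registrable-domain helper is a deliberately crude last-two-labels heuristic, and a production check would use the public suffix list instead.

```python
"""Flag credential-harvesting links in an HTML email body.

Added example for the lesson; not part of the original page. It looks for
the classic phishing indicator: the anchor text shows a legitimate domain
while the href goes somewhere else, or a trusted brand name is embedded in
an untrusted domain, or the link points at a raw IP address.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains this mailbox legitimately deals with (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "paypal.com"}

# Constructed sample email body, modelled on an account-confirmation phish.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account details within 24 hours.</p>
<p><a href="http://example-bank.com.account-verify.net/login">www.example-bank.com</a></p>
<p><a href="http://198.51.100.7/secure">Secure login</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""

_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude heuristic: last two labels. Real code uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, text, reason) for links worth flagging."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        host_dom = registrable_domain(host)

        # 1. Visible text names one domain, the href goes to another.
        shown = _DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(0)) != host_dom:
            findings.append((href, text,
                             f"text shows {registrable_domain(shown.group(0))}, "
                             f"link goes to {host_dom}"))
            continue

        # 2. A trusted brand name appears inside an untrusted domain.
        for t in trusted:
            brand = t.split(".")[0]
            if brand in host.lower() and host_dom != t:
                findings.append((href, text,
                                 f"'{brand}' used inside untrusted domain {host_dom}"))
                break

        # 3. The link points at a bare IP address rather than a hostname.
        if _IPV4_RE.fullmatch(host):
            findings.append((href, text, "link points at a bare IP address"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"[{reason}] text={text!r} href={href}")
```

Run against the sample, the first two links are flagged (domain mismatch and bare IP) and the genuine help-centre link passes. Note what this does not catch: a phish whose link text is just "click here" pointing at an unrelated but plausible domain, which is why such checks are combined with sender authentication (SPF/DKIM/DMARC) and reputation data rather than used alone.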
Some phishing attempts are not targeted at all: bulk emails are sent out
in the hope that a small fraction of recipients will fall for them. The
bulk 419 scam emails are an example of this. While the approach lacks
sophistication, the sheer number of targets means the scammer is likely
to get some success.
Other phishing attempts may be *soft-targeted*, for example aimed at
the employees of a particular organisation using publicly available
information about it. This is a slightly more sophisticated approach,
but still relies on volume to be successful.
When combined with other forms of social engineering and open source
intelligence gathering, phishing becomes an effective, targeted method
of compromising the security of a system. This approach, known as
*spear phishing*, targets a specific individual and relies on putting
effort into convincing the target that the source is trusted.
## Your task: real world examples of phishing
Some examples of real world Phishing emails can be found here:
[http://www.phishing.org/phishing-examples](http://www.phishing.org/phishing-examples)
Do you recognise any of these attacks? What kinds of trends do you
see? Discuss in the Forum.