Phishing – A Black Hat Tactic That Targets the Weakest Link in Cybersecurity
Phishing is a favorite black hat tactic because it targets what is widely described as cybersecurity’s weakest link: us. According to the 2022 DBIR, 82% of breaches involve human error, and much of that is due to people being duped into clicking malicious links or handing over sensitive data like usernames and passwords.
Attackers can send phishing messages via a variety of methods, including email, text messages, or instant messaging (e.g., WhatsApp). Messages are often cloned from previously sent and received emails, with one or more malicious links or attachments added. This technique, called phishing through spoofing, is an advanced form of phishing, and defending against it effectively requires a combination of technological, process, and people-based mitigations.
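One technological check for the cloned-message pattern described above, added here as an illustration and not taken from the original article: compare a suspect message with the known-good original and list the link hostnames and attachments that only the copy contains. The function names, sample messages, and domains are constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def artifacts(raw):
    """Return (link hostnames, attachment filenames) found in one raw message."""
    hosts, files = set(), set()
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            files.add(part.get_filename().lower())
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
            for url in URL_RE.findall(text):
                host = urlsplit(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts, files

def clone_delta(original_raw, suspect_raw):
    """Links and attachments in the suspect copy that the original lacked."""
    o_hosts, o_files = artifacts(original_raw)
    s_hosts, s_files = artifacts(suspect_raw)
    return {"new_hosts": sorted(s_hosts - o_hosts),
            "new_files": sorted(s_files - o_files)}

# Constructed sample messages (not real mail): a known-good original and a
# look-alike copy with one extra link and one extra attachment.
HEAD = "From: billing@example.com\nSubject: Invoice 1042\n"
LINK = "Your invoice: https://portal.example.com/invoices/1042\n"
ORIGINAL = HEAD + "Content-Type: text/plain; charset=utf-8\n\n" + LINK
SUSPECT = (HEAD + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
           "--b1\nContent-Type: text/plain; charset=utf-8\n\n" + LINK +
           "Updated copy: https://portal-example.invalid/invoices/1042\n"
           "--b1\nContent-Type: application/octet-stream\n"
           'Content-Disposition: attachment; filename="Invoice_1042.html"\n'
           "Content-Transfer-Encoding: base64\n\nPGh0bWw+PC9odG1sPg==\n"
           "--b1--\n")

if __name__ == "__main__":
    print(clone_delta(ORIGINAL, SUSPECT))
```

A non-empty result is a reason to quarantine the copy for review; an empty one does not prove the message is safe, since a clone can also swap a link for another on a host the original already used.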
Many phishing attacks try to exploit the way many individuals interact with brands on social media to report problems, request assistance, or provide feedback. Taking advantage of this, attackers may create fake social media accounts and spoof the brand name to trick consumers into sending them personal information, such as their login credentials or account details. Attackers can then use this information for a number of purposes, including to download malware from a fake website or access the victim’s company network via a bogus support page.
Other phishing attempts are more targeted and rely on the “spray and pray” approach to target large groups of users with a similar profile. These are called spear phishing and are more successful for attackers because they’re able to coax their targets into installing malware or handing over sensitive information. An example would be an attacker posing as a business partner and contacting a member of an executive team to request that funds be transferred without going through the normal approval processes, or to ask for confidential information.