While cybercriminals are always focused on somehow making money, stealing money, or getting things without having to pay for them, the way they can achieve these objectives is constantly evolving. In many cases, criminals may try to attack a user or an organization directly to get money out of it.
Sometimes they sell counterfeit goods and trick people into buying them. However, one of the oldest and most effective strategies for extracting money or any other resource from people is stealing their information. Rather than mounting complex attacks to break into systems and steal money, it is far easier for them to steal a user's credentials and simply withdraw the money themselves. Moreover, they can use this data for several other purposes as well.
Phishing is the general term used to describe an attack in which the attacker tries to obtain sensitive information from a user. This could be their bank details, their identification details, their address, or any other form of data. Essentially, the attacker devises a 'net' or a 'hook' that lures the user in.
Phishing is a technique that relies on targeting large masses of users: usually, a fraudulent email is sent to thousands or even millions of users at a time. Spear phishing, on the other hand, is far more focused on a specific group of people, or even a single user. This could be the employees of a certain company, people in a certain occupation, or even the CEO of a large organization.
However, there are various mediums through which phishing can be done. The most common are described below.
Smishing – this is SMS phishing, where the attackers contact the user through an SMS. People tend to trust SMS messages more than emails, which is why this technique is very effective. On today's smartphones, most smishing attacks ask the user to either download a file or follow an external link. Once on the page or in the app, the user enters their details and conveniently hands them over to the attacker.
Vishing – this is a phishing attack carried out over the phone. In most cases, the attacker uses a VoIP system so that it appears to the user that they are receiving a call from a trusted source such as a bank, insurance company, or government agency. Using different scripts, the attacker convinces the person to share their information over the phone.
Malvertising – this is an advert loaded with harmful scripts that are triggered when you click the ad. It is most common with Flash- and Adobe PDF-based ads. Previously this was only effective against PC users, but it can now work against users on any kind of smart device.
Business Email Compromise – this is when the attacker disguises themselves as a senior member of the company, such as the CFO or the CEO, and uses this mask to steal information from employees through email. It is especially effective within a business because employees don't realize it is a scam until much later.
In most of these attacks, the criminal uses a well-established name, company, or title as a disguise, and this wins them the confidence of the user. Even though there can be small tell-tale signs that something is fishy about the landing page, SMS, or whatever other medium the attacker is using, users don't usually pay attention to these finer details. They assume the person is legitimate, and they often share their information directly or follow through on the action the attacker suggests, such as downloading a compromised application that conveniently steals all their information.