How to recognize the many phish in the cyber sea

Understanding phishing scams: the different types of phish that threaten security

Phishing for passwords

Many of the major breaches that made headlines in 2015 are believed to have started with some sort of phishing scam. From Anthem to Sony, human error is often to blame for the majority of security incidents that enterprises experience.

Understanding what a phishing scam is and how and why the organization is being targeted will help security professionals be on alert and better train their employees to identify and report potential threats.

Angela Knox, senior director of engineering and threat research at Cloudmark, said, “A phishing scam is when you receive an email or instant message or phone call where the person sending the message is pretending to be someone they are not in order to convince the recipient into giving over information because the receiver is someone they can trust.”

The problem is that these bad guys are so sophisticated in their tactics that it’s difficult to detect the frauds.


In one word, the criminals are successful because of trust. “A lot of times they will use social engineering tactics,” said Knox.  By creating a sense of urgency, the scammers are able to make end users act in a hurry. 

“Our brain shuts down from noting that there is something odd and focuses on the urgency, so these criminals use social engineering tactics to get past the normal doubt tactics. The people are experts,” Knox said.

Different varieties of phish include smishing, vishing, and spear phishing, and the goal of each is the same though the medium used to conduct the scam differs slightly.  Knox provided a quick definition of each:

  • Smishing takes those phishing techniques of building trust and establishing a sense of urgency but applies them to text (SMS) messaging.
  • Vishing uses voice, so it’s usually a phone call. The criminal can set the caller ID number to be anything they want it to be. The receiver may think the bank is calling because it’s the bank phone number. 
  • Spear Phishing involves a particularly targeted attack, so it’s usually in lower volume, especially if someone has more data available. Criminals can make the phishing attack more targeted to break into an enterprise network. The ‘spear’ part is more targeted. 

When Knox gave the example of a spear phishing attack that an end user might see, I shook my head in agreement. It was a tale I had heard many times before. An email from the CEO is sent to someone in the finance department asking them to make a wire transfer. I’ve talked with so many high-level executives from major security companies who noted someone in their own organizations had seen this type of attack. Fortunately for them, the threat was detected before trouble ensued. 

“If you look at the domain name, it’ll be a similar domain with maybe one letter change,” said Knox. It’s really important that end users are trained not to respond to these calls for urgency. Teaching employees how to find the domain name can prevent them from falling victim to deception.
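The “one letter change” Knox describes can also be checked automatically when a message is reported or received. The following Python is an added example, not code from the article or from Cloudmark; the trusted-domain list, the sample message and the function names are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's real mail domains (example.com is a placeholder).
TRUSTED_DOMAINS = frozenset({"example.com"})

# Constructed sample of the CEO wire-transfer lure; note "examp1e" (digit one).
SAMPLE = (
    'From: "Pat Lee, CEO" <pat.lee@examp1e.com>\n'
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please send the payment before noon today.\n"
)


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent) to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(raw_message):
    """Domain of the address in the From header, ignoring the display name."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(raw_message, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (verdict, trusted domain being imitated or matched)."""
    domain = sender_domain(raw_message)
    if not domain:
        return ("unparseable", None)
    if domain in trusted:
        # Matching text only; authenticity still depends on SPF/DKIM/DMARC.
        return ("exact-match", domain)
    for good in sorted(trusted):
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("external", None)


if __name__ == "__main__":
    print(classify_sender(SAMPLE))
```

A “lookalike” verdict on a message that asks for a payment or credentials is a reason to hold it and confirm the request through a separate channel.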

Though phishing itself is not social engineering, bad guys use their understanding of the ways humans behave to develop these scams. Scamming someone is a psychological con, and these bad actors are some of the greatest and most skilled con artists because they know how to manipulate human trust.

Criminals conduct phishing campaigns by collecting data on sites like,, where a lot of employee emails, names, titles are listed. They learn who is in the organization and collect useful data that they use to start a conversation with targeted employees. 

“They will build up trust before they ask someone to open an attachment,” said Knox.  “They may talk to someone for weeks then say, ‘Now I’m sending you an attachment.’”

The attachments are where the money-making comes in. Some attackers are trying to get in to obtain data that they can sell or reuse. “It could be industrial espionage, or malware that demands someone transfer money out,” said Knox. Whether they are collecting credentials or installing bots, spam, or DDoS attacks, the techniques are different, but the goal is usually money. The goal is to sell or trade sensitive data, and it’s a lucrative market for criminals.

Including examples of these types of scams in an ongoing awareness training program is a key step in mitigating the various threats to the security of the cyber seas.
