About Phishing

Unlike fishing, where the aim of the activity is to catch a fish, phishing is the attempt to obtain sensitive information, such as usernames, passwords, credit card details (and sometimes, indirectly, money), or other sensitive data, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

The interesting thing about phishing is that most attacks are carried out using social engineering techniques to deceive users and exploit their personal vulnerabilities. Nowadays it is not so rare for a company to experience a malicious attack from within the company itself.

Phishing as a term came about with technological advancement, but similar social manipulation techniques have been used for centuries, allowing manipulators to get what they want.

Almost every company has some trade secrets that are at the core of its business. In order to keep a competitive advantage in the market, and to keep its clients, the company has to keep those secrets secure. As a company grows, it usually needs new employees, and those new employees are its greatest liability. Sometimes new employees will give away information unknowingly, and sometimes they will try to extract information deliberately, carrying out an actual “attack.”

To deal with potential threats from within, every responsible company gives new employees limited access to its resources and secrets. If a new employee is a con artist intending to steal data for themselves or for another company, they will need some other approach in order to gain access to privileged information.

In normal circumstances, it takes a new employee a very long time, usually years, to obtain higher permissions, and this correlates with the employee’s advancement in the company’s hierarchy. Con artists and spies are usually not that patient; eager to gain access to the core company secrets, they will try another approach. That approach relies on social engineering manipulation techniques, in which one exploits another person’s trust by hacking their psychological state.

There is a plethora of emotions they can abuse; sometimes those vulnerabilities are simple, primal urges like greed or lust, but more often they exploit ordinary human feelings like loneliness, compassion, sympathy, or friendship.

For a social hacker, the more knowledge they have about a potential target, the easier it is to find something that can later be used against that target.

Company phishing attempts are very similar to personal ones: the attacker will find the target’s sensitive emotions and use them as a potential door. If a person is lonely, for instance, the social hacker will act as a friend or lover. Being emotionally vulnerable, targets may give away a lot more just to keep the new “friend.”

Pathological liars are very good at social hacking, and, as science says, that skill comes naturally to them.

The Science of Lying:

The way to protect against this type of vulnerability is first to educate people about both the technical and the social ways in which perpetrators usually carry out phishing attacks. With just that small step of awareness, companies can save millions.

How to deal with a suspected breach of trust?

If you catch an adversary trying to access information they should not have access to, they will try to deny everything. It is of crucial importance to apply a “we don’t negotiate with terrorists” policy. The case should be reported to the justice department and dealt with accordingly.

A woman from Uxbridge lost £65,000 *1 by falling for an online romance scam and is facing “financial ruin and extensive, long term debt.” She is one of many who can testify to this type of crime. According to statistics, the number of unique phishing reports is growing constantly; in fact, it doubled from 2014 to 2015, increasingly threatening individuals. *3

When you meet people who try to befriend you and soon after ask for money or to join some kind of terrorist organisation or religious cult, cut every connection as soon as possible. Do not negotiate with them, do not try to reason, do not explain your emotions, do not try to guilt-trip them in the hope that they will feel remorse; just stop all contact at once and ban/block them from contacting you on any communication channel.

It is highly likely that the attacker will keep trying to use the same exploit, justifying their actions and trying to influence the victim’s emotions, and they will be persistent for quite some time.

It is similar to the movie “A Beautiful Mind” (2001) (https://youtu.be/Yqj1DhUKJco?t=4m7s), where the mathematician John Forbes Nash Jr recognises that he suffers from schizophrenic hallucinations and, although he knows they may never go away, decides to ignore them completely, hoping that eventually they will give up on him. You should forget about scammers regardless of how tempting their offer sounds.

Phishers usually do not have time to spare singling out one specific prey. Like vultures on the savanna, they usually pick the weakest, as wasting time and energy on strong individuals would only lead to their own demise.

For spammers and phishers, the worst thing that can happen is you wasting their time, so the most enjoyable sport for the real knights of the Internet is to spam the spammers. If you have not seen it before, you should check out this video. I promise you will have fun!

James Veitch: This is what happens when you reply to spam email!

“That’s what it's like with all our dreams and nightmares,
got to keep feeding them for them to stay alive.”
-- Nash character, “A Beautiful Mind” (2001)

Notes & References:

1. Woman who lost life savings in online Ghana gold scam was tricked into helping fraudsters target other victims
   http://www.getwestlondon.co.uk/news/west-london-news/woman-who-lost-life-savings-11755889

2. The Psychology of Con Artists, and How to Avoid Them | Maria Konnikova
   https://www.youtube.com/watch?v=hSlBiMdlyyU

3. Phishing
   https://en.wikipedia.org/wiki/Phishing