
What is Phishing

Phishing is a form of criminally fraudulent social engineering: a cyber attack in which attackers pose as a trustworthy entity in an electronic communication to trick you into divulging sensitive information such as usernames, passwords, credit card details, or other personal information.

Phishing often mimics legitimate organizations such as banks, social media platforms, or online services, and typically involves deceptive emails, text messages, or websites. Phishing attacks rely on psychological manipulation to prompt victims to take actions that benefit the attackers, such as clicking on malicious links, downloading harmful attachments, or entering confidential information into fake forms.
Common phishing tactics include emails claiming to be from popular social websites, banks, auction sites, or IT administrators.

Common Phishing Techniques (not an exhaustive list)

  • Email/Spam: The most common phishing technique. The same email is sent to millions of users with a request to fill in personal details, which the phishers then use for their illegal activities. Most of the messages carry an urgent note requiring the user to enter credentials to update account information, change details, or verify an account. Sometimes users are asked to fill out a form to access a new service through a link provided in the email.
  • Spear Phishing: Think of spear phishing as professional phishing that is much more targeted. The attacker has a specific individual (or individuals) or organization they want to compromise and is after more valuable information than credit card data. They research the target in order to make the attack more personalized and increase their chances of success.
  • Smishing (SMS Phishing): Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.
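The email technique above leans on two things a mail filter can actually check: urgency language and links whose visible text does not match where they really point. The following is an added example, not code from the original article, that runs those heuristics over two constructed sample messages (the `.test` domains and addresses are made up; the urgency word list is an assumption, not a standard):

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first shows the pattern
# described in the text: urgent wording plus a link whose label says one
# domain while the href goes to another.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examp1e-bank-login.test>
To: customer@example.org
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. <a href="http://account-verify.test/login">https://www.example-bank.test/secure</a></p>
"""

SAMPLE_LEGIT = """From: "Newsletter" <news@example-bank.test>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<p>Log in at <a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a> to view it.</p>
"""

# Assumed word list for the "urgent note" the text describes; tune per organisation.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "within 24 hours", "act now"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude registrable-domain approximation (last two labels); fine for the samples."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    sender_dom = addr.split("@")[-1].lower() if "@" in addr else ""
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()

    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    for href, label in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        label = re.sub(r"<[^>]+>", "", label).strip()
        # Only compare when the visible text itself looks like a URL.
        label_host = urlparse(label).hostname if label.startswith(("http://", "https://")) else None
        if label_host and registrable(label_host) != registrable(href_host):
            findings.append(f"link text shows {label_host} but href goes to {href_host}")
        if href.lower().startswith("http://"):
            findings.append(f"plain-http link to {href_host}")
        if sender_dom and registrable(href_host) != registrable(sender_dom):
            findings.append(f"link domain {href_host} differs from sender domain {sender_dom}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(sample) or ["no findings"])
```

The checks are deliberately simple and will produce false positives (newsletters that link to a separate CDN, for instance); they are a triage aid for a mailbox reviewer or awareness exercise, not a replacement for a mail gateway's own filtering.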

While researching phishing attacks, one example caught my eye because it targeted an organization’s donors. A vendor email compromise attack targeted the Special Olympics of New York, leveraging their email system to reach their approximately 67K registered families with an adult or child having an intellectual disability. Their email server was apparently hacked in December and was used to send out phishing emails to their donors under the guise that a donation of nearly $2,000 was about to be posted automatically (creating the necessary sense of urgency on the part of the potential victim). Upon realizing the email had been sent out, a follow-up email was sent, communicating that Special Olympics New York was aware of the hack, that donors should ignore the email, and that no information – other than contact details – was accessed.

Pregnancy centers are not immune to phishing attacks, so it is important that your organization remains vigilant. Because there are many types of email phishing attacks, it is important to implement Security Awareness Training.
