The Human Element of Phishing

Hackers continue to get creative in how they craft their scams and in which demographics they tailor them to. Beyond the Nigerian prince scam (although reports say this scam still rakes in $700,000 a year), hackers are getting smarter. Security systems can protect us from a lot of threats, but we are only as good as our weakest link: us.

According to www.itgovernance.eu, the 5 most common types of phishing attacks are email, spear, whaling, smishing and vishing, and angler.

Email phishing is the most common form. It typically involves a link you are directed to click, an attachment to download, or a number to call, all of which inevitably lead to a request for your password, bank, credit card, or social security information. Hackers can register domains such as ‘@amazonsupport.com’ to make the request feel more legitimate. They can even recreate a company’s branding guidelines so the email footers look legitimate too. The primary way to determine whether you are looking at a phishing email is to verify the information in front of you. Separately google the phone number or email domain of the company the email claims to be from, or even call the company to confirm that the email you got was in fact sent by them.
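The lookalike-domain trick described above can be checked mechanically. The following is an added example, not code from the original article or from LayerEight: it parses the From: header of a message and flags sender domains that borrow a known brand name without being that brand’s real domain, plus display names that claim a brand while the address belongs to an unrelated domain. The brand list and function names are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Official domains for a few brands. Assumption: these are example entries; a real
# deployment would load its own allow-list of brands and their registered domains.
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}

def split_from(from_header: str):
    """Return (display_name, domain) from a From: header, both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().lower(), domain.strip().lower().rstrip(".")

def is_official(domain: str, official: set) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == o or domain.endswith("." + o) for o in official)

def brands_mentioned(text: str):
    """Brand names found in text once separators are dropped and 0/1 are read as o/l."""
    flat = re.sub(r"[^a-z0-9]", "", text).replace("0", "o").replace("1", "l")
    return {b for b in KNOWN_BRANDS if b in flat}

def check_sender(from_header: str) -> str:
    """Classify a From: header as official, lookalike, display-name-spoof, unknown or unparseable."""
    name, domain = split_from(from_header)
    if not domain:
        return "unparseable"
    for official in KNOWN_BRANDS.values():
        if is_official(domain, official):
            return "official"               # e.g. no-reply@amazon.com, x@mail.amazon.co.uk
    if brands_mentioned(domain):
        return "lookalike"                  # e.g. amazonsupport.com, paypa1-alerts.net
    if brands_mentioned(name):
        return "display-name-spoof"         # e.g. "Amazon Support" <help@unrelated.biz>
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for hdr in ["Amazon <no-reply@amazon.com>",
                "Amazon Support <help@amazonsupport.com>",
                '"Amazon Support" <help@mailer-xyz.biz>',
                "security@paypa1-alerts.net"]:
        print(f"{hdr!r:50} -> {check_sender(hdr)}")
```

A "lookalike" or "display-name-spoof" verdict is a prompt to verify out of band, as the article advises, not proof of fraud on its own.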

Spear phishing is a more direct form of attack where the criminal already has some of your information, such as your name, place of employment, and job title. These messages may appear to come from a customer or coworker asking for help with something vague that you probably haven’t heard about before. Don’t doubt yourself. For these, pay attention to spelling, grammar, and branding.

Whaling is like spear phishing but even more targeted, usually aimed at senior executives. Many times, these emails will claim that the sender is too busy to schedule a wire transfer of funds themselves, as an example. Fake links and URLs are also common. Consider who is sending these to you, and whether the way the message is written looks consistent with the way that person would structure an email. When in doubt, send a separate email to, or call, the claimed sender and ask whether this was a real request.

Smishing and vishing are newer in the game of phishing, and typically come via text (smishing) or a direct call (vishing). We have all gotten a text from a ‘bank’ (possibly not even a bank you use) noting suspicious activity in our account: “Click here to view,” with a link. Vishing may be someone pretending to call from a company offering a great deal on services. Never click a link in a text from a strange number. If it is in fact coming from a service that you use, log into your account separately. Calls, just like emails, can be verified by hanging up and calling the company yourself to ensure this ‘promo’ is real.

Angler phishing covers social media scams: a Facebook message from someone who actually is your friend (their account was hacked), or from someone pretending to be your friend (a scam account), asking you to click on a photo, link, or message. Again, picking up the phone and calling the person, or texting them separately from the channel the potential scam arrived on, and asking whether they sent you a link via social media can answer your question of legitimacy.

To summarize, the most important things to remember are: don’t click strange links, and verify senders via google or a separate communication method. The prince doesn’t have your email address, and your computer’s network security is only as good as you are! Need outside IT support and education?

Give LayerEight a call for a free analysis of your vulnerability at 518-324-5978.