Phishing is one of the most widespread methods used to compromise data and systems. In a phishing attack, one or more targets are contacted, most often by email but also through other messaging channels such as SMS text messages. The attacker poses as somebody else, frequently someone the victim knows or trusts: a friend, a work colleague, or a legitimate institution such as a bank. The goal is to lure individuals into disclosing sensitive data such as personally identifiable information, banking information, credit card details, and passwords.
Here is an example of a phishing email:
This looks like an ordinary purchase notice of the kind we see all the time. Clicking any of the links in this message, however, would not lead to an Amazon page. The victim would instead be sent to a site that might silently install malware on their system, or to a convincing-looking login page prompting them to enter their Amazon user ID and password. Anything entered is harvested and quickly used to compromise the victim's Amazon account, or other accounts held under their name.
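The deception described above (visible link text that names one site while the underlying link points somewhere else, leading to a credential-harvesting login page) is something a mail gateway or an analyst can check for mechanically. The following is an added example, not code from the original page: it parses a constructed sample message (the sender, order number and hostnames are all made up; `example.net` is a reserved name), extracts every `<a>` element, and flags links whose target domain disagrees with the authenticated sender domain or with the URL shown to the reader. The two-label "registrable domain" helper is a deliberate simplification; a production check would consult the public-suffix list.

```python
"""Flag deceptive links in an email body (added example; not from the original page)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a purchase-notice lure whose visible text says
# amazon.com but whose real href points at an unrelated host. Not a real email.
SAMPLE_EMAIL = """\
From: "Amazon.com" <order-update@amazon.com>
To: victim@example.org
Subject: Your Amazon.com order #112-0000000 has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order has shipped. View details at
<a href="http://amazon.com.order-status.example.net/login">https://www.amazon.com/orders</a>.</p>
<p>Questions? <a href="https://www.amazon.com/help">Help Center</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplified: a real gateway would use the
    public-suffix list so that multi-part suffixes such as co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_from_text(text):
    """If the visible anchor text looks like a URL, return the host it claims."""
    t = text.strip()
    if t.startswith(("http://", "https://")):
        return urlparse(t).hostname
    if t.startswith("www."):
        return urlparse("http://" + t).hostname
    return None


def _parse(raw_message):
    return email.message_from_string(raw_message, policy=policy.default)


def extract_links(raw_message):
    """Return all (href, visible text) pairs from the message's HTML body."""
    body = _parse(raw_message).get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    return collector.links


def find_deceptive_links(raw_message):
    """Return one finding per link whose real destination does not match what
    the reader is led to expect. Each finding lists the reasons it was flagged."""
    msg = _parse(raw_message)
    from_hdr = msg["From"]
    sender_domain = registrable_domain(from_hdr.addresses[0].domain) if from_hdr else None
    findings = []
    for href, text in extract_links(raw_message):
        parsed = urlparse(href)
        if not parsed.hostname:
            continue  # mailto:, relative links, etc. are out of scope here
        target = registrable_domain(parsed.hostname)
        reasons = []
        if sender_domain and target != sender_domain:
            reasons.append("sender_domain_mismatch")
        shown = _host_from_text(text)
        if shown and registrable_domain(shown) != target:
            reasons.append("display_url_mismatch")
        # A mismatched link that lands on a login-style path is the classic
        # credential-harvesting lure described in the text.
        if reasons and any(k in parsed.path.lower() for k in ("login", "signin", "verify")):
            reasons.append("login_lure")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print(finding)
```

Run as-is, the script reports the first link (display text `https://www.amazon.com/orders`, real target under `example.net`, path `/login`) with all three reasons, and stays silent on the genuine help-center link whose domain matches the sender. In practice the sender domain used for comparison should come from the DKIM or SPF-authenticated identity rather than the raw `From:` header, which an attacker can forge.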
Phishing is often aimed at collecting bank account login credentials. It may also be used to breach confidentiality, with information requested under the pretext of some legitimate purpose but gathered for malicious use.
Spear phishing is a specialized form of this technique. Instead of a broadcast to thousands or millions of targets, it is a targeted attack on a few chosen individuals. For example, if a law firm is known to hold sensitive information of interest to an attacker, particular people in the firm might be targeted with a more specific, and therefore more realistic, request. Because these attacks are personalized, they can be more dangerous and less obvious.