Social Engineering 101: Phishing

by Trava, Cyber Risk Management

When it comes to attacks on human error, the only defense is knowledge. Protect yourself.

The methods used by hackers today are clever and deceptive. They have ways to bypass your security and wreak havoc in a matter of minutes. Keeping technical controls such as firewalls, data encryption, and multi-factor authentication up to date is a great first step.

These days, however, hackers most often attack a weak point that every business shares: people. They use our own working relationships against us to get at protected data, costing businesses millions of dollars in damages or ransom. These attacks prey on human error, and the only defense is knowledge.

This series goes in depth into a few of the most common types of social engineering attack, so that you know how to identify one and how to handle it before it's too late.

Phishing, Vishing, and Smishing

Phishing is the most common type of social engineering attack there is. Chances are you've seen some poor attempts in your email's spam folder over the years. Phishing is an attempt to steal a user's information by sending emails that pose as vendors, customers, or partner companies and ask the recipient to take some action, such as clicking a link, opening an attachment, or entering credentials. Vishing is the same tactic carried out over phone calls (voice phishing), and smishing uses text messages (SMS phishing).

All three variations use the same or very similar tactics, so spotting and defending against them involves the same steps. In their basic form, phishing attacks cast a wide net, sending the same message to many recipients in the hope that one or two of them bite.

Spear phishing picks a specific target and tailors the message to that person for the best chance of success. Whaling is similar, but the attackers specifically target high-ranking executives (CEOs, CFOs, COOs) within a company. In both cases they research their targets first to find the approach most likely to get a response.

Phishing Techniques

Understanding the different types of phishing is only half of the battle. Listed below are the common deployment tactics used by attackers.

  • Tax-Themed Attacks. Attackers impersonate tax professionals or tax agencies in order to extract sensitive information. The message usually carries a link to a page that harvests whatever you type into it, such as login credentials or tax details, or that installs malware on your system.
  • Invoice Fraud. Attackers send notices for outstanding invoices while pretending to be known vendors or companies. The links provided will likely lead to sites that quietly download malware or other hacking tools the attacker can use to dig into your protected data.
  • Downloads. Attackers impersonate trusted figures from within the company or the wider community and send emails with downloadable files, such as PDFs or Word documents, that carry malware. Once opened, these tools can go unnoticed for months while they slowly and stealthily extract data, including your login credentials, which then give access to all kinds of private information.
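The tactics above leave concrete traces in the message itself: a sender domain that is a near miss for a real vendor, a Reply-To that reroutes replies elsewhere, a link whose visible text shows one site while the href goes to another, and a macro-enabled or executable attachment. The script below is an added example written for this page, not Trava's product or any detector the page describes; it runs those checks over a raw email. The vendor allow-list, the risky-extension list, and both sample messages are constructed for illustration.

```python
"""Triage a raw email for common phishing indicators (added example, not Trava's code)."""
import ipaddress
import os
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organisation really corresponds with (constructed).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "irs.gov"}
# File types that routinely carry macro malware or droppers.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
ADDR_DOMAIN = re.compile(r"@([\w.-]+)")
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, known=KNOWN_VENDOR_DOMAINS):
    """'known' for an exact match or subdomain; 'lookalike' for a near miss or a
    vendor name reused as a label (acme-supplies.evil.test); otherwise 'unknown'."""
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "known"
    labels = domain.split(".")
    for k in known:
        if edit_distance(domain, k) <= 2 or k.split(".")[0] in labels:
            return "lookalike"
    return "unknown"


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _addr_domain(header):
    m = ADDR_DOMAIN.search(str(header or ""))
    return m.group(1).lower() if m else ""


def phishing_indicators(raw):
    """Return (code, detail) pairs for each indicator found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    sender = _addr_domain(msg.get("From"))
    if classify_sender_domain(sender) == "lookalike":
        found.append(("lookalike-sender", sender))
    reply_to = _addr_domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:  # replies silently rerouted to the attacker
        found.append(("reply-to-mismatch", reply_to))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        parser = _Links()
        parser.feed(html.get_content())
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            try:
                ipaddress.ip_address(host)  # bare IP instead of a vendor hostname
                found.append(("ip-literal-link", href))
            except ValueError:
                pass
            if LOOKS_LIKE_URL.match(text):  # text shows one site, href goes elsewhere
                shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
                if shown != host:
                    found.append(("link-text-mismatch", f"{text} -> {href}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(("risky-attachment", name))
    return found


# Constructed sample: invoice-fraud lure with a typo-squatted sender, rerouted
# replies, a disguised link to a bare IP, and a macro-enabled attachment.
SAMPLE_LURE = b"""From: Accounts Payable <billing@acme-supp1ies.example>
Reply-To: pay-now@mailer.example.net
To: cfo@victim.example
Subject: Overdue invoice #44812
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Your invoice is overdue. Review it at
<a href="http://203.0.113.5/login">https://portal.acme-supplies.example/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="invoice_44812.docm"
Content-Disposition: attachment; filename="invoice_44812.docm"
Content-Transfer-Encoding: base64

UEsDBBQA
--b1--
"""

# Constructed sample: a genuine message from the real vendor, which should pass clean.
SAMPLE_LEGIT = b"""From: Accounts Payable <billing@acme-supplies.example>
To: cfo@victim.example
Subject: Invoice #44812
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your invoice is ready at
<a href="https://portal.acme-supplies.example/invoices/44812">portal.acme-supplies.example</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw))
```

None of these checks is proof on its own (a legitimate mail-merge service sets Reply-To too), which is why the function returns every indicator it finds rather than a single verdict; a triage rule can then require two or more before escalating.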

What can you do to prevent phishing?

Knowing what to look for when it comes to social engineering attacks like phishing is the foundation of protecting your sensitive data, but there are tools that can help you prepare for them as well. Phishing simulations can train your entire organization and show you where you are most vulnerable to phishing scams. Trava Security offers an industry-leading phishing simulation to get your staff up to speed on current techniques and how to spot them before any damage is done.

Trava can also provide full system vulnerability scans so you can give your business the best possible chance of fighting off attacks. The scan analyzes everything from password policies to multi-factor authentication coverage to help defend your network even if a phishing scam gets through the first line of defense. Click here to schedule a demo today.

Watch as Trava Director of Engineering Josh Hurst demonstrates Trava's phishing simulation.

