!!! Overview[1]
[{$pagename}] ([Spear-Phishing]) is a [Social Engineering Attack] used to obtain [data], including [Sensitive Data] such as [usernames], [passwords], and [Payment Card] details (and, indirectly, [money]), often for [malicious] reasons, by disguising as a trustworthy [entity] in a [Telecommunications] channel like [Email].


[{$pagename}] is an example of a [Social Engineering Attack] used to deceive users and to [exploit|exploits] weaknesses in current [Website] security.

[{$pagename}] typically directs users to enter [personal data] at a fake [website], the look and feel of which are almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. [{$pagename}] emails may contain links to [websites] that are infected with [malware].

[{$pagename}] may involve use of an [HTML link] to a [Malicious] [Website] which then deploys [Malicious Software].

[{$pagename}] may use [Punycode] so that [HTML links] appear to point to a reputable [Organizational Entity].
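The Punycode trick above can be checked for on the receiving side by decoding any xn-- labels back to Unicode and looking for mixed-script or look-alike hostnames. The following is an added example, not part of the original page; the trusted-domain list, the confusables table (a small subset of Cyrillic/Latin look-alikes) and the sample URL are all constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlsplit

# Small, hand-picked subset of Cyrillic letters that render like Latin ones (assumption:
# a real deployment would use the full Unicode confusables data).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
               "х": "x", "у": "y", "і": "i", "ј": "j", "ѕ": "s"}

# Constructed sample: Cyrillic а, р, р + Latin l + Cyrillic е, encoded with the idna codec.
CONSTRUCTED_UNICODE_HOST = "аррlе.com"
CONSTRUCTED_URL = "https://" + CONSTRUCTED_UNICODE_HOST.encode("idna").decode("ascii") + "/login"
TRUSTED = {"apple.com", "paypal.com"}  # constructed allowlist of brand domains


def script_of(ch):
    """Unicode script family of a letter, e.g. 'LATIN' or 'CYRILLIC'."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def decode_host(host):
    """Turn xn-- labels back into Unicode; undecodable punycode is itself suspicious."""
    try:
        return host.encode("ascii").decode("idna"), None
    except UnicodeError as exc:
        return host, f"undecodable IDN label: {exc}"


def skeleton(label):
    """Replace look-alike Cyrillic letters with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyse_url(url, trusted):
    """Return the decoded hostname plus a list of human-readable findings."""
    host = urlsplit(url).hostname or ""
    findings = []
    if host.isascii():
        uhost, err = decode_host(host)
        if err:
            findings.append(err)
    else:
        uhost = host  # already a Unicode hostname
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
    skel = ".".join(skeleton(l) for l in uhost.split("."))
    if skel != uhost and skel in trusted:
        findings.append(f"{uhost!r} is a look-alike of trusted {skel!r}")
    return {"host": host, "unicode_host": uhost, "findings": findings}
```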

!! [{$pagename}] [Attacks]
More than 2/3 of the incidents in [2015|Year 2015] involved [{$pagename}] ([Verizon Data Breach Investigations Report]). 

[One-Time passwords] and other [Multi-Factor Authentication] help protect against your account being used to perform [{$pagename}], but __not against you being the subject__ of [{$pagename}].

!! [{$pagename}] leads to other [Attacks]
[{$pagename}] is often just the entry point to further [attacks]. For [example], to perform [attacks] such as [pass-the-hash] or [pass-the-ticket], the [attacker] first needs the [credentials] of a [user] to get in the door.

!! [{$pagename}] [Example]
One trick that [bad guys|Attackers] use a lot is called [CEO] Fraud. CEO Fraud involves a scam in which [cybercriminals] impersonate executives in order to fool an [employee] into executing unauthorized wire transfers, or sending out confidential [Sensitive Data]. A sense of urgency is usually employed, pressuring the victim to act before thinking. According to [FBI] statistics, CEO fraud is now a $12 billion scam.


!! 1. [Spear-Phishing]

Where general email attacks use spam-like tactics to blast thousands of recipients at a time, spear phishing attacks target specific individuals within an organization. In this type of scam, hackers customize their emails with the target’s name, title, work phone number, and other information in order to trick the recipient into believing that the sender somehow knows them personally or professionally. Spear phishing is carried out by organizations with the resources to research and implement this more sophisticated form of attack.

!! 2. [Whaling]

Whaling is a variant of spear phishing that targets CEOs and other executives ("whales"). As such individuals typically have unfettered access to sensitive corporate data, the risk-reward is dramatically higher. Whaling is for advanced criminal organizations that have the resources to execute this form of attack.

!! 3. [BEC] (Business Email Compromise)

BEC attacks are designed to impersonate senior executives and trick employees, customers, or vendors into wiring payments for goods or services to alternate bank accounts. According to the FBI's 2019 Internet Crime Report, [BEC scams were the most damaging and effective|https://www.zdnet.com/article/fbi-bec-scams-accounted-for-half-of-the-cyber-crime-losses-in-2019/] type of cyber crime in 2019.

!! 4. [Clone Phishing]

In this type of attack, the scammer creates an almost-identical replica of an authentic email, such as an alert one might receive from one's bank, in order to trick a victim into sharing valuable information. The attacker swaps out what appears to be an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.

!! 5. [Vishing]

Also known as [Voice] phishing, in [vishing], the scammer fraudulently displays the real telephone number of a well-known, trusted organization, such as a bank or the IRS, on the victim’s caller ID in order to entice the recipient to answer the call. The scammer then impersonates an executive or official and uses social engineering or intimidation tactics to demand payment of money purportedly owed to that organization. Vishing can also include sending out voicemail messages that ask the victim to call back a number; when the victim does so, the victim is tricked into entering his or her personal information or account details.

!! 6. [Snowshoeing]

In a snowshoeing scheme, attackers attempt to circumvent traditional email spam filters. They do this by pushing out messages via multiple domains and IP addresses, sending out such a low volume of messages that reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it to the email inboxes before the filters learn to block them.
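Because each sending domain and IP in a snowshoeing campaign stays below the volume a reputation filter reacts to, the defender's counter is to correlate by message content instead of by source. The following is an added example, not part of the original page: it groups messages by a normalised template and flags templates that arrive from many sources at a low per-source rate. The message log, domains (reserved .example) and IPs (TEST-NET ranges) are constructed; the thresholds are assumptions to tune per environment.

```python
import hashlib
import re
from collections import defaultdict

# Constructed log: one phishing template spread over five domains/IPs (one message each)
# plus a legitimate newsletter sent six times from a single domain.
SAMPLE_MESSAGES = [
    {"sender_domain": f"billing-{i}.example", "src_ip": f"192.0.2.{i}",
     "subject": f"Invoice {1000 + i} overdue",
     "body": f"Please settle invoice {1000 + i} today via http://pay-{i}.example/{i}"}
    for i in range(1, 6)
] + [
    {"sender_domain": "news.example", "src_ip": "198.51.100.7",
     "subject": "Weekly newsletter",
     "body": "This week's stories: http://news.example/weekly"}
    for _ in range(6)
]


def template_key(subject, body):
    """Collapse per-message variation (links, numbers, whitespace) into a template hash."""
    text = f"{subject}\n{body}".lower()
    text = re.sub(r"https?://\S+", "<url>", text)  # each hop uses its own landing URL
    text = re.sub(r"\d+", "<n>", text)             # invoice numbers, amounts, dates
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def find_snowshoe_campaigns(messages, min_sources=4, max_per_source=2):
    """Flag templates seen from >= min_sources domains, none sending more than max_per_source.

    A template that a single domain sends in bulk is ordinary mail (or ordinary spam that a
    volume filter already catches); many domains each sending a trickle is the snowshoe pattern.
    """
    groups = defaultdict(list)
    for m in messages:
        groups[template_key(m["subject"], m["body"])].append(m)
    flagged = {}
    for key, msgs in groups.items():
        per_domain = defaultdict(int)
        for m in msgs:
            per_domain[m["sender_domain"]] += 1
        if len(per_domain) >= min_sources and max(per_domain.values()) <= max_per_source:
            flagged[key] = {"messages": len(msgs),
                            "domains": sorted(per_domain),
                            "ips": sorted({m["src_ip"] for m in msgs})}
    return flagged
```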

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Phishing|Wikipedia:Phishing|target='_blank'] - based on information obtained 2017-05-05
* [#2] - [What is Phishing?|https://www.fortinet.com/resources/cyberglossary/phishing?utm_source=blog&utm_campaign=phishing|target='_blank'] - based on information obtained 2021-07-21