Phishing 101: Back to the basics

Vishing

Cybercriminals call you on behalf of a well-known organisation and claim that you owe them money, or you have a virus on your computer that they can quickly fix, for a fee. In other instances, they claim that you’ve won something or are eligible for a loan, just when you desperately need money.

Vishing examples

Disclaimer: The names used in this scenario are fictitious. No association to real people is intended or inferred.

Spear phishing

Some academic staff have also received spear phishing emails from a malicious individual who pretends to be a person in authority. In most cases, the spoofed email looks like it’s coming from a Dean. Most of the time, the spoofed email address contains some aspects of the senior leader’s UCT email address, such as name.surname, but it ends with gmail.com or outlook.com. When you respond to these emails, the sender indicates that they urgently need the person to buy some form of voucher.

SmiShing

You receive an SMS or MMS asking you to click a link or watch the provided video. When you act, a cybercriminal can take control of your mobile device without you even knowing about it. You only realise what’s happened when you try doing something but all attempts are unsuccessful because the criminal has changed your passwords and is now control of your device and the apps on it.

Whaling aka CEO Fraud

Cybercriminals target those in executive management levels to get access to their login details. Senior management usually has access to privileged information, which is valuable to cybercriminals. Criminals do a lot of preparation for these so that the attacks look and sound legitimate. This includes getting to know the potential victim’s interests, finding out who they regularly communicate with, familiarising themselves with their writing style, and so on.

Watering hole phishing

The aim of this phishing attack is the waiting game. A cybercriminal selects their target and monitors their online activities to see which websites they frequently visit. They select one of these sites and infect it with malware. When the victim accesses the infected site, the malware infects their device – which gives the cybercriminal access to their details.

Pharming

Cybercriminals create a fake website, which resembles a legitimate one. Individuals do not even need to click anything to go to the site, as attackers either infect their computer or the organisation’s DNS server. 

Domain spoofing

A fake domain is created to impersonate an actual entity. When individuals see that the same domain is used in an email address, they automatically believe it to be a trusted company.

Clone phishing

A legitimate email address is cloned to make it seem that the communication is coming from an actual person.

Deceptive phishing

This is the most common phishing type. You’ll get an email claiming to be from your bank, and you’re asked to click a link to verify your banking details. It’s a classic trick, but still effective.

View an example of an attack that happened right here at UCT.
Disclaimer: The names used in this scenario are fictitious. No association to real people is intended or inferred.

Office 365 phishing

With many organisations using Microsoft Office 365, cybercriminals have created a range of attacks where they pretend to be from Microsoft. Targeted individuals are then asked to click the provided link to log in to their Office 365 account, change a password, resolve an issue with their account, or prevent their account from being deactivated.

Search engine phishing

Cybercriminals create website advertising for attractive online deals. They’re in cahoots with fake banks, so the websites seem legitimate. The criminals then capture individuals’ details and use them for fraudulent activities.