Phishing is a common tactic used by online scammers and hackers to trick users into sharing their online credentials or other sensitive information. It is a type of “Social Engineering” that is usually done by sending a genuine and trustworthy looking message (E-mail, SMS, social media etc.) containing a link to a deceptive website. Once there, users are asked to provide their authentication credentials to log in, without suspecting they’re actually proving an attacker with their precious password.
Once the attacker has the credentials in hand, it can immediately be used to login to the real service and easily steal data or funds, damage online assets, impersonate the victim and so on. Since this “hack” is done without ever employing sophisticated cyber attacks against the breached system, it can take a while to detect and by the time it is, irreparable has been done to the user and/or the organization.
In order to increase their success rates, attackers try to perfectly imitative the appearance and user experience of the real service. This can become complicated as users get more educated about the dangers of phishing, but attack methods are constantly developing in response. Online scammers have a growing range of tools to imitate email addresses, web domains and even SMS and phone calls that are used as a 2nd factor authentication mechanism.
In many cases it can be very hard to distinguish between a phishing message and a genuine one. Moreover, scammers tend to design and phrase these messages in a way that will prompt an immediate action by the user, typically demanding a “periodical password change” or a “security audit”. It is not unusual to see fraudulent messages threatening users with account lock or deletion unless immediate action is taken, hurrying them to act without sufficient attention. The same can be said about the web domains used in many attacks – both email addresses and destination URLs can be very similar to the official versions and trick even the keenest eye.
The term “Phishing” is a deliberately incorrect spelling of fishing, and is based on the slang term “phone phreaking”. Just as fishers use baits and nets to capture fish, scammers use phishing messages to bait users and capture their credentials in large amounts.
Spear phishing, as its name suggests, is a phishing attack targeting a specific person (or sometimes a small group). Unlike standard phishing campaigns, that are trying to deceit as many victims as possible (due to the naturally low success rates), these are intended to gain very specific credentials, often as part of a broader attack against an organization.
Cloud phishing is a specific type of phishing attack aimed at cloud services and SaaS accounts. As businesses are moving more of their operations to different cloud platforms, there are becoming more prevalent and harder to prevent.
Spear phishing attacks rely on fraudulent communications, usually in the form of email following a business email compromise (BEC) incident. When using Secret Double Octopus, users are never prompted to reset or update passwords, meaning users will know that any such request is an attempt by a cybercriminal. Secret Double Octopus both removes the credentials target and negates the mechanism by which spear phishing works.