convince a person to take some action by impersonating a trustworthy party that reasonably may legitimately ask the user to take such action.
For example, a criminal may send an email that appears to have been sent by a major bank and that asks recipients to click on a link in order to reset their passwords due to a possible data breach. When users click the link, they are directed to a website that appears to belong to the bank, but is actually a replica run by the criminal. As such, the criminal uses the fraudulent website to collect usernames and passwords to the banking site.
Spear phishing
Spear phishing refers to phishing attacks that are designed and sent to target a specific person, business, or organization. If a criminal seeks to obtain credentials into a specific company’s email system, for example, the attacker may send emails crafted specifically for particular targeted individuals within the organization. Often, criminals who spear phish research their targets online and leverage overshared information on social media in order to craft especially legitimate-sounding emails.
For example, the following type of email is typically a lot more convincing than, “Please login to the mail server and reset your password”:
Hi, I am going to be getting on my flight in ten minutes. Can you please log in to the Exchange server and check when my meeting is? For some reason, I cannot get in. You can try to call me by phone first for security reasons, but if you miss me, just go ahead, check the information, and email it to me — as you know that I am getting on a flight that is about to take off.
CEO fraud
CEO fraud is similar to spear phishing (see preceding section) in that it involves a criminal impersonating the CEO or other senior executive of a particular business, but the instructions provided by “the CEO” may be to take an action directly, not to log in to a system, and the goal may not be to capture usernames and passwords or the like.
The crook, for example, may send an email to the firm’s CFO with instructions to issue a wire payment to a particular new vendor or to send all the organization’s W2 forms for the year to a particular email address belonging to the firm’s accountant.
CEO fraud often nets significant returns for criminals and makes employees who fall for the scams appear incompetent. As a result, people who fall prey to such scams are often fired from their jobs. CEO fraud increased during the COVID-19 pandemic as people worked from home and were unable to verify the veracity of communications with as much ease as they could prior to the arrival of the novel coronavirus.
Smishing
Smishing refers to cases of phishing in which the attackers deliver their messages via text messages (SMS) rather than email. The goal may be to capture usernames and passwords or to trick the user into installing malware.
Vishing
Vishing, or voice-based phishing, is phishing via POTS — that stands for “plain old telephone service.” Yes, criminals use old, time-tested methods for scamming people. Today, most such calls are transmitted by Voice over Internet Protocol (VoIP) systems, but in the end, the scammers are calling people on regular telephones much the same way that scammers have been doing for decades.
Pharming
Pharming refers to attacks that present much like typical phishing attacks, but exploit different technical vulnerabilities in Internet-based routing in order to do so. Like phishing attacks, pharming attacks involve impersonating a trustworthy party that may legitimately ask the would-be victim to take some particular action. However, in pharming attacks, this is achieved not by tricking users into taking an action that brings them to a rogue clone of a legitimate website, but rather by poisoning routing tables and other network infrastructure so that any user who clicks a link to the legitimate website, or even enters the legitimate website’s URL into a browser, will be routed to a criminal’s clone.
Whaling: Going for the “big fish”
Whaling refers to spear phishing that targets high-profile business executives or government officials. (I know that whales are mammals and not fish, but this is about phishing not fishing.) For more on spear phishing, see the section earlier in this chapter.
Messing around with Other People’s Stuff: Tampering
Sometimes attackers don’t want to disrupt an organization’s normal activities, but instead seek to exploit those activities for financial gain. Often, crooks achieve such objectives by manipulating data in transit or as it resides on systems of their targets in a process known as tampering.
In a basic case of tampering with data in transit, for example, imagine that a user of online banking has instructed the bank to wire money to a particular account, but somehow a criminal intercepted the request and changed the relevant routing and account number to the criminal’s own.
A criminal may also hack into a system and manipulate information for similar purposes. Using the previous example, imagine if a criminal changed the payment address associated with a particular payee so that when the Accounts Payable department makes an online payment, the funds are sent to the wrong destination (well, at least it is wrong in the eyes of the payer).
One can also imagine the impact of a criminal modifying an analyst’s report about a particular stock before the report is issued to the public, with the criminal, of course, standing by to buy or sell stocks when the report is released in order to exploit the soon-to-be-reversed impact of the misinformation.
Captured in Transit: Interception
Interception occurs when attackers capture information in transit. In the context of cybersecurity, the transit is usually between computers or other electronic devices, but it could also be between a human and a device as well (such as capturing voice spoken to a voice recognition system). If the data isn’t properly encrypted, the party intercepting it may be able to misuse it. And, of course, data captured directly from humans — such as the aforementioned voice recordings — often cannot be encrypted.
Man-in-the-middle attacks
One special type of interception is known as a man-in-the-middle attack. In this type of an attack, the interceptor proxies
