Despite what they say, what you don’t know can hurt you. While most people are aware of what a phishing scam is—even if they can’t always spot one—there are many phish in the sea and how they operate varies greatly. To help combat the phishing epidemic (which has affected more than 75% of businesses in 2018 alone), we’re providing a glossary of phishing words and related phishing terms that everyone should be aware of to avoid getting hooked.
15 Phishing Words Everyone Should Know
1. Business Email Compromise (BEC)
2. Clone Phishing
3. Defense in Depth
4. Domain Fronting
5. Human Firewall
6. Malware
7. Meta Data
8. Multi-Factor Authentication (MFA)
9. Phishing Simulations
10. Ransomware
11. Rule-Based Anti-Phishing
12. Slack Attacks
13. Spear Phishing
14. Unicode
15. Whaling
1. Business Email Compromise (BEC)
BEC is a phishing tactic that targets lower-level employees who possess administrative rights by pretending to be a company executive requesting sensitive information. This phishing scam usually targets large corporations where employees know the names of the executives but rarely interact with them. BEC counts on employees not wanting to say no to a superior and sending the requested information without question.
2. Clone Phishing
Clone phishing schemes replicate an email message someone has recently received, adding a malicious link to click on. To explain the duplicate nature of the email and to persuade recipients to click and re-enter personal information, it will usually state that it is being resent in order to provide an updated version.
3. Defense in Depth
A phishing defense strategy that uses multiple levels of security to prevent phishing, so that if one layer of defense turns out to be inadequate, additional layers are in place to prevent a full breach. The concept gained its catchy name in the 1987 book Principles of Programming Languages.
4. Domain Fronting
This phishing scam begins with an email asking recipients to click on a link designed to look like a legitimate site, which then re-routes them to another unsafe site where hackers steal sensitive information. The technique was originally developed as a way for political and human rights activists living under repressive regimes to circumvent heavy censorship; cybercriminals have since hijacked it for nefarious purposes.
5. Human Firewall
The act of relying on employees to protect the company from phishing by providing phishing awareness training. Unfortunately, this technique is insufficient as a stand-alone defense against phishing attacks.
6. Malware
Software that is designed to cause damage to or manipulate a computer, server, client, or computer network. Often distributed through phishing emails, malware implants itself into a computer when a link is clicked or an attachment is opened.
7. Meta Data
A description of the content of a webpage or email that is embedded within it. Anti-phishing solutions such as Clearedin read meta data to determine if an email or site is a phish instead of reading the full content of the email, protecting the sender's and recipient's privacy.
8. Multi-Factor Authentication (MFA)
A security measure that requires two or more steps to access an account. Steps usually include the following:
- Something you know: A password or PIN.
- Something you have: A server-generated, one-time code delivered to a device in the user's possession, which must be keyed in before access is granted.
- Something you are: Fingerprints, facial recognition, eye scans, and other biometrics.
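The following is an added example, not code from the original article or from Clearedin, showing how the "something you know" and "something you have" factors combine into one login check: the password hash must match and the one-time code must verify, so neither factor alone is enough. The one-time code is a standard TOTP (RFC 6238, HMAC-SHA1, 30-second step); the password, salt and the RFC reference secret are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credentials (assumptions, not from the original page).
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", DEMO_SALT, 100_000
)
# RFC 6238's reference test secret (ASCII "12345678901234567890"), chosen so the
# generated codes can be compared against the published test vectors.
DEMO_TOTP_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """Time-based one-time password: HOTP over the current 30-second window."""
    return hotp(secret, int(now) // step, digits)


def check_password(password, stored_hash=DEMO_PASSWORD_HASH, salt=DEMO_SALT):
    """'Something you know': slow hash compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def check_totp(code, secret=DEMO_TOTP_SECRET, now=None, window=1):
    """'Something you have': accept the current window plus +/- one for clock drift."""
    now = time.time() if now is None else now
    counter = int(now) // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def login(password, code, now=None):
    """Both factors must verify; a correct code never rescues a wrong password."""
    return check_password(password) and check_totp(code, now=now)


if __name__ == "__main__":
    # At T=59 seconds the RFC 6238 reference code (6 digits) is 287082.
    print(totp(DEMO_TOTP_SECRET, 59))
    print(login("correct horse battery staple", totp(DEMO_TOTP_SECRET, 59), now=59))
```

The `now` parameter exists only so the check is reproducible; a real deployment uses the clock, and a phishing site that captures the password still needs the code from the device within the same 30-second window.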
9. Phishing Simulations
Phishing simulations involve a company sending internal phishing emails containing attachments, embedded links, and requests for personal information to its own employees. The phishing simulations are designed to look like they're coming from a stranger or from someone the employee knows. If an employee takes the bait, they are notified and either educated or reprimanded.
10. Ransomware
A form of malware that encrypts the victim's data, after which a cybercriminal demands payment (usually in bitcoin) to release it. While the price is often low to encourage payment, cybersecurity experts and law enforcement officials have been adamant that companies should not pay the ransom, arguing that it will only encourage further attacks.
11. Rule-Based Anti-Phishing
Rule-based approaches to phishing attacks create a series of rules based on a variety of factors to detect phish. When new threats come in, more rules are created. Critics of the rule-based approach argue that over time the rules become complex, difficult to manage, and challenging to keep up to date.
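The following is an added example, not code from the original article or from Clearedin, illustrating both the meta data and the rule-based entries above: the checker reads only message headers (sender, Reply-To, subject line, authentication results) and never the body, and each detection rule is one entry in a list, which is exactly the structure that grows rule by rule as new threats appear. The two sample messages are constructed, and the rule names and thresholds are assumptions for the demo.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the original page). Only headers are
# examined, so the body text is never read by the checker.
SUSPICIOUS_MESSAGE = """\
From: "Acme CEO" <ceo@acme-corp.example>
Reply-To: ceo.acme@freemail.example
To: accounts@acme-corp.example
Subject: Urgent wire transfer needed today
Authentication-Results: mx.acme-corp.example; spf=fail smtp.mailfrom=acme-corp.example
Content-Type: text/plain

(body intentionally not inspected)
"""

BENIGN_MESSAGE = """\
From: "Acme CEO" <ceo@acme-corp.example>
To: accounts@acme-corp.example
Subject: Q3 planning notes
Authentication-Results: mx.acme-corp.example; spf=pass smtp.mailfrom=acme-corp.example
Content-Type: text/plain

(body intentionally not inspected)
"""


def header_metadata(raw):
    """Extract just the header-level facts the rules need; the body is untouched."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return {
        "from_domain": from_addr.rsplit("@", 1)[-1],
        "reply_to_domain": reply_to.rsplit("@", 1)[-1] if reply_to else "",
        "subject": str(msg.get("Subject", "")),
        "auth_results": str(msg.get("Authentication-Results", "")),
    }


# Each rule is (name, predicate over the metadata dict). Responding to a new
# threat means appending another tuple, which is how a rule set grows over time.
RULES = [
    ("reply-to domain differs from From domain",
     lambda m: bool(m["reply_to_domain"]) and m["reply_to_domain"] != m["from_domain"]),
    ("SPF failed",
     lambda m: "spf=fail" in m["auth_results"].lower()),
    ("urgency language in subject",
     lambda m: any(w in m["subject"].lower() for w in ("urgent", "immediately", "asap"))),
]


def evaluate(raw, rules=RULES):
    """Return the names of every rule that fires on the message headers."""
    meta = header_metadata(raw)
    return [name for name, predicate in rules if predicate(meta)]


if __name__ == "__main__":
    print(evaluate(SUSPICIOUS_MESSAGE))   # three rules fire
    print(evaluate(BENIGN_MESSAGE))       # nothing fires
```

Because `RULES` is a flat list of independent predicates, it is easy to see how it gets unwieldy: every new trick (a different free-mail domain, a new urgency phrase) becomes one more entry, and nothing in the structure tells you which older entries are now redundant.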
12. Slack Attacks
Slack is a cloud-based team collaboration service similar to instant messaging. Slack users can become victims of a phishing attack when a hacker sends malicious links or attachments through a direct message or a Slackbot reminder. Because most people associate phishing with email only, Slack attacks catch them off guard and are often successful.
13. Spear Phishing
Whereas normal phishing aims to hook anyone willing to bite, spear phishing targets a specific individual or individuals within an organization. Spear phishers personalize their emails and use information specific to their target to lead the recipient to believe they have a connection with the sender. This is often accomplished by impersonating an employee or contractor to obtain sensitive data or banking details.
14. Unicode
Unicode is an international encoding standard for use with different languages and scripts in which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs. Hackers use look-alike Unicode characters in the addresses of their fraudulent sites, making them almost impossible to tell apart from the genuine site without carefully inspecting the site's URL or SSL certificate.
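The following is an added example, not code from the original article or from Clearedin, showing the kind of URL inspection the paragraph above recommends, done programmatically: a hostname is converted to its ASCII (punycode) form, which is what the DNS actually sees, and each label is checked for non-ASCII characters and for mixing of scripts (for instance a Cyrillic letter inside an otherwise Latin name). The hostnames used are constructed demo inputs; the script names come from the standard Unicode character names.

```python
import unicodedata


def scripts_in(label):
    """Set of script names (LATIN, CYRILLIC, GREEK, ...) used by the letters of a label."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue                       # hyphens and digits belong to no script
        name = unicodedata.name(ch, "")    # e.g. "CYRILLIC SMALL LETTER A"
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def inspect_hostname(hostname):
    """Return the punycode form plus flags a defender would want to see."""
    labels = hostname.lower().split(".")
    ascii_form = hostname.lower().encode("idna").decode("ascii")
    non_ascii = any(not label.isascii() for label in labels)
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    return {
        "input": hostname,
        "ascii": ascii_form,               # what the resolver is actually asked for
        "non_ascii": non_ascii,
        "mixed_script": mixed,
        "suspicious": non_ascii or mixed,
    }


if __name__ == "__main__":
    # Constructed examples: the second uses a Cyrillic "а" (U+0430) as the first letter.
    for host in ("apple.com", "\u0430pple.com"):
        print(inspect_hostname(host))
```

Displaying `ascii` next to the original spelling is the practical takeaway: a name that renders as a familiar brand but converts to an `xn--` label is the signal that the visible characters are not the ASCII ones they resemble.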
15. Whaling
Whaling is similar to spear phishing, but rather than targeting just any employee within a particular organization, whaling goes after high-level executives (bigger targets usually yield a bigger payday). Phishers may spend months researching their targets, analyzing their routines, and mapping their personal relationships. The scam itself may last weeks as well; to harpoon a whale, phishers may first gain trust through a series of back-and-forth exchanges.
Phishing scams are constantly evolving and becoming more sophisticated. As they do, new phishing words and phishing terms will undoubtedly arise. For now, these 15 terms and their definitions should give you an idea of the threats that are out there. Want to learn more—or interested in an anti-phishing solution? Contact the experts at Clearedin today!
Protect Your Organization From BEC Phishing Attacks
Download our guide to learn everything you need to know about BEC attacks.