Spoofing and phishing. If you watch the Fox television show Gotham (@Gotham), those terms might sound like something Edward Nygma, a.k.a. The Riddler, might use to confound James Gordon and the Gotham City PD.
Whenever I talk to new employees about what the Abuse, Compliance and Delivery group does here at Net Atlantic, I usually get a few giggles when I bring up spoofing and phishing. Heck, they still make me chuckle sometimes! But even though they might sound funny, spoofing and phishing are no laughing matter. In fact, these practices are actually pretty nefarious!
Phishing is an attempt to get someone to divulge personal information, such as credit card or social security numbers, login and password credentials, etc. The phisher then uses this information for identity theft and/or other fraudulent acts. The phisher sends emails that look like they came from a legitimate source, like the recipient’s bank, credit card company, or an online retailer that they frequent. The emails usually direct the recipient to go to a website, which is a hoax site disguised as the real thing, in order to update personal and/or confidential information. The information that the victim provides is then stolen by the phisher in order to perpetrate their crimes.
Phishing is a highly successful criminal endeavor because of the massive number of emails that are sent to countless recipients. Even if only a small percentage of the recipients act upon the instructions within that email, it’s enough for it to be extremely lucrative for the phisher. Think about it this way: How many times does a fisherman bait his hook and cast before he reels in the big catch of the day? Phishing scams employ the same idea: cast a wide enough net (i.e., millions of emails), and you’re bound to catch some victims.
Unfortunately, it doesn’t stop there.
Spear phishing focuses on a single person or a specific department/group within an organization. This type of attack uses email that looks as if it’s coming from someone within the same company, and usually requests login IDs and passwords.
Then, there’s whaling, which is a higher level of spear phishing aimed at executive officers within a single organization.
In both instances, the goal of these attacks is to gain access to secure networks.
Now let’s move on to spoofing.
Spoofing is when an email is created with a forged sender address, making it look like it came from a different person/place than it actually did. The sender writes their own values into the email header, which changes the sender information displayed with the message. In short, the sender can make any message look like it’s coming from anyone they choose, and it can be about anything they want.
A lot of spoofed mail is just noise, and can simply be deleted. However, some spoofed messages are phishing attempts aimed at getting private personal information or login/password combinations.
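A defender-side check for the forged sender address described above, as an added example that is not part of the original post: it compares the visible From domain with the Return-Path and Reply-To domains and reads the Authentication-Results header. The sample messages and `.example` domains are constructed, and a mismatch is a signal to look closer rather than proof, since legitimate bulk mail often uses a different bounce domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); all domains are placeholders.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=gothamcitybank.example
From: "Gotham City Bank" <alerts@gothamcitybank.example>
Reply-To: <help@gotham-bank-support.example>
Subject: Please confirm your password

Body.
"""
LEGIT = """\
Return-Path: <bounce@mail.gothamcitybank.example>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=gothamcitybank.example
From: "Gotham City Bank" <alerts@gothamcitybank.example>
Subject: Your monthly statement

Body.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spoofing_signals(raw):
    """Return a list of reasons the displayed sender may be forged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    signals = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and not aligned(dom, from_dom):
            signals.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # Only trust Authentication-Results added by your own receiving server.
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()):
            if result in ("fail", "softfail"):
                signals.append(f"{method}={result}")
    return signals
```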
All this doesn’t mean that you need to be afraid of every email you get from Gotham City Bank or your boss at Wayne Enterprises. But if you receive emails that request personal information, or that want you to share a password for a work computer, turn on the Bat Signal, because you could be getting spoofed or phished!
Have you ever been phished or spoofed? Let me know in the comments below – or on Twitter @NabushelmSteven