About Phishing Emails

This video explains the link between phishing attacks and social engineering and why these attacks are so prevalent.
In this video, we’re going to be talking about phishing emails. Now, to give you an idea of the statistics for phishing, phishing grew 40.9% in 2013, according to PhishLabs. Now, PhishLabs is a company that monitors and sends phishing emails. So that’s a pretty giant growth in phishing emails that were launched in 2018. Now, phishing emails are generally categorised into two categories. One is spear phishing. Now, spear phishing is sending a malicious email to a targeted person. In general, since it is targeted, the attacker will take some time, research that target, and specially craft an email just for that particular individual, making it very customised, very targeted for that particular individual.
And these are particularly dangerous because, again, you’re targeting one person, and you’re doing research on it instead of sending a generalized email. Now, a generalized email would be a phishing attack. Now, a phishing attack would be the typical emails that a corporation might get. Everyone in the corporation might get them. It’s not targeted for a particular individual. They are more generalized. And we tend to see these in our inboxes also for our home computers and whatnot. Now, that again is a phishing email. It’s not targeting a specific person. But it’s more of a generalized blast-out-this-email type scam or attack. Now, why phishing attacks? So phishing attacks are generally easy to do.
You don’t need a particularly high skill set in order to launch a phishing attack. Home users, teenagers, an entry-level hacker, pretty much anyone can launch a phishing attack. Phishing attacks cost little or no money to launch in most cases. In most cases, phishing attacks just need one person to comply. Now, what I mean by this is if I launch a phishing campaign against, say, AT&T, I send 1,500 emails out to 1,500 different employees. And the payload is going to be, say, a remote connection to the computer, or credential harvesting, or something of that nature. Realistically, I just need one person to open that email out of 1,000, 1,500, whatever it is.
And now I have control of the network. Or I have control of, at least, part of the network. We’ve got a foothold now. Again, those are really great odds. I only need to get one person. It’s not like I have to get half of them, or 3/4, or whatnot. So that’s, again, a really powerful statistic for phishing. Phishing attacks can be used in a number of ways. They can be used for scams, remote access, ransomware, credential harvesting, or any number of other reasons. A good phishing email can be very compelling to open or comply with. Now, phishing emails typically work because they use one of the following. And these all relate back to social engineering.
Fear, unfortunately, is a really common tactic. Fear of getting caught, fear that we did something wrong. And we’ll take a look at some examples of this in the next section. Authority– authority can be a common vector in the workplace– a spoof email from your boss, for example, asking you to transfer funds, to make an order, pay a purchase order that, really, was never placed in the first place. A spoofed email from your boss can also be something like, well, I need access to this. I need you to give me this particular password. Again, it’s coming from your boss. It’s someone from authority. So people are generally compelled to take action and comply with it.
Scarcity or time– scarcity typically works in the usual manner that this is a limited-time offer, you need to act now. We only have X amount to go around, and they’re going fast, something that puts a limit on it, either a limited number or limited time to actually take action and to hit that window. Greed– appealing to a person’s common greed is another tactic. You won money, click here. Your raffle number has been picked, click this link. Your free 30-account starts here, go ahead and click this link. And again, all these things will generally have some sort of payload or take you to a site that gets clicks, information. It could be credit card numbers, social security, whatnot.
Now, phishing payloads are not always detectable by antivirus or intrusion detection systems. So in other words, phishing emails don’t necessarily have to have a virus attached to them. Some payloads could be enticement. So in general, these attacks will have to take some sort of action that’s not in your best interest, entice you to click a link, entice you to transfer money. So transfer money– they may have transfer funds in some method, wire it, gift card, Bitcoin, et cetera. Files– a file may ask you to open an attachment. And it may compromise your system. An example would be, “hey, here’s a network file that we need to instal to update your computer”.
Calling– an email may have a user’s number on there for you to call them. And generally, when you call these people, they’re going to attempt some sort of social engineering attack. Some of these have been things like, “Hey, this is Microsoft. We detected a virus on your computer. You need to call us right now so we can work through this”. And when you call them, they’ll walk you through some common steps and go, “Okay, open a command prompt. Okay, I’m going to have you type this command in.” And it’s going to pop up all sorts of funny stuff. And you’re going to go, “Oh, wow, that’s a pretty nasty virus”.
And they’ll keep you on the hook for a while until you finally have to pay money. Now, that’s a common social engineering tactic. Again, it generally starts from either a popup, or it could be a phishing email, or a link. An email may contain a link for you to click on. And that link can be a malicious link.
In wrapping up, social engineering is generally used in most phishing attacks. And again, it’s going to be used to entice a user to take some sort of action. Payloads– not all phishing emails will contain a payload that antivirus or IDS will be able to detect. And finally, phishing emails are a cheap, effective attack method for a malicious hacker to use. And in general, they don’t need a high skill set to launch these types of attacks. So this was about phishing emails. And next, we’re actually going to take a look at some real phishing emails and kind of break them down. Thanks for watching. I’ll see you next video.
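The lure categories (fear, authority, scarcity, greed) and requested actions (link, attachment, callback number, funds transfer) the video walks through can be turned into a simple mail-triage heuristic for a security awareness or help-desk workflow. The script below is an added example, not code from the course: the keyword lists, the score threshold, the Reply-To check and the sample message with its .invalid domains are all constructed assumptions.

```python
import re
from email import message_from_string, policy

# Lure vocabularies for the four tactics the video names (constructed lists).
LURES = {
    "fear": ["legal action", "unauthorized", "detected a virus", "suspended"],
    "authority": ["ceo", "your boss", "management", "director"],
    "scarcity": ["act now", "limited time", "within 24 hours", "expires"],
    "greed": ["you won", "prize", "raffle", "free"],
}
# Requested actions the video lists: click a link, call a number, move money.
ACTIONS = {
    "link": re.compile(r"https?://\S+", re.I),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "transfer": re.compile(r"\b(wire|gift card|bitcoin|transfer funds?)\b", re.I),
}

def _domain(msg, header):  # domain of the first address in a header, '' if absent
    hdr = msg[header]
    return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""

def analyze(raw: str) -> dict:
    """Score one RFC 822 message by lure categories, requested actions and sender checks."""
    msg = message_from_string(raw, policy=policy.default)
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    haystack = f"{msg.get('Subject', '')}\n{msg.get('From', '')}\n{text}".lower()
    lures = [k for k, words in LURES.items() if any(w in haystack for w in words)]
    actions = [k for k, rx in ACTIONS.items() if rx.search(text)]
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        actions.append("attachment")
    # A spoofed "boss" email often pairs a trusted From with a Reply-To elsewhere.
    reply_dom = _domain(msg, "Reply-To")
    mismatch = bool(reply_dom) and reply_dom != _domain(msg, "From")
    score = len(lures) + len(actions) + int(mismatch)
    return {"lures": lures, "actions": actions, "reply_to_mismatch": mismatch,
            "score": score, "verdict": "likely phishing" if score >= 3 else "low risk"}

# Constructed sample message; the .invalid domains are placeholders.
SAMPLE = """\
From: "Dana Lopez, CEO" <dana.lopez@example-corp.invalid>
Reply-To: <dana.lopez.ceo@webmail.invalid>
Subject: Urgent: overdue purchase order
Content-Type: text/plain; charset=utf-8

Wire the overdue purchase order funds within 24 hours or legal action will follow.
Use this portal: https://pay.example-portal.invalid/po
Call 555-010-2345 if you have questions.
"""
```

Running `analyze(SAMPLE)` flags fear, authority and scarcity lures, a link, a callback number and a funds-transfer request, plus the Reply-To domain mismatch; keyword heuristics like this are a triage aid for awareness training, not a replacement for mail-gateway controls.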

We have discussed social engineering several times, and by now you know that it can be used by hackers in several ways to attack your network. Phishing attacks are easy to implement, and they rely on social engineering to get the user to take actions that will allow the hacker to gain access to information they can use for malicious purposes.

Reflect and share: Phishing emails rely on social engineering by taking advantage of our emotive responses. Can you think of any possible phishing attempts that made you pause before you disregarded them? Share your experience and the reasons why you almost believed the email in the comments section below.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.
