Phishing is a social attack, directly related to social engineering. It is commonly centered around email, and criminals use it to obtain access or information. Phishing attacks can be basic or customized toward the victim and their organization.
A phishing attack with a directed focus is called spear phishing. If, for example, the criminal were targeting a group or person within a company, they'd use spear phishing to make the email look and feel legitimate. Usually this is done by using the victim's correct name and title, referencing legitimate projects and known co-workers, or spoofing an email from a senior executive.
Vishing is the term given to phishing via telephone. Same goals, same emotional triggers, only instead of email the criminal calls the victim directly. Examples of common vishing attacks include IRS scams and tech support scams. In both cases, the criminals are hoping to get personal information and money.
No matter what type of phishing attack is launched, the goal is to get the victim to do something, such as reveal usernames and passwords or share documents and other sensitive details.
Phishing attacks typically stress urgency or play on a person's willingness to help. Phishing attacks can also evoke a sense of fear by warning of serious consequences. Sometimes you'll see this as a threat of suspended services, the loss of critical data, or various personal consequences. The most common observation, though, is that phishing attacks start by triggering the victim's sense of curiosity. This is why the victim opens the email to begin with.
What is a phishing kit?
A phishing kit is the web component, or back end, of a phishing attack. It's the final step in most cases, where the criminal has replicated a known brand or organization. Once loaded, the kit is designed to mirror legitimate websites, such as those maintained by Microsoft, Apple or Google.
The goal is to...