#7. Catch Me a Phish
A phishing attack occurs when a social engineer sends a person an email that appears to come from a legitimate site, such as PayPal or a banking site, asking the recipient to visit a website and input sensitive information such as a bank account number or password. The website appears to be the real one, but is instead a site created by the attacker.
Here is an example from an actual phishing email where the attacker impersonated an employee of PayPal:
“It has come to our attention that 98 percent of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell non-existent items. Thus, we require our members to add a debit/check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your debit/check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records, you will not run into any future problems with the PayPal service. However, failure to confirm your records will result in your account suspension.”
This e-mail went on to provide a link to a fake website for the e-mail recipient to access and input the credit card information.
If a social engineer is able to glean information specific to a person, such as a name or address, the engineer can take the phishing scam a step further and include this information in the email to make it appear more legitimate. This type of targeted attack is called a spear phishing attack.
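The three tells in the lure quoted above (a sender display name claiming a brand the sending domain does not belong to, urgency language such as the threat of account suspension, and a link whose visible text names the real site while its target points elsewhere) can be checked mechanically. The following is an added example, not code from this text; the sample message, its sender address and its link host are constructed placeholders modelled on the PayPal email, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure modelled on the PayPal email quoted above.
# The sending domain and link host are placeholders, not real indicators.
SAMPLE_EMAIL = """\
From: "PayPal Customer Service" <service@paypa1-billing.example>
To: member@example.org
Subject: Action required: confirm your billing records
Content-Type: text/html

<p>Failure to confirm your records will result in your account suspension.</p>
<p><a href="http://secure-login.example/verify">https://www.paypal.com/billing</a></p>
"""

BRANDS = ("paypal",)  # brands the display name may claim (assumed watch list)
URGENCY_PHRASES = ("account suspension", "failure to confirm", "action required")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw):
    """Return the names of the lure indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # 1. Display name claims a brand that the sending domain does not contain.
    if any(b in display.lower() and b not in sender_domain for b in BRANDS):
        found.append("display_name_brand_mismatch")
    body = msg.get_payload()
    # 2. Pressure wording in the subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgency_language")
    # 3. Visible link text names one host, the href actually goes to another.
    # (Exact host comparison; a production check would compare registrable domains.)
    for href, shown in ANCHOR_RE.findall(body):
        shown_host = host_of(shown.strip())
        if shown_host and shown_host != host_of(href):
            found.append("link_text_host_mismatch")
            break
    return found
```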