Phishing and Vishing for Database Administrators (DBAs) - Here are the details

Phishing is the fraudulent act of attempting to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Vishing (voice phishing) is a type of phishing attack that occurs over the phone. 

Organizations are constantly under attack from phishers who are using increasingly sophisticated methods to try to trick employees into revealing sensitive information. DBAs are particularly vulnerable to these attacks since they often have high-level access to systems and data. 

In this article, we will discuss the 15 most common phishing and vishing techniques that attackers use and some steps that DBAs can take to protect themselves and their organizations. 


The Most Common Phishing and Vishing Attacks and How to Protect Against Them

1. Spoofed Emails: 

One of the most common phishing techniques is to send an email that appears to be from a legitimate, trusted source but is actually from an attacker. These spoofed emails often contain typos or other clues that indicate they are not legitimate. 

2. Attachments and Links: 

Another common phishing technique is to include attachments or links in emails that, when clicked, download malware or take the user to a malicious website. 

3. Malicious Websites: 

Some phishers will create websites that look identical to legitimate websites but are actually designed to steal information from unsuspecting users. When creating these websites, attackers will often register domain names that are similar to the legitimate website (e.g., www.example.com vs. www.examp1e.com). 
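A defender can screen hostnames from links or proxy logs for this kind of imitation. The following is an added example, not part of the original article: it flags hosts that resemble a trusted domain by character substitution, a one-character typo, or by embedding the trusted name as a subdomain. The allowlist, function names and substitution table are assumptions chosen for illustration.

```python
TRUSTED = {"example.com"}  # constructed allowlist; use your organisation's domains

# Common digit-for-letter swaps in lookalike domains (illustrative, not exhaustive).
DIGIT_SWAPS = str.maketrans("10357", "loest")

def registered_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list,
    so multi-part suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def skeleton(domain):
    """Collapse common lookalike substitutions to one canonical form."""
    return domain.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    for good in sorted(TRUSTED):
        # Substituted characters (examp1e.com) or a single-character typo.
        if skeleton(reg) == skeleton(good) or edit_distance(reg, good) <= 1:
            return ("lookalike", good)
        # Trusted name used as a subdomain of an unrelated registered domain.
        if f".{good}." in f".{host}":
            return ("lookalike", good)
    return ("unknown", None)
```

An "unknown" result only means the host does not resemble an allowlisted domain; it says nothing about whether the site is safe.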

4. Spear Phishing: 

Spear phishing is a type of targeted phishing attack that is directed at a specific individual or organization. These attacks are usually more sophisticated than general phishing attacks and often include personalized information about the target that makes the email appear to be from a legitimate source. 

5. Social Engineering: 

Social engineering is the act of manipulating people into performing actions or divulging confidential information. Attackers will often use social engineering techniques as part of a phishing or vishing attack. 

6. Domain Spoofing: 

Domain spoofing is a type of email attack in which the attacker forges the email headers to make it appear as if the email is coming from a legitimate source. 
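Forged headers usually leave inconsistencies that can be checked when triaging a reported message. The following is an added example, not part of the original article: it compares the visible From domain with the Return-Path and Reply-To domains and reads the DMARC verdict from the Authentication-Results header. It assumes that header was written by your own receiving mail server; the sample message and function names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address and host here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=example.com
From: "IT Service Desk" <helpdesk@example.com>
Reply-To: helpdesk@examp1e.com
To: dba@example.com
Subject: Database password expiry

Please confirm your credentials.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoofing_indicators(raw_message):
    """Return a list of header inconsistencies worth a closer look."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    # Envelope sender on a different domain than the visible From address.
    # Legitimate bulk mail does this too, so treat it as a hint, not a verdict.
    rp = domain_of(msg["Return-Path"])
    if rp and rp != from_dom:
        findings.append(f"return-path domain {rp} differs from {from_dom}")
    # Replies diverted to a different domain than the apparent sender.
    rt = domain_of(msg["Reply-To"])
    if rt and rt != from_dom:
        findings.append(f"reply-to domain {rt} differs from {from_dom}")
    # SPF/DKIM/DMARC verdicts recorded by the receiving server.
    auth = msg.get("Authentication-Results", "")
    verdicts = {k.lower(): v.lower()
                for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, flags=re.I)}
    if verdicts.get("dmarc") != "pass":
        findings.append(f"dmarc={verdicts.get('dmarc', 'missing')}")
    return findings
```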

7. Business Email Compromise (BEC): 

Business email compromise (BEC) is a type of phishing attack in which attackers target businesses that conduct wire transfers or other financial transactions. The attacker will spoof the email of a senior executive or another authority figure within the organization and request that a wire transfer be made to an account controlled by the attacker. 

8. Voice Phishing (Vishing): 

Voice phishing (vishing) is a type of phishing attack that occurs over the phone. In a vishing attack, an attacker will call a victim and try to trick them into revealing sensitive information or downloading malware. 

9. SMS Phishing (Smishing): 

SMS phishing (smishing) is a type of phishing attack that uses text messages to trick victims into revealing sensitive information or downloading malware. 

10. USB-Based Attacks:

USB-based attacks are a type of social engineering attack in which an attacker leaves a USB drive containing malicious software in a public place in the hope that someone will find it and insert it into their computer. 

11. CEO Fraud:

CEO fraud is a type of business email compromise (BEC) attack in which attackers spoof the email of a senior executive and request wire transfers or other financial transactions. 

12. Pretexting: 

Pretexting is a type of social engineering attack in which an attacker creates a false story or scenario (the pretext) in order to obtain sensitive information from the victim. 

13. Dumpster Diving: 

Dumpster diving is a type of physical security attack in which an attacker rummages through garbage or trash in search of sensitive information that has been improperly disposed of. 

14. Shoulder Surfing: 

Shoulder surfing is a type of physical security attack in which an attacker looks over the shoulder of a victim to obtain sensitive information, such as passwords or PINs. 

15. Tailgating: 

Tailgating, also known as piggybacking, is a type of physical security attack in which an attacker gains access to a secured area by following a legitimate user through the door. 


Conclusion:

Phishing is a type of cyber attack that uses email or malicious websites to trick victims into revealing sensitive information or downloading malware. These attacks can be difficult to detect, and they can have serious consequences for individuals and organizations. To protect yourself from phishing attacks, you should exercise caution when opening emails or clicking on links, and you should never provide confidential information in response to an unsolicited request. If you suspect that you have been the victim of a phishing attack, you should report it to your local police department. 

The Scientific World

The Scientific World is a Scientific and Technical Information Network that provides readers with informative & educational blogs and articles. Site Admin: Mahtab Alam Quddusi - Blogger, writer and digital publisher.
