Phishing

If I want to catch a fish, then I go fishing. If I want to use social engineering and catch a user in my web of deceit, I go phishing.

A Fish not a Phish

In both cases I set out bait and hope for a bite.

Before I go further, let’s talk about what social engineering is. TV shows like to show the hacker sitting at their keyboard, clicking away and the magic occurs. They’re in the system and causing trouble.

It doesn’t always happen like that. What happens more often is that the hacker tricks the person (not the computer) into doing something that gives the attacker a way into the system. This is social engineering. It isn’t nearly as cool as the hacker sitting at the keyboard and clicking away, but it’s more effective.

In phishing, the hacker sends emails that have URLs in them they want you to click. So they have to bait you into clicking them. A common one is an email pretending to be from your bank that says ‘You must log into your account because if you don’t, all the gerbils will eat your money!’ (That’s not exactly what they say, but they do give you a scary reason why you should do it.) Then there’s a helpful URL in the email that you can click to log in.

A vicious money eating gerbil

This is where the attack happens. The URL may look like your bank, the page it sends you to may look like your bank, but it probably isn’t your bank. Especially if the email talks about gerbils. Once you go to that page and try to log in, you’ll probably get an ‘oops, something went wrong, bye!’ message. Or it might even send you to your real bank page and tell you to try again. Or it might just go away.

Now the bad guys have your information on how to log into your bank account, and there’s nothing stopping them from using that information to steal money from you. They didn’t even have to break into your computer to do it, they just stole it all.

How can you protect yourself? If you get an email that claims to be from your bank and wants you to do something, never ever click on any URL in the email. The same goes for any email that wants you to log into an account of any type: don’t click on the links in that email either. If you want to check whether it’s true, call your bank and ask. Or, you can type in the URL for your bank at your keyboard (NOT using the one in the email) and log in that way.
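The two warning signs above (a link whose real destination is not the bank, and link text that shows one address while the link goes somewhere else) can be checked mechanically. The following Python script is an added illustration, not code from the original post: it pulls every link out of an HTML email body and reports the ones a reader should not click. The bank domain `bank.example`, the lookalike host `bank.example.login-verify.test` and the sample email are all constructed placeholders.

```python
"""Flag suspicious links in an HTML email body.

Added illustration, not from the original post. The trusted bank domain
(bank.example) and the sample email are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domain the reader actually banks with.
BANK_DOMAIN = "bank.example"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True only for the bank's own domain or a subdomain of it.

    Note that 'bank.example.login-verify.test' ends with a different
    suffix, so it is correctly rejected even though it starts with the
    bank's name.
    """
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def check_links(html_body):
    """Return a list of (href, reason) for links a reader should not click."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not is_trusted(host):
            findings.append((href, f"destination host {host!r} is not the bank"))
            continue
        # Link text that looks like a URL but names a different host than
        # the real destination is the classic 'looks like your bank' trick.
        shown = re.search(r"https?://[^\s<]+", text)
        if shown and host_of(shown.group(0)) != host:
            findings.append((href, "link text shows a different address than the real destination"))
    return findings


# Constructed sample phishing email: the visible link text looks like the
# bank, but the href points at a lookalike host.
SAMPLE_EMAIL = """
<p>Your account will be locked unless you act now.</p>
<p><a href="http://bank.example.login-verify.test/">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">Help</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK {href}: {reason}")
```

Run as-is it reports only the first link; the second goes to the bank's real domain and its text does not claim a different address. The check is a heuristic for the two tricks the post describes, not a substitute for the advice above: when in doubt, type the bank's address yourself.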
