Preview

Start a free Courses trial
to watch this video

(Spear) Phishing

Name: (Spear) Phishing
Uploaded: 2017-08-23T11:40:51Z
Duration: 248 s
Description: You may already be familiar with this kind of attack; it’s certainly one of the most well-known. But it’s also one of the most effective. Learn to identify the common signs of a Phishing attack and it’s targeted relative, Spear Phishing.

4:08 with Greg Stromire

You may already be familiar with this kind of attack; it’s certainly one of the most well-known. But it’s also one of the most effective. Learn to identify the common signs of a Phishing attack and it’s targeted relative, Spear Phishing.

Teacher's Notes
Video Transcript
Downloads

New Terms:

Phishing -- An message attempting to trick a person into revealing sensitive information.
Spear Phishing -- A targeted phishing attack intended for a specific person.
Domain -- The main, or root, portion of the URL. It’s the “google.com” part of the “https://google.com/search?q=treehouse” URL.
Sub-domain -- One or more prefixes before the domain. It’s the “drive” part of the “https://drive.google.com/” URL. Phishing emails may disguise the trusting part here, e.g. http://gmail.secure.com is not related to Gmail in any way.
Credentials -- Typically a username and password, your credentials are whatever information you use to login to a site or service.

Now we'll start talking more specifically about some common attacks. 0:00

And we'll begin with perhaps one of the most well known, phishing. 0:04

The word comes from the term phreaking, 0:08

a form of hacking that attacks cell phone communications, 0:10

combined with the word fishing, since it involves baiting the target. 0:13

Phishing attacks are often email messages, 0:17

instructing you to confirm your user name and password on an external site. 0:20

But phishing really could be any attempt to trick you into providing sensitive 0:25

information to an unauthorized party, including phone calls, 0:29

text messages, or even in person requests. 0:34

I'll point out some red flags or hints that should raise some suspicion for 0:36

when you're reading messages like this. 0:40

Then you'll be able to better identify phishing attacks and prevent falling for 0:43

them yourself. 0:47

Here is an example of a phishing email. 0:48

This may look innocent enough and 0:51

many people have fallen victim to attempts much like this one. 0:52

Let's take a closer look at some of the warning signs. 0:56

The first thing to notice is that the sender email address is suspicious. 0:58

This looks like it's meant for the lehigh.edu students, 1:04

but the sender has an @udd.cl account. 1:09

Another suspect part is that it's addressed rather generically, 1:12

dear account user. 1:17

Usually, important emails include valid personal information. 1:18

There's an urgency to the email, and 1:22

a risk of losing access if you don't follow the instructions. 1:25

That should sound some alarms for you as well. 1:28

There's a grammatical error here, it may seem minor but 1:31

genuine emails are typically much more professional. 1:34

There's a misleading link to click on. 1:37

A valid link should come from a trusted domain, 1:40

which is the main part of the URL just before the .com. 1:43

The subdomain, or the prefix here before the domain looks like it is associated 1:46

with the institution. 1:51

But in fact, 1:53

whoever owns the jimdo.com website can add anything they want as a subdomain. 1:54

The email is asking for your credentials at all. 1:59

You should almost never be instructed to enter your login 2:02

information from an email. 2:05

I would even advise calling the institution directly 2:07

to verify if you think the message still may be legitimate. 2:10

Now, you may have recognized many of these red flags right away. 2:14

If so, that’s great, the better everyone is at identifying phishing 2:17

attacks the less likely they will occur. 2:21

Of course, not all of them have this many red flags. 2:24

The reality of phishing attacks is that they require almost zero effort 2:27

to create and send out to targets. 2:31

And all it takes is one or two people, 2:32

often out of the thousands who receive the message to fall for it. 2:34

Because the effort to reward ratio so heavily favors attackers, 2:39

many experts don't expect phishing scams to go away any time soon. 2:43

Spear phishing is a variation of phishing but quite a bit more insidious. 2:48

It gets its name from being pointed at someone specific. 2:52

So it's a message meant to trick you into providing sensitive info, but 2:56

there is a deceitful familiarity to it. 3:00

It may look like it's from a friend or 3:03

someone that knows details about your personal life. 3:05

Here's an example, and we'll go over the suspicious aspects. 3:08

Note the sender email again. 3:11

More grammar mistakes. 3:14

Of course, authentic messages contains mistakes too. 3:15

Refer to the attached document. 3:19

Attachments could potentially contain viruses, or 3:21

otherwise infect your computer. 3:23

Do not open, unless you know and trust the sender. 3:25

To recap, here are some common red flags for a phishing attack. 3:29

Email or domain doesn't match. 3:33

Careful of subdomains. 3:36

Spelling or grammar mistakes. 3:38

Incredible offers or rewards. 3:40

Inconsistent context. 3:43

Requests for money. 3:45

Urgency, threats or unrealistic risks. 3:48

Government agencies. 3:51

Includes suspicious attachments, asks for your credentials. 3:53

Now that you've seen some examples of phishing and its targeted variation, 3:58

spear phshing, you'll be better able to identify these types of attacks and 4:02

prevent falling for them yourself. 4:06

You need to sign up for Treehouse in order to download course files.

Security Literacy

(Spear) Phishing

New Terms: