Spear phishing, Trojans, and Malware…oh my! At first, these terms sound like they have little in common. Sure, there’s some connection between them and cybersecurity, but is Malware a type of Virus? And what in the world is a Spoof?
In order to promote a culture of cybersecurity, it’s important to know what you’re securing your company against. So, in the spirit of cybersecurity awareness month, we’ve compiled a list of common cybersecurity threat and attack terms, starting with the infamous, fishy process of phishing.
If you’ve read literally any of our cybersecurity articles, you’ve probably heard the word “phishing” before. That’s because phishing is an all-too-common cyber-crime that can result in stolen passwords, identity theft, or lost revenue.
You can think of phishing as a type of attack, as well as the strategy behind that attack. Specifically, phishing is a means of obtaining information or spreading viruses by impersonating loved ones, friends, or coworkers.
There are several types of phishing attacks. The main ones include:
- Whale Phishing: no whales are hurt in this attack, but it specifically targets C-level employees
- Spear Phishing: a personalized attack in which the attacker already has some of your data, such as your name
- Smishing/SMS Phishing: an attack that utilizes SMS texting
- Vishing/Voice Phishing: an attack via automated phone calls
Spoofing is similar to phishing, as it also involves impersonation. However, rather than trying to sound like a coworker or loved one, spoofers try to imitate someone else’s website URL, caller ID, or email address. For instance, a spoofer might add a dash to an email address, turning 1path into 1-path. Sometimes they’ll also use a strategy called a homograph attack, in which they replace all o’s with 0’s, l’s with 1’s, or vice versa. In these cases, they might also use phishing to sound like the person they’re pretending to be.
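One defensive check that follows from this, written as an added example and not taken from the original article: a small Python routine that collapses a sender’s domain into a “skeleton” in which the tricks described above (an inserted dash, 0 for o, 1 for l, or the reverse) disappear, then compares that skeleton against an allow-list of the domains your organisation actually uses. The allow-list, the sample sender addresses, and the extra substitutions it also folds in (accented letters, rn for m, vv for w) are constructed assumptions; the 1path domain appears only because the article mentions it.

```python
"""
Lookalike-domain check for inbound email senders.

Added illustration, not code from the original article. The trusted
domain list and the sample addresses below are constructed for the demo.
"""
import unicodedata

# Assumption: the domains this organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"1path.com", "example.com"}

# Single-character substitutions the article describes (0/o, 1/l).
# Mapping both directions to one letter means "1path" and "lpath"
# collapse to the same skeleton, covering the "vice versa" case.
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l"})

# Multi-character lookalikes that appear in the same kind of spoof
# (assumption: added here beyond what the article lists).
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Return a canonical form of `domain` with lookalike tricks removed."""
    s = domain.strip().lower()
    # Fold accented letters to their base letter (e.g. "à" -> "a").
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    # Drop inserted dashes so "1-path.com" matches "1path.com".
    s = s.replace("-", "")
    s = s.translate(SINGLE_CHAR)
    for pair, replacement in MULTI_CHAR:
        s = s.replace(pair, replacement)
    return s


TRUSTED_SKELETONS = {skeleton(d) for d in TRUSTED_DOMAINS}


def classify_sender(address: str) -> str:
    """
    Classify a bare email address as:
      "trusted"   - domain is exactly one of ours
      "lookalike" - domain differs from ours but collapses to the same skeleton
      "external"  - unrelated domain
      "invalid"   - no '@' present
    """
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(domain) in TRUSTED_SKELETONS:
        return "lookalike"
    return "external"


# Constructed sample senders, including the 1path / 1-path case from the text.
SAMPLE_SENDERS = [
    "george@1path.com",     # legitimate
    "george@1-path.com",    # dash inserted
    "cfo@lpath.com",        # 1 swapped for l
    "cfo@1pàth.com",        # accented letter
    "payroll@examp1e.com",  # l swapped for 1
    "friend@gmail.com",     # unrelated domain
]


def triage(senders):
    """Map each sender address to its classification."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {sender}")
```

The point of the skeleton comparison is that it is strictly stronger than an exact-match allow-list: an address that is one dash or one digit away from a real domain is the case a plain string comparison misses, and it is the case a mail-filtering rule or an awareness-training exercise most needs to flag.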
Though not identical, spoofing can be viewed as phishing-adjacent, since hackers often use the two in tandem. Manipulation is obviously a huge component behind both phishing and spoofing attacks, which means social engineering is a component, too.
Social engineering sounds straight out of Hollywood, but unfortunately, it’s very real. This tactic involves psychologically manipulating someone into sending you their credentials, files, or money. In terms of phishing, social engineering can involve making someone excited about a monetary opportunity (such as the famous Nigerian prince scams) or worried about upsetting a boss who’s made a bizarre request (e.g., “Hi, it’s your CFO, George. Please wire a billion dollars to this address. Thx.”).
Social engineering isn’t just used for phishing. A cybercriminal can also use social engineering to trick their way inside your office building. To do this, they might offer you donuts, dress in a way that’s slightly not workplace-appropriate, or pretend to be running late for a meeting. All of these actions are meant to catch you off guard juuuuuust long enough that you’ll open the door and let them inside.
Once inside, the hacker will find an unsecured computer, turn it on, and set to work. At this point, they might download your data, delete your files, or even infect your computer with malware and viruses.
The best defense against the risks of phishing, spoofing, and social engineering is end-user security awareness training and multifactor authentication.
Malware and Viruses
Although often used interchangeably, malware and viruses aren’t the same. Simply put, malware is any malicious software that can infect a computer, whereas a virus is a type of malware.
Some common types of malware include:
- Ransomware: this attack will hold your data hostage by encrypting your files until you pay a ransom (again, right out of Hollywood!)
- Spyware: this malware literally spies on you, taking note of your internet browsing and usage, often for the purpose of sending you ads (should we mention Hollywood again?)
- Trojans: a type of virus that pretends to be a useful, secure app, only to pull a Trojan horse and allow others to secretly enter your device
All of these attacks are meant to disrupt computer functionality, steal data, and/or corrupt your important files. And there’s another attack that can be just as damaging: DDoS and DoS attacks.
DDoS and DoS
Denial of Service (DoS) attacks are similar to Distributed Denial of Service (DDoS) attacks, but there’s one key difference: the former uses one computer or internet connection to flood a network with useless traffic, whereas the latter uses multiple computers or connections. Essentially, cybercriminals are trying to route so much traffic to your website that it shuts down and becomes inaccessible. If a website can’t be accessed, it’s almost like not having one.
Being prepared, knowing your enemy, and staying informed are all important in promoting a culture of cybersecurity. Now that you know these basic terms for cybersecurity attacks, it’s time to take a look at our Master List of cybersecurity articles and learn more about staying prepared.