The term “phishing” was coined back in the 90’s when Khan Smith started sending email to AOL users, trying to get them to give up their password or financial details. Since then it has evolved into one of the leading ways hackers get onto corporate networks. In 2011, RSA announced that the initial breach of their network was caused by an attacker targeting four low-level employees with a malicious email with the subject “2011 Recruitment Plan.xls”. Just recently, the US Government stated that a simple phishing campaign was the start of the “DNC Hack”. One of the things many people don’t consider is that phishing doesn’t require any exploitation. All it requires is tricking a single employee into clicking a button.
There are a lot of easy-to-spot phishing emails, such as the Nigerian Prince, which makes it easy for anyone to believe only the foolish get phished. However, the few well-executed phishing campaigns are honestly very good, and even the most careful security people can fall prey.
Until people stop joking about phishing and take it seriously, you can bet on it being a major issue. Still think you’re unstoppable? Imagine getting a text message late Friday night stating: “Your timecard is late. Please submit your timecard ASAP. http://goo.gl/0imas”. It’s odd; you’ve never received an automated text from the timecard system before. But setting one up would make sense, as management does harass you about getting your timecard in. Even if that wouldn’t trick you, there are probably a few people in your organization who you can imagine would enter their credentials on that page.
Another scenario is tricking people into clicking the “Enable Content” button of an Office document. Surely no one would do that! Well, with a little bit of pretexting that security warning now makes sense, and people are bound to click it. What’s awesome about this is that the document can actually populate the calendar with events upon clicking Enable Content, along with giving the attacker remote access to the computer.