An estimated 91 percent of hacking attacks begin with a phishing or spear-phishing email

Your IT department has no doubt warned you not to click on suspicious links in e-mails, even when the missive promises a hilarious video or comes from a seemingly trustworthy source. If the link looks suspect: Do. Not. Click.

That’s because these emails are often phishing scams designed to trick you into clicking on a malicious attachment or visiting a malicious web site. In the latter case, the web site may appear to be a legitimate bank site or email site designed to trick the user into disclosing sensitive information—such as a username and password or bank account information—or may simply surreptitiously download malware onto the victim’s computer.

Just ask the White House employee who apparently clicked on a phishing email purporting to come from the State Department and allowed hackers into several government networks.

TL;DR: Phishing refers to malicious emails that are designed to trick the recipient into clicking on a malicious attachment or visiting a malicious web site. Spear-phishing is a more targeted form of phishing that appears to come from a trusted acquaintance.

Spear-phishing is a more targeted form of phishing. Whereas ordinary phishing involves malicious emails sent to any random email account, spear-phishing emails are designed to appear to come from someone the recipient knows and trusts—such as a colleague, business manager or human resources department—and can include a subject line or content that is specifically tailored to the victim’s known interests or industry. For really valuable victims, attackers may study their Facebook, LinkedIn and other social networking accounts to gain intelligence about a victim and choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust.
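As an added example, not part of the original article: a small Python checker for the two spear-phishing traits described above, a known contact's name attached to an outside address, and a link whose visible text does not match where it actually points. The organisation domain, the contact directory and the message are all constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name copies a known HR
# contact, but the address and the link target live on an outside domain.
SAMPLE_EMAIL = """\
From: "Dana Ruiz (HR)" <dana.ruiz@hr-payroll-update.example>
To: employee@corp.example
Subject: Updated benefits form - action required
Content-Type: text/html

<p>Please review the form at
<a href="http://corp.example.hr-payroll-update.example/login">https://hr.corp.example/benefits</a></p>
"""

INTERNAL_DOMAINS = {"corp.example"}              # hypothetical organisation
KNOWN_CONTACTS = {"dana ruiz": "corp.example"}   # constructed directory: name -> home domain

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def normalize_name(display):
    # Drop parenthesised suffixes such as "(HR)" so "Dana Ruiz (HR)" matches "Dana Ruiz"
    return re.sub(r"\(.*?\)", "", display).strip().lower()

def analyze(raw):
    """Return the spear-phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    home = KNOWN_CONTACTS.get(normalize_name(name))
    if home and domain_of(addr) != home:
        findings.append("display-name impersonation")
    body = msg.get_payload() or ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        # The visible text advertises one host while the href points somewhere else
        if text_host and text_host != href_host:
            findings.append("link text/target mismatch")
        # An internal domain name embedded inside an external host name
        if not is_internal(href_host) and any(d in href_host for d in INTERNAL_DOMAINS):
            findings.append("lookalike domain")
    return findings
```

Running `analyze(SAMPLE_EMAIL)` flags all three indicators; a message from the real contact with matching link text returns an empty list.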


Author: Kim Zetter