Phin Security

What is Phishing and How to Spot it | EP 001

In the first episode of "Gone Phishing," Connor Swalm, CEO of Phin Security, introduces phishing as a cybercrime where attackers impersonate individuals or organizations to steal information, access, or money, and emphasizes the importance of recognizing and preventing increasingly sophisticated phishing attempts in today's connected world.

Full Episode 001 Transcript

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey everyone, and welcome to the first episode of Gone Phishing. My name is Connor, and over the course of this show, I want to give you insights and advice around the cybersecurity space, as I believe it's going to be an important, if not an essential, part of every business in the coming years. Some episodes are just going to be me, but for others, I'll bring in experts and we'll unpack certain topics in greater detail together.

Today I thought it best to give you my take on what phishing is because, well, it's in the title of the show. And for those who already know what phishing is, I want to share with you some ways to spot it, some ways to prevent it as these scammers are getting more and more advanced these days.

Let's dive into it. So first, it's in the title. It has a "ph" instead of an "f". So, you know, we're not fishing for actual fish here. But what is phishing? Simply put, phishing is any organization or group of people attempting to steal information, access, or money by impersonating an individual at a company or by misrepresenting themselves. These are malicious individuals who are attempting to steal access, information, and sometimes just actual cash. Sometimes it can look really realistic, incredibly hard for you to detect. Other times, it's as simple as noticing that it comes from an email address that has a million different letters and numbers, so you know it can't possibly be Amazon reaching out to you about a million-dollar gift card.

From the top level, it's just people trying to steal things from you. Sometimes it's not just an individual; sometimes it's an organization that's been funded, or a group of people who have gotten together. Whatever it is, it's just somebody attempting to steal stuff from you.

Phishing can look very different. Phishing is a type of something called social engineering. Social engineering is a broader sense of an individual misrepresenting themselves and then again attempting to steal information, access, and money. Phishing is the direct act of trying to do it, and social engineering is the broader concept, so it can look super different.

All of you listening are probably familiar with email phishing. That's just somebody sending you an email that's clearly not real, trying to get you to click it, go somewhere on the Internet, change banking information on an invoice, or asking for information you shouldn't give out, like bonuses and compensation or other employee information. Other times, it's just, "Hey, can you give me that two-factor authentication code you just received?" Email phishing is just an email you get that you didn't expect and that is malicious in some sense.

One twist on email phishing is a concept called business email compromise, where someone is attempting to represent that one of your internal folks got compromised. It's someone pretending to be an employee at your company, or it could be that the employee's email actually is compromised and a malicious actor is on the inside representing that employee improperly, trying to exfiltrate information, access, or money.

Depending on the scale of the phish itself, email phishing could look a little different, but at the end of the day, it's just people trying to steal stuff from you using your email address.

The second type that should be familiar is spear phishing. Spear phishing is when someone has an incredible amount of information on you. It's not a common attack blasted to thousands of people; it's targeted at a company, industry, or you specifically. Maybe they pulled your information from LinkedIn or found every employee you work with. Spear phishing is the act of leveraging that information to attempt to phish people. It's a more targeted attack style than common phishing, like "you have an inheritance to claim" or "you got a million-dollar gift card in your Amazon account."

One thing to remember about email phishing is the actual phish can have many different what I call directed actions. A directed action is what exactly the phish is attempting to get you to do. For some, it's "go to this website and log into your Microsoft account"—but maybe it's not actually Microsoft and it's going to steal your username and password. Maybe the directed action is "send me a spreadsheet of XYZ information" or "change the banking information on this invoice." The directed action is really important to pay attention to. It's something we pay attention to a lot—what kind of directed actions are people more likely to take as a result of the information we're gathering on them? It's important to keep track of that, as individuals are vulnerable to all sorts of directed actions.

Another type of phishing is vishing and smishing. Vishing is phishing via voicemail or phone call, and smishing is phishing via SMS or text messages. Text messages and voicemail phishers have become super popular, even more so than email, simply because they're so effective. I used to do cybersecurity presentations for small business groups and always had to put a disclaimer that the IRS is never going to call you, leave you a voicemail, or reach out via your phone to get you to pay off some massive debt. People always had stories about this, but the reality is the IRS isn't going to do that.

SMS phishing is effective because people trust their cell phones more than email. When someone gets a text message saying their bank account has been hacked and they need to log in or confirm activity, there's often little to no information in it. SMS phishing has evolved to just "click a link" that sends you to a website to steal your information or lure you into a deeper scheme.

If you're provisioning work phones for your employees, you should have SMS phishing as a piece of your awareness training program. One of the philosophies we have at Phin is that to train people to recognize real-life social engineering, we should attempt to do real-life social engineering and then teach them how we did it. If your people have phones provisioned by the organization, that's part of the attack surface, and you should also be SMS phishing those folks.

What are the risks of getting phished? Really, every single person is at risk of getting phished. Another philosophical belief I have, and one of the reasons I started Phin, is that every human is unique. Everyone at your organization, every friend you have, is a unique individual, and their vulnerabilities are unique. Directed actions are a piece of a unique vulnerability someone may have. Everybody is at risk of getting phished because everybody is vulnerable in some way to a social engineer or a phish. If someone sent you the right kind of communication via the right method at the right time, you could fall for it. We're human, and we're going to fall prey to that at some level.

Everyone needs to be aware—not necessarily worried, but aware. This is applicable to everybody, including the C-suite, owners, managers, directors—everyone at the top of an organization. You too are vulnerable to this.

What can you do to prevent this? I'll go into greater detail in other episodes, but basically, prevention is a multilayered approach. Anyone who sells you a cybersecurity silver bullet is lying to you. There is no single thing you should be doing to prevent all security incidents and breaches. It's a layered approach. There are many things you can do on the technological side to prevent phishing from becoming a huge problem, but one piece I have specific expertise in is awareness training—launching awareness training programs, running them effectively, and measuring the results.

Security is a layered approach. Thank you for tuning in. That's it for today. Next time, I'm going to talk about human vulnerability—what it is, why it's important, why it's relevant to you, and how we can leverage that to create safer human beings.

Until next week, thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns and how to launch them in ways that actually engage employees to change their habits, then check us out at Phin Security at Phinsec.io.

Thanks for phishing with me today, and we'll see you next time.