Spam, also known as junk mail, is simply unsolicited email. In most cases, it is a method of advertising. However, a lot of spam is sent in bulk by computers infected by viruses or worms—and often contains malicious links, malware, or deceptive content that aims to trick recipients into disclosing sensitive information, such as a social security number or bank account information.
Almost all email providers filter spam, but it still consumes bandwidth. And even if you have security features implemented, some spam might still get through to you. Look out for the following indicators of spam:
- The email has no subject line.
- The email asks you to update your account details.
- The email text contains misspelled words or strange punctuation and characters.
- Links within the email are long and/or cryptic.
- The email looks like correspondence from a legitimate business, but there are tiny differences—or it contains information that does not seem relevant to you.
- The email asks you to open an attachment, often urgently.
- The email originates from an unusual domain or contains links to domains that are not likely to belong to the identified sender.
If you receive an email that contains one or more of these indicators, you should not open the email or any attachments. Many organizations have an email policy that requires employees to report receipt of this type of email to their cybersecurity team for further investigation. If in doubt, always report.
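The following is an added example, not part of the original text: a Python function that tests a raw message against several of the indicators listed above (missing subject line, account-update request, urgent attachment, long links, and link domains that differ from the sender's domain). The sample message, the 75-character link threshold, the keyword patterns, and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: no Subject header, account-update request, long off-domain link.
SAMPLE = (
    'From: "Example Bank" <support@example.com>\n'
    "To: user@example.org\n"
    "\n"
    "Dear custmer, please update your account details now:\n"
    "http://login.example.net/a8f3k2/verify?session="
    "9c1e7b44d0aa31f6e5b2c7d8e9f0a1b2c3d4e5f6a7b8\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENT_RE = re.compile(r"\b(urgent(ly)?|immediately|right away)\b", re.I)
LONG_URL = 75  # assumed cut-off for a "long" link

def base_domain(host):
    # Naive last-two-labels match; production code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def spam_indicators(raw):
    """Return the indicators from the list above that a raw RFC 5322 message trips."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    sender = base_domain(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    hits = []
    if not str(msg.get("Subject") or "").strip():
        hits.append("no subject line")
    if re.search(r"\bupdate\b.{0,30}\baccount\b", body, re.I):
        hits.append("asks to update account details")
    if list(msg.iter_attachments()) and URGENT_RE.search(body):
        hits.append("urgent request to open an attachment")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if len(url) > LONG_URL:
            hits.append("long link: " + host)
        if host and base_domain(host) != sender:
            hits.append("link domain differs from sender: " + host)
    return hits

if __name__ == "__main__":
    for hit in spam_indicators(SAMPLE):
        print("-", hit)
```

A non-empty result is a reason to report the message, not proof that it is malicious; legitimate mail often links to third-party domains.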
Phishing (38.5.9)
Phishing is a form of fraudulent activity often used to steal personal information.
Phishing
Phishing occurs when a user is contacted by email or instant message—or in any other way—by someone masquerading as a legitimate person or organization. The intent is to trick the recipient into installing malware on their device or into sharing confidential information, such as login credentials or financial information.
For example, you receive an email congratulating you for winning a prize. It looks like it was sent from a well-known retail store and asks you to click on a link to claim your prize. This link may in fact redirect you to a fake site that asks you to enter your personal details, or it may even install a virus on your device.
Spear Phishing
A highly targeted attack, spear phishing sends customized emails to a specific person based on information the attacker knows about them—which could be their interests, preferences, activities, or work projects.
For example, a cybercriminal discovers through their research that you are looking to buy a specific model of car. The cybercriminal joins a car discussion forum you are a member of, forges a car sale offering, and sends you an email that contains a link to see pictures of the car. When you click on the link, you unknowingly install malware on your device.
Vishing, Pharming, and Whaling (38.5.10)
Criminals make use of a wide range of techniques to try to gain access to your personal information.
Vishing
Often referred to as voice phishing, this type of attack sees criminals use voice communication technology to encourage users to divulge information, such as their credit card details.
Criminals can spoof phone calls using voice over Internet Protocol (VoIP), or leave recorded messages to give the impression that they are legitimate callers.
Pharming
This type of attack deliberately misdirects users to a fake version of an official website. Tricked into believing that they are connected to a legitimate site, users enter their credentials into the fraudulent website.
Whaling
Whaling is a phishing attack that targets high-profile individuals, such as senior executives within an organization, politicians, and celebrities.
Practice Item—Phishing Attacks (38.5.11)
Refer to the online course to complete this activity.