Dulaney on Certs

A Visual Guide to Phishing Variants
Phishing attacks come in a variety of disguises. Emmett breaks down the four different types and how to educate your users of the dangers of each.
by Emmett Dulaney
5/13/2011 -- "Phishing" is a type of social engineering that has grown in popularity recently within the realm of IT security. The SY0-301 version of the CompTIA Security+ exam places significant focus on it, and this visual guide -- based on definitions in the Security+ Study Guide, 5th Edition -- illustrates four of the most popular types of phishing.

Regardless of the phishing variant employed, the attacker's goal is always to take advantage of the gullibility of the user they interact with. Just as with most other forms of social engineering, there is no way for an IT administrator to prevent someone from trying these tactics against users in your company, but educating those users is the best way to keep the attempts from succeeding.

Phishing
Phishing is any attempt to collect sensitive information from a user through the Internet. The most common implementation is through an e-mail message similar to the one shown in this first figure.

[Figure 1]

Here, the user is told there is something wrong with their account and that they need to go to a site to verify their information and correct the problem. A hyperlink labeled Comcast.com My Account is provided, but the URL at the bottom of the window shows where the user will really land if they click on the link, and it is certainly not Comcast's site. These links almost always go to http instead of https, which can provide a quick clue to their illegitimacy. Another clue is that such messages tend to be addressed generically -- to "member," "user," "customer" and so on.

In most lists of the top companies used in phishing scams, the same names appear over and over again: PayPal, eBay, Chase Bank, American Express and Citibank. Since the scammer is sending out mass quantities of messages and attempting to generate as many clicks to their site as possible, it makes sense for them to focus on companies that most users do business with as opposed to organizations the majority may not have heard of.

In the following figure, clues to the dishonesty of the message abound, even though it is intended to be mistaken for a legitimate message from Netflix:

[Figure 2]

Among the clues:

  1. The To: field is "none," allowing it to be mass-mailed to a plethora of individuals.
  2. Instead of having the user's name, the salutation is "Dear Netflix."
  3. The hyperlink does not go to Netflix.com, but rather to "net-flix.co.cc" (see the bottom of the frame).
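As an added illustration (not part of the original column), here is a small Python checker that looks for the four clues described above -- an empty To: field, a generic salutation, a plain-http link and a mismatch between the domain shown in the link text and the link's real destination -- in a constructed sample message. The sample message, the clue labels and the generic-word list are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the clues the article lists; not a real message.
SAMPLE_EMAIL = """\
From: "Netflix Billing" <billing@example.invalid>
To: none
Subject: Action required on your account
Content-Type: text/html

<html><body><p>Dear Netflix,</p>
<p>There is a problem with your account. Please visit
<a href="http://net-flix.co.cc/verify">Netflix.com My Account</a>
to verify your information.</p></body></html>
"""

GENERIC_SALUTATIONS = {"member", "user", "customer", "valued customer"}
# Simple anchor matcher for this single-part HTML body (a real tool would use an HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phishing_clues(raw):
    """Return the names of the article's clues found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    clues = []
    # Clue 1: mass-mailed, so the To: field is empty or a placeholder such as "none".
    if (msg.get("To") or "").strip().lower() in ("", "none"):
        clues.append("to_field_empty_or_none")
    # Clue 2: salutation is a generic word or just the sender's brand, not a person's name.
    brand_words = set(parseaddr(msg.get("From", ""))[0].lower().split())
    m = re.search(r"dear\s+([^,\n<]+)", body, re.I)
    if m and m.group(1).strip().lower() in GENERIC_SALUTATIONS | brand_words:
        clues.append("generic_salutation")
    for href, text in ANCHOR_RE.findall(body):
        url = urlparse(href)
        # Clue 3: the landing page is plain http rather than https.
        if url.scheme == "http":
            clues.append("link_not_https")
        # Clue 4: the domain shown in the link text is not where the link really goes.
        shown = re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I)
        if shown and shown.group(0).lower() not in (url.hostname or ""):
            clues.append("link_text_domain_mismatch")
    return clues

if __name__ == "__main__":
    print(phishing_clues(SAMPLE_EMAIL))
```

Running it on the sample reports all four clues; a message addressed to a named person with an https link whose text and destination agree reports none.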

Spear Phishing
While regular phishing attacks send a standard message to as many users as possible -- trying to separate those who are easy to fleece from those who aren't -- spear phishing picks out a target and goes directly after them. This is accomplished by finding a relationship between the user and a company, organization or other individual and making it appear as if the message is from that entity. No longer does the salutation talk about member, user or customer; instead it uses the target's name directly, and the message appears far more legitimate.

[Figure 3]

From an attacker's standpoint, this is much more time consuming to do. Instead of sending one message to thousands of users, the attacker has to tailor each message and send it to only one person. From a user's standpoint, it is much more difficult to quickly identify this as a phishing attack, and thus the odds of it succeeding are significantly increased.

In the spring of 2011, one of the e-mail companies responsible for sending out opt-in e-mail for large companies was hacked and its database compromised. Armed with a database of relationships between users and companies, attackers had an open door for spear phishing:

[Figure 4]

If you think this is something you would never fall for, imagine the e-mail looking as if it came from your significant other and asking you to click here to see the video that was just uploaded of your kids or telling you that you need to pay the utility bill now or it will be shut off at your house.

Whaling
The easiest way to think of whaling is to think of spear phishing targeted only at the person with the most senior-level privileges. Instead of trying to trick someone who has mid-level permissions/access/income, the attacker aims to deceive the one person who holds the keys to the kingdom.

[Figure 5]

As a general rule of thumb, when spear phishing is targeted only to senior-level executives, it gets classified as whaling. The secret to preventing its success is to educate the top executives of the dangers and risks and why they should not fall for the urgent must-act-now! e-mail messages that come through.

Vishing
When you combine phishing with voice (as in a phone call), you get vishing. With the rise in the use of quality Voice-over-IP, this type of attack can now take place quite easily and from anywhere in the world. The attacker attempts to convince the subject that they are calling on behalf of another -- whether it is an individual the subject may know, a bank, a vendor or anyone else -- and that they need some information from them. Again: Think phishing, but using the phone instead of e-mail.

[Figure 6]

To increase the likelihood of success with vishing, an attacker can also implement caller ID spoofing. Just as e-mail spoofing makes it look as if an e-mail is sent from someone it wasn't, caller ID spoofing alters the values that appear on a caller ID box to make it look as if the call is coming from a phone number other than the one it truly is.

Just as regular training should be given to users about what information not to divulge online, you should similarly remind them of the importance of what they give out over the phone. Common ruses are to pretend to be a salesman needing to give an important presentation and unable to remember the guest password or a new vendor needing to access the extranet and make sure the warehouse isn't running out of stock.

In early 2011, a number of vishing attacks used automated dialers ("war dialers") to call numbers and tell anyone who answered that it was the credit union calling and there was a problem with their debit card. In order to correct the problem, the individuals were told to use their phones to punch in their debit card number and PIN to verify that the card was indeed still in their possession.

Basic Built-In Protection
Almost every browser that is widely used includes some sort of phishing protection that, when enabled, checks a site the user is attempting to visit against a database of known malicious sites and alerts or stops the user if the site is found in that database. The database is stored on the local computer and updated regularly (the amount of time between updates varies with each vendor).

In the Microsoft realm, Internet Explorer 7 introduced the Phishing Filter which was replaced in IE 8 and IE 9 by the SmartScreen Filter. Firefox 3 and later contain the Phishing and Malware Protection feature. Google Chrome also has the Phishing and Malware Protection feature and Safari includes phishing protection. With Opera, you have Opera Fraud and Malware Protection.

[Figure 7]

Summary
The four variants of phishing discussed here are among the most common implementations of social engineering. As with all social engineering, the key to minimizing the impact they can have in your environment lies in educating your users. Regularly remind them of the dangers each one poses and encourage them to come to you or other members of the IT staff with any and all questions they have.

Emmett Dulaney is the author of several books on Linux, Unix and certification. He can be reached at .
