CompTIA Security+ Notes – Part 1
As I mentioned, I am about to take the CompTIA Security+ exam in December. I am writing a set of articles to solidify my learning, so there will be a lot of notes published in the future. I am doing this for transparency reasons. I hope it helps you as well on your journey to get certified.
Before I dive into the CompTIA Security+ content, I want to explain how I will share the information. Because CompTIA divides the exam objectives into domains, I will cover each domain with its sub-topics. Today I want to start with Attacks, Threats, and Vulnerabilities, which makes up 24 percent of the examination. The first sub-topic is named: Compare and contrast different types of social engineering techniques. There is a lot to cover, so get ready!
Phishing
It is a term that describes the fraudulent acquisition of information. Attackers are usually after usernames, passwords, and other valuable data. To gather it, they use email. A typical phisher crafts a convincing-looking email, pretending to be an IT administrator or another person of authority, that asks the recipient to click a link leading to malware or to a web page that closely resembles a legitimate one, such as Microsoft's login page. An unsuspecting victim clicks the link, and the rest is history.
They use all sorts of tricks to fool you, and unfortunately even the best fail to notice a phishing attempt. A few recent stories highlight this truth: for example, Cloudflare and Twilio became victims of a phishing campaign. As mentioned in an article: “In both cases, the attackers somehow obtained the home and work phone numbers of both employees and, in some cases, their family members. The attackers then sent text messages that were disguised to appear as official company communications. The messages made false claims such as a change in an employee’s schedule, or the password they used to log in to their work account had changed. Once an employee entered credentials into the fake site, it initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.”
A few variations of phishing exist. A phishing attack conducted via SMS is called smishing, while one conducted via a voice call is called vishing.
Specific terms also identify phishing targets. Phishing that targets senior executives such as CEOs or CFOs is called whaling; spear phishing targets particular people or groups within the company.
The best prevention against phishing is education. Therefore, companies must address this issue through digital courses, mandatory quizzes, and training programs.
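Education is the first line of defence, but mail filters can also catch the lookalike links described above. The following is an added example of that kind of check, not code from the original notes: it extracts the links from a constructed email body and flags hostnames that borrow a protected brand name or sit within a short edit distance of the real domain. The protected-brand table, the sample email and the naive two-label domain split are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of brands to protect and their genuine domains.
# A real deployment would list every legitimate domain of each brand.
PROTECTED = {"microsoft": "microsoft.com", "anydesk": "anydesk.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Naive: keep the last two labels. Fine for .com; use a public-suffix
    # list for multi-label TLDs such as .co.uk in production.
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one hostname."""
    reg = registrable_domain(host)
    for brand, real in PROTECTED.items():
        if reg == real:
            return "trusted"           # genuine domain or a subdomain of it
        if brand in host.lower():
            return "lookalike"         # brand name inside a foreign domain
        if levenshtein(reg, real) <= 2:
            return "lookalike"         # one or two characters away from the real domain
    return "unknown"


def classify_links(email_body: str) -> list[tuple[str, str]]:
    """Pair every URL in the message with its verdict."""
    return [(url, classify_host(urlparse(url).hostname or ""))
            for url in URL_RE.findall(email_body)]


# Constructed sample message mimicking the password-change lure.
SAMPLE_EMAIL = """Your password has changed. Review at https://login.microsoft.com/reset
or confirm at https://microsoft-login.example/reset and https://micros0ft.com/x"""
```

Hostname checks like these are a cheap filter, not a substitute for verifying where a link actually resolves and what it serves.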