Social Engineering - The act of obtaining, or attempting to obtain, otherwise protected data by manipulating a person into revealing it rather than by attacking the system directly. Social engineering succeeds because people are inclined to trust others and to be helpful. Victims are tricked into releasing information without realizing it will be used to attack a computer network. For example, an employee may be persuaded to reveal an employee identification number to someone impersonating a person or organization the employee trusts. The number may not seem valuable to the employee, which is exactly why it is given up so easily, but the social engineer combines it with other details already gathered to get closer to a way into the enterprise's network.
Phishing - The act of sending an e-mail that falsely claims to come from an established, legitimate enterprise in an attempt to trick the recipient into surrendering private information for identity theft. The e-mail directs the user to a Web site that asks them to "update" personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already holds and would never request this way. The Web site is bogus and exists only to steal the user's information.
Spear Phishing - A phishing attack aimed at a single user or department within an organization, crafted to appear to come from a trusted person inside the company and requesting information such as login IDs and passwords. Spear phishing messages often appear to come from the company's own human resources or technical support departments and may ask employees to update their usernames and passwords. Once attackers have these credentials they can gain entry to otherwise secured networks. Another form of spear phishing asks the user to click a link that installs spyware or other malware to steal data. Because the sender is being impersonated, the display name, the sender's actual domain and any Reply-To address are the first things to compare.
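The header and wording checks just described, applied to one message, as an added example that is not part of the original glossary. The corporate domain, the department names, the credential phrases and the sample message are all constructed for illustration; the code uses only the Python standard library's `email` package.

```python
"""Triage a suspected spear-phishing message: added example, not from the glossary."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical corporate domain the checks treat as "internal".
CORP_DOMAIN = "example.com"
# Display-name wording that borrows the authority of internal departments.
ROLE_PATTERN = re.compile(r"\b(human resources|hr|it support|help ?desk|technical support)\b", re.I)
# Phrases that ask for credentials; legitimate HR/IT mail does not do this.
CREDENTIAL_PHRASES = ("password", "login id", "update your username", "verify your account")

# Constructed sample message (not a real capture).
RAW_MESSAGE = b"""From: "Human Resources" <hr@example-hr-portal.net>
Reply-To: hr@forms.example-collect.org
To: jane.doe@example.com
Subject: Action required: update your username and password
Date: Mon, 01 Jan 2024 09:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Jane, HR requires all staff to confirm their login ID and password today.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes, corp_domain: str = CORP_DOMAIN) -> list:
    """Return a list of findings; an empty list means no spear-phishing indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    reply_to_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])

    # 1. The display name claims an internal department but the address is external.
    if ROLE_PATTERN.search(display_name) and from_domain != corp_domain:
        findings.append(
            f"display name '{display_name}' but sender domain '{from_domain}' is not '{corp_domain}'")

    # 2. Replies are routed to a different domain than the one the mail claims to come from.
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_to_domain}' differs from From domain '{from_domain}'")

    # 3. The subject or body asks the reader to hand over credentials.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [phrase for phrase in CREDENTIAL_PHRASES if phrase in text]
    if hits:
        findings.append("credential request wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```

Run stand-alone it prints three findings for the sample message. The checks are deliberately simple string and header comparisons; a real gateway would add SPF/DKIM/DMARC results, which tell you whether the From domain was actually authorised to send the message.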
Whaling - A spear phishing attack aimed at corporate managers and executives. Where ordinary phishing tries to trick employees into giving up personal information, whaling targets senior staff for credentials and other information that can be used to steal sensitive corporate data, since their access and authority make them the highest-value targets in the organization.
SMiShing - A compound of 'SMS' and 'phishing'. SMiShing (SMS phishing) is a phishing attack in which mobile phone users receive text messages containing a Web site hyperlink which, if followed, downloads a Trojan horse to the phone or leads to a page that harvests the user's credentials.
Vishing - The telephone equivalent of phishing: using a phone call to scam the victim into surrendering private information that will be used for identity theft. The caller usually pretends to represent a legitimate business, often spoofing the caller ID to match, and fools the victim with a pretext such as a prize to be claimed or a supposed problem with an account.
Pharming - Similar in aim to e-mail phishing, pharming seeks personal or private (usually financial) information through domain spoofing. Rather than spamming victims with e-mail requests to visit spoof Web sites that appear legitimate, pharming 'poisons' name resolution: false records are injected into a DNS server's cache (or, on a single machine, into the local hosts file) so that a request for a legitimate domain name is answered with the attacker's address. The browser's address bar shows the correct domain, which makes pharming more serious and harder to detect than phishing. The giveaway is that the attacker's server cannot present a valid TLS certificate for the real domain, so an HTTPS certificate warning on a familiar site should never be clicked through. Phishing scams people one at a time by e-mail, while pharming lets scammers target everyone who uses the poisoned resolver at once.
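Resolver-cache poisoning cannot be checked offline; a practitioner's first cross-check is to compare answers from two independent resolvers (for example `dig @1.1.1.1 www.example-bank.com` against the system resolver) and to confirm the TLS certificate. The local variant of the same attack, rewriting the hosts file so the operating system never asks DNS at all, can be audited with a script like the one below. This is an added example that goes one step beyond the entry (hosts-file pharming rather than server poisoning) and is not code from the glossary; the hosts content, the watchlist and the trusted ranges are constructed for illustration.

```python
"""Check a hosts file for pharming-style overrides: added example, not from the glossary."""
import ipaddress

# Constructed hosts-file content (not from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.10 intranet.corp.example          # legitimate internal entry
203.0.113.9  www.example-bank.com example-bank.com
0.0.0.0      ads.tracker.example           # common ad-blocking idiom
"""

# Hypothetical watchlist of domains that must never be resolved from the hosts file.
WATCHLIST = {"example-bank.com", "paypal.com"}
# Destinations a local override may legitimately point at: loopback, the "blackhole"
# address and the RFC 1918 private ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "::1/128", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return (ip, [names]) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, [n.lower() for n in names]))
    return entries


def registered_domain(name):
    """Crude registrable part: the last two labels (no public-suffix list here)."""
    return ".".join(name.split(".")[-2:])


def suspicious_overrides(entries, watchlist=WATCHLIST, trusted=TRUSTED_NETS):
    """Return (name, ip, reason) for every hosts entry that looks like pharming."""
    findings = []
    for ip, names in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((" ".join(names), ip, "unparseable address"))
            continue
        # IPv4 addresses are never "in" an IPv6 network and vice versa, so this is safe.
        in_trusted = any(addr in net for net in trusted)
        for name in names:
            if registered_domain(name) in watchlist:
                findings.append((name, ip, "watchlisted domain overridden"))
            elif not in_trusted and "." in name:
                findings.append((name, ip, "public name mapped to an external address"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in suspicious_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f"{name} -> {ip}: {reason}")
```

On a real system feed it the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts); the two bank entries in the sample are the kind of line malware adds, and the ad-blocking and intranet lines show why a blanket "no entries allowed" rule would produce false positives.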
Evil Twin - A Wi-Fi attack similar in nature to Web site spoofing and e-mail phishing. Here's how an evil twin attack works:
The attacker sets up a rogue access point whose service set identifier (SSID) matches that of a legitimate AP at the local hotspot or on the corporate wireless network. The attacker then disrupts or disables the legitimate AP by disconnecting it, directing a denial of service (such as a flood of deauthentication frames) against it, or creating RF interference around it. Users lose their connection to the legitimate AP and their devices, which re-join by SSID, automatically connect to the "evil twin", allowing the attacker to intercept, and tamper with, all traffic that passes through it. Traffic protected end to end (HTTPS, a VPN) limits what the attacker can read; an open network sharing the name of a protected one, or an unfamiliar BSSID advertising a known SSID, is the signature to look for.
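The "signature to look for" above, turned into a check over a Wi-Fi scan, as an added example that is not part of the original glossary. The scan lines, the sanctioned OUI inventory and the signal levels are constructed for illustration; a real scan would come from `nmcli dev wifi` or `iw dev wlan0 scan`, and detecting the deauthentication flood itself needs an interface in monitor mode, which this example does not cover.

```python
"""Spot evil-twin candidates in a Wi-Fi scan: added example, not from the glossary."""
from collections import defaultdict

# Constructed scan output (not a real capture), one AP per line as
# SSID<TAB>BSSID<TAB>security<TAB>channel<TAB>signal(dBm), roughly what
# `nmcli -t -f SSID,BSSID,SECURITY,CHAN,SIGNAL dev wifi` gives after reformatting.
SCAN = (
    "CorpNet\t00:1A:2B:00:00:01\tWPA2\t36\t-62\n"
    "CorpNet\t00:1A:2B:00:00:02\tWPA2\t44\t-70\n"
    "CorpNet\t02:11:22:33:44:55\tOPEN\t6\t-35\n"
    "CafeGuest\t64:77:88:99:AA:BB\tOPEN\t1\t-50\n"
)

# Hypothetical inventory: the OUI prefix of the sanctioned APs for each corporate SSID.
SANCTIONED_OUI = {"CorpNet": "00:1A:2B"}


def parse_scan(text):
    """Turn the tab-separated scan lines into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, channel, signal = line.split("\t")
        rows.append({"ssid": ssid, "bssid": bssid.upper(), "security": security.upper(),
                     "channel": int(channel), "signal": int(signal)})
    return rows


def is_locally_administered(bssid):
    """Bit 1 of the first octet set means a software-assigned MAC, typical of hostapd/phone hotspots."""
    return bool(int(bssid[:2], 16) & 0x02)


def find_evil_twins(rows, sanctioned=SANCTIONED_OUI):
    """Return (ssid, bssid, reasons) for every AP that looks like an impostor of a known SSID."""
    by_ssid = defaultdict(list)
    for row in rows:
        by_ssid[row["ssid"]].append(row)

    findings = []
    for ssid, aps in by_ssid.items():
        oui = sanctioned.get(ssid)
        securities = {ap["security"] for ap in aps}
        # Strongest signal among APs we actually own, if we know what we own.
        strongest_sanctioned = max(
            (ap["signal"] for ap in aps if oui and ap["bssid"].startswith(oui)), default=None)
        for ap in aps:
            reasons = []
            foreign = bool(oui) and not ap["bssid"].startswith(oui)
            # The same SSID advertised both protected and open: the open one is the lure.
            if len(securities) > 1 and ap["security"] == "OPEN":
                reasons.append("open network sharing a protected SSID")
            # Hardware we do not own is advertising our network name.
            if foreign:
                reasons.append("BSSID outside the sanctioned OUI")
            if is_locally_administered(ap["bssid"]):
                reasons.append("locally administered BSSID")
            # A twin has to out-shout the real AP to win the client's reconnect.
            if foreign and strongest_sanctioned is not None and ap["signal"] > strongest_sanctioned:
                reasons.append(
                    f"stronger ({ap['signal']} dBm) than every sanctioned AP ({strongest_sanctioned} dBm)")
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(parse_scan(SCAN)):
        print(f"{ssid} {bssid}: " + "; ".join(reasons))
```

The sample flags only the third AP, on all four counts; the cafe's open guest network is not flagged because nothing protected shares its name and no inventory exists for it, which is the right answer for a network you do not run.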
Obfuscated URL - Also called a hyperlink trick, an obfuscated URL is an attack in which the real URL the user is directed to is obfuscated, or concealed, to encourage the user to click through to the spoof Web site. For example, the attacker may use a cleverly misspelled domain name (e.g. PayPals.com instead of PayPal.com), a look-alike domain built from characters of another alphabet that render identically, a URL whose "username" part carries the legitimate name so that the real host comes after the @ sign, or may hide the actual URL behind friendly link text such as "click here to verify your account now". Obfuscated URLs are commonly used in phishing attacks and other spam e-mails.
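Each trick listed above, detected in a set of HTML anchors, as an added example that is not part of the original glossary. The brand watchlist, the confusable-character table (a handful of Cyrillic letters, not the full Unicode list), the anchors and the attacker IP are constructed for illustration; the homograph host is generated at run time from "p\u0430ypal.com" (Cyrillic a) with the standard library's idna codec so that the punycode form is correct.

```python
"""Flag hyperlink tricks in HTML anchors: added example, not from the glossary."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical watchlist of brands the organisation cares about.
BRAND_DOMAINS = ("paypal.com", "example-bank.com")
# A few Cyrillic letters that render identically to Latin ones (illustrative, not a full table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x"})

# Constructed anchors (not from any real message). The third host is "p\u0430ypal.com"
# with a Cyrillic a, converted to punycode the way it would appear in a raw href.
HOMOGRAPH_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")
SAMPLE_HTML = f"""
<a href="https://paypals.com/verify">click here to verify your account now</a>
<a href="https://www.paypal.com@198.51.100.7/login">https://www.paypal.com/login</a>
<a href="https://{HOMOGRAPH_HOST}/">PayPal</a>
<a href="https://www.paypal.com/myaccount">https://www.paypal.com/myaccount</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Classic edit distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude registrable part: the last two labels (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def analyse_link(href, text, brands=BRAND_DOMAINS):
    """Return the list of tricks found in one anchor; empty means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # Trick 1: "user@" before the host; browsers discard it, readers see the brand.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' before '@' hides the real host {host}")
    # Trick 2: a bare IP address as the host.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"host is a raw IP address ({host})")
    # Trick 3: the link text looks like a URL but the href points somewhere else.
    if re.match(r"^(https?://|www\.)", text, re.I):
        shown = text if text.lower().startswith("http") else "http://" + text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            findings.append(f"link text shows {shown_host} but href goes to {host}")
    # Trick 4: punycode hosts, which may be homographs of a brand once rendered.
    unicode_host = host
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            unicode_host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
        findings.append(f"punycode host {host} renders as {unicode_host}")
    # Trick 5: typosquats and homographs of watchlisted brands.
    folded = unicode_host.translate(CONFUSABLES)
    reg = registered_domain(folded)
    for brand in brands:
        if reg == brand and folded != unicode_host:
            findings.append(f"homograph of {brand} (confusable characters)")
        elif reg != brand and 0 < levenshtein(reg, brand) <= 2:
            findings.append(f"lookalike of {brand} (edit distance {levenshtein(reg, brand)})")
    return findings


def analyse_html(html):
    """Run analyse_link over every anchor in an HTML fragment."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, text, analyse_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in analyse_html(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   ", finding)
```

Only the fourth anchor comes back clean. The last-two-labels shortcut in `registered_domain` is wrong for suffixes such as co.uk; a production filter would use the public suffix list and a complete confusables table.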
Twishing - The act of sending a message to a Twitter user in an attempt to obtain his or her username and password. The message may instruct the recipient to visit a Web site and log in there. The Web site, however, is bogus and set up only to steal the user's credentials.
Twishing is a blend of the words Twitter and phishing. The idea is that bait is cast (the idea behind the term phishing) to many Twitter users in the hope that, while most will ignore it, a small percentage will be tricked into revealing their usernames and passwords.