Phishweb is for any organization that needs a better understanding of what phishing is.
People will lie or tell the truth to social engineer you.
They will be relatable and approachable.
Experience, time, and patience.
Become friends with an employee — then exploit.
"Trust" needs to be established to avoid suspicion. Manipulate.
Commercial, residential, or private property? CCTV, buildings, storage, airports and hangars, parking lots, high-rises, physical security points. Locks in use, type of doors, ceiling tiles or straight drywall, HVAC layout.
Open Log Books
Employee schedules (days, evenings, graveyard, weekend shifts), printed contact numbers and addresses, printed email lists, printed client lists, printed social events, sticky notes with passwords and emails for new employees, visitor sign-in logs.
Device types, server room, operating systems, software and hardware security, company website, databases, email servers, customer portals, social media pages.
Zoom Info (name used in scam)
Scammers scrape CEO signatures off invoices from unsuspecting companies and use them to charge that CEO's company for a service or good. Scammers will take legal action (mainly through collection agencies) once they have invoiced you. In Canada you will need to contact the RCMP and follow their directions.
Ages 11-24 are currently the most vulnerable to Social Media, Messenger, Chatbot, Online Romance, and Rewards Campaign Scams.
Industrial, Commercial, Residential bins. Recon first.
Dropping thumb drives with malicious payloads. Parking lots, libraries, shopping malls, and restaurants are high-traffic areas. Notification upon activation. Remote attacks wreak havoc.
Business Email Compromise
An exploit in which the attacker gains access to a corporate email account and spoofs the owner's identity to defraud the company or its employees, customers or partners of money.
An excuse to do or say something that is false. Pretexts may be based on a half-truth or developed in the context of a misleading fabrication. Pretexts have been used to conceal the true purpose or rationale behind actions and words.
Quid Pro Quo
Exchange, trade, trade-off, swap, switch, barter, substitute, substitution, reciprocity, reciprocation, return, payment, remuneration, amends, compensation, indemnity, recompense, restitution, reparation, satisfaction, requital. In the case of "quid pro quo" business contracts, the term takes on a negative connotation because major corporations may cross ethical boundaries in order to enter into these very valuable, mutually beneficial agreements with other big businesses. In these deals, large sums of money are often at play, which can lead to promises of indefinite exclusive partnerships or promises to distort economic reports.
Part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.
An attacker attempts to trick people into believing that they’ve won a contest, but the less obvious ones pose as banks and credit card companies. They will then attempt to get the person’s information either by a link in the text or a prompt to call a number.
Using knowledge gained from social media profiles and other public information, a scammer can craft a legitimate-looking email to trap the victim into responding. This attack is usually targeted towards a specific individual, organization or business.
Walk in behind a person who is authorized. Impersonate a delivery driver or caretaker: parcel, clipboard and pen. Ask an employee to hold the door open, then say "thanks, I've got it from here."
This kind of attack is done through Voice over IP (VoIP). Because a VoIP server can be used to appear as virtually anything, and the caller ID can be changed, vishing attempts can be very successful.
Attackers send you a text message stating that a parcel is waiting to be picked up in your name. Do not click the link in the message. You will be asked to verify personal information before the package details are released.
Watering Hole Attack
A security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment.
Attackers target high-level employees and executives to gain access to their email accounts or spoof them. If they’re able to do that, it puts the entire business at risk.
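Both the Business Email Compromise entry and the whaling entry above describe an attacker spoofing an executive's identity over email. The script below is an added example of the kind of mailbox check a defender can run against an incoming message; it is not part of Phishweb's material. It assumes a constructed executive directory (`EXECUTIVES`), an internal domain of `example-corp.com`, and two constructed sample messages; all of these are placeholders. It flags four common BEC indicators: an executive's display name on a foreign address, a Reply-To that diverges from the From address, a look-alike sender domain, and urgent payment language in the subject or body.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of executives and their real addresses (assumption:
# in practice this would be fed from the HR or identity directory).
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
}
INTERNAL_DOMAIN = "example-corp.com"  # assumed internal domain

# Lure vocabulary typical of wire-fraud and gift-card BEC lures.
LURE_TERMS = ("urgent", "wire transfer", "gift card", "confidential")


def bec_indicators(raw_message: str) -> list[str]:
    """Parse one raw RFC 5322 message and return human-readable BEC indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr_l = from_addr.lower()
    from_domain = from_addr_l.rsplit("@", 1)[-1] if "@" in from_addr_l else ""

    # 1. Display name matches a known executive, but the address is not theirs.
    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES and from_addr_l != EXECUTIVES[name_key]:
        findings.append(
            f"display name '{from_name}' matches an executive but address is {from_addr}"
        )

    # 2. Reply-To silently redirects replies away from the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr_l:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Look-alike domain: the internal domain's label embedded in a different domain.
    label = INTERNAL_DOMAIN.split(".")[0]
    if from_domain and from_domain != INTERNAL_DOMAIN and label in from_domain:
        findings.append(f"sender domain {from_domain} resembles {INTERNAL_DOMAIN}")

    # 4. Urgency plus payment language in subject or plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body_text).lower()
    hits = [term for term in LURE_TERMS if term in text]
    if len(hits) >= 2:
        findings.append("lure language present: " + ", ".join(hits))

    return findings


# Constructed sample: an impersonation attempt aimed at accounts payable.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@example-corp-invoices.com>
Reply-To: ceo.office.urgent@mail-example.net
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer to the new vendor account today. Keep this confidential.
"""

# Constructed sample: a legitimate internal message from the same executive.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

Attached are the figures for Thursday's meeting.
"""

if __name__ == "__main__":
    for label_text, sample in (("suspicious", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        print(label_text, bec_indicators(sample) or "no indicators")
```

None of these heuristics is conclusive on its own; a single display-name match or a Reply-To mismatch has legitimate uses, which is why the function returns the full list so a mail filter or analyst can weigh the indicators together.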