Phishing is a process whereby an attacker approaches an end-user or an employee of an organisation and attempts either to extract information from them, such as usernames or passwords, or to persuade them to install some type of malware, in order to extract valuable data from the organisation or to take the first of several steps towards the valuable core of a business.
There are two types of phishing attack, un-targeted and targeted.
Un-targeted phishing makes use of large lists of email addresses and the statistical likelihood that some of those recipients have a relationship with the organisation the attacker is impersonating. The attack usually consists of an email designed to look as if it originates from that organisation, e.g. “HSBC Bank needs you to confirm your login credentials”. The email usually contains either a link or some type of document to capture the data the attacker wants, and it usually uses wording that increases the urgency of the action or implies that something serious will happen if the recipient does not comply.
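The three ingredients just described (a spoofed brand in the sender, urgency wording, and a link or document that leads somewhere other than the brand's own domain) are exactly what a mail filter can score. The following is an added example written for this page, not PixelPin's code: a small heuristic scorer over RFC 822 messages. The brand table, the keyword list, the threshold and both sample messages are constructed for illustration, and the `.example` domains belong to nobody.

```python
"""Heuristic scorer for the untargeted phishing pattern described above:
a message that impersonates a known brand, manufactures urgency, and
carries a link or attachment pointing somewhere other than the brand's
own domain.  Added example, not PixelPin code; the brand table, keyword
list, threshold and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: brands a user expects mail from, mapped to the domains
# those brands legitimately send from.
KNOWN_BRANDS = {"hsbc": ("hsbc.co.uk", "hsbc.com")}

# Constructed: phrases that push the reader to act now or threaten consequences.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "will be closed", "confirm your", "verify your")

# Captures only the host part of each http(s) href in an HTML body.
HREF_RE = re.compile(r'href=["\']?https?://([^/"\'\s>]+)', re.IGNORECASE)
PHISHING_THRESHOLD = 4  # constructed cut-off for the demo


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def message_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks)


def score_message(raw):
    """Return (score, reasons) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    reasons, score = [], 0

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    subject = msg.get("Subject", "")
    body = message_text(msg)
    visible = (display + " " + subject).lower()   # what the reader sees first
    text = (subject + " " + body).lower()

    # 1. A known brand named in the display name or subject, but sent from elsewhere.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in visible and not any(same_org(sender_domain, d) for d in domains):
            score += 3
            reasons.append(f"claims to be {brand} but sent from {sender_domain}")

    # 2. Urgency / threat language, capped so keywords alone cannot convict.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        score += min(len(hits), 3)
        reasons.append("urgency language: " + ", ".join(hits))

    # 3. Links whose host lies outside the sender's own domain.
    for host in sorted(set(HREF_RE.findall(body))):
        if not same_org(host, sender_domain):
            score += 2
            reasons.append(f"link to {host} outside sender domain")

    # 4. Any attachment adds a little weight (the "document" variant).
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        score += 1
        reasons.append("carries an attachment")

    return score, reasons


def is_phishing(raw):
    return score_message(raw)[0] >= PHISHING_THRESHOLD


# Constructed sample messages; no real organisation or person is involved.
PHISH = """\
From: "HSBC Bank" <security@hsbc-verify-login.example>
To: victim@example.org
Subject: Urgent: confirm your login credentials within 24 hours
Content-Type: text/html

<p>Your account will be suspended. <a href="http://secure-account-update.example/login">Confirm your details</a> now.</p>
"""

LEGIT = """\
From: "HSBC Bank" <noreply@hsbc.co.uk>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/plain

Your statement for last month is ready to view in online banking.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} phishing={score >= PHISHING_THRESHOLD}")
        for reason in reasons:
            print("   -", reason)
```

The weights are deliberately lopsided: brand impersonation and an off-domain link each carry more than the capped keyword score, because a legitimate statement notice from the real domain can also say "verify your details". `same_org` compares against the sender's full domain rather than trimming to the last two labels, which would wrongly collapse `hsbc.co.uk` to `co.uk`.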
Passwords are particularly prone to this type of attack, since it is very easy to mimic a legitimate password entry screen or otherwise capture these details in an electronic document that can be posted or sent to an attacker.
PixelPin, on the other hand, uses a personal image as the first part of the authentication handshake, meaning an attacker would have much more work to do: either send users their actual images and attempt to harvest click data, or try to automate the harvesting of images from PixelPin on demand, something our intrusion detection systems work hard to thwart.
A targeted attack is much lower in volume and might, for example, target only those employees who work for the target organisation. For this reason, more time is likely to be spent making the emails personal and effective, for instance by using data taken from social media to make the email look as if it originates from a friend. It is harder for PixelPin to prevent these attacks, since in all likelihood an attacker would be able to obtain the PixelPin images for these users and produce at least a believable honey trap for a user.
The last line of defence against phishing is the use of an Extended Validation (EV) SSL/TLS certificate on the PixelPin web applications, which we use in our education materials to remind users to look for the EV information if they are ever told that they need to log in to PixelPin.
For more information, visit our website www.pixelpin.io or contact us at firstname.lastname@example.org