I just read the tag wiki of phishing and I’m a bit confused:
Phishing is an attempt to steal a user's personal information such as username, password, credit card number etc. The main idea of such an attack is that the attacker pretends to be a trusted web-site which asks the user to re-enter the personal information and in this way steals it.
I thought any action by a person who disguises himself/herself online as another person in order to gain personal benefit on the expense of others would be phishing. Especially the following ones:
- Email-only: The attacker could simply write an email à la “I’m your system operator and need to install antivirus on your system. Please send me your availability and your TeamViewer code via email”. I would definitely call that phishing, but there is no website involved. Hence, according to the current tag wiki, it would not be phishing. This kind of attack is likely more effective if the sender's address is spoofed.
- SMS phishing: Same story, but via an SMS (with a potentially spoofed sender number)
- The Nigerian prince scam: The attacker claims to be a Nigerian prince who wants to save tax money. In order to do so, they need you to transfer money to one of their accounts. Once that is done, they can transfer their millions to that account and you will receive several thousand dollars.
- CEO fraud: The attacker claims to be the CEO of the victim's company. The victim works in a position in which he/she can transfer money on behalf of the company. The attacker claims to want to give gift cards to all employees, or that there is an important business decision which requires the victim to transfer the company's money now.
- Mandate fraud: The attacker claims to be a business partner who changed their bank account. So the attacker impersonates a real business partner to receive the money which should be received by the business partner.
All of those involve some social engineering. The attacker makes it urgent to prevent the victim from thinking about it and potentially additionally “confidential” to keep the victim from talking with others about it. All three examples are also spoofing attacks as the attacker impersonates another person.
The following would help to answer my question:
- Is there any phishing attack that is not also a spoofing attack? (Not necessarily spoofing something technical, but spoofing a role or a person)
- Is there any spoofing attack that is not also a phishing attack?
- Is there any social-engineering attack that is not phishing?
- Is there any phishing attack that does not use some form of social engineering?