PrepAway - Latest Free Exam Questions & Answers

A security administrator notices large amounts of traffic within the network heading out to an external
website. The website seems to be a fake bank site with a phone number that, when called, asks for
sensitive information. After further investigation, the security administrator notices that a fake link was
sent to several users. This is an example of which of the following attacks?

A. Vishing

B. Phishing

C. Whaling

D. SPAM

E. SPIM

Explanation:
Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise
in an attempt to scam the user into surrendering private information that will be used for identity theft.
A phishing email will direct the user to visit a website where they are asked to update personal information,
such as a password, credit card, social security, or bank account numbers, that the legitimate organization
already has. The website, however, is bogus and set up only to steal the information the user enters on
the page.

Phishing emails are blindly sent to thousands, if not millions, of recipients. By spamming large groups of
people, the “phisher” counts on the email being read by a percentage of people who actually have an
account with the legitimate company being spoofed in the email and corresponding webpage.

Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait
is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.

Incorrect Answers:
A: Vishing is the telephone equivalent of phishing. Vishing is the act of using the telephone in an attempt
to scam the user into surrendering private information that will be used for identity theft. The scammer
calls the victim, usually pretending to be a legitimate business and fools the victim into thinking he or she
will profit. The question states that a fake link was sent to several users (probably by email). Therefore,
this is not the correct answer.
C: Whaling is a specific kind of malicious hacking within the more general category of phishing, which
involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on
collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or
others in powerful positions or job titles.
Hackers who engage in whaling often describe these efforts as “reeling in a big fish,” applying a familiar
metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those
who are engaged in whaling may, for example, hack into specific networks where these powerful
individuals work or store sensitive data. They may also set up keylogging or other malware on a
workstation associated with one of these executives. There are many ways that hackers can pursue whaling,
leading C-level or top-level executives in business and government to stay vigilant about the possibility of
cyber threats. The question states that a fake link was sent to several users (probably by email). As the
email was sent to general users rather than upper management, this is not the correct answer.
D: Spam is most often considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. However, if a long-lost brother finds your
email address and sends you a message, this could hardly be called spam, even though it is unsolicited.
Real spam is generally email advertising for some product sent to a mailing list or newsgroup.
In addition to wasting people’s time with unwanted e-mail, spam also eats up a lot of network bandwidth.
Consequently, there are many organizations, as well as individuals, who have taken it upon themselves to
fight spam with a variety of techniques. But because the Internet is public, there is really little that can be
done to prevent spam, just as it is impossible to prevent junk mail. However, some online services have
instituted policies to prevent spammers from spamming their subscribers. Spam is usually marketing for
legitimate businesses, not fake imitation web sites. Therefore, this is not the correct answer.
E: SPIM is a term sometimes used to refer to spam over IM (Instant Messaging). It’s also called just spam,
instant spam, or IM marketing. No matter what the name, it consists of unwanted messages transmitted
through some form of instant messaging service, which can include Short Message Service (SMS). The
question states that a fake link was sent to several users (probably by email). Therefore, this is not the
correct answer.
