What is phishing?
Phishing is the most common form of cyber attack worldwide. In recent years, phishing campaigns have become increasingly sophisticated, leveraging advancements in AI to create highly personalized attacks. You can fall victim to phishing attacks in both your personal and professional life, so it is important to know what phishing is and how phishing attacks are carried out.
Understanding phishing
Phishing is a type of cyber attack that involves tricking users into revealing sensitive information or installing malware on their devices. It is a form of social engineering that uses psychological manipulation and deception through phishing messages to achieve its goals. Cybercriminals craft convincing messages that appear to come from trusted sources, such as banks, credit card companies, or other organizations, to lure victims into their traps.
If you’d like to learn more about how hackers manipulate victims using social engineering, check out our guide on what is social engineering.
How phishing works
Phishing works by exploiting human psychology and trust. Cybercriminals craft deceptive messages that appear to come from legitimate sources, such as banks, social media platforms, or government agencies. These messages often create a sense of urgency or fear, prompting the recipient to act quickly without thinking critically.
When a user receives a phishing email, text message, or phone call, they may be asked to click on a link, download an attachment, or provide sensitive information. The link often leads to a fake website that looks almost identical to a legitimate one. Once the user enters their information, it is sent directly to the cybercriminals, who can use it for identity theft or other malicious activities.
Phishing attacks can also involve malicious attachments that, when opened, install malware on the victim’s device. This malware can steal sensitive data, monitor the victim’s activities, or even take control of the device.
Understanding how phishing works is the first step in protecting yourself from these attacks. Always be cautious when receiving unsolicited messages and verify the authenticity of the sender before taking any action.
For an in-depth look at how cybercriminals exploit stolen data, check out our guide on malicious activities.
Phishing as a cyber attack targeting sensitive data
Phishing is a type of cyber attack where hackers trick their victims into giving up personal information or allowing them access to their computer system. The personal information is usually name(s), address(es), passwords, credit card information and social security numbers. Phishing is a social engineering attack, as hackers often manipulate their victims through a variety of behavioural techniques and exploit victims’ impaired judgement.
Organizations often use sophisticated systems to identify suspicious emails through anomaly detection and traffic analysis, enhancing overall security against phishing attacks.
Phishing simulations are often used to train employees, but expecting employees to detect every phishing attempt is unrealistic, and simulations run on that expectation can have negative consequences such as legal risks and a breakdown of trust within the organization.
Most phishing attacks consist of emails (email phishing) that purport to come from companies or public bodies, such as banks, tax authorities, streaming services, social media, software providers, etc. In the emails, the victim is tricked into clicking on a link that takes them to a fake phishing website. The website looks like the real company's website, and the victim is asked to enter personal information. The link may also trigger a malware download onto the victim's computer. These emails are not targeted at specific individuals and are sent to as many people as possible.
Typical examples of content in phishing emails are:
- Your account has been blocked
- Your password needs to be updated as it is about to expire
- You have won a prize or received a gift card
- You need to transfer money for an invoice
- You need to validate your account or login details
- Your package cannot be shipped or you have not paid for shipping
Phishing attacks can stand alone or be part of a larger attack, such as ransomware or APT (advanced persistent threat) attacks.
Types of phishing emails
Phishing attacks are becoming increasingly sophisticated as hackers become more professional and their technical skills grow. There are different types of phishing, targeting both individuals and businesses.
Watch out for the spears
Through spear phishing, hackers can directly target specific companies or employees. The phishing emails are tailored to the specific victims using personal information. This information can be retrieved from Google or social media through Open Source Intelligence, which is publicly available information. Spear phishing often targets people working in financial departments. Learn more about these targeted attacks in our guide on spear phishing.
The big catch
Like spear phishing, whaling attacks target specific individuals, namely high-level employees or executives within a company. Conversely, hackers can also impersonate a senior employee of a company to trick employees into giving up confidential information. This is called "CEO fraud".
Cloning your emails
Clone phishing is a type of attack where hackers gain access to the victim's inbox. There they find legitimate emails with links or attachments and create a clone of them. The clone mimics the legitimate email completely, except that the link or attachment is replaced with a fake link or a file containing malware. Read more about how hackers clone legitimate communications.
Vishing and smishing
Vishing, or "voice-phishing", is a variation of email phishing carried out through telephone calls. As with email phishing, hackers impersonate an employee of a company or government agency who needs some information from the victim in order to perform a specific action. Smishing, or "SMS phishing", is also similar to email phishing, except that hackers use SMS as the medium to carry out the attacks. To learn how to protect yourself from these tactics, check out what is vishing and smishing.
Pop-up phishing
In pop-up phishing attacks, hackers use pop-up banners in web browsers or the notification features of legitimate websites. They plant malware behind the banners or notifications, which infects the victim's computer when they click on them.
In recent years, social media has become an increasingly popular place for hackers to carry out phishing attacks. When hackers use social media it is called angler phishing and it is similar to vishing and smishing as hackers use notifications or chat features to send their fake messages.
Hackers (ph)isch for your information
You might be wondering why phishing is spelled with "ph-" instead of "f-". You've certainly never gone phishing with your dad before. Phishing comes from the English word "fishing", as hackers fish for your personal information by casting a digital net of emails, text messages, phone calls and more. The term phishing was coined around 1996 by American hackers. The use of "ph-" is a reference to some of the first hackers in the US who carried out an early form of hacking called phone freaking, and they were subsequently named "phreaks" (phone freaks).
Phishing techniques
Cybercriminals use a variety of phishing techniques to trick users into revealing sensitive information or installing malware. These techniques can be broadly categorized into three primary types: malicious web links, malicious attachments, and fraudulent data-entry forms.
Malicious web links: These links are designed to lead users to phishing websites that steal sensitive information or install malware. They can be embedded in phishing emails, text messages, or even phone calls. When a user clicks on a malicious link, they may be redirected to a fake website that mimics a legitimate one. The fake website may ask the user to enter sensitive information, such as login credentials or financial information.
Malicious attachments: These attachments can contain malware or viruses that can harm a computer or steal sensitive information. They are often sent via phishing emails or text messages. When a user opens a malicious attachment, the malware can be installed on their device, allowing cybercriminals to access sensitive data.
Fraudulent data-entry forms: These forms are designed to trick users into entering sensitive information, such as login credentials or financial information. They can be embedded in phishing emails, text messages, or phone calls. When a user enters sensitive information into a fraudulent form, the information is sent to cybercriminals, who can use it to commit identity theft or other cybercrimes.
By familiarizing yourself with these phishing methods, you can enhance your ability to avoid becoming a target of phishing scams. Always be cautious when clicking on links, downloading attachments, or entering information into forms from unknown sources.
Phishing examples
To better understand how phishing attacks work, let’s look at a few real-world examples:
Phishing email: Imagine receiving an email that appears to be from your bank, asking you to verify your account information by clicking on a link. The link leads to a fake website that looks just like your bank’s official site. Once you enter your login credentials, the cybercriminals behind the phishing attack can access your account and steal your money.
Text message: You receive a text message claiming to be from a delivery company, asking you to click on a link to track your package. The link leads to a phishing website that installs malware on your device. This malware can steal sensitive information, such as your passwords and credit card details.
Phone call: You get a phone call from someone claiming to be from a tech support company, saying there’s a problem with your computer. They ask you to provide sensitive information to fix the issue. In reality, the caller is a cybercriminal who uses the information to commit identity theft.
These examples illustrate the various ways phishing attacks can occur. Being mindful of these strategies can help you safeguard yourself against phishing scams.
How to avoid becoming a victim of spear phishing attacks
Although hackers are getting better at creating convincing phishing attacks, there are still a number of ways you can protect yourself or your workplace. Here are a few reminders to keep in mind every time you get an email.
Always be aware of unknown senders. If you don't know the sender of an email, it's usually best to avoid responding to the email. If you are unsure whether it is a legitimate email, you can contact the sender. This should be done through a phone number or email address you find through a search engine.
Check the URL. Hackers use link manipulation to make links look legitimate. Often they spell a company's domain slightly differently, e.g. faceb00k.com, or place the company's name in a subdomain of a different domain. They may also change the displayed link text to hide the real link. By hovering over a link, you can see the actual URL and check whether it looks right.
Be careful about downloading files from emails. If you don't expect to receive a file, or if you don't know the sender of the file, it's usually a bad idea to download it.
What information should you provide? Hackers can make phishing emails look legitimate, both graphically and in terms of content. It is therefore easy to be fooled. It is always important to read the content carefully. If you are asked for confidential or sensitive information, the email is not from a legitimate company or government agency - they would never ask for that kind of information in an email.
Use search engines instead of links. If you are in doubt whether a link is a legitimate link, use a search engine to find the company's website that the link supposedly takes you to.
Use antivirus programs. Antivirus programs can scan email attachments and determine if they are safe.
The role of fake websites in phishing attacks
Fake websites are a cornerstone of many phishing attacks. Cybercriminals create these sites to trick users into revealing sensitive information or installing malware. These fake websites are designed to look almost identical to legitimate ones, making it difficult for users to distinguish between the two.
For instance, a phishing email might contain a link to a fake website that mimics a bank’s official site. The user is asked to enter their login credentials, which are then sent to the cybercriminals. Similarly, a text message might direct the user to a fake website that installs malware on their device.
To protect yourself from phishing attacks involving fake websites, it’s essential to be cautious when visiting websites, especially if you’re asked to enter sensitive information. Here are some tips to help you avoid falling victim to phishing attacks:
- Verify the URL: Always check the website’s URL to ensure it’s legitimate. Look for subtle misspellings or unusual domain names.
- Look for spelling and grammar mistakes: Fake websites often contain spelling and grammar errors, which can be a red flag.
- Be wary of requests for sensitive information: Legitimate websites typically do not ask for sensitive information, such as login credentials or financial information, via email or text message.
- Use two-factor authentication: Adding an extra layer of security can help protect your accounts even if your login credentials are compromised.
- Report phishing attempts: If you encounter a phishing attempt, report it to the relevant authorities, such as the Federal Trade Commission (FTC) or your email provider.
By being aware of the role of fake websites in phishing attacks and taking steps to protect yourself, you can reduce the risk of falling victim to a successful phishing attack.
This post has been updated on 24-01-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.