Phishing is a social engineering attack that uses deceptive emails, websites, messages, or attachments to trick people into revealing credentials, payment data, or other sensitive information. It remains one of the most common entry points for cybercrime because it targets human trust instead of relying only on technical exploitation.
What is Phishing?
Phishing is a method that hackers employ to collect personal data using deceptive websites and emails. The goal is to trick the victim into believing that a message, a website, or an attachment is something they want or need. Hackers use deception to trick employees into clicking phishing emails. For instance, they create emails masquerading as requests from banks, additional information from vendors, or an urgent note from a colleague or manager.
Key Takeaways
- Phishing is an attack method that uses deceptive emails and websites to steal confidential information
- In phishing, an attacker masquerades as a trusted entity, such as a real person or business that the victim knows
- More than 75 percent of all recent breaches involved phishing
- Hackers have access to bundled kits with resources and tools that make phishing easy and effective
- Cybercriminals increasingly use phishing attacks during periods of crisis and uncertainty to lure stressed or distracted victims
History of Phishing
Phishing is one of the oldest cyberattack types, dating back to the 1990s. It is still one of the most prevalent and successful attack methods in use today. Hackers are devising more clever messages and advanced techniques to launch sophisticated phishing attacks. Phishing comes from the word “phish,” which is pronounced like it is spelled. The name comes from the “fishing” analogy that entails using a baited hook to trick a target. In this case, cybercriminals send phishing emails hoping you will fall for their trick.
Real-World Phishing Examples
A 2019 Verizon Data Breach Investigations Report indicates that more than a third of all recent breaches involved phishing. Some real-world examples of phishing tricks include:
- Deactivation scares – a deactivation notice lures victims into reacting quickly without scrutinizing the email or URLs
- Look-alike sites – cybercriminals create phony websites that are difficult to detect
- Advanced fee fraud – this phishing trick, also known as the Nigerian scam, involve someone oversea offering a share in a large sum of money or payment if you help the sender to transfer the funds out of their country
- Tech support scam – hackers masquerade as reputable organizations like Microsoft by sending emails containing official-looking contacts. If you respond, a technician will request you to install remote access for troubleshooting. The scammers easily take control of your system
In 2016, hackers used phishing to trick Hillary Clinton’s campaign chair, John Podesta, into sharing his Gmail password. Several successful phishing attempts led to an attack in which criminals released intimate photos of several celebrities to the public.
Bundled Kits Make Phishing Effective Today
The availability of phishing kits is making it easy for attackers to launch their phishing campaigns. Cybercriminals have access to a bundled kit with phishing resources and tools to launch attacks from a remote server. Phishing kits and target’s mailing lists are available on the dark web. Some sites like PhishTank and OpenPhish run crowd-sourced phishing kits lists. An attacker installs the kit on a server and sends emails to potential victims.
Phishing Increases During a Crisis – COVID 19 Case
As mentioned, cybercriminals leverage deception and create a sense of urgency to succeed in a phishing campaign. Crises like the coronavirus pandemic offer an opportunity for hackers to trick victims into falling for phishing baits. A pandemic pushes people to the edge. They are desperately looking for information from companies, governments, research organizations, and other relevant authorities. People will undoubtedly open emails from these bodies during a pandemic, without much scrutiny. The frequency of phishing threats has risen considerably since the onset of COVID-19. Companies are experiencing an average of 1,185 attacks each month. COVID-19-themed phishing emails include:
- Fabricated notices from the CDC, World Health Organizations (WHO), state health departments, and other health organizations
- Fake updates from organizations with procedures to address the coronavirus disease
- Phony websites containing maps and statistics
- Emails with links and information about protecting yourself and community
- Illegitimate links to charitable appeals to help victims
Preventing Phishing Attacks
You can take these steps to mitigate phishing attacks:
- Be on the lookout to detect misspelled URLs in emails before you click or share sensitive information
- Watch out for any URL redirects to avoid sharing information on identical but phishing websites
- Make a habit of typing the correct URL directly on the browser bar instead of clicking the link on emails
- Contact the source through a different channel (SMS, phone call) if you receive suspicious emails with attachments and links
- Avoid sharing personal information like physical address, vacation plans, birthday, phone number, and email address on social media
- Ignore emails offering money from Nigeria or any other country
Organizations can implement these measures to prevent phishing threats:
- Install tools and policies to monitor and analyze web traffic
- Sandbox inbound emails and assess the safety of external links
- Conduct regular cybersecurity awareness training
- Simulate phishing attacks to determine cybersecurity awareness gaps for employees
Phishing vs. Spam
Spam is unsolicited bulk messaging, while phishing is a deceptive attempt to steal information or trigger unsafe actions. Some phishing arrives as spam, but phishing is more targeted and malicious in intent.
Frequently Asked Questions
What makes phishing effective?
Phishing works by exploiting urgency, trust, fear, and familiarity rather than depending only on technical compromise.
Can phishing happen outside email?
Yes. Phishing can occur through text messages, social media, collaboration tools, fake websites, voice calls, and other communication channels.
Related Cybersecurity Terms
