Phishing (Phishing Attack)


What is Phishing?

Phishing is a type of cyberattack in which a threat actor “fishes” for potential victims by impersonating a trustworthy entity. The objective is to lure potential victims into revealing sensitive information, transferring funds, or completing some other action that will benefit the attacker.


Phishing scams can be conducted through text messages, social media comments and direct messages, or phone calls, but email is still the most cost-effective way for attackers to reach large numbers of potential victims with minimal effort. According to the United States Cybersecurity and Infrastructure Security Agency (CISA), more than 90% of successful cyberattacks start with a phishing email.


Key Takeaways 

  • Phishing is a form of social engineering that is illegal in most countries with established cybercrime laws.
  • The exploit involves fraudulent electronic communication designed to trick a victim into doing something that benefits the attacker.
  • Most phishing attacks are conducted through email.
  • Phishing emails are designed to appear as if they come from a trustworthy source.
  • Artificial intelligence is making it easier for phishers to target victims at scale.  

History of Phishing

The term “phishing” is believed to have been coined in the mid-1990s by Khan C. Smith, a well-known spammer and hacker; its first recorded uses appeared in the AOL-cracking tool AOHell and on Usenet in 1996, when attackers posing as AOL staff tricked users into handing over their passwords. The “ph” spelling follows the older hacker term “phreaking” (phone-system hacking). The word choice was meant to convey the idea that if the attacker used the right bait and cast a wide enough net, they were bound to catch at least one fish (victim).

Early phishers required technical skills to carry out an attack. Today, criminals can purchase phishing kits on the dark web or team up with Phishing-as-a-Service (PhaaS) partners who handle the technical side of phishing in exchange for a fee or share of the profits.

How Phishing Works: Phishing Attack Indicators

Criminals who conduct phishing campaigns typically impersonate legitimate organizations or trustworthy entities and make requests that allow the attacker to intercept sensitive information, benefit from a financial transaction, or gain access to a network.

The biggest red flags that an unsolicited email or text message is a phishing attempt are: the message arrives out of the blue and demands urgent action; it asks you to click a link, open an attachment, or supply credentials or payment details; and the sender’s address or the link’s domain looks almost, but not quite, like the legitimate one (for example, a display name that matches your bank while the actual address is on an unrelated domain).

Here is an example of a phishing email.

Phishing Email Example

Here are some examples of phishing text messages.

Phishing Text Messages Examples

Types of Phishing Exploits

Phishing techniques can easily be adapted to different attack objectives. Phishers can either cast a broad net hoping to catch a few victims – or a narrow net designed to catch a specific victim. It’s this versatility that is so appealing to criminals and so frustrating for law enforcement.

Types of phishing exploits include:

Email phishing
This is the most common form. The attacker sends an email that appears to come from a legitimate source, such as a bank, credit card company, or government agency. The email usually carries a link to a fake website that mimics the real one (or an attachment that installs malware). Credentials or other sensitive data entered on the fake site go straight to the attacker.

Generative AI chatbots have made it easier than ever to produce fluent, error-free messages in any language, removing the spelling and grammar mistakes that used to give phishing emails away.

Smishing
Phishing delivered by SMS text message. The text usually contains a shortened or look-alike link that leads to a fake website, or asks the recipient to reply with sensitive information; parcel-delivery and unpaid-toll notices are common lures.
Vishing
Phishing by phone. The attacker uses their own voice, or an AI-generated (cloned) voice, to impersonate a representative of a legitimate company or organization. Caller ID is easily spoofed, so a familiar number proves nothing.
Spear phishing
A targeted attack in which the message is tailored to one victim or a small group, using details gathered from social media, company websites, or earlier data breaches. For example, the email might reference a project the victim is known to be working on. AI and machine learning (ML) make this personalization cheap at scale, so the message is more likely to be opened and believed.
Whale phishing
Spear phishing aimed at a “very big fish”, such as a large enterprise’s Chief Financial Officer (CFO) or another C-level executive, or at staff who can move money on an executive’s instruction.
Crypto phishing
This scam targets cryptocurrency investors and traders. Messages appear to come from an exchange or wallet provider and lead to a fake site that captures login credentials, or that asks the victim to enter a wallet seed phrase or approve a transaction that drains the wallet. Cryptocurrency transfers are irreversible, so there is no chargeback.
Angler phishing
This attack uses social media platforms such as Facebook and TikTok as the attack vector. The attacker creates fake accounts, often posing as a brand’s customer-support team, replies to users who complain publicly, builds trust, and eventually sends a direct message (DM) or post containing a link to a phishing site.
Malvertisements (malvertising)
The attacker places malicious ads on legitimate websites or in search results. Clicking the ad leads to a phishing page, a fake software download, or a site that attempts to install malware.

Most Targeted Industries for Phishing Attacks

Currently, the top targeted industries for phishing attacks include:

  • Social media platforms
  • Financial institutions
  • Technology companies
  • Healthcare providers
  • Government agencies
  • Education institutions
  • Online retailers

Phishing Examples

Here are four notable examples of successful phishing exploits:

RSA Security (2011)
Attackers sent an email with the subject line “2011 Recruitment Plan” to a small group of RSA employees. The attached Excel spreadsheet carried an embedded zero-day exploit that installed a backdoor, giving the attackers a foothold in the security firm’s network and, ultimately, access to data about its SecurID tokens.

Target (2013)
Attackers used phishing emails to compromise a third-party HVAC vendor, then used the vendor’s network access to reach Target’s systems and install malware on point-of-sale terminals. Roughly 40 million payment card records were stolen, and the breach kicked off a wave of follow-up spear phishing aimed at customers who feared their data had been exposed.

Facebook and Google Phishing Scam (2017)
A Lithuanian man, arrested in 2017, later pleaded guilty to a business email compromise scheme that defrauded Facebook and Google of over $100 million. He impersonated a legitimate hardware supplier that both companies used and sent invoices requesting that payment for services rendered be wired to bank accounts he controlled.

Twitter Bitcoin Scam (2020)
The attackers first phoned Twitter employees and talked them into entering their credentials on a fake login page (a vishing attack), which gave them access to internal account-management tools. They then posted fake Bitcoin giveaway messages from compromised high-profile accounts. By the time the accounts were locked down, victims had sent more than $100,000 in Bitcoin.

Psychological Strategies Used in Phishing

Phishing uses social engineering strategies designed to exploit people’s emotions and social values. While technical tactics are critical components, psychological manipulation is often the primary factor that determines an attack’s success.

Popular strategies include taking advantage of people’s trust in authority figures, their desire to be helpful, urgency and the fear of losing access or money, and their fear of missing out (FOMO).

Technical Techniques Used in Phishing

Technical tactics commonly used in phishing attacks include:

Email spoofing
The attacker forges message headers, most often the From display name and address, so the message appears to come from a trusted sender. Spoofing is possible because Simple Mail Transfer Protocol (SMTP), the standard protocol for transferring email, does not itself verify that the “From” address belongs to the sending system. Receivers can only reject forged senders when the impersonated domain publishes SPF, DKIM, and DMARC records and the receiving server checks them; a DMARC policy of p=none still lets spoofed mail through.
Credential harvesting
The attacker creates fake login pages for popular services to capture usernames, passwords, and one-time codes; the kit often forwards the victim to the real site afterward so nothing looks amiss.
Link manipulation
The visible text of a link in an HTML email can say one thing while the href points somewhere else. Attackers also place a trusted brand name in the subdomain of a domain they control (the bank’s name followed by an unrelated registered domain), use URL shorteners, or abuse open-redirect parameters on legitimate sites so that URL filters see a trusted domain.
Malicious redirects
The attacker uses hidden iframes or JavaScript on a compromised legitimate site to bounce visitors to the phishing page, so the first URL the victim sees is reputable.
Domain spoofing
The attacker registers look-alike domains: typos of the real name, a different top-level domain, swapped characters such as “rn” for “m”, or internationalized (punycode) domains whose Unicode characters resemble Latin letters.
Man-in-the-Middle (MitM) attacks
Adversary-in-the-middle phishing kits run a reverse proxy that relays the victim’s traffic to the real site in real time. The victim logs in successfully, including any SMS or app-generated one-time code, while the proxy captures the credentials and the authenticated session cookie. Only phishing-resistant authenticators bound to the real origin (FIDO2/WebAuthn passkeys and hardware security keys) defeat this.
Session hijacking
The attacker steals active session cookies or tokens, whether through an adversary-in-the-middle proxy or infostealer malware, and replays them to act as the user without needing the password or a second factor.
Brand impersonation
The attacker solicits sensitive information from the victim by leveraging the trust they have in a particular brand name, copying its logos, wording, and page layout.
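As an added example (not part of the original article, and not any vendor’s product), the following Python script applies several of the checks just described, and the red flags listed under phishing indicators, to a constructed sample message: it compares the From domain with the envelope Return-Path, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and inspects each link for anchor-text/href mismatches, a brand name embedded in an untrusted host, IP-literal hosts, punycode, and the userinfo “@” trick. The sample email, the trusted-domain set, and every domain name in it are assumptions invented for the example.

```python
"""Triage one raw email for the spoofing and link tricks described above.
Added example, not from the article; the message and domains are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name and From address claim a bank, but the
# envelope sender, the authentication verdicts and the links point elsewhere.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-deliver.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-deliver.example; dkim=none; dmarc=fail header.from=examplebank.com
From: "ExampleBank Security" <alerts@examplebank.com>
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Click <a href="http://examplebank.com.secure-login.example/verify">https://www.examplebank.com/verify</a></p>
<p>Or <a href="http://203.0.113.5/login">here</a></p>
<p><a href="https://www.examplebank.com/help">Help</a></p>
</body></html>
"""

TRUSTED = {"examplebank.com"}  # assumed: domains the recipient actually does business with
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|verify)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a From or Return-Path header."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower()


def parse_auth_results(header_value) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or ""), re.I)}


def host_finding(host, trusted=TRUSTED):
    """Why a URL host looks deceptive, or None if it is trusted or merely unrelated."""
    host = (host or "").lower().rstrip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return None                                   # the real domain or a real subdomain
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "IP-literal host"
    if "xn--" in host:
        return "punycode host (possible homoglyph domain)"
    for t in trusted:
        if t in host:                                 # brand name used as a subdomain label
            return f"trusted name '{t}' used inside untrusted host '{host}'"
    return None


def link_findings(href: str, anchor_text: str, trusted=TRUSTED) -> list:
    """Findings for one <a href=...>text</a> pair."""
    findings = []
    real = urlparse(href)
    if real.username is not None:                     # http://trusted.example@evil.example/
        findings.append("userinfo '@' in URL hides the real host")
    reason = host_finding(real.hostname, trusted)
    if reason:
        findings.append(reason)
    shown = anchor_text.strip()
    if re.match(r"https?://", shown, re.I):           # visible text looks like a URL
        shown_host = urlparse(shown).hostname
        if shown_host and shown_host.lower() != (real.hostname or "").lower():
            findings.append(f"anchor text shows '{shown_host}' but link goes to '{real.hostname}'")
    return findings


def analyze(raw: bytes, trusted=TRUSTED) -> dict:
    """Triage one raw RFC 5322 message and return structured findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain '{from_dom}' differs from Return-Path domain '{rp_dom}'")
    if auth.get("dmarc") == "fail":
        findings.append(f"DMARC failed for '{from_dom}': the From header is not authenticated")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature on the message")
    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append("urgency cue in subject line")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        for f in link_findings(href, re.sub(r"<[^>]+>", "", text), trusted):
            findings.append(f"link {href}: {f}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

On the sample the script reports seven findings: the From/Return-Path domain mismatch, the DMARC failure, the missing DKIM signature, the urgency cue in the subject, the brand name buried in an untrusted host, the anchor text that does not match the real link, and the IP-literal link. The legitimate help link produces nothing, which is the point: a mailbox rule that simply blocks all links would also block the real site, whereas these checks single out the deceptive ones.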

Phishing and AI

Artificial intelligence (AI) is making it easier for criminals to create realistic phishing content that is harder for humans and anti-phishing filters to detect. Attackers are using large language models (LLMs) and other generative AI tools to:

  • Write convincing, personalized spear phishing messages at scale, in any language.
  • A/B test subject lines and email content to find the variants that get the most clicks.
  • Generate realistic phishing web pages and cloned login forms.
  • Clone voices for vishing calls.
  • Run chatbots that engage with potential victims to build rapport before the actual ask.

Ways to Prevent Phishing Attacks

To mitigate the risks associated with phishing, individuals and organizations need to prioritize phishing awareness training, implement robust email filtering, consider anti-phishing cloud services, and follow best practices for online safety. Organizations should also publish SPF, DKIM, and DMARC records for their own domains with an enforcing DMARC policy (p=reject), so that receiving mail servers can discard mail that spoofs them, and should move users to phishing-resistant multi-factor authentication.
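As an added example, not from the article, here is a small Python checker that reads an SPF record and a DMARC record and reports the settings that leave a domain easy to spoof. The records are constructed strings for a hypothetical domain (a weak pair beside a hardened pair); a real audit would fetch the TXT records from DNS, which this script deliberately does not do, so it runs offline.

```python
"""Audit SPF and DMARC records for settings that leave a domain easy to spoof.
Added example; the records below are constructed, not fetched from DNS."""
import re

# Constructed records for a hypothetical domain: the weak pair still lets
# spoofed mail through, the hardened pair tells receivers to reject it.
WEAK = {
    "spf": "v=spf1 include:_spf.mailer.example ~all",
    "dmarc": "v=DMARC1; p=none; pct=100",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailer.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
             "rua=mailto:dmarc@example.test; adkim=s; aspf=s",
}

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record: str) -> list:
    """Weak settings in an SPF record: permissive 'all' qualifier, too many lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every sender: anyone can pass SPF")
    elif last == "?all":
        findings.append("'?all' is neutral: unauthorized senders are not rejected")
    elif last == "~all":
        findings.append("'~all' softfail only: receivers may still deliver spoofed mail")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10: SPF evaluates to permerror")
    return findings


def dmarc_findings(record: str) -> list:
    """Weak settings in a DMARC record: non-enforcing policy, partial rollout, no reporting."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is monitored but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid 'p' tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: no aggregate reports, so spoofing goes unseen")
    # Subdomains inherit 'p' unless 'sp' overrides it, so only an explicit weaker 'sp' matters here.
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not protected by the reject policy")
    return findings


def assess(records: dict) -> dict:
    """Combine SPF and DMARC findings for one domain's records."""
    return {"spf": spf_findings(records["spf"]), "dmarc": dmarc_findings(records["dmarc"])}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(recs))
```

The weak pair is the state many domains sit in for years: SPF ends in ~all (softfail, so receivers usually still deliver) and DMARC is at p=none with no reporting address, which means spoofed mail is neither blocked nor noticed. The hardened pair rejects on failure, covers subdomains, and collects aggregate reports so the domain owner sees who is impersonating it.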

Tips to Protect Yourself Against Phishing

The following security precautions are recommended to prevent phishing attacks from being successful:

  1. Hover over links to preview the real URL before clicking, and read the registered domain (the part just before the top-level domain), not the familiar-looking prefix.
  2. Never open unsolicited email attachments.
  3. Do not click on links in unsolicited email or text messages; type the organization’s address into the browser or use a saved bookmark instead.
  4. If you receive an unexpected request for personal or financial information, or for a change of payment details, verify it with the sender through a channel you already know, not the contact details in the message.
  5. Enable multi-factor authentication (MFA) on all online accounts, preferring phishing-resistant methods (passkeys, FIDO2 security keys) over SMS or app-generated codes, which an adversary-in-the-middle phishing site can relay.
  6. Treat unexpected calls with suspicion even when the caller ID shows a familiar name or number; hang up and call back on a published number.
  7. Always install updates for web browsers, operating systems, and software applications.
  8. Avoid entering credentials or payment details over untrusted public networks.
  9. Report suspected scams to your IT or security team and to the impersonated organization.

Anti-Phishing Software

Anti-phishing software can help protect individuals and organizations from phishing attacks. It is often bundled with anti-virus or secure email gateway products. Key features and functions commonly include:

  • Scanning inbound mail for links and attachments that match known phishing sites and malware.
  • Checking SPF, DKIM, and DMARC results and quarantining messages that fail authentication or impersonate internal senders.
  • Detonating attachments and following links in a sandbox before delivery.
  • Browser warnings when a user visits a known phishing page or a newly registered look-alike domain.
  • A one-click “report phishing” button that forwards suspicious messages to the security team.

The Bottom Line

Phishing succeeds either by volume, casting a wide net and waiting for a few unsuspecting victims to bite, or by precision, as in spear phishing and whaling. To protect yourself from phishing attacks, it’s important to be aware of the tactics criminals use. Common features of phishing messages are unexpected requests for credentials or payment, urgent calls to action, and links or sender addresses that do not match the organization they claim to represent.




Margaret Rouse
Technology expert

Margaret is an award-winning writer and educator known for her ability to explain complex technical topics to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles in the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret’s idea of ​​a fun day is to help IT and business professionals to learn to speak each other’s highly specialized languages.