What is Phishing?
Phishing is a type of cyberattack in which a threat actor “fishes” for potential victims by impersonating a trustworthy entity. The objective is to lure potential victims into revealing sensitive information, transferring funds, or completing some other action that will benefit the attacker.
Phishing scams can be conducted through text messaging, comments on social media posts, or phone calls – but email remains the cheapest way for an attacker to reach a large number of potential victims with minimal effort. According to the United States Cybersecurity and Infrastructure Security Agency (CISA), more than 90% of successful cyberattacks start with a phishing email.
Key Takeaways
- Phishing is a form of social engineering that is illegal in most countries with established cybercrime laws.
- The attack uses fraudulent electronic communication to trick a victim into doing something that benefits the attacker, such as entering credentials on a fake login page or approving a payment.
- Most phishing attacks are conducted through email.
- Phishing emails are designed to appear as if they come from a trustworthy source.
- Artificial intelligence is making it easier for phishers to target victims at scale.
History of Phishing
The term “phishing” is believed to have been coined in the mid-1990s. It is usually credited to the spammer and hacker Khan C. Smith and first appeared in AOHell, a tool that stole AOL account credentials by sending fake messages that appeared to come from AOL staff. The spelling follows the hacker habit of replacing “f” with “ph” (as in phreaking), and the metaphor is that with the right bait and a wide enough net, the attacker is bound to catch at least one fish (victim).
Early phishers required technical skills to carry out an attack. Today, criminals can purchase phishing kits on the dark web or team up with Phishing-as-a-Service (PhaaS) partners who handle the technical side of phishing in exchange for a fee or share of the profits.
How Phishing Works: Phishing Attack Indicators
Criminals who run phishing campaigns impersonate legitimate organizations or trusted individuals and make requests designed to harvest credentials or other sensitive information, profit from a fraudulent transaction, or gain a foothold in a network.
The biggest red flags that an unsolicited email or text message is a phishing attempt are: the message arrives unexpectedly and demands urgent action; it asks you to click a link, open an attachment, or supply credentials or payment details; and the sender’s address or the link destination resembles a legitimate domain but is slightly off (an extra word, a swapped character, or a different top-level domain). Generic greetings, a display name that does not match the underlying address, and a link whose visible text differs from where it actually points are further signs.
Types of Phishing Attacks
Phishing techniques can easily be adapted to different attack objectives. Phishers can cast a broad net hoping to catch a few victims – or a narrow net designed to catch a specific victim. It’s this versatility that is so appealing to criminals and so frustrating for law enforcement.
Types of phishing include:
- Bulk email phishing: a generic lure sent to a large list of addresses.
- Spear phishing: a lure tailored to a specific person or role, often built from details gathered on social media or from earlier breaches.
- Whaling and business email compromise (BEC): spear phishing aimed at executives, or impersonating an executive or supplier to redirect payments.
- Smishing: phishing over SMS or messaging apps.
- Vishing: phishing over voice calls.
- Angler phishing: fake customer-support accounts that reply to complaints posted on social media.
Most Targeted Industries for Phishing Attacks
Industries whose brands are most often impersonated, and whose customers and employees are therefore most often targeted, currently include:
- Social media platforms
- Financial institutions
- Technology companies
- Healthcare providers
- Government agencies
- Education institutions
- Online retailers
Phishing Examples
Here are four notable examples of successful phishing attacks:
- RSA (2011): a spear-phishing email sent to a small group of employees carried a spreadsheet attachment that exploited a then-unpatched Flash vulnerability; the resulting intrusion compromised information about RSA’s SecurID tokens.
- Target (2013): attackers stole network credentials from an HVAC contractor through a phishing email and used that access to reach Target’s network and, ultimately, its point-of-sale systems; roughly 40 million payment cards were exposed, and phishing emails impersonating Target followed the breach.
- Google and Facebook (2013–2015): Evaldas Rimasauskas posed as the Taiwanese hardware vendor Quanta Computer and emailed forged invoices and contracts; the two companies wired more than $100 million before the fraud was detected.
- Twitter (2020): attackers phoned Twitter employees while posing as IT staff (vishing), obtained credentials and access to internal tools, and used them to hijack high-profile accounts for a cryptocurrency scam.
Psychological Strategies Used in Phishing
Phishing uses social engineering strategies designed to exploit people’s emotions and social values. While technical tactics are critical components, psychological manipulation is often the primary factor that determines an attack’s success.
Popular strategies include exploiting people’s trust in authority figures, their desire to be helpful, their fear of loss (a suspended account, a missed payment), and their fear of missing out (FOMO). Urgency is layered on top so the target acts before checking.
Technical Techniques Used in Phishing
Technical tactics commonly used in phishing attacks include:
- Forging the display name or the From: header so the message appears to come from a trusted sender.
- Registering lookalike domains that swap or add characters (for example, the digit 1 in place of a lowercase l) to imitate a legitimate brand.
- Links whose visible text shows a legitimate URL while the underlying href points to an attacker-controlled site, often hidden behind URL shorteners or open redirects.
- Cloned login pages that capture credentials and, in real-time kits, relay one-time codes to the genuine site.
- Malicious attachments (macro-enabled documents, HTML files, archives) that deliver malware or open a credential form.
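As an added example (not code from the original page), the following Python script checks a raw message for the red flags described under “Phishing Attack Indicators” and the technical tricks listed here: a sender domain that imitates a protected brand, urgency language, and a link whose visible text points somewhere other than its href. The two sample messages, the protected-brand list, the urgency word list and the confusable-character map are constructed for the demonstration; the two-label “registrable domain” rule is a simplification that a production filter would replace with the public suffix list.

```python
"""Heuristic scan of a raw e-mail for common phishing indicators (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands whose domains the scanner protects (assumed list for the example).
PROTECTED_DOMAINS = ("paypal.com", "microsoft.com", "google.com")
# Words and phrases that pressure the reader into acting without checking.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "within 24 hours")
# Characters attackers substitute for look-alike letters (1 for l, 0 for o, ...).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a credential-harvesting lure imitating PayPal.
PHISH_EMAIL = b"""From: "PayPal Support" <service@paypa1-secure.com>
To: victim@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify your account immediately.</p>
<p><a href="http://paypa1-secure.com/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample: an ordinary message that should raise no findings.
CLEAN_EMAIL = b"""From: "Alice" <alice@example.com>
To: victim@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Are you free for lunch on Friday? Menu: https://www.example.com/menu
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: enough for the .com samples;
    real code needs the public suffix list for domains such as example.co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(domain: str):
    """Return the protected brand domain that `domain` imitates, or None."""
    domain = registrable(domain)
    if domain in PROTECTED_DOMAINS:
        return None
    base = domain.split(".")[0].translate(CONFUSABLES).replace("rn", "m")
    for brand in PROTECTED_DOMAINS:
        brand_base = brand.split(".")[0]
        if brand_base in base or levenshtein(base, brand_base) <= 1:
            return brand
    return None


def scan(raw: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    brand = lookalike_of(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} imitates {brand}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = f"{msg.get('Subject', '')} {text}".lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    for href, inner in ANCHOR_RE.findall(text):
        target = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(target):
                findings.append(f"link text shows {shown_host} but points to {target}")
        brand = lookalike_of(target)
        if brand:
            findings.append(f"link host {target} imitates {brand}")
    return findings


def is_suspicious(raw: bytes) -> bool:
    """Two independent indicators is a reasonable threshold for flagging a message."""
    return len(scan(raw)) >= 2


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, scan(sample))
```

Each check on its own produces false positives (a genuine bank reminder also says “verify” and “immediately”), which is why the verdict requires two independent indicators; the lookalike test, which normalizes digit substitutions before comparing, is the one that most reliably separates the sample lure from ordinary mail.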
Phishing and AI
Artificial intelligence (AI) is making it easier for criminals to create realistic phishing content that is harder for humans or anti-phishing services to detect. Attackers are using large language models (LLMs) and other generative AI tools to:
- Automate spear phishing at scale.
- Conduct A/B testing to optimize email content.
- Publish realistic phishing web pages.
- Create chatbots that allow the attacker to engage with potential victims before launching an attack.
10 Ways to Prevent Phishing Attacks
To mitigate the risks associated with phishing, individuals and organizations need to prioritize phishing awareness education, implement robust email filtering, consider using anti-phishing cloud services, and follow best practices for online safety.
The following security precautions are recommended to prevent phishing attacks from being successful:
- Hover over links to preview URLs before clicking.
- Never open unsolicited email attachments.
- Do not click on links in unsolicited email or text messages.
- If you receive an unexpected request for personal or financial information, contact the sender directly.
- Enable multi-factor authentication (MFA) for all online accounts, preferring phishing-resistant methods (FIDO2 security keys or passkeys) where available: SMS and one-time codes can be relayed in real time by modern phishing kits.
- Use strong, unique passwords kept in a password manager (it will not autofill credentials on a lookalike domain), and keep antivirus software running.
- Don’t answer cell phone calls from unknown numbers.
- Always allow updates for web browsers, operating systems, and software applications.
- Avoid using public networks.
- Report suspected scams.
Anti-Phishing Software
Anti-phishing software can help protect individuals and organizations from phishing attacks. This type of software is often bundled with anti-virus software. Key features and functions include:
- Email sender authentication (SPF, DKIM and DMARC checks on inbound mail)
- Link analysis
- Attachment scanning
- Heuristic filtering
- Sender blacklists/whitelists
- Anti-phishing browser extensions
- Features that make it easier to report phishing messages
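The first two features above, sender authentication and sender lists, are worth seeing together, because a passing SPF or DKIM result proves only that some domain authenticated, not that it is the domain shown in From:. The following Python function, an added example rather than any product’s implementation, applies a DMARC-style alignment check to the Authentication-Results header that an inbound mail server records (RFC 8601), and combines it with a block list. The trusted server identifier, the block list and the four sample messages are constructed; the two-label organizational-domain rule is a simplification.

```python
"""DMARC-style alignment check on a recorded Authentication-Results header (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Identifier that our own inbound MX writes into Authentication-Results (assumed).
TRUSTED_AUTHSERV_ID = "mx.example.com"
# Block list keyed on the organizational domain of the From: header (assumed).
BLOCKLIST = {"paypa1-secure.com"}

AUTH_STATUS_RE = re.compile(r"\b(spf|dkim)=(pass|fail|softfail|neutral|none|temperror|permerror)\b")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")
SPF_DOMAIN_RE = re.compile(r"smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)")

# Genuine mail: SPF and DKIM both pass for the same organization as From:.
ALIGNED = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mail.paypal.com; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your receipt

Thanks for your payment.
"""

# Spoofed From: the sending host authenticates, but as a different domain.
UNALIGNED = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=news@bulk-sender.net; dkim=pass header.d=bulk-sender.net
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Action required

Confirm your details.
"""

# Lookalike domain the attacker owns: authentication passes and aligns.
BLOCKED = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=x@paypa1-secure.com; dkim=none
From: "PayPal Support" <service@paypa1-secure.com>
To: victim@example.com
Subject: Action required

Confirm your details.
"""

# A header stamped by some other server, possibly inserted by the attacker.
FORGED_AR = b"""Authentication-Results: mail.attacker.test; spf=pass smtp.mailfrom=x@paypal.com; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Action required

Confirm your details.
"""


def org_domain(host: str) -> str:
    """Last two labels (assumption; production code would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def evaluate(raw: bytes) -> dict:
    """Return alignment results and a verdict: accept, quarantine or reject."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(str(msg.get("From", "")))
    from_domain = org_domain(sender.rpartition("@")[2])
    result = {"from_domain": from_domain, "spf_aligned": False, "dkim_aligned": False}

    header = str(msg.get("Authentication-Results", ""))
    # Trust only the header our own MX stamped; any other copy may be forged upstream.
    if header.split(";")[0].strip() == TRUSTED_AUTHSERV_ID:
        status = dict(AUTH_STATUS_RE.findall(header))
        spf = SPF_DOMAIN_RE.search(header)
        dkim = DKIM_DOMAIN_RE.search(header)
        result["spf_aligned"] = (status.get("spf") == "pass" and spf is not None
                                 and org_domain(spf.group(1)) == from_domain)
        result["dkim_aligned"] = (status.get("dkim") == "pass" and dkim is not None
                                  and org_domain(dkim.group(1)) == from_domain)

    if from_domain in BLOCKLIST:
        result["verdict"] = "reject"
    elif result["spf_aligned"] or result["dkim_aligned"]:
        result["verdict"] = "accept"
    else:
        result["verdict"] = "quarantine"
    return result


if __name__ == "__main__":
    for name, sample in (("aligned", ALIGNED), ("unaligned", UNALIGNED),
                         ("blocked", BLOCKED), ("forged", FORGED_AR)):
        print(name, evaluate(sample))
```

The BLOCKED sample is the important caveat: an attacker who registers a lookalike domain can publish valid SPF and DKIM records for it, so authentication passes and aligns and only the block list (or a lookalike check) catches it. Allow lists deserve the same care: an allow list keyed on the From: domain alone is exactly what the UNALIGNED sample exploits, so entries should only apply when the message is also aligned.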
The Bottom Line
Phishing works because the attacker needs only a small fraction of recipients – or a single well-chosen target – to take the bait. To protect yourself from phishing attacks, it’s important to be aware of the tactics criminals use. Common features of phishing emails include unexpected requests for sensitive information, urgent calls to action, and sender addresses or links that look almost, but not quite, legitimate.
FAQs
What is phishing in simple words?
What is an example of phishing?
What is the detailed definition of phishing?
What are the four types of phishing?
Why are phishing attacks so effective?
References
- 4 Things You Can Do To Keep Yourself Cyber Safe (Cisa)
- Avoid and report phishing emails – Gmail Help (Support.google)
- Angler Phishing: What is it? (Clearviewfcu)
- The RSA Hack: How They Did It – The New York Times (Archive.nytimes)
- The Target Breach 10 Years Later (Securityinfowatch)
- New Email Scam Related to Target Data Breach (Blog.memcu)
- Lithuanian pleads guilty in U.S. to massive fraud against Google, Facebook (Reuters)
- Twitter Investigation Report | Department of Financial Services (Dfs.ny)
- Report a Phishing Page (Safebrowsing.google)
- On the Internet: Be Cautious When Connected (Fbi)
- Bird (formerly MessageBird) Guides | Introduction To Email Authentication (Bird)
- Don’t Be A Phishing Victim : Know Your Anti-Phishing Chrome Extension (Phishprotection)