Chris Lawrence is a journalist and chief editor at Wlan Labs. He has been writing about technology for more than ten years. He writes about everything ranging from privacy to open source software. His goal is to educate readers about important topics to help make their lives easier.
One of the most frequently asked questions we get is what is phishing? Phishing attacks are among the most common tools used by cybercriminals. An attack lures an unwary user to click a link that redirects them to a malicious website. Malware on this site infects your computer and sends sensitive information back to the hacker.
Alarming phishing statistics reveal that U.S. companies lose billions of dollars each year to phishing. Private individuals are also targeted for their bank details – many scammers deliberately target vulnerable individuals such as the elderly.
Businesses and individuals need to recognize phishing attempts. This includes where attacks occur, what they look like, and how to protect yourself against phishing.
Phishing Meaning: Quick Summary
What happens in a phishing attack?
Here’s a summary of how phishing works:
- A cybercriminal plants a malicious link or attachment in an email or on a website.
- The information around the link is designed to look trustworthy or like you could benefit from clicking it.
- You click the link or attachment. If it’s a link, it’ll redirect you to a malicious site where malware is downloaded onto your computer. If it’s an attachment, malware will be downloaded directly onto your device.
- The website might contain scripting that installs spyware or viruses on your device. Alternatively, it might require you to fill out fraudulent data entry forms when encouraging you to “win a prize”, “protect your account”, or another urgent-seeming request.
- In most cases, damage begins as soon as you click the link. However, there are steps you can take to mitigate the harm done by malicious software – these are outlined below.
The endgame of any attack is to acquire details that can be used for the hacker’s profit. This might mean stealing your banking information to withdraw money. It might mean harvesting sensitive data to use in a ransomware attack on a business.
The #1 rule of phishing awareness is always to pause before clicking a link. These attacks rely on carelessness rather than high-powered hacking software. However, the success of phishing has led to it becoming the most common type of cyber-attack today.
History of Phishing
The phishing method was developed on America Online (AOL) in the 1990s. A group of teenagers identifying as hackers discovered that they could trick other users into sharing sensitive information by posing as AOL employees.
This was referred to as “fishing”. Eventually, a user known as “Da Chronic” created a piece of software that automated the process called AOHell. He described this process as “phishing”.
Their initial goal was to maintain free and anonymous access to AOL’s services by stealing new users’ sign-up information. In time, they discovered this tactic could be used to steal credit card information and withdraw money from unsuspecting AOL users’ bank accounts.
First phishing lawsuit
This led to the first-ever phishing lawsuit in 2004. The defendant was a 17-year-old Californian teenager. Criminal charges weren’t pressed, but this was the start of a cybercrime strategy that now costs larger U.S. businesses around $15m annually.
Attempting to obtain valuable information through deception wasn’t “new” in the AOL case. Cybercriminals have attempted to con others since the beginning of the internet.
Nor was it the beginning of “spam” emails, although the teenager charged with phishing was subsequently banned from sending spam emails.
Rather, phishing represented a highly effective marriage of spam marketing tactics and identity fraud. Malicious parties could make easy profits by mass-sending phishing emails to a service’s userbase.
These emails would resemble official correspondence to gain the user’s trust. The final step was to encourage the user to click a harmless-looking link to “reset their password”, “claim a reward”, or something similar.
Phishing in the 2010s
The 2010s saw the phishing scam being widely adopted by organized crime groups. Spear phishing, a targeted attack that takes great care to make the phishing message look authentic, was behind some of the largest-ever scams.
High-profile victims of phishing in the 2010s included the internet giants Facebook and Google – the corporations lost over $100m between them to a phisher.
Sony Pictures was another well-known corporation to suffer, with some reports estimating a phishing leak in 2014 might cost the studio $100m to repair, although other estimates were much lower.
The Facebook and Google case was considered especially shocking. The 2 corporations supposedly protect the data of billions of users worldwide.
Furthermore, Gmail is one of the world’s most popular email services and millions of people rely on its spam filters to protect them from phishing emails. How could this happen?
Phishing is considered a “low-tech” type of cyberattack because it relies on unsuspecting users rather than forcing a way through complex security systems. This breach underlined the point that anyone can be fooled by a well-designed phishing campaign if they’re careless.
The devastating Colonial Pipeline attack in 2021 was facilitated by sophisticated ransomware. However, access to plant the ransomware was obtained via a single password. Some have speculated that this may have been obtained through a phishing email.
The attack cost millions of dollars and threatened to severely disrupt U.S. infrastructure. Even if the password was obtained through other means, the fact that it could have been phished shows how much damage a malicious link can do.
Information literacy has improved since the 1990s. However, this has not led to the decline of phishing as a scam strategy. It remains one of the most popular types of cybercrime and costs individuals and businesses huge sums each year.
Who Uses Phishing Scams?
Phishing campaigns are used by all kinds of cybercriminals. Phishing is extremely popular because:
- Phishing is cheap. Designing a phishing email is easy and takes almost no time for an experienced cybercriminal. The main cost consideration is the fake website behind the link.
- Anyone can do it. Even novices can purchase “phishing kits” for a low price. A phishing kit contains all the necessary software for a basic attack.
- It’s easy to find targets. You don’t need users’ login credentials to design an attack – just a mailing list. These are easy to find on the dark web.
- It has a high success rate. Cyber-criminals keep using this strategy because people keep clicking on malicious web links. We’re not as malware-conscious as we like to think.
More coordinated and targeted types of phishing attacks require a larger investment of time and resources.
For example, if a hacking group is targeting an organization, it pays to target only the most vulnerable parts of the business and put more effort into creating an official-looking message. As soon as an individual raises the alarm, the attack goes back to square 1.
However, generalized phishing that targets members of the public is a very cheap way for criminals to make money.
We don’t tend to tell our friends and colleagues about phishing messages unless we fall victim to them. Nor do we report them to the company being used as the “face” of the attack, enabling it to warn others on its mailing list.
A phishing campaign can remain active and effective for a long time without a coordinated response being made. This is partly why phishing remains one of the most popular types of cyber-attack today.
What are the Types of Phishing?
Broadly speaking, phishing attacks come from 2 sources:
- Malicious links or attachments in phishing emails
- Dubious links on websites
You might hear these referred to as “the 2 types of phishing attacks”. However, there are several types of phishing attacks within these categories. It’s useful to know these types in-depth – this gives you the best chance of protecting your data.
Phishing emails are the most common type of attack. The most general type is sent to a huge volume of email addresses. This kind of phishing email has a very low yield in terms of results but compensates for this by using enormous mailing lists.
These campaigns are often untargeted – they might not appear to be from a website or company you recognize. As they’re somewhat unsophisticated, these phishing emails usually end up in your spam folder.
Often, the email will carry a link accompanied by a CTA. This will suggest that clicking the link might benefit you in some way or that your account requires urgent action. Clicking this link redirects users to phishing websites. These websites contain malware that can steal your data or infect your device with viruses.
Alternatively, an email might include an attachment. Malicious attachments are popular because they download malware directly onto your device. They can also be framed more innocuously than links – a document might be assumed to only contain information.
The only type of attachment that is always safe to open is a .txt file. However, if you don’t recognize the email’s sender, it’s a good rule to never click on any attachment.
Targeted phishing attacks
Hackers might also mimic an organization that you’re subscribed to. This might be:
- Your bank
- A company you shop with
- A social media platform you use
- Any website site you receive marketing information from
- Your email provider
These campaigns have a higher rate of return than generic messages. They’re less likely to be detected by spam filters, as the email messages are designed to appear just like correspondence from a well-known company.
More thought and time goes into the design of these emails and they’ll often come from an address that is almost identical to the genuine article.
The address might include a character or pair of characters that resemble another – for example, “rn” instead of “m”.
Another common technique is domain spoofing. This means creating a fake email address that includes the company’s name, e.g. email@example.com. If the email is letter-headed and well-designed, this is often enough to persuade users that the message is legitimate.
Messages from financial institutions are especially popular. Cybercriminals exploit the immediate panic users feel when receiving an unexpected “urgent” message from their bank. It’s easier to click a “support” link in front of you than look up your bank’s fraud phone number and make a call.
Spear phishing is a highly targeted type of attack. It’s often used in scams that target businesses. Spear phishing attacks trick their victims into a sense of security by showing that they already know the victim.
This might include:
- Your name
- Your workplace (these phishing emails often purport to be from another department)
- Your role at your company, including specific information about your responsibilities
- The names and roles of other people in your business
This information builds a convincing message that the email is from an internal source. These emails almost always employ domain spoofing. If your company’s typical email address format was “firstname.lastname@example.org”, a spear-phishing email might come from an address like “email@example.com”.
Spear phishers will often use malicious attachments rather than links, although both are common. “See attached” is an everyday and innocuous phrase to see in a work email.
As spear phishing targets individuals rather than groups, the messages are tailored, which makes it easy to provide a good reason for the attachment.
Whaling is a type of spear attack that goes after high-ranking individuals in a company. It’s also called CEO fraud.
These messages need to be carefully designed, as they must:
- Present a legitimate reason for contacting a high-ranking staff member
- Often need to bypass a diligent PA or secretary who is trained to recognize suspicious emails
Again, attachments are more common than phishing links in whaling attacks. If successful, CEO fraud can devastate a company.
It allows a subsequent type of phishing called business email compromise (BEC), where the CEO’s email account can be used to send fraudulent emails to unsuspecting staff.
Clone phishing uses a real email sent by a legitimate organization and re-submits it with some subtle alterations. For example, a cloned email might mimic a “please rate our service” message from a courier service.
In a well-designed fraud attempt, the format of the message will be almost identical. The main 2 differences will be that the email domain is spoofed and the clickable button will lead to fake websites that contain malware.
This is a popular strategy because individuals are used to receiving multiple cloned emails from organizations. Unlike “urgent” messages from banks or utility companies, the low-key tone of the message can lull users into a false sense of security.
Pharming is a highly aggressive type of phishing. First, the attackers install malware on the victim’s device either via email phishing or through a dubious link on a website.
This malware causes your device to redirect to fraudulent websites every time you send a request through your browser, subsequently installing more malware and giving the attacker access to important details.
The longer this goes unchecked, the more information they can gain and the more devices they can spread the malware to.
The other type of pharming is also known as DNS cache poisoning. It involves taking advantage of vulnerabilities in a website’s server. It corrupts the server’s DNS (domain name system) table to redirect connections between a website’s URL and your device’s IP address.
Both types of pharming redirect traffic to malicious websites. DNS poisoning is much harder to protect against but is also a very complex type of attack. This makes it less common than other types of phishing.
A common tactic for scammers is to place malicious URLs on vulnerable websites. These are often “invisible” and cover a legitimate button.
You can usually detect these malicious links by hovering your cursor over the area around the button and checking the URL at the bottom-left corner of the screen.
The invisible links are often larger than the visible button, so if the URL remains, it’s probably a suspicious link. If the URL seems to have nothing to do with the website you’re on, this might also be a sign of fraud.
URL hijacking or typosquatting involves creating malicious sites with almost-identical URLs to legitimate websites.
People often make typos when entering web addresses, and hackers have often taken advantage of this by purchasing the misspelt domain name and placing phishing content on the “wrong” site.
This is a less common strategy today. Most major websites take steps to ensure there are no malicious “copycat” websites with similar URLs. However, it can still be an effective technique for smaller websites such as local businesses.
Tabnabbing is a form of phishing that changes the content of an inactive tab after it has loaded. In a busy browser display, an individual might not notice a pop-up. After some inactivity, this tab will “refresh” to mimic a legitimate website, e.g. your bank’s login page.
If you later decide to use online banking, you might notice the legitimate-seeming page and forget that it used to be a pop-up. Entering your details on this site will lead to malware installed on your device and/or your details being stolen.
Phishing remains the favored tool of cybercriminals worldwide. Email scams can still be successful but younger internet users tend to be wise to this method. Scammers are using social media, instant messaging, and other media to reach their targets in more innocuous locations.
This technique involves hackers creating fake social media accounts designed to look similar to major brands. On Twitter, this might be called “handle spoofing”, and is almost identical to domain spoofing.
These accounts create fake social media posts responding to customers who engage with the brand they’re impersonating. These posts claim to want to resolve the complaint and encourage users to send over information that can be used for identity theft.
The short, informal style of social media posts means they’re very easy to mimic. Link manipulation is also easy on Twitter as they’re typically sent using the bit.ly format, making it harder to verify if a link is safe.
Smishing, or SMS phishing, means sending malicious web links to users via SMS messages or instant messaging services. This is an increasingly popular type of attack, possibly due to the advent of 2-factor authentication.
This has made SMS messages more relevant to young people who have grown up using alternatives like WhatsApp or Facebook Messenger.
Large WhatsApp groups are easy for malicious parties to access for phishing attacks. Chat groups sometimes contain hundreds of members. This means that hackers can post a link to a phishing website disguised as a meme or video and reasonably expect 1+ responses for almost no investment.
Vishing, or voice phishing, attacks try to persuade users to submit personal details in a phone call. These often purport to be from the user’s internet service provider, utility company, or bank.
When pretending to be the user’s ISP, the fraudster will attempt to steal login credentials and even gain remote access to the user’s computer with a series of leading questions.
It’s typically framed as attempting to resolve an urgent issue such as a virus or hacking attempt. Voice phishing is widespread today and is highly effective.
Search engine phishing
Search engine phishing is an attempt to have a malicious site indexed on search engines. This is unlike most phishing scams because there’s no CTA other than a regular search link.
Google and other major search providers have powerful software to detect phishing domains and this is a difficult strategy to manage successfully. Many antivirus providers also flag dangerous results on search engines even when they’re indexed.
What Happens If You Get Phished?
So what is phishing used for? A successful phishing attack gives criminals access to valuable information. This might include:
- Your bank details
- Other personal details such as your social security number
- Your work login details
- Information that could be held against you
- Your company’s security infrastructure
From suspicious messages claiming you’ve won the lottery to CEO fraud, the goal of all phishing attacks is financial gain. Almost all devices store some type of information that has financial value to a fraudster. This is why phishing is still such an attractive technique for cybercriminals.
Simply opening a phishing email is almost always harmless. The only exception is if your email client allows scripting. This is extremely rare today and has to be manually enabled on most clients – others don’t allow scripting as an option.
Phishing emails rely on users clicking links or attachments to infect their devices. A link will typically redirect you to a malicious website. This will install malware designed to steal your data and potentially corrupt your device.
Attachments are popular in email phishing campaigns that target businesses. Opening the attachment will install malicious software onto your device. This could give the attackers a gateway into your business or infect other devices on your network.
Fraudulent data entry forms are popular in phishing attacks because they guarantee that the hacker receives certain valuable information. This usually includes your bank details and your social security number. It might also include employee identification data if you’re targeted at work.
Some phishing emails install harmful viruses onto your device as well as extract information. This can give the hackers more time to retrieve sensitive data by making your device inaccessible.
Am I Vulnerable to a Phishing Attack?
Everyone is vulnerable to phishing. High-quality antivirus software offers some protection and can warn you of phishing emails.
However, antivirus software specializes in blocking external threats. Malware phishing aims to circumvent this by making targeted users responsible for downloading malware behind the firewall.
You may not know if you’re the victim of an attack for some time. Some malware is designed to simply extract information without affecting your device’s performance.
You only become aware of this when criminals find a use for your information – this could take months or even years. It depends on the type of information and the purpose behind the attack.
Other attacks are more direct and may interfere with your device. In each case, the best way to know if you’ve been phished is to stop and think after clicking on a link that made no sense.
Even if the click was accidental or instinctive, any email that redirects you to a fake website is a phishing email. That means it’s time to take action.
What Should I Do If I Have Been Phished?
Falling victim to a phishing attack is frightening. However, there are several immediate steps you can take to mitigate the damage.
Was that link suspicious? A common first reaction to clicking a dodgy link in an email is denial and embarrassment.
There’s no shame in being the victim of a phishing attack. The most important thing is to acknowledge what’s happened and take action. Hoping for the best will lead to more data being compromised.
Immediately disconnect the device you used from the internet. Ensure it’s not connected to any other devices in a local network and switch it off. When malicious parties gain access to your device, their first goal is to spread the damage as far as possible. Cutting off internet access helps prevent this.
If you’ve suffered an attack at work, you should alert your business’s IT security teams. You should also raise it with your direct superior. If your account has been compromised, everyone in your business needs to know that more fraudulent messages might be on the way.
Create a backup of any sensitive information on your device. If you don’t know how to do this, ask your company’s IT professionals to help. Even if the scammers don’t extract the information they want, malware could still damage your device and cause irreparable harm to important files.
If you’ve clicked on a phishing link at home, you should immediately run a malware check on your computer if possible. Antivirus software installed on Windows and macOS computers tends to let you run a manual scan. Devices using Chrome OS such as Chrome Books will perform security checks automatically.
If you’ve opened a link from a phishing email on your phone, there should be an option to run a malware check in your settings.
Using a different device, change passwords and PINs to all your important accounts. These might include:
- Your bank account
- Your PayPal
- Any website that has your bank card associated with it
- Your computer’s login
- Your main email address
- Your work email address
- Any other work logins
Remember to create strong new passwords that have no similarities with your old passwords.
All banks have anti-fraud security teams. Call their hotline and explain the situation. Your bank will cancel your credit cards and let you know how to access your funds in the meantime. The sooner you do this, the more likely any stolen funds can be retrieved or refunded.
Is Phishing a Crime?
Phishing is defined under federal law as a type of computer and internet fraud. Orchestrating a phishing attack can result in fines of up to $10,000 and a 5-year jail sentence.
Cybercrime is often difficult to prosecute as gangs may operate internationally. This is another reason that phishing scams remain so popular among cybercriminals – the perpetrator rarely needs to be based in the same country as the target.
Recognizing common characteristics of fraud is the best way to prevent phishing attacks. These include:
- Suspicious domain. An email’s domain is the part after the “@” sign. This will usually be the company’s name. Phishing emails often switch the company’s name before the “@” to appear authentic.
- Grammatical errors. Many scam emails contain misspellings or poor grammar. This should be a warning sign, as major companies are unlikely to send out poorly-written email messages.
- Urgent tone. Most phishing emails are very keen for you to take action. This could be fixing a problem with your computer, claiming a prize, paying a debt, or taking action against bank fraud. If a message demands immediate action, always double-check it.
- It asks for sensitive information up-front. Messages from your bank never ask you to respond with your login or credit card information. Never put this data in an email.
Preventing Phishing at Your Business
Spear phishing aimed at businesses can cost millions in damages.
There are simple steps you should take to secure your business against attacks:
Emails targeting businesses often appear to come from within your organization. This may indicate that an employee’s account has already been compromised. It should be raised immediately.
You should always double-check an email with attachments if you don’t recognize the sender. Attachments tend to make more sense than link manipulation in spear-phishing attempts – even a Microsoft Office Document can contain malware.
Improving phishing awareness at your company helps employees to recognize potential threats. Performing routine exercises like sending simulated phishing emails can teach employees how easy it is to fall for a scam.
2-factor authentication requires users to pass a second security check before logging into a service. While this won’t prevent an employee from clicking a malicious link, it can protect the information that hackers are after.
Many companies don’t update their email client for years. Older clients are less likely to screen emails effectively and warn users of suspected phishing messages. Some outdated clients may even allow scripting, which means you can download malware just by opening an email. Robust email security is an absolute must to combat ever-evolving cyber threats.
Large businesses invest huge amounts into their security budgets to protect against phishing scams and other malware attacks.
Smaller businesses are even more at risk because they don’t have the capital to survive a phishing attack. Investing more in your IT security budget may seem costly, but it can save your business from a crippling attack.
Preventing Phishing on Your Home Computer
Anyone with an email address can fall victim to a phishing email – even children. Here’s how to protect your home devices against attacks.
Most phishing attacks that target private individuals are clones of messages from corporations. Opting out of marketing material reduces the volume of emails in your inbox and can make it easier to spot a scam message.
Reading technology blogs can help keep you updated on new types of attacks and how to prevent phishing attacks from happening.
Phishing education is an important part of IT literacy for children. Teaching your children how to recognize email scams is important. You should also ensure that they know about techniques like smishing and angler phishing on social media.
Try to keep a private computer that your children don’t have access to. Use this device for:
- Online shopping
This means that vital details are less likely to be compromised if a family member falls victim to a scam.
2-factor authentication for all purchases on your credit card reduces the risk that someone else can use your information online. You should also use this for services like PayPal and your work email login.
Modern email clients filter spam quite effectively. However, you can also choose a client with a specialist focus on filtering spam. This is a good idea if you have small children who use email.
The fewer phishing emails you’re presented with, the less chance you have of clicking on one.
Free antivirus software can protect you against most threats online. An advantage of paid services is that they tend to offer more warnings about a potential phishing attack than free services, which act “silently”.
You might not feel you need the additional protection. However, if you have younger children, regular warnings can deter them from clicking links that they’re not supposed to. This also teaches them to be safety-conscious online.
7. What about phishing testing?
Phishing testing verifies the accuracy and effectiveness of an organization’s email security controls.
This includes testing both inbound and outbound email filtering controls to ensure that any malicious emails are properly identified and blocked from reaching users and that legitimate emails are not being incorrectly flagged and quarantined.
Organizations will often engage third-party vendors to conduct phishing tests on their behalf, as these vendors have the necessary tools and experience to carry out comprehensive tests with minimal disruptions to normal business operations.
Some common features of phishing test platforms include the ability to customize email templates, incorporating user feedback loop mechanisms, and providing detailed reports of test results.
Understanding Phishing Attacks
The best protection against all types of phishing is to know:
- What attackers want from you
- What phishing emails look like
- How to store information securely
- Why you should never click a link without double-checking first.
Doing your due diligence on emails, SMS communications, and even social media posts can protect you from a devastating attack. It’s always worth taking the extra 20 seconds.
What Is Phishing FAQ’s
Why it is called phishing?
The term “phishing” was coined by a hacker known as “Da Chronic” on America Online in the 1990s.
A community of hackers on AOL would trick users into parting with sensitive information by posing as AOL staff members. They called this “fishing”.
When “Da Chronic” developed a program called AOHell that automated the process, he renamed it “phishing”.
What are 2 types of phishing?
Most attacks either use:
A dubious link or attachment in an email. This urges the user to click it and redirects the user to a website that downloads malware onto their device.
URL or interface alterations on a website. These trick users into clicking on a suspicious link.
Which email has the best spam protection?
Clients like SpamTitan and Spambrella are purpose-built to filter spam effectively. Mainstream clients like Gmail and Outlook tend to filter spam reasonably well.
What is phishing (and example)?
Phishing is the act of stealing information by luring an unsuspecting party into sharing important details. An example is when Ubiquiti Networks lost almost $47m to a CEO fraud phishing operation.
Does Gmail protect against phishing?
Gmail has an effective spam filter. This means that fewer phishing emails get through to users. It also flags emails when it can’t verify the sender (occasionally incorrectly).
Gmail is among the better mainstream email clients for protecting against phishing. It’s best to use it in conjunction with antivirus software that helps identify fraudulent emails.
What are 4 types of phishing?
Perhaps the most common types are:
• Spear phishing
• Email phishing
There are subtle differences between different types of phishing. It’s worth keeping up-to-date with news about phishing techniques, as hackers are constantly developing new strategies.
What Is knowbe4 phishing simulation?
A knowbe4 phishing simulation is a great way to test your employees’ awareness of phishing scams. By sending out simulated phishing emails, you can see who falls for the scams and who is able to identify them.
This can help you to train your employees on how to spot phishing emails, and it can also help you to identify potential security risks within your company.
If you are considering conducting a knowbe4 phishing simulation, there are a few things to keep in mind. First, make sure that you create realistic emails that would fool even the savviest user.
Second, don’t forget to track the results of your simulations so that you can identify trends and improve your training program over time.
What is the difference between phishing and pharming?
Phishing is an attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Pharming is a type of cyber attack that uses malicious code to redirect a website’s traffic to a fake site. The goal of pharming is to steal users’ personal information, such as user IDs and passwords. Phishing vs pharming is an often queried topic amongst those interested in cybersecurity.
What Is Phishing Bibliography: