What is phishing? How to protect yourself?

Phishing is the most common form of cybercrime. The goal of phishing is to make people reveal sensitive information, such as credit card details, or install malware by clicking on a fraudulent link. Phishing uses social engineering tactics to look like official communication from trustworthy senders.

Why is phishing such a popular cybercrime technique, and how to spot it before you become yet another victim of it? Read on to find the answers to these questions and more.

What’s in a name

The first known use of the word “phishing” can be traced back to January 2, 1996, in a Usenet newsgroup called AOHell. What is phishing? It’s a combination of two words: to fish, an analogy for luring prey with bait, and phreaking, the practice of manipulating telephone signaling to make free phone calls. The phreaks behind such phreaking exploits are considered to be the hackers of the pre-internet days.

How it all started

The practice of phishing began to gain widespread attention and recognition in the late 1990s and early 2000s. One notable incident that brought phishing to the forefront occurred on May 4, 2000, when a malicious email with the subject line “ILOVEYOU” infected millions of computers worldwide with the “Love Bug” malware. This incident marked an early major attack that used a phishing technique and highlighted the potential dangers of phishing to users’ privacy and security.

The prevalence of phishing attacks 

As of 2023, phishing remains a significant threat to cybersecurity, and its prevalence continues to increase. According to the 2023 Verizon Data Breach Investigations Report (DBIR), 36% of all data breaches involved phishing. Moreover, the report found that phishing is the most common attack vector for social engineering, representing 57% of all social engineering-related data breaches.

This trend is not confined to businesses: individuals are also facing an increasing number of phishing attempts in their personal lives. According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, there were 245,771 reported phishing attacks in the first quarter of 2023 alone, representing a 62.5% increase compared to Q1 of 2022. 

How phishing works

Phishing attacks come in all shapes and sizes but they all rely on the same mechanism: tricking users to provide their sensitive data. 

In the case of email phishing, illustrated below, you receive an email asking you to click a link. Once redirected to a malicious website, you are asked to log in. The login and password you fill in and other personal and financial information are collected by the hacker who monitors the page. The hacker then goes to the real website, using your login credentials, and takes a loan in your name or uses your credit card information to make purchases.

What’s in a phishing attack: the three main ingredients 

Why is phishing still so prevalent? Because it’s relatively cheap and easy to do. Most of all, it’s a low-risk activity as few hackers get caught, and even if they do, penalties associated with cybercrime are still less severe than those for non-computer fraud.

To launch a phishing attack, a hacker needs three main ingredients (or they can buy a phishkit instead). 

Basic understanding of human psychology

One of the key psychological aspects exploited by attackers is trust. Phishing emails often impersonate reputable organizations or individuals, using their logos, email addresses, or language to create a sense of familiarity and trustworthiness. This taps into the human tendency to trust information that appears to come from a reliable source. 

Additionally, phishing attacks often induce a sense of urgency or fear, compelling individuals to act quickly without thoroughly scrutinizing the authenticity of the request. By preying on emotions such as curiosity, fear, or empathy, attackers employ psychological manipulation to increase the likelihood of their targets falling victim to their scams.

An understanding of human psychology will help the criminal to craft an email or text message using social engineering tactics to lure the target into clicking on links or downloading attachments. 

Website spoofing skills

Creating malicious URLs involves replicating a legitimate website, often copying its design and contents. The hacker usually acquires a domain name or creates a subdomain similar to the legitimate website, making it harder for the target to differentiate. 

Link manipulation skills

The malicious link or attachment is often the most crucial element in a phishing attack, giving the attacker control over the target’s device or enabling them to steal sensitive data. The link often leads the user to another fake website that collects personal information or downloads malware onto the user’s device, creating a backdoor for the attacker. 

Ready-made phishing solutions

Incredible as it may sound, cybercriminals can run a phishing attack even if they don’t have any of the above skills. All that’s needed is bad intentions and an “off the shelf” phish kit or phishing kit with ready-to-deploy malicious websites. Depending on the level of complexity, these come at $50 to $900 each.

More incredibly yet, phishing-as-a-service (PhaaS) is a solution that helps optimize costs for hackers who regularly launch phishing attacks. We’ll take a closer look at this when discussing different types of phishing attacks.

Examples of successful phishing attacks 

We are all equal before phishing scams corporations as well as individuals can fall victim to phishing. That said, the potential gain from these groups is inversely proportional to the effort required. Individuals are easier to target, but their credit cards are not bottomless. Big companies are more lucrative, but a lot harder to scam and a lot riskier, too.

Big company phishing

From 2013 through to 2015, a Lithuanian national named Evaldas Rimasauskas executed a spear phishing scam against two major tech giants: Google and Facebook. Rimasauskas defrauded these companies of approximately $100 million by impersonating a legitimate supplier and sending invoices for services rendered. The scam involved creating a fake company, fraudulent email accounts, and convincing documents, all designed to trick the companies into making payments to the scammer’s accounts. Rimasauskas was caught and sentenced to five years in prison.

Phishing for small fish

The Microsoft technical support pop-up phishing attack targeted users visiting a legitimate website. The message appeared to be from Microsoft support, warning the user that their computer was infected with viruses or malware. The pop-up instructed the user to immediately call the provided phone number to “resolve” the issue. When users called the provided number, they were connected to scammers who claimed to be Microsoft technicians. These scammers would then request remote access to their computers, install malware, or charge a fee of $150 to $499. 

Microsoft has gathered over 7,000 reports from victims in 16 different locations across 15 countries. 

Types of phishing attacks

Phishing attacks are all social engineering tricks but they vary in terms of the platform used, their level of sophistication, and target. Here’s a comprehensive breakdown of the most common types of phishing schemes. 

Email phishing attacks

Email phishing attacks are common and highly effective. Phishing emails are carefully crafted email messages that appear to be from legitimate sources, such as a bank, email provider, or social media platform, but are actually sent by cybercriminals with the intent to steal sensitive information or spread malware. Malicious emails can contain links to fraudulent websites that mimic real ones, aiming to get users to enter their login credentials or other personal information. Phishing emails can also have attachments infected with viruses or malware that can infect the user’s device. 

Spear phishing attacks

Spear phishing is a targeted phishing attack focused on specific individuals or organizations. In a spear phishing attack, cybercriminals gather information about their targets from various sources, such as social media, company websites, online forums, or people search sites. They then craft personalized and convincing emails that appear to come from trusted sources or individuals known to the target.

Whaling (CEO fraud)

Aptly named, whaling is a specialized spear phishing tactic aimed at senior executives or high-level employees. The attackers impersonate these individuals to trick employees into making financial transactions and sharing confidential data or personal details.

Business email compromise (BEC)

BEC attacks involve impersonating a trusted party, such as a company executive or vendor, to deceive recipients into taking harmful actions. The attackers often use social engineering techniques to convince victims to make unauthorized wire transfers or disclose sensitive information. BEC attacks can take various forms, including fake invoice scams, CEO fraud, and attorney impersonation scams. 

Content injection

In a content injection attack, the attacker takes advantage of a vulnerability within a web application to insert arbitrary or unauthorized content into a website. This injected content can include malicious scripts, HTML, or other types of code executed by the victim’s browser, potentially leading to unauthorized access, data theft, or malware infections.

Smishing (SMS phishing)

Smishing, short for SMS phishing, involves sending deceptive text messages to mobile device users. Smishing messages contain malicious links or attachments that redirect users to fake websites and trick them into divulging sensitive data. 

Vishing

Vishing is a term that comes from combining “voice” and “phishing” and refers to a type of social engineering attack in which scammers use phone calls or voice messages. In a voice phishing attack, scammers impersonate legitimate organizations, such as financial institutions, government agencies, or service providers, and use a sense of urgency and other techniques to persuade the victim to reveal information like bank card numbers, Social Security numbers, and other personal details.

Evil Twin WiFi

An Evil Twin WiFi attack is a type of WiFi eavesdropping technique in which a hacker creates a WiFi network in a public place that appears to be a legitimate hotspot offered by a reputable authority, like a hotel, café, or airport. Through this fake network, cybercriminals can steal credit card information, intercept credentials, and make users download malware.

Pharming

In a pharming attack, cybercriminals typically exploit vulnerabilities in the Domain Name System (DNS) or manipulate the host file on a user’s computer in order to redirect them to malicious websites, often imitating trusted ones.

Angler phishing 

The term “angler phishing” is derived from the angler fish, which uses a bioluminescent lure to attract its prey. Angler phishing occurs on social media platforms, where attackers impersonate legitimate profiles, lure victims into interactions, and potentially trick users into revealing personal information or downloading malware.

Watering hole

A watering hole phishing attack is a type of cyberattack where the attacker targets a specific group of individuals by infecting a website they commonly visit, such as a popular news site or a drive containing important information. The attacker can compromise the targeted website by injecting malicious code through browser exploits, backdoor programs, or other forms of malware.

Clone phishing

In a clone phishing attack, the cybercriminal aims to trick the recipient by sending an email that appears to be a copy of a legitimate email the recipient previously received, such as an invoice, account notification, or a security alert. The attacker then makes subtle changes or inserts malicious elements to deceive the recipient into taking a harmful action, such as clicking a malicious link.

Calendar phishing attacks

Calendar phishing, also known as calendar spam and event phishing, refers to a type of phishing attack where cybercriminals exploit calendar applications or services to trick users into clicking on a malicious link or sharing information.

Search engine phishing

In this attack, cybercriminals inject malicious links or websites into search engine results so that they appear at the top of search listings. As a result, users may click on these links or enter their information into fake websites, which can lead to identity theft, financial fraud, and malware infections.

Ransomware phishing attacks

Ransomware phishing is a type of cyberattack in which attackers use phishing techniques to deliver ransomware to a victim’s computer. Ransomware is a form of malware that encrypts a victim’s computer files, leaving them inaccessible, and then demands payment from the victim for the decryption key.

Voice cloning phishing

Voice cloning phishing is a type of phishing attack that uses artificial intelligence (AI) and deep learning technology to create a digital replica or “clone” of a person’s voice. This cloned voice is then used to impersonate the victim and manipulate them into providing sensitive information or performing a specific action, such as making a wire transfer.

Phishing techniques 

Although the list of phishing types is very long, the phishing techniques cybercriminals use to get ahold of your personal and financial information boil down to just a few.

Malicious attachments

Malicious attachments are often disguised as innocent-looking files such as documents, PDFs, files, or voicemails. When users unknowingly open these malicious attachments, they can inadvertently execute or install malware onto their devices.

The malware embedded in these attachments can vary and be designed to perform various malicious activities. For example, some attachments may contain ransomware, which encrypts files on the victim’s computer and demands a ransom for their release. Other attachments may contain keyloggers that record keystrokes to capture sensitive data like passwords or banking details. Some attachments may even exploit vulnerabilities in software to gain unauthorized access or control over the victim’s system.

Malicious web links

Malicious web links in phishing messages deceive users into clicking on them, leading them to fraudulent or malicious websites. Phishers often disguise these links to make them appear legitimate, such as by using URL manipulation techniques or URL shorteners.

When users click on such a link, they are typically directed to a website that masquerades as a trusted entity, such as a bank or online service provider. 

Fraudulent data entry points

Fraudulent data entry points in phishing messages work by tricking users into entering sensitive information such as usernames, passwords, or credit card details into fake websites or forms. These fraudulent data entry forms appear almost identical to legitimate online forms of reputable companies but are hosted on phishing websites controlled by the attackers. 

Attackers will often use data entry forms as the primary attack point because they are typically password-protected, and access to them can be monetarily valuable and provide control over network traffic and IT environments.

Recognizing phishing attacks

Learn how to recognize phishing messages, spot suspicious emails, and other phishing attempts. It’s often surprisingly easy. The biggest challenge is not to lower your guard when stressed or tired—this is precisely what hackers count on. Below are some common phishing red flags.

Suspicious messages

Spotting a phishing attack by examining the email address is an essential skill in identifying phishing emails. Follow these steps for all suspicious emails you find in your inbox.

1. Hover over the sender name or the email address in the email header. This action usually triggers a small tooltip or pop-up that displays the full email address associated with the sender’s name. 

2. Examine the displayed email: carefully review the displayed email address to ensure it matches the expected sender. Look for suspicious or mismatched elements such as the domain name, unusual characters, and long and complex subdomains.

3. Examine the sender’s name and compare it to the email address. In some phishing attempts, the sender’s name may not match the actual email address.

4. Look at the “reply-to” address, where responses are directed. Some phishing emails use a different “reply-to” address than the sender’s address.

Legitimate organizations often use their company or organization name in their email addresses. If you receive an email from a supposed official source, verify the sender’s identity through other means, such as contacting the organization directly. Even if the address looks legitimate, if you weren’t expecting an email from this sender, be extra cautious.

Generic greetings 

One of the tell-tale signs of a phishing attempt is generic or vague messaging. Phishing campaigns are often sent in mass volumes, so attackers will use general greetings or salutations, such as “Dear valued customer” or “Dear user,” instead of addressing recipients by name. 

Urgent requests 

Phishing messages often include a sense of urgency or fear designed to make recipients act without thinking. If a phishing email, text, or pop-up calls for immediate action, it’s best to verify its contents with the organization that sent it before acting on it.

Misspelled words and poor grammar 

Another red flag in spotting a phishing attempt is misspelled words and poor grammar. Phishing messages are often sent by attackers who may not have a strong command of the language used in the targeted region. As a result, phishing websites and emails may contain spelling mistakes, grammatical errors, and awkward phrasing.

Malicious URLs

Attackers will often use links in phishing emails and texts that look like legitimate ones but actually point to a malicious website. To check whether a link is legitimate, hover over it with your mouse without clicking on it to see the URL it will take you to. If the link is suspicious or unfamiliar, do not click on it.

On a mobile device, long-press (tap and hold) the link within the email. This action will typically open a menu or context options.

HTTPS encryption

Before filling in any forms, inspect the domain name of the website to make sure it’s legitimate. Before entering any sensitive data online, verify that the site is SSL-encrypted by looking for the HTTPS prefix at the beginning of the URL or the padlock icon in the address bar of the browser.

Best practices to combat phishing 

Healthy reflexes such as the ones described above are critical in curbing the success rate of phishing scams. Each of us can prevent phishing attacks by following these best practices.

• Avoid clicking suspicious links. Consider every link to be malicious by default and examine it carefully. 
• Don’t trust or click on pop-ups, especially if they promise unrealistic rewards.
• Be very careful when providing credit card information. 
• Change passwords regularly. Use a password manager if there are too many of them to memorize. 

Anti-phishing tools

Fortunately, we can also rely on anti-malware software and filters to safeguard devices and organizations from phishing. 

Firewalls

Firewalls are network security systems that monitor and control incoming and outgoing network traffic. Firewalls can block traffic from known malicious sources and detect and prevent threats like malicious software and phishing attacks.

Anti-phishing email security

Anti-phishing email security solutions use machine learning and other advanced techniques to identify malicious emails and protect users from phishing scams. They analyze incoming emails to identify malicious URLs, attachments, and other suspicious content and might quarantine or delete them.

Spam filters

Spam filters play a role in protecting against phishing attacks by filtering out and blocking suspicious and malicious emails. Although the primary purpose of spam filters is to identify and block unwanted spam emails, they can also help mitigate phishing threats by detecting and diverting phishing emails to spam folders or stopping them altogether.

Two-factor authentication (2FA)

Two-factor authentication is an effective measure in preventing phishing attacks. With 2FA enabled, even if users unknowingly enter their password on a phishing website, the attackers would still be missing the second authentication factor, preventing them from accessing the account.

Phishing awareness training 

Employee awareness training provides employees with the knowledge and skills to recognize phishing attacks and other cyberthreats. The training should be backed by test phishing emails sent to employees regularly to keep them vigilant.

What to do if you’ve fallen victim to phishing

If you think you might have downloaded a malicious link or left your data on a phishing website, act immediately. 

1. Update your passwords. Start by updating your passwords. While you are having doubts and trying to understand what happened, criminals may already be using your credentials or credit card details.

2. Block your credit card. Some banks give you the option to deactivate your credit or debit card temporarily without canceling it, which is a great solution when in doubt. Otherwise, contact your bank to have your card replaced.

3. Contact the legitimate institution. Contact the website or service associated with the phishing message you received and tell them what happened. They will either reassure you or confirm your suspicions. 

4. Report internally or to a dedicated organization.

If the breach happened at work, report suspected phishing emails to the appropriate team in your company. If you don’t know which team this is, contact the HR department.

Otherwise, report it to the organization dealing with online fraud in your country. 

• In the US, go to https://www.usa.gov/where-report-scams website to find out which organization deals with the type of crime you wish to report.

• In the UK, head to this page to learn where to report cybercrime. You can also report online scams and fraud on the website of the National Fraud & Cyber Crime Reporting Centre. 
• In the EU, each country has its institution to tackle cybercrime. Go to this Europol page to find out where to report phishing, depending on where you live.
• To report online fraud internationally, visit econsumer.gov, which partners with 65 consumer agencies worldwide. 

5. Run a malware scan. If you have downloaded a malicious file, you should run a malware scan on your computer. You can use an antivirus program to do this. If the scan finds anything suspicious, remove it immediately.

6. Take preventive measures. 

If phishers got the better of you this time, chances are it will happen again. A phishing email finding its way to your mailbox means that your email address was in a data breach or can be easily found online. Worse still, if you were personally targeted by a spear phishing email, it means your details are also up for grabs.

To prevent this from happening again, take the time to remove your data from the internet using our detailed guide. Alternatively, sign up for a data removal service like Incogni and let them do the work for you.

The future of phishing 

As the cybersecurity landscape continues to evolve, so do the tactics and technologies used in phishing attacks. Attackers are constantly finding new ways to deceive and exploit individuals and organizations. Likely, we will soon be updating this article with information on deep fake voice and video phishing, Internet of Things phishing, and biometric data theft. 

Predictions for the cybersecurity landscape suggest an ongoing arms race between attackers and defenders, with technology playing a crucial role in the advantage of both. This is why individuals and organizations must constantly adapt and increase awareness to mitigate the risks.