What Is Phishing?

Phishing is a type of cybersecurity threat that targets users directly through email, text, or direct messages. During one of these scams, the attacker will pose as a trusted contact to steal data like logins, account numbers, and credit card information.  Phishing is a type of social engineering attack where a cybercriminal uses email or other text-based messaging to steal sensitive information. By using a believable email address, an attacker aims to trick the target into trusting them enough to divulge personal data, such as login credentials, credit card numbers, or financial account info.

As an example, the scenario usually plays out as follows:

1. An individual receives an email from his or her bank (for example, Chase). 
2. The email appears to be sent from Chase, with the Chase logo embedded in the email.
3. The email explains how there is an urgent issue with the individual's account, instructing her to click on a link to address the matter right now.
4. Once the individual clicks on the link, she is brought to a webpage which mimics that of Chase. 
5. Unknowingly, the individual enters her username and password to enter the website.

In this scheme, the scammer has collected the individual's banking credentials. Further, by visiting the fraudulent banking site, the individual may have unknowingly downloaded malware to her computer, which will be tracking and collecting other data and sending it to the scammer. 

The motivations for such malicious behavior are usually financial. According to the 2020 Verizon Data Breach Investigations Report, 86% of the 3,950 breaches were financially motivated.

At the enterprise level, phishing can have greater consequences. By allowing just one scammer to gain entry to a corporate network, a data breach can occur, leaving the organization vulnerable to loss and theft.

While email remains the most critical communications tool for business, it also, unfortunately, makes it the top threat vector, with the volume and sophistication of attacks ever increasing. There is a continuing severity and cost of phishing campaigns as a problem, and it is imperative for organizations to understand this phishing in order to combat email security issues. 

For more information, download our Phishing Education Guide.

In a typical attack, the criminal gets the contact information of one or many targets and then starts sending phishing messages via email or text message. In most phishing campaigns, the attacker infuses their messaging with a sense of urgency, which motivates the victim to either reply with sensitive data or click on a link. If the victim clicks the link, they’re brought to a fake website specifically designed for identity theft or to enable the attacker to gain access to restricted data. The cybercriminal may use a combination of several factors to trick their targets:

• A realistic email address used by the attacker, such as one that appears to have the same or similar domain as a trusted company
• A website that looks like one belonging to a legitimate business
• A well-worded, grammatically clean email complete with realistic logos or other branding collateral 

For example, one of the most common phishing campaigns involves an attacker creating a website that looks almost exactly like that of a financial institution. After the victim clicks on a link, they have no idea they’re falling for a phishing scam, especially because the site looks so authentic.

With these kinds of phishing techniques, the victim enters their login credentials, which the attacker collects. The hacker then either uses the login credentials themselves or sells them to someone else. That’s why it’s crucial to keep an eye out for suspicious emails and to report anything that raises a flag to IT.

Phishing attempts can be diverse, as cyberattackers have become more sophisticated and creative with their techniques. What unites these attacks is their common purpose: identity theft or transferring malware. Below is a review of the different types of information attacks. 

Where general email attacks use spam-like tactics to blast thousands at a time, spear phishing attacks target specific individuals within an organization. In this type of scam, hackers customize their emails with the target’s name, title, work phone number, and other information in order to trick the recipient into believing that the sender somehow knows them personally or professionally. Spear phishing is for organizations with the resources to research and implement this more sophisticated form of attack.

Whaling is a variant of spear phishing that targets CEOs and other executives ("whales"). As such individuals typically have unfettered access to sensitive corporate data, the risk-reward is dramatically higher. Whaling is for advanced criminal organizations that have the resources to execute this form of attack.

Business Email Compromise (BEC) attacks are designed to impersonate senior executives and trick employees, customers, or vendors into wiring payments for goods or services to alternate bank accounts. According to the FBI's 2019 Internet Crime Report, BEC scams were the most damaging and effective type of cyber crime in 2019.

In this type of attack, the scammer creates an almost-identical replica of an authentic email, such as an alert one might receive from one's bank, in order to trick a victim into sharing valuable information. The attacker swaps out what appears to be an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.

Also known as voice phishing, in vishing, the scammer fraudulently displays the real telephone number of a well-known, trusted organization, such as a bank or the IRS, on the victim’s caller ID in order to entice the recipient to answer the call. The scammer then impersonates an executive or official and uses social engineering or intimidation tactics to demand payment of money purportedly owed to that organization. Vishing can also include sending out voicemail messages that ask the victim to call back a number; when the victim does so, the victim is tricked into entering his or her personal information or account details.

In a snowshoeing scheme, attackers attempt to circumvent traditional email spam filters. They do this by pushing out messages via multiple domains and IP addresses, sending out such a low volume of messages that reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it to the email inboxes before the filters learn to block them.

Even though it may seem fairly simple to avoid an attack, the following stats reveal how prominent phishing is:

• 23.6% of phishing attacks impact the financial sector
• 14.6% of attacks take aim at the e-commerce industry
• There are currently 611,877 known phishing sites on the Internet built to trick users into divulging sensitive information.
• Brazil is the most-targeted country when it comes to phishing assaults.
• Of all the attack methods used to infiltrate healthcare organizations, phishing is the number one technique used by hackers.
• Phishing is one of the five cyber crimes highlighted on the United States government's Online Safety page. Other cyber crimes include data breaches, malware, internet auctions, and credit card fraud.

Below are some ways for your organization to protect its employees and its network from phishing attacks. While well-trained employees are an organization's best defense, there are still some preventative actions an organization can take.

This is perhaps the most basic defense an organization can take. Most email programs (e.g., Outlook, G Suite) include spam filters that can automatically detect known spammers.

Organizations should make sure that all of their security patches have been updated. This can detect and remove malware or viruses that may have accidentally entered an employee's PC via a phishing scheme. Further, security policies should be updated to include password expiration and complexity.

Multi-factor authentication requires multiple pieces of information for someone to be able to log in and gain access. This is important in the event a scammer already has stolen the credentials of some employees. With MFA in place, especially if it includes biometric authentication, scammers are blocked.

All data should be encrypted and backed up, which is critical in the event of a breach or compromise.

As described in the previous section, educate employees about how to spot questionable links and attachments, and instruct them to avoid clicking on or downloading something from a source they do not trust.

A web filter can be used to block access to malicious websites in the event an employee inadvertently clicks on a malicious link