Phishing


All you need to know about Phishing

What is Phishing?

Phishing is a form of social engineering attack that exploits the victim's psychological impulses rather than their reasoning. These attacks typically trick victims into revealing personal information -- such as credit card numbers, bank details, or passwords -- on websites that pretend to be legitimate.

Cybercriminals pose as reputable companies, friends, or acquaintances in a fake email or message that contains a link to a phishing website, and mislead the victim into falling for the scam. Some phishing emails go further: they silently install malware that harvests credentials and other personal information from the victim's system.

Since the 2000s, phishing has been one of the most widespread initial access techniques, and it is the usual starting point for business email compromise (BEC) and ransomware.


How Does Phishing Work?

Phishing attacks exploit psychological triggers such as curiosity, a sense of urgency, greed, and fear of missing out (FOMO). The most common delivery channel is email. A phishing email contains one or more of the following:

  1. Text that conveys urgency. For example, an email from a supplier demanding immediate payment of an invoice.
  2. A fraudulent link leading to a site that looks legitimate but is controlled by the attacker. The text shown for the link and its real destination often differ.
  3. An attachment, usually disguised as a PDF or an invoice, that is actually malware built to steal your information.

Interacting with any of the above can hand the attacker sensitive data such as login credentials, credit card numbers, PINs, and even a record of your online activity. In an organization, it takes only one employee falling for the scam to expose the whole company.


Why is Phishing a Problem?

Phishing is dangerous because it needs only a handful of victims to succeed: an attacker who sends thousands of messages can afford a very low response rate. The victim not only loses data but must also deal with the consequences of that loss, and the damage rarely stops with one person. By impersonating the victim, attackers reach their friends, family, and co-workers, and the chain goes on. Once they have what they need, the criminals use the stolen information to their advantage: changing account passwords, withdrawing or transferring money, luring money from trusted partners, and more.

If the victim works for a business, the phished account becomes the hook for everyone else in the company (think data breach). The damage can be extensive: attackers use the foothold to deploy ransomware, locking the organization out of its own network and demanding payment. On top of this, customer and partner identities, trade secrets, and agreements can be stolen, which is enough to spoil years of reputation and bring down a company.


Types of Phishing Attacks

  • Email Phishing: Attackers register domains that mimic real organizations and send the same request to thousands of recipients. A lookalike domain may add, drop, or swap just one or two characters to fool the human eye (e.g., nothendassoc.com instead of northendassoc.com), substitute confusable characters such as a zero for the letter o, or place the real brand name as a subdomain of an attacker-controlled domain so that only the left-hand part of the address looks familiar.
  • Spear Phishing: This is a targeted phishing attack where the attacker researches the victim's interests and uses that information to create a personalized message. For example, the attacker may use the victim's social media activity and other social engineering techniques to gain their trust and craft a tailored note.
  • Whaling: This is a type of spear phishing attack that targets high-level executives or employees in an organization. The attacker creates a personalized message that appears to be from a senior executive and asks for sensitive information or money transfers.
  • Vishing: This phishing attack uses voice messages or phone calls to trick victims into revealing sensitive information. The attacker may pretend to be a bank representative or a government official and use social engineering tactics to gain the victim's trust.
  • Smishing: In this attack, the cybercriminal uses SMS or text messages to trick victims into clicking on malicious links that promise exciting deals and limited offers appearing to be from a trusted brand retailer.
  • Angler Phishing: The attacker sets up a fake customer-service account on social media that imitates a real brand, watches for users who post complaints to that brand, and replies with a link to a phishing site or a request for account details. The "angler" is fishing for victims who have already announced they need help.
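The lookalike-domain tricks described under Email Phishing can be checked mechanically. The following is an added example, not code from the original page: it flags a sender's domain as a typosquat (small edit distance after folding confusable characters), as a subdomain impersonation (a trusted name appearing left of an unrelated registrable domain), or as trusted. The trusted list, the confusable tables, and the "last two labels" rule for the registrable domain are simplifying assumptions; production code should use the public suffix list.

```python
"""Classify a sender domain against a list of trusted domains (added example)."""
import unicodedata

# Domains the organization actually uses (constructed example list).
TRUSTED_DOMAINS = ["northendassoc.com", "example-bank.com"]

# Single- and multi-character confusables attackers substitute (constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Lowercase, strip accents, and fold confusables so n0rthendassoc == northendassoc."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in MULTI_CONFUSABLES.items():
        label = label.replace(src, dst)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions, or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'subdomain-impersonation of ...', 'lookalike of ...', or 'unrelated'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return "invalid"
    # Assumption: the registrable domain is the last two labels (no public suffix list here).
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return "trusted"
    subdomain_part = ".".join(labels[:-2])
    # Subdomain trick: a trusted name shows up to the LEFT of some other registrable domain.
    for t in trusted:
        name = t.split(".")[0]
        if subdomain_part and name in subdomain_part:
            return f"subdomain-impersonation of {t}"
    # Typosquat / homoglyph / TLD swap: compare the second-level label after normalization.
    for t in trusted:
        name = t.split(".")[0]
        distance = levenshtein(normalize(labels[-2]), normalize(name))
        if distance <= max_distance:
            return f"lookalike of {t} (edit distance {distance})"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs illustrating each case, including the page's own example.
    for sample in ["mail.northendassoc.com", "nothendassoc.com", "n0rthendassoc.com",
                   "northendassoc.net", "northendassoc.com.secure-login.net", "python.org"]:
        print(f"{sample:40} -> {classify_domain(sample)}")
```

An edit distance of 0 after normalization is the homoglyph case (n0rthendassoc) or a TLD swap (northendassoc.net), which is why the function reports it as a lookalike rather than treating it as a match.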

Phishing Techniques

As technology has advanced, cybercriminals have become more sophisticated at crafting lures that escape the attention of even experienced security personnel.

However, the attack only succeeds if the victim engages with the phishing email. Here are the two most common ways that happens:

  1. Redirection to a credential-harvesting page: The most common of all. The victim receives a link in the email instructing them to verify their identity or renew their account because of a "technical issue". The link text may show the real site while the actual destination is the attacker's copy of it. Once the victim enters their credentials, the page may show a "process successful" message or forward them to the genuine site to avoid suspicion, while the attacker's back end records every submission for later use.
  2. Malicious attachments: Bulk emails push the victim to open an attached file (malware disguised as an instruction PDF or an invoice notice, often with a double extension such as a .pdf name ending in an executable suffix). Once opened, it installs on the system and, for example, records every keystroke (a keylogger).
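Both techniques leave traces that a mail gateway or a triage script can catch before a user ever clicks: a link whose visible text names one host while its href points at another, and an attachment whose name pretends to be a document while its extension or content is executable. The following is an added example, not code from the original page. The sample message is constructed for illustration (the sender domain, URLs, and file name are made up), and it uses only Python's standard library email and HTML parsers.

```python
"""Scan a raw email for link-text/href mismatches and disguised attachments (added example)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish: the visible link names the real brand, the href does not,
# and the "invoice" attachment is a PE file (base64 of an MZ header) with a double extension.
RAW_EMAIL = """\
From: "Accounts Payable" <billing@northendassoc.com.secure-login.net>
To: victim@example.com
Subject: Urgent action required: invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. <a href="http://secure-login.net/verify">https://northendassoc.com/verify</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""

# Extensions that execute directly on Windows, and document extensions abused as decoys (constructed lists).
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk"}
DOC_DECOYS = (".pdf.", ".doc.", ".docx.", ".xls.", ".xlsx.")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_links(html: str) -> list[str]:
    """Flag anchors whose visible text is a URL on a different host than the real target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


def scan_attachments(msg) -> list[str]:
    """Flag executable extensions, document-style double extensions, and PE content."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in DANGEROUS_EXT:
            findings.append(f"attachment {name} has executable extension {ext}")
        if lower.count(".") >= 2 and any(decoy in lower for decoy in DOC_DECOYS):
            findings.append(f"attachment {name} uses a double extension to look like a document")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # DOS/PE header: the content is a Windows executable whatever the name says
            findings.append(f"attachment {name} starts with an MZ header (Windows executable)")
    return findings


def scan_email(raw: str) -> list[str]:
    """Parse a raw RFC 5322 message and return all findings from the HTML body and attachments."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.is_attachment():
            findings.extend(scan_links(part.get_content()))
    findings.extend(scan_attachments(msg))
    return findings


if __name__ == "__main__":
    for finding in scan_email(RAW_EMAIL):
        print("-", finding)
```

The content check matters more than the name check: renaming a file does not change its first two bytes, so a gateway that only looks at extensions is fooled by an attachment delivered inside an archive or with a benign-looking name.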

Common Phishing Subject Lines

Phishing emails often use crafty subject lines to entice the recipient to open the email and act immediately, without thinking twice or verifying the email's authenticity. Here are some common phishing subject lines:

  • Urgent action required
  • Account verification
  • Payment confirmation or your order has shipped (related to a recent purchase or payment, which can create a sense of confusion or concern)
  • Important security update

To tackle intelligent phishing scams, businesses must educate their employees and invest in a smart email security solution.