What Is Phishing? (Without the Fish)
Updated · Jul 19, 2022
So, what is phishing?
Phishing happens to be one of the most dangerous cyber threats out there.
Actually, there’s a pretty good chance that you or someone you know has already encountered such a threat in the past.
Read on to understand what it is exactly and how to safeguard yourself and your loved ones from this type of attack.
What Exactly Is Phishing?
Phishing is what we call it when cybercriminals use deception to steal your sensitive information and/or to trick you into paying them outright.
In a business setting, phishing attackers (more commonly referred to as ‘phishers’) use deceptive tactics to infiltrate an organization’s network and get hold of any valuable information.
Phishers are master manipulators of our vulnerabilities and experienced exploiters of human error and ignorance.
Usually, they employ the art of social engineering to do their dirty deeds. Social engineers aim to gain your trust under false pretenses, tricking you into divulging confidential information and influencing your decisions.
Anybody can be a victim of phishing. But businesses tend to be at a greater risk.
More than three-fourths of organizations across the world reportedly experienced phishing.
Moreover, cybersecurity experts suspected phishers were responsible for one of the biggest data breaches in history. The result was the leak of over 145 million eBay customers’ personal information.
There has been a fivefold increase in cyber scams since the start of the COVID-19 pandemic. This indicates that large-scale phishing attacks are likely to become more frequent in the future. For this reason, enhancing your online data safety has proven more important than ever before.
To avoid becoming a statistic, ask yourself these two questions:
- What is a phishing attack?
- What should I watch out for?
To answer them, let’s have a look at how phishing manifests itself and what red flags to look out for.
Cybercriminals can launch an attack in different ways using ever-evolving phishing techniques. That’s why their moves can be hard to detect, let alone predict.
Phishing types aren’t mutually exclusive. Usually, phishers use multiple methods in tandem to spin an elaborate web of deception successfully.
Phishing sites (or spoofed websites) imitate legit ones to appear credible in the eyes of unsuspecting visitors. A phony site may lull you into a false sense of security. It can make you feel safe to type in your login details and disclose other confidential information.
So basically, a website phisher adopts an organization’s identity first before ripping its visitors off.
Website phishing is one of the oldest tricks in the book. Attackers have been using this sort of phishing for so long that it was the subject of the first lawsuit of its kind.
How could you end up on a phishing website? A couple of ways are:
- Clicking on a malicious link in an email or on a search engine results page.
- Mistyping the address of the site you intend to visit.
It is essential to know what email phishing entails to avoid becoming a victim of it. Many scammers send electronic messages in the hope of eliciting a specific action from their targets.
The usual goal of a phishing email is to get recipients to click on a link leading them to a shady website. Once there, the target is manipulated into downloading a malicious file.
Culprits may impersonate trustworthy individuals like a loved one or a legal entity, e.g. your bank. Typically, email phishers play on their victims’ emotions. They craft their communications in a way that compels recipients to act without thinking.
Often, this scam comes in the form of fraudulent “spray and pray” schemes. But not all scammers send bulk email blasts.
Here are email phishing’s other subtypes:
- Spear phishing. Some prefer preying on (or spearing) specific individuals rather than casting a wide net. Spear phishers go after certain organizations and then target the more vulnerable employees. With this approach, the thief can personalize phishing emails and make their fabrications more believable.
- Whaling. Instead of taking rank-and-file members for a ride, phishers can choose to con senior managers because of their security clearance. By gunning for the big fish, a cybercriminal may be able to heist top-secret business information more easily.
- CEO fraud. Another name for business email compromise, this technique is about hacking a C-level exec’s credentials. Masquerading as the CEO or the CFO, the impostor could secure funds using illegitimate invoices or fake wire transfers.
- Clone phishing. If you receive similar emails within a short period, you may be dealing with a clone phisher. A clone phishing email is a replica of the original, except that its hyperlinks and attachments are malicious.
Smishing (SMS phishing) shares many similarities with its email equivalent. Since text messaging is fundamentally different from email, smishing content can also be different.
So, what exactly is a phishing text message?
It could be a faux marketing communication with a malicious link disguised as a coupon code promising discounts or freebies. Or, it could be a fabricated story meant to lure you into giving money or sensitive information.
Vishing (voice phishing) is like smishing in the sense that it uses a phone as an attack vehicle. A visher may call you and concoct an issue with your insurance company, bank account, or credit card. They may also use an automated voice message to peddle the made-up claim to you more convincingly.
Social Media Phishing
A social media-based phishing attack usually involves the creation of fake accounts representing real people or entities.
For example, with a devious Facebook, Twitter, or Instagram profile, a phisher can mislead users who try to contact a well-known brand’s help desk.
Also, these individuals may claim to be someone you’re familiar with in order to gain your trust and eventually scam you in one way or another.
Search Engine Phishing
Let’s have a look at how this subtype of phishing works.
As a subtype of website phishing, it involves dubious pages indexed on major search engines. In general, they feature unbelievably cheap products with the goal of obtaining the personal data of visitors upon checkout.
Perhaps this is the most effective and common phishing method for identity thieves. It’s so appealing because they don’t have to get their hands dirty hacking servers for email addresses and/or credit card details. They just need to outsmart Google and get high rankings for popular keywords.
Short for phishing and farming, pharming is all about manipulating the mechanics of web browsing. Pharmers corrupt DNS (Domain Name System) servers in order to divert internet users to phishing sites.
Evil Twin Phishing
Also known as Wi-phishing, it involves a hacker (the evil twin) setting a trap using a dodgy wireless network. If you connect to it, you may unwittingly share your data with the attacker when asked to register.
Since your traffic goes through a phisher-controlled server, you don’t have any privacy until you switch to a secure network.
Cyberattacks based on social engineering range from simple to sophisticated. Despite their varying levels of complexity, they all rely on one or more phishing techniques to be successful.
The most notable of these are as follows:
Use of Malware
Phishers have various malware types at their disposal to exploit vulnerabilities in operating systems and apps, infecting the user’s devices.
They can use keyloggers to track keystrokes or Trojans to gain backdoor access to system files by executing several potentially damaging processes.
Likewise, they can use pop-up phishing images to install harmful content onto your device by using what is called malvertisements.
Most, if not all, phishers are spammers.
As discussed earlier, they can send unsolicited messages with ill intent through different mediums. Plus, they can impersonate communications from legitimate senders to ultimately swindle their unknowing targets.
To appear reputable, many phishers slightly tweak the content on a reputable site’s page. They hope that you take the phishing message at face value and disclose your personal information without a second thought.
If you can’t distinguish between an authentic and a deceptive email, you’ll likely click a phishing link when persuaded into doing so.
Here are some useful pointers to help you learn how to detect a phishing email.
Phishers engaging in session hijacking can take over your ongoing internet session totally unnoticed. They can steal your session key through cross-site scripting or malware infection, among other methods.
Basically, session hijacking is a form of identity theft. This makes it impossible for the site to detect the perpetrator, since it thinks they are you.
What is the most advanced phishing attack technique? Arguably, this is the most sophisticated.
Using this technique, phishers can covertly intercept your details when doing a transaction on a legitimate site. After tracing your info, they may use it to raid your bank account or sell it on the dark web.
How To Spot Phishing
So, what is an indicator of phishing?
Spam emails, text messages, phone calls, web pages, and ads don’t always have the same alarm bells. But looking out for the following signs can help you identify them and put you on the right path to phishing prevention:
Grammatical, Punctuation, and Spelling Errors
Anyone doing business in good faith is unlikely to have poor grammar, make punctuation mistakes, or misspell words.
For the most part, they’re professional enough to proofread their communications before sending them out. They know that flawed messages would reflect negatively on them.
Obviously, phishers have lower editorial standards, although they have become better at eliminating typos and sounding more natural over time.
If you receive a message at a late hour, a phisher might be trying to engage with you. This is probably the case if your boss or your colleagues don’t normally contact you after office hours.
Unrecognizable or Unusual Senders
Phishing messages may not only reach you unannounced, they can also come from someone you don’t know or from peers that you don’t regularly correspond with.
You should also watch out for an email, text, or phone call that comes out of nowhere: the odds are it’s a phishing scam.
Random Mixes of Recipients
Being cc’d on an email sent to a group of people without rhyme or reason requires some skepticism.
If the list includes unrelated or unfamiliar email addresses, be even more suspicious of the sender’s intentions.
Calls for Immediate Action
It’s not uncommon for phishing emails to have a subject in all caps with exclamation points.
Their authors do this by design to make the text jump off the screen and express a sense of urgency. This way, they can pique your interest immediately.
Furthermore, phishers may try to make you believe that you have to act sooner rather than later.
They often like to trigger your fear of missing out, so email phishing scams may use limited-time promotions to draw you in.
Pressuring you into making careless decisions is yet another favorite of theirs, such as giving ultimatums like suspending your account if you don’t update your information.
An impersonal salutation can be a sign that the sender is a stranger or has distributed the message to individuals en masse.
Having said that, those engaging in spear phishing, whaling, CEO fraud, and/or clone phishing do tend to add personal touches to their messaging.
No self-respecting organization or individual would ask you to provide sensitive information over the phone, via email, or by text. Only someone looking to exploit you would attempt such a thing.
“Too Good to Be True” News
If the message you receive sounds too good to be true, then it probably is!
Nobody suddenly wins the lottery without buying a ticket. You really only have a one-in-a-million (if even that) chance of receiving an inheritance from some distant and mysterious relative.
Phishing links look legit at first. But they can’t hide the shady pages they direct you to. The truth is in their web addresses: the domain names of malicious sites are subtly modified versions of the ones they’re copying.
If you hover over a phishing link, you may discover the misspelling of a legit address. Swapping the letter “m” with an “r” and an “n” is among the most common masking tactics to avoid suspicion.
Any and all items attached to an email that reeks of internet phishing are almost certainly malicious.
This is particularly true if the attachments make no sense: files with meaningless names are almost certainly hostile.
How To Prevent Phishing Attacks
To remain oblivious to phishing is to be a sitting duck for all breeds of social engineers.
Although phishing scams can be completely different from one another, there are universal ways to insulate yourself from them.
Put Spam Filters to Work
Spam filtering is the most effective way to neutralize email phishing attacks. Your email service’s filter guards your inbox, keeping messages from unwanted sources out. With no exposure to spammy and potentially malicious content, there’s little chance for you and phishers to cross paths.
How do spam filters figure out which traffic to keep from reaching you?
Some analyze the content of the message and look for elements characteristic of phishing fraud.
Others check the email’s header to see whether the sender’s IP (internet protocol) address is one spammers like to use. The header can also reveal if the sender simultaneously sent the email to a random group of recipients.
Likewise, some spam filters prevent phishing emails by tossing out messages coming from a sender included in a blacklist of known spammers. Then there’s the kind that filters out emails written in languages you don’t understand and aren’t fluent in.
More advanced filters have adjustable settings, enabling you to establish rules for blocking phishing emails.
The most intelligent ones use machine learning. These filters have fluid standards, which keep redefining what spam messages are based on the kinds of correspondence you filter.
Spam filters are imperfect and sometimes inadvertently stop messages from senders you don’t want to block. Occasionally, it pays to check your spam folder, especially when you don’t receive emails you think you should be getting.
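The red flags described earlier (shouting subjects, urgency, random recipient lists, impersonal greetings, lookalike domains with “rn” in place of “m”, and link text that doesn’t match the real address) and the header and content checks a spam filter applies can be turned into simple detection rules. The following Python script is an added example, not code from the article or any product it mentions; it scores a constructed sample message against a hypothetical allow-list of trusted domains and known contacts.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Hypothetical local knowledge base; every value below is constructed for this example.
TRUSTED_DOMAINS = {"examplebank.com"}                       # brands the reader really uses
KNOWN_CONTACTS = {"alice@example.com", "boss@example.com"}  # regular correspondents
URGENCY = re.compile(r"\b(urgent|immediately|suspend(ed)?|within 24 hours|act now)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def lookalike_domain(host, trusted=TRUSTED_DOMAINS):
    """True when the registrable domain imitates a trusted one via the 'rn' for 'm' swap."""
    base = ".".join(host.lower().split(".")[-2:])   # login.exarnplebank.com -> exarnplebank.com
    return base not in trusted and base.replace("rn", "m") in trusted

def link_mismatch(href, text):
    """True when the visible link text names a different host than the real href."""
    shown = urlparse(text.strip()).hostname
    return shown is not None and shown.lower() != (urlparse(href).hostname or "").lower()

def email_indicators(raw):
    """Return the names of the red flags that fire for one raw (RFC 822) message."""
    msg = message_from_string(raw)
    hits = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = [a.lower() for _, a in getaddresses([msg.get("To", "")])]
    subject, body = msg.get("Subject", ""), msg.get_payload()
    if sender not in KNOWN_CONTACTS:
        hits.add("unknown_sender")
    if lookalike_domain(sender.rsplit("@", 1)[-1]):
        hits.add("lookalike_sender_domain")
    if sum(r not in KNOWN_CONTACTS for r in recipients) >= 2:   # random mix of recipients
        hits.add("random_recipients")
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.8 and "!" in subject:
        hits.add("shouting_subject")
    if URGENCY.search(subject) or URGENCY.search(body):
        hits.add("urgency")
    if re.search(r"\bdear (customer|user|member)\b", body, re.I):
        hits.add("impersonal_greeting")
    for href, text in ANCHOR.findall(body):   # "hover over the link": compare text vs. href
        if lookalike_domain(urlparse(href).hostname or ""):
            hits.add("lookalike_link_domain")
        if link_mismatch(href, text):
            hits.add("link_text_mismatch")
    return hits
# Constructed sample message, not a real phishing email.
SAMPLE = """From: alerts@exarnplebank.com
To: alice@example.com, zz9@random.example, q77@other.example
Subject: URGENT!!! ACCOUNT SUSPENDED
Content-Type: text/html

<p>Dear customer, verify your details within 24 hours.</p>
<p><a href="http://login.exarnplebank.com/verify">https://www.examplebank.com/verify</a></p>
"""

if __name__ == "__main__":
    print(sorted(email_indicators(SAMPLE)))
```

The rules are deliberately crude (a real filter weighs and combines such signals); the point is that each red flag from the article maps to one concrete, testable check.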
Delete Phishing Messages
Filters can fail to target all phishing email senders since spammers switch domains all the time. Inevitably, some malicious messages will slip through the cracks.
If you stumble upon a suspicious email, don’t open it. However, you shouldn’t just ignore it either.
Instead, delete the message immediately or mark it as spam to tell your filter to block this type of email in the future.
To find out whether the email you flagged as spam indeed came from a phisher, verify it. If there’s allegedly a problem with your bank account, log into it directly to confirm whether the issue is real.
Leave Suspicious Links and Attachments Untouched
If you accidentally open a malicious message, avoid clicking on anything. There’s no telling what its links and/or attachments could do to your device. So, it’s best not to touch them at all.
Use Malware, Ad, and Tracker Blockers
To keep phishing images from popping up, use apps with built-in malware-, ad-, and tracker-blocking capabilities. Many secure browsers and VPN (virtual private network) clients and extensions have this functionality.
Generate Unique Passwords
Not reusing the same login details is a simple habit that can boost your phishing security.
Identical passwords are like key duplicates that can unlock multiple accounts. The more diverse your credentials are, the more secure you are.
By using unique logins, most of your accounts will remain safe even if one of them is phished. This can be done easily with a password manager, which keeps your information accessible only to you.
Such solutions have tools for generating unique passwords, gauging their strengths, and securely saving them in a vault. The best ones have extraordinary features like multi-factor authentication and data leakage monitoring.
Plus, some password managers double as encryption programs that can obscure your other files and lock your apps and drives if triggered.
No encryption software can single-handedly prevent phishing, but at least it can render your data unreadable and therefore unsuitable for sale on the black market.
Subscribe to a Robust Antivirus Protection
These social engineers could strike in many ways and at any time. So, you must adopt a multi-layered security approach to block all possible cyber phishing attempts.
However, not all antivirus programs are strong enough to patch up the vulnerabilities of your devices and neutralize phishing threats.
That’s why you should only choose from the best premium products. Top antivirus solutions have advanced anti-phishing capabilities that free apps will never be able to match.
How To Report Phishing
Other than your government, the Anti-Phishing Working Group (APWG) is the best entity to report any phishing scam you encounter.
Established in 2003, the APWG is the global leader in phishing attack prevention.
This international coalition collects and analyzes suspicious emails in order to stay up-to-date with the latest cybercrime trends. It works closely with government agencies and non-government organizations from across the globe to help raise awareness of phishing security.
If you share potentially malicious emails with the APWG, you’ll be playing your part in the fight against phishers.
To report a phishing message to the APWG for analysis, do any of the following:
- Forward the suspicious email to firstname.lastname@example.org.
- Use the “Forward as Attachment” option to provide the APWG with further information to work with when they analyze the scam.
No matter how you feel about it, phishing is something you have to live with. The more profitable it becomes for social engineers, the harder it is to stop them.
Although you may have learned a lot about phishing scams today, don’t stop there.
Phishers are constantly thinking up new ways to outwit you. So, be aware of their latest techniques to keep them from getting the better of you.
What Are the Four Types of Phishing?
The four major types of phishing by medium are:
- Website phishing
- Email phishing
- Smishing (SMS phishing)
- Vishing (voice phishing)
What Are Examples of Phishing?
Phishing can manifest itself in the form of a fake website designed to lure you into sharing your sensitive information.
Also, a phisher may use emails or text messages to infect your device with malware using deceptive links and attachments.
Calling you and pretending to be a loved one is another classic phishing strategy.
How Do You Stop Phishing Email Attacks?
Spam filters, password managers, and antivirus programs are the main tools at your disposal to prevent and/or neutralize phishing emails.
However, your best phishing protection remains actually knowing what phishing is and staying vigilant about scams.
Romj is a veteran copywriter who used to be a Jack of all trades. Now, he's trying to be a master of one: technology. He jumps down the rabbit hole to size the latest innovations up. As a content contributor for TechJury, he hopes to help you keep up in our fast-paced world with his discoveries.