Phishing

Joran Hofman
April 4, 2021

What is Phishing?

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and click a link or download an attachment.

What are the Types of Phishing?

Phishing attacks can have a great range of targets depending on the attacker. At one end is generic email phishing that is looking for anyone who has a PayPal account; these are usually recognizable as phishing. At the other extreme, the email is targeted at literally one person. The attacker will spend time and take great care to craft an email for that one person, usually because of the access they have. If the email is at this end of the spectrum, it is very difficult for even the most paranoid not to fall prey to it.

  • Spear phishing targets a specific group or type of individuals, such as the company’s system administrators. If you are going fishing with a spear, you pick a specific fish to go after, hence the name. The targets are just that, targets.
  • Whaling is an even more targeted type of phishing than just spear phishing as it goes after the whales, the BIG fish. These attacks target the CEO, CFO, or any big name within the industry or even a specific business. A whaling email might state that their company is getting sued, and they need to click on the link to get more info. The link then takes them to a page where they enter all of the critical data about their company, such as Tax ID# and bank account #s.
  • Smishing is an attack that uses text messaging or SMS (short message service) to get the target’s attention. A message that arrives on your cell phone through SMS and contains a link to click or a phone number to call is the vehicle for a smishing attack.
  • Vishing carries the same theme as all of these phishing attacks; the attackers are still after the user’s personal information or sensitive corporate information. This attack is made through a voice call, hence the “v” rather than “ph” in the name.
  • Email phishing is probably the most common type of phishing that has been seen since the ’90s. These are the emails that are sent to any and all email addresses that a hacker can obtain. The email usually tells the recipient that there has been a compromise in their account. They need to respond immediately by clicking on this link.
  • Search engine phishing, also known as SEO poisoning or SEO Trojans, is where the hackers work to become the top hit on a search using Google or other engines. If they are successful and can get someone to click on their link, it takes them to the hacker’s website.

Why does Phishing work?

Users often fall victim to phishing attacks not because they’re uneducated or lazy—quite the opposite. Most already know about phishing but are focused on being productive; they’re not expecting to be phished. It’s estimated that over 150 million phishing emails are sent every day, so even if someone successfully avoids one phishing scam, another will soon be on its way.

“We can't expect users to remain vigilant all the time…” says Kate R of the National Cyber Security Center. “Being aware of the threat from phishes while at your desk is hard enough. But phishing can happen anywhere and anytime. People respond to emails on their phones and tablets and outside core hours. Clicks happen.”

What are Examples of Phishing?

Here are some examples of common phishing tactics:

  • Emails: Phishing emails still comprise a large portion of the world’s yearly slate of devastating data breaches. Phishing emails are designed to appear to come from a legitimate source, like Amazon customer support, a bank, PayPal, or another recognized organization. Cybercriminals hide their presence in little details like the sender’s URL, an email attachment link, and more.
  • Spear Phishing: This more targeted phishing email attack relies on data that a cybercriminal has previously collected about the victim or the victim’s employer. Typically spear phishing emails use urgent and familiar language to encourage the victim to act immediately.
  • Link Manipulation: Relying on carefully worded phishing emails, this type of attack includes a link to a popular website. This link takes victims to a spoofed version of the popular website, designed to look like the real one, and asks them to confirm or update their account credentials.
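The tactics above all hide in "little details": a Reply-To that does not match the sender, or a link whose visible text names the real site while its href points somewhere else. The following is an added example, not part of the original glossary, showing how a mail filter or analyst script can surface those two indicators from a raw message. The sample email and all hostnames in it are constructed placeholders.

```python
"""Flag link-manipulation indicators in a phishing-style email.

Added example (not from the glossary). Two checks:
  1. the Reply-To domain differs from the From domain;
  2. an HTML anchor's visible text names one host while its href
     points to a different host (the "link manipulation" tactic).
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every hostname here is a placeholder.
SAMPLE_EMAIL = """\
From: "Bank Support" <support@secure-notice.example>
Reply-To: billing@mail-collector.example
Subject: Urgent: confirm your account
Content-Type: text/html

<html><body>
<p>Your account has been limited. Please sign in at
<a href="http://verify.secure-notice.example/login">https://www.examplebank.com/signin</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case host of a URL or bare domain, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def _domain_of_address(header_value):
    """Domain part of an RFC 5322 address header, or None."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def find_indicators(raw_message):
    """Return human-readable indicators of link manipulation in the message."""
    msg = message_from_string(raw_message)
    indicators = []

    # Check 1: sender domain vs. reply-to domain.
    from_domain = _domain_of_address(msg.get("From", ""))
    reply_domain = _domain_of_address(msg.get("Reply-To", ""))
    if from_domain and reply_domain and from_domain != reply_domain:
        indicators.append(
            f"reply-to domain {reply_domain} differs from sender domain {from_domain}"
        )

    # Check 2: anchor text that looks like a URL/domain but resolves elsewhere.
    collector = _AnchorCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.anchors:
        actual = _host(href)
        looks_like_url = "." in text and " " not in text
        shown = _host(text) if looks_like_url else None
        if shown and actual and shown != actual:
            indicators.append(f"link text shows {shown} but points to {actual}")
    return indicators


if __name__ == "__main__":
    for line in find_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", line)
```

Anchors whose visible text is ordinary words ("our help center") are deliberately ignored: the check only fires when the text itself claims a destination that the href contradicts, which is exactly the deception the link-manipulation tactic relies on.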
