Phishing is when attackers send malicious emails designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials or other sensitive data.
Phishing is an example of social engineering: a collection of techniques that scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection and lying—all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through.
How Phishing Works
Whether a phishing campaign is targeted or sent to as many victims as possible, it starts with a malicious email message. An attack is disguised as a message from a legitimate company. The more aspects of the message that mimic the real company, the more likely an attacker will be successful.
An attacker’s goals vary, but usually, the aim is to steal personal information or credentials. The attack is helped along by a sense of urgency in the message, which may threaten account suspension, loss of money or loss of the targeted user’s job. Users who comply with the attacker’s demands don’t take the time to stop and consider whether the request is reasonable; only later do they recognise the warning signs and the unreasonable nature of the demand.
Phishing continually evolves to bypass security and human detection, so organisations must continually train staff to recognise the latest phishing strategies. It only takes one person to fall for phishing to incite a severe data breach. That’s why it’s one of the most critical threats to mitigate and the most difficult since it requires human defences.
History of Phishing
The term “phishing” came about in the mid-1990s when hackers began using fraudulent emails and instant messages to “fish for” information from unsuspecting users. The “ph” spelling follows the older hacker term “phreaking” (phone phreaking), whose practitioners were known as “phreaks.” Phishing emails lure people in and get them to take the bait. And, once they’re hooked, both user and organisation are in trouble.
Like many common threats, the history of phishing starts in the 1990s. When AOL was a popular online service, attackers used phishing emails and instant messages to masquerade as AOL employees, trick users into divulging their credentials and then hijack the accounts.
In the 2000s, attackers turned to bank accounts. Phishing emails were used to trick users into divulging their bank account credentials. The emails contained a link to a malicious site that mirrored the official banking site, but the domain was a slight variation of the official domain name (e.g., paypai.com instead of paypal.com). Later, attackers pursued other accounts such as eBay and Google to hijack credentials, steal money, commit fraud or spam other users.
Why Is Phishing a Problem?
Cyber criminals use phishing emails because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft and data loss.
The data that cybercriminals go after includes personal identifiable information (PII)—like financial account data, credit card numbers and tax and medical records—as well as sensitive business data, such as customer names and contact information, proprietary product secrets and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media and other accounts or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches, like the headline-grabbing 2013 Target breach, start with a phishing email. By using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
Attackers prey on fear and a sense of urgency. It’s common for attackers to tell users that their account is restricted or will be suspended if they don’t respond to the email. Fear makes targeted users ignore common warning signs and forget their phishing education. Even administrators and security experts fall for phishing occasionally.
Typically, a phishing email is sent to as many people as possible, so the greeting is generic: the recipient is not addressed by name, and a sense of urgency injects fear to trick users into opening the attachment.
The attachment could be an HTML page, a script (e.g., PowerShell) or a Microsoft Office document with a malicious macro. The macro or script can download further malware or open a fake login form that captures the user’s account credentials.
Attackers register domains that look similar to the official one or occasionally use generic providers such as Gmail. SMTP itself does not verify the From address, so spoofed senders are possible, but most recipient servers now check SPF, DKIM and DMARC and reject or flag messages whose headers fail those checks. A look-alike domain sidesteps this: the attacker controls it, so mail from it authenticates correctly. The message might carry the official company logo while the sender address sits on a domain that is not the company’s. The sender address is therefore a necessary check, but it is not the only factor that determines message legitimacy.
How an attacker carries out a phishing campaign depends on their goals. For businesses, attackers may use fake invoices to trick the accounts payable department into sending money. In this attack, the sender domain matters less, because many small vendors legitimately do business from personal email accounts; the lure rests on a plausible-looking invoice rather than a spoofed domain.
Another common lure is a button or link that opens a web page with a fraudulent Google authentication form. The page attempts to scam targeted victims into entering their Google credentials so that attackers can take over the accounts.
Another method attackers use is to pretend they are internal technical support. The technical support email asks users to install a messaging system, an application with hidden malware or run a script that will download ransomware. Users should be on the lookout for these types of emails and report them to administrators.
Malicious Web Links
Links (URLs) are common in email generally and in phishing email in particular. Malicious links take users to impostor websites or to sites that serve malicious software (malware). A malicious link can be disguised as a trusted one: the visible text may show one address while the link points somewhere else, and links are often embedded in logos and other images in an email.
Here is an example of an email received by users at Cornell University, an American college. It’s a simple message that displayed “Help Desk” as the sender's name (though the email did not originate from the university’s help desk but rather from the @connect.ust.hk domain). According to Cornell’s IT team, the link embedded in the email took clickers to a page that looked like the Office 365 login page. This phishing email attempted to steal user credentials.
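The checks described above (a display name such as “Help Desk” on an outside domain, look-alike domains such as paypai.com, and authentication results that pass because the attacker owns the sending domain) can be automated at the mail gateway or in a triage script. The script below is an added example, not code from the original page; the internal domain, the protected brand list, the role words and the three sample messages (one modelled on the Cornell help-desk lure) are constructed assumptions.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain, the brand domains it
# protects, and words attackers put in display names to pose as internal staff.
INTERNAL_DOMAIN = "cornell.edu"
PROTECTED_DOMAINS = ("cornell.edu", "paypal.com", "microsoft.com")
ROLE_WORDS = ("help desk", "helpdesk", "it support", "service desk", "administrator")
# Common look-alike substitutions, mapped back to the characters they imitate.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_label(label):
    """Lower-case, drop accents/non-ASCII and undo homoglyph swaps ('paypa1' -> 'paypal')."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if ord(ch) < 128)
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches typosquats such as paypai.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None (genuine subdomains pass)."""
    domain = domain.lower().rstrip(".")
    for protected in PROTECTED_DOMAINS:
        if domain == protected or domain.endswith("." + protected):
            return None
    labels = [normalize_label(part) for part in domain.split(".")[:-1]]  # skip the TLD
    for protected in PROTECTED_DOMAINS:
        brand = normalize_label(protected.split(".")[0])  # same folding on both sides
        for label in labels:
            typo = edit_distance(label, brand) == 1
            cousin = brand in label and len(label) > len(brand)  # secure-paypal-login
            if label == brand or typo or cousin:
                return protected
    return None


def domain_of(header_value):
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def triage(raw):
    """Run the header checks on one raw RFC 5322 message; return (check, detail) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    display_lower = display.lower()
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # Display name poses as internal staff but the address is not on our domain.
    if any(w in display_lower for w in ROLE_WORDS) and from_domain != INTERNAL_DOMAIN:
        findings.append(("display-name", f"'{display}' sent from external domain {from_domain}"))
    # Display name carries a protected brand the sending domain does not belong to.
    for protected in PROTECTED_DOMAINS:
        genuine = from_domain == protected or from_domain.endswith("." + protected)
        if protected.split(".")[0] in display_lower and not genuine:
            findings.append(("brand-in-display-name", f"'{display}' from {from_domain}"))
    # Replies or bounces would go somewhere other than the apparent sender.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            findings.append((header.lower(), f"{domain_of(value)} differs from {from_domain}"))
    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike-domain", f"{from_domain} resembles {target}"))
    # Authentication-Results as stamped by the receiving server (RFC 8601). A pass only
    # proves the mail came from the domain in the header; an attacker-owned look-alike
    # domain passes all three, which is why the checks above still matter.
    auth = msg.get("Authentication-Results", "")
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append((method, m.group(1) if m else "missing"))
    return findings


# Constructed messages modelled on the examples in the text; not real mail.
HELPDESK_LURE = b"""From: Help Desk <admin@connect.ust.hk>
Authentication-Results: mx.cornell.edu; spf=pass smtp.mailfrom=connect.ust.hk; dkim=none; dmarc=none

Validate your Office 365 account within 24 hours to avoid suspension.
"""
TYPOSQUAT_LURE = b"""From: PayPal Service <service@paypai.com>
Reply-To: refunds@mail-verify.net
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypai.com; dkim=pass header.d=paypai.com; dmarc=pass header.from=paypai.com

Confirm your identity to restore access.
"""
LEGITIMATE = b"""From: Cornell IT Help Desk <it@cornell.edu>
Authentication-Results: mx.cornell.edu; spf=pass smtp.mailfrom=cornell.edu; dkim=pass header.d=cornell.edu; dmarc=pass header.from=cornell.edu

No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("help desk lure", HELPDESK_LURE), ("typosquat", TYPOSQUAT_LURE), ("legitimate", LEGITIMATE)):
        print(name, triage(raw) or "no findings")
```

The typosquat message passes SPF, DKIM and DMARC, so a gateway that stops at authentication results would deliver it; the display-name, Reply-To and look-alike checks are what catch it.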
Malicious Attachments
Attachments may look like legitimate files, but they can carry malware that compromises computers and their files. In the case of ransomware, a type of malware, all of the files on a PC can be encrypted and made inaccessible. A keystroke logger could be installed to record everything a user types, including passwords. Ransomware and other malware can also spread from one PC to other networked resources, such as external hard drives, file servers and cloud storage synchronised to the machine.
Here’s an example of a phishing email text shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected the recipients’ computers. Variations of these shipping scams are particularly common during the holiday shopping season, though they’re seen year-round.
Fraudulent Data Entry Forms
These emails prompt users to fill in sensitive information—such as user IDs, passwords, credit card data, and phone numbers. Once users submit that information, it can be used by cybercriminals for personal gain.
Here’s an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users are routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form. This type of personal information can be used by cybercriminals for several fraudulent activities, including identity theft.
Common Phishing Subject Lines
An email’s subject line can prompt the user to open the message. In a phishing attack, a subject line will play on user fears and a sense of urgency.
It’s common for attackers to use messages involving problems with accounts, shipments, bank details and financial transactions. Shipping messages are common during the holidays because most people expect a delivery. If a user doesn’t notice the domain in the sender address is not legitimate, they could be tricked into clicking the link and divulging sensitive data.
Types of Phishing Attacks
Phishing has evolved into more than simple credential and data theft. How an attacker lays out a campaign depends on the type of phishing. Types of phishing include:
- Email phishing: the general term given to any malicious email message meant to trick users into divulging private information. Attackers generally aim to steal account credentials, personally identifiable information (PII) and corporate trade secrets. However, attackers targeting a specific business might have other motives.
- Spear phishing: these email messages are sent to specific people within an organisation, usually high-privilege account holders, to trick them into divulging sensitive data, sending the attacker money or downloading malware.
- Link manipulation: messages contain a link to a malicious site that looks like the official business but takes recipients to an attacker-controlled server where they are persuaded to authenticate into a spoofed login page that sends credentials to an attacker.
- Whaling and CEO fraud: whaling messages target high-profile employees such as executives. In CEO fraud, a form of business email compromise, the attacker instead impersonates the CEO or another executive and asks a finance or HR employee to transfer money or share data. CEO fraud falls under the umbrella of phishing, but instead of spoofing a popular website, the attacker spoofs the executive’s identity.
- Content injection: an attacker who can inject malicious content into an official site will trick users into accessing the site to show them a malicious popup or redirect them to a phishing website.
- Malware: users tricked into clicking a link or opening an attachment might download malware onto their devices. Ransomware, rootkits or keyloggers are common malware attachments that steal data and extort payments from targeted victims.
- Smishing: using SMS messages, attackers trick users into accessing malicious sites from their smartphones. Attackers send a text message to a targeted victim with a malicious link that promises discounts, rewards or free prizes.
- Vishing: attackers leave voice messages or call targeted victims directly, telling them they must call a number where they are scammed. Caller-ID spoofing and voice-changing software help disguise who is calling, so that an attacker can pose as a bank, a government agency or internal support staff.
- “Evil Twin” Wi-Fi: spoofing a free Wi-Fi hotspot, attackers trick users into connecting so that they can intercept traffic from a man-in-the-middle position.
- Pharming: pharming redirects users to a spoofed site even when they type the correct address. Malware on the victim’s machine alters the hosts file or DNS settings, or the attacker poisons a DNS resolver’s cache, so that the legitimate domain name resolves to an attacker-controlled server where the user is tricked into divulging credentials.
- Angler phishing: using social media, attackers reply to posts pretending to be an official organisation and trick users into divulging account credentials and personal information.
- Watering hole: a compromised site provides endless opportunities, so an attacker identifies a site used by numerous targeted users, exploits a vulnerability on the site, and uses it to trick users into downloading malware. With malware installed on targeted user machines, an attacker can redirect users to spoofed websites or deliver a payload to the local network to steal data.
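The link manipulation described under Malicious Web Links and in the list item above comes down to a few patterns that can be checked mechanically: visible text that names one site while the href points to another, a trusted name placed in the userinfo part of a URL, punycode or raw-IP hosts, and logos that are themselves links. The following script is an added example, not code from the original page; the HTML body, the hosts and the trusted-host list are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the organisation knows and trusts. Image-only links to anything
# else are reported so that someone checks where the logo actually points.
TRUSTED_HOSTS = ("paypal.com", "cornell.edu")
# A domain or URL that appears in the visible text of a link.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collect every <a href> with its visible text and whether it wraps an image."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = {"href": attrs["href"], "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def same_site(a, b):
    """Compare the last two labels: www.paypal.com and paypal.com are one site,
    paypal.com.evil.net is not."""
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def assess_link(link):
    """Return the reasons a link looks manipulated (empty list if none)."""
    reasons = []
    parts = urlsplit(link["href"])
    host = (parts.hostname or "").lower()
    if parts.scheme and parts.scheme not in ("http", "https", "mailto"):
        reasons.append(f"unusual scheme {parts.scheme}")
    if parts.username is not None:
        # https://paypal.com@evil.net puts the trusted name in the userinfo part;
        # the browser connects to evil.net.
        reasons.append(f"userinfo '{parts.username}' before host {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"punycode host {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append(f"raw IP host {host}")
    except ValueError:
        pass
    shown = DOMAIN_IN_TEXT.search(link["text"].lower())
    if shown and host and not same_site(shown.group(1), host):
        reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
    trusted = any(same_site(host, t) for t in TRUSTED_HOSTS)
    if link["image"] and not link["text"] and not trusted:
        reasons.append(f"image-only link to untrusted host {host}")
    return reasons


def scan_html(html):
    """Parse an HTML email body and return (href, reasons) for every suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        reasons = assess_link(link)
        if reasons:
            findings.append((link["href"], reasons))
    return findings


# Constructed HTML body modelled on a PayPal-themed lure; the punycode label is made up.
SAMPLE_BODY = """
<p>Your account is limited. Sign in at
<a href="https://paypal.com.account-verify.net/login">https://www.paypal.com/signin</a></p>
<a href="https://paypal.com@198.51.100.7/r"><img src="cid:logo.png" alt=""></a>
<a href="https://xn--pypal-4ve.com/">Verify now</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_BODY):
        print(href, "->", "; ".join(reasons))
```

Only the last link, which points at the genuine site, produces no finding; the other three trip the text/href mismatch, the userinfo-plus-raw-IP trick behind a logo, and the punycode host respectively.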
What Is a Phishing Kit?
Because phishing is effective, attackers use phishing kits (or phishkits) to simplify the setup. The kit comprises the backend components of a phishing campaign, including the web server, elements of the website (e.g., images and layout of the official website) and storage used to collect user credentials. Another component is registered domains. Criminals register dozens of domains to use with phishing email messages to switch quickly when spam filters detect them as malicious. By having dozens of domains, criminals can change the domain in the phishing URL and resend messages to additional targets.
A phishing kit is also designed to avoid detection. The backend scripts deny large ranges of IP addresses belonging to security researchers and antivirus vendors such as McAfee, Google, Symantec and Kaspersky, serving them a harmless page while targeted users see the phishing content. This cloaking makes the phishing domains look benign to automated scanners and delays takedown.
Where It Happens
It’s important to recognise the consequences of falling for a phishing attack at home or work. Phishing campaigns often target businesses for larger payouts, but many also cast a wide net to trap individuals across the globe. Individuals are usually targeted for identity theft, but financial theft is also possible. Businesses are targets for financial theft, data theft, or theft of trade secrets. Here are just a few of the problems that can arise from falling for a phishing email:
In Your Personal Life
- Money stolen from bank accounts
- Fraudulent charges on credit cards
- Tax returns filed in a person’s name
- Loans and mortgages opened in a person’s name
- Lost access to photos, videos, files, and other important documents
- Fake social media posts made on a person’s accounts
- Wire transfers to an attacker’s account
- Ransomware to extort money from victims
At Work
- Loss of corporate funds
- Exposed personal information of customers and co-workers
- Outsiders can access confidential communications, files, and systems
- Files become locked and inaccessible
- Damage to employer's reputation
- Financial fines from compliance violations
- Decreased company value
- Reduced investor confidence
- Interruption of revenue-impacting productivity
- Ransomware to extort large amounts of money from businesses
Phishing & Remote Working
The pandemic shifted the way most organisations and employees work. Remote work became common, so corporate and personal devices now share the user’s home network. This gives attackers an advantage: home networks lack enterprise-level controls such as a secure email gateway, web filtering and network monitoring, so a phishing email or link that would have been blocked in the office has a higher chance of reaching the user.
Because employees now work from home, it’s more important for organisations to train them in phishing awareness. Impersonation of executives and official vendors increased during the pandemic. Since employees still need access to corporate systems, an attacker can target any at-home employee to gain remote access to the environment. Administrators were forced to set up remote access quickly, so security was often traded for convenience. This urgency created vulnerabilities that could be exploited, many of which were human errors.
Poor cybersecurity combined with connected personal devices gave attackers numerous advantages. Phishing increased globally, and several large data breaches occurred, including ransomware. Google reported a 350% surge in phishing websites at the beginning of 2020 after pandemic lockdowns.
Most Targeted Industries
The goal of most phishing is financial gain, so attackers mainly target specific industries that store credit card data or have the funds to pay large sums of money. The target could be the entire organisation or its individual users. The top targeted industries include:
- Online stores (ecommerce)
- Social media
- Banks and other financial institutions
- Payment systems (merchant card processors)
- IT companies
- Telecommunication companies
- Delivery companies
Most Impersonated Brands
To trick as many people as possible, attackers use well-known brands. Well-known brands instil trust in recipients, increasing attacker success. Any common brand can be used in phishing, but a few standard ones are:
- Wells Fargo
- Bank of America
Preventing phishing attacks requires a combination of user training to recognise the warning signs and robust cybersecurity systems to stop payloads. Email filters are helpful with phishing, but human prevention is still necessary in cases of false negatives.
A few ways your organisation can prevent being a victim of phishing:
- Train users to detect a phishing email: a sense of urgency and requests for personal data, including passwords, embedded links and attachments, are all warning signs. Users must be able to identify these warning signs to defend against phishing.
- Avoid clicking links: instead of clicking a link and authenticating into a web page directly from an embedded link, type the official domain into a browser and authenticate directly from the manually typed site.
- Use anti-phishing email security: a secure email gateway checks incoming messages against sender reputation, SPF/DKIM/DMARC results, URL and attachment analysis and, in many products, machine-learning classifiers, then quarantines suspicious messages before they reach the recipient’s inbox.
- Protect accounts with multi-factor authentication and rotate exposed credentials: phishing-resistant MFA (for example FIDO2 security keys or passkeys) stops a stolen password from being enough on its own. Change a password immediately when it may have been phished and revoke active sessions; a compromised credential left in place gives an attacker indefinite access. Forcing routine changes every 30-45 days is no longer recommended (NIST SP 800-63B advises against scheduled rotation) because it pushes users toward weak, predictable patterns.
- Keep software and firmware up-to-date: software and firmware developers release updates to remediate bugs and security issues. Always install these updates to ensure known vulnerabilities are no longer present in your infrastructure.
- Use firewalls with egress filtering: firewalls control inbound and outbound traffic. Malware installed by phishing quietly sends stolen data to an attacker; a firewall that blocks outbound connections to unknown destinations, or at least logs them, can stop or reveal that traffic for further review.
- Avoid clicking on popups: attackers change the location of the X button on a popup window to trick users into opening a malicious site or downloading malware. Popup blockers stop many popups, but false negatives are still possible.
- Be cautious giving out credit card data: unless you know the site is completely trustworthy, never give credit card data to a website you don’t recognise. Any site promising gifts or money back should be used with caution.
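The authentication checks that email security relies on (and that stop the spoofed senders mentioned earlier) only work if the domain owner publishes sound SPF and DMARC records. As an added example that is not code from the page or its author, the script below parses a weak and a hardened pair of records and lists what an attacker could exploit in the weak one. The records, the mailer hostname and the report address are constructed; the SPF lookup count covers only the top-level record, since each include: pulls in that record’s own lookups.

```python
import re

# Mechanisms and modifiers that each cost one of the ten DNS lookups RFC 7208 allows
# per evaluation; the count here is for the top-level record only.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Parse a v=spf1 TXT record into its 'all' qualifier, lookup count and terms."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = {"all": None, "lookups": 0, "terms": []}
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            parsed["lookups"] += 1
        parsed["terms"].append((qualifier, name))
    return parsed


def parse_dmarc(record):
    """Parse a v=DMARC1 TXT record into a tag dictionary (RFC 7489 section 6.3)."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_record, dmarc_record):
    """Return the weaknesses that let an attacker spoof the domain in the From header."""
    issues = []
    spf = parse_spf(spf_record)
    if spf is None:
        issues.append("SPF: no valid v=spf1 record")
    else:
        if spf["all"] is None:
            issues.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif spf["all"] == "+":
            issues.append("SPF: '+all' authorises every sender on the internet")
        elif spf["all"] == "?":
            issues.append("SPF: '?all' is neutral, equivalent to no policy")
        if spf["lookups"] > 10:
            issues.append(f"SPF: {spf['lookups']} lookup terms exceed the limit of 10 (permerror)")
        if any(name == "ptr" for _, name in spf["terms"]):
            issues.append("SPF: 'ptr' is deprecated and slow to evaluate")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        issues.append("DMARC: no valid v=DMARC1 record")
    else:
        p = dmarc.get("p", "none").lower()
        if p == "none":
            issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif p == "quarantine":
            issues.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        if p == "reject" and dmarc.get("sp", "reject").lower() != "reject":
            issues.append("DMARC: subdomain policy sp is weaker than p")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            issues.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unenforced")
        if "rua" not in dmarc:
            issues.append("DMARC: no rua address, aggregate reports are lost")
    return issues


# Constructed records for an imaginary domain. The weak pair is typical of a domain
# that published SPF once and never revisited it.
WEAK_SPF = "v=spf1 a mx ptr include:_spf.mailer.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.mailer.example -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["no issues"])
```

A softfail (~all) is not flagged because, with DMARC at p=reject, it is still enforced; the hardened pair also aligns DKIM and SPF strictly (adkim=s, aspf=s) so that a look-alike subdomain cannot satisfy alignment.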
Anti-Phishing Training Suite
Training employees to detect phishing is a critical component of phishing awareness and education to ensure that your organisation does not become the next victim. It only takes one employee to fall for a phishing campaign to become the next reported data breach.
Phishing simulation is the latest in employee training. Exposing employees to a realistic phishing attempt gives them first-hand experience of how an attack is carried out. Many simulations add other social engineering elements, such as a follow-up phone call, because attackers often combine channels for a more effective campaign. Simulations mirror real-world phishing scenarios, but employee activity is monitored and tracked.
Reporting and analytics inform administrators where the organisation can improve by discovering which phishing attacks tricked employees. Simulations including links tie into reporting by tracking who clicks a malicious link, which employees enter their credentials on a malicious site, and any email messages that trigger spam filters. Results can be used to configure spam filters and reinforce training and education across the organisation.
Proofpoint customers have used Anti-Phishing Training Suite and Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. This unique, four-step Assess, Educate, Reinforce, and Measure approach can be the foundation of any organisation's phishing awareness training program.
Phishing protection is an important security measure companies can take to prevent phishing attacks on their employees and organisation. Security awareness training and education around red flags when an email looks or feels suspicious definitely helps to reduce successful compromises. However, since user behaviour is not predictable, typically, security solution-driven phishing detection is critical.
Education through real-world examples and exercises will help users identify phishing. It’s common for organisations to work with experts to send simulated phishing emails to employees and track who opened the email and clicked the link. These employees can be trained further to prevent the same mistake in future attacks.
Some email gateway reputation-based solutions can catch and classify phishing emails based on the known bad reputation of the embedded URLs. However, these solutions often miss the well-crafted phishing messages with URLs from compromised legitimate websites that don’t have a bad reputation at the time of email delivery. Some systems are better than others.
The most effective systems identify suspicious emails based on anomalytics, which looks for unusual patterns in traffic to identify suspicious emails, then rewrites the embedded URL and maintains a constant watch on the URL for in-page exploits and downloads. These monitoring tools quarantine suspicious email messages so administrators can research ongoing phishing attacks. If a high number of phishing emails are detected, administrators can alert employees and reduce the chance of a successful targeted phishing campaign.
The cybersecurity landscape continually evolves, especially in the world of phishing. It’s critical for corporations to always communicate to employees and educate them on the latest phishing and social engineering techniques. Keeping employees aware of the latest threats reduces risk and generates a culture of cybersecurity within the organisation.
Phishing poses a huge threat to individuals and businesses. The following phishing statistics offer some sense of the prevalence and seriousness of phishing attacks:
What to Do If You’ve Fallen Victim
After you’ve sent your information to an attacker, it will likely be disclosed to other scammers. You’ll probably receive vishing and smishing messages, new phishing emails, and voice calls. Always stay on alert for suspicious messages asking for your information or financial details.
The Federal Trade Commission has a website dedicated to identity theft to help you mitigate damages and monitor your credit. If you entered a password on a suspicious page, change it from a device you trust and revoke any active sessions. If you clicked on a link or opened a suspicious attachment, your computer could have malware installed; to detect and remove it, make sure your antivirus software is up-to-date with the latest signatures and patches, and report the incident to your IT team if a work account or device was involved.
How to Report Phishing Emails
If you think you’re the target of a phishing campaign, the first step is to report it to the appropriate people. On a corporate network, it’s best to report it to IT staff to review the message and determine if it’s a targeted campaign. For individuals, you can report fraud and phishing to the FTC.
What Is Trap Phishing?
Phishing has many forms, but one effective way to trick people into falling for fraud is to pretend to be a sender from a legitimate organisation. A phishing trap lures users to a malicious website using familiar business references and the same logo, designs and interface as a bank, ecommerce site or other recognisable popular brand. It should not be confused with a watering hole attack, which compromises a genuine site the targets already visit rather than building a look-alike.
What Is Barrel Phishing?
To avoid filters, an attacker might send an initial benign-looking email to establish trust first, and then send a second email with a link or request for sensitive information. Barrel phishing takes more effort from the attacker, but the effect can be more damaging as targeted users feel they can trust the email sender.
How to Spot a Phishing Email
The main goal of phishing is to steal credentials (credential phishing), sensitive information, or trick individuals into sending money. Always be wary of messages that ask for sensitive information or provide a link where you immediately need to authenticate.
The Ponemon 2021 Cost of Phishing Study
The financial effects of phishing attacks have soared as organisations shift to remote and hybrid work. Read the 2021 Ponemon Cost of Phishing Study to learn more.
New Ponemon Study Finds the Annual Cost of Phishing Scams Has More Than Tripled Since 2015
According to a study from Ponemon, the cost of phishing scams has tripled since 2015. Learn the contributing factors, annual costs, how to prevent them, and more.
What to Do After Responding to a Phishing Email
Falling victim to phishing scams may result in detrimental effects in a home setup or at the office. Learn what to do if you’ve responded to a phishing scam.