Phishing is a common type of cyber attack that targets individuals through email, text messages, phone calls, and other forms of communication. A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information.
As a popular form of social engineering, phishing involves psychological manipulation and deception whereby threat actors masquerade as reputable entities to mislead users into performing specific actions. These actions often involve clicking links to fake websites, downloading and installing malicious files, and divulging private information, like bank account numbers or credit card information.
Since the mid-1990s, the term “phishing” has been used to identify hackers who use fraudulent emails to “fish for” information from unsuspecting users. However, phishing attacks have become increasingly sophisticated and are now broken down into different types, including email phishing, spear phishing, smishing, vishing, and whaling. Each type is characterized by specific channels and methods of execution – email, text, voice, social media, etc. – all with a similar underlying intention.
How Phishing Works
Whether a phishing campaign is hyper-targeted or sent to as many victims as possible, it starts with a malicious message. An attack is disguised as a message from a legitimate company. The more aspects of the message that mimic the real company, the more likely an attacker will be successful.
While attackers’ goals vary, the general aim is to steal personal information or credentials. An attack is facilitated by emphasizing a sense of urgency in the message, which could threaten account suspension, money loss, or loss of the targeted user’s job. Users pressured into meeting an attacker’s demands don’t take the time to stop and think about whether the demands are reasonable or the source is legitimate.
Phishing continually evolves to bypass security filters and human detection, so organizations must continually train staff to recognize the latest phishing strategies. It only takes one person to fall for phishing to incite a severe data breach. That’s why it’s one of the most critical threats to mitigate and the most difficult as it requires human defenses.
Why Is Phishing a Problem?
Phishing is a significant problem because it is easy, cheap, and effective for cybercriminals to use. Phishing tactics, particularly email, require minimal cost and effort, making them widespread cyber-attacks. Victims of phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.
The data that cybercriminals go after include personal identifiable information (PII)—like financial account data, credit card numbers, and tax and medical records—as well as sensitive business data, such as customer names and contact information, proprietary product secrets, and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media and other accounts or to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Many of the biggest data breaches start with an innocent phishing email where cybercriminals gain a small foothold to build upon.
Attackers prey on fear and a sense of urgency, often using strategies that tell users their account has been restricted or will be suspended if they don’t respond to the email.
Because phishing attacks are typically sent to as many people as possible, the messaging is usually thin and generic. The following illustrates a common phishing email example.
In the above message, the user’s name is not mentioned, and the sense of urgency injects fear to trick users into opening the attachment.
The attachment could be a web page, a shell script (e.g., PowerShell), or a Microsoft Office document with a malicious macro. The macro and scripts can be used to download malware or trick users into divulging their account credentials.
In some email phishing tactics, attackers register domains that look similar to their official counterparts, or they occasionally use generic email providers such as Gmail. When users receive these emails, the messages might carry the official company logo, but the sender’s address will not use the official company domain.
How an attacker carries out a phishing campaign depends on their goals. In B2B, for example, attackers may use fake invoices to trick the accounts payable department into sending money. In this attack the sender address is not important, as many vendors use personal email accounts to do business.
The button in this example opens a web page with a fraudulent Google authentication form. The page attempts to scam targeted victims into entering their Google credentials so that attackers can steal accounts.
Cybercriminals use three primary phishing techniques to steal information: malicious web links, malicious attachments and fraudulent data-entry forms.
Malicious Web Links
Phishing links take users to impostor websites or sites infected with malicious software, also known as malware. Malicious links can be disguised as trusted links and are embedded in logos and other images in an email.
Here is an example of an email received by users at Cornell University, displaying “Help Desk” as the sender’s name. However, the email did not originate from the university’s help desk but rather from the @connect.ust.hk domain. The link embedded in the email points to a page that looks like the Office 365 login page attempting to steal user credentials.
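The two warning signs described above, a lookalike sender domain and an authoritative display name such as “Help Desk” arriving from an outside domain, can be checked mechanically before a message reaches a user. The following is an added example, not code from the original page or from Proofpoint: it parses a raw message with Python’s standard `email` module, compares the From and Reply-To domains against an assumed list of trusted organisation domains (`cornell.edu` is taken from the example above), and applies a simple confusable-character normalisation to catch lookalikes. The sample messages, the trusted-domain list and the external domains are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Domains the organisation legitimately sends mail from (assumed for this example).
TRUSTED_DOMAINS = {"cornell.edu"}

# Display-name keywords that claim internal authority; an external sender
# using one of these is the pattern in the "Help Desk" example above.
AUTHORITY_KEYWORDS = ("help desk", "helpdesk", "it support", "service desk", "payroll", "ceo")

# Simple confusable-character map so that lookalikes such as c0rnell.edu
# collide with the real domain after normalisation.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    """Map digit/letter substitutions and 'rn' -> 'm' so lookalike domains compare equal."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m")


def is_lookalike(domain: str) -> bool:
    """True when an untrusted domain normalises to the same string as a trusted one."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    return normalise_domain(domain) in {normalise_domain(t) for t in TRUSTED_DOMAINS}


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header ('' if there is none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_sender(raw_message: str) -> list:
    """Return human-readable findings about the From and Reply-To headers of a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    findings = []

    if domain and domain not in TRUSTED_DOMAINS:
        if is_lookalike(domain):
            findings.append(f"lookalike sender domain: {domain}")
        if any(k in display_name.lower() for k in AUTHORITY_KEYWORDS):
            findings.append(
                f"display name '{display_name}' claims an internal role but sender is external ({domain})"
            )

    # A Reply-To pointing somewhere other than the From domain is a common sign of
    # a spoofed or compromised sender (responses are diverted to the attacker).
    reply_domain = sender_domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain ({reply_domain}) differs from From domain ({domain})")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: Help Desk <support@mail.example.net>\n"
    "Reply-To: Help Desk <support@mail.example.net>\n"
    "To: student@cornell.edu\n"
    "Subject: Action required: validate your account\n\n"
    "Your mailbox will be suspended in 24 hours.\n"
)
LOOKALIKE = (
    "From: Registrar <registrar@c0rnell.edu>\n"
    "To: student@cornell.edu\n"
    "Subject: Tuition refund\n\n"
    "Complete the attached form.\n"
)
LEGIT = (
    "From: IT Help Desk <helpdesk@cornell.edu>\n"
    "To: student@cornell.edu\n"
    "Subject: Scheduled maintenance\n\n"
    "No action is required.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, analyse_sender(raw))
```

The normalisation is deliberately crude; a production mail gateway would use a full confusable table (including Unicode homoglyphs) and combine these header checks with SPF, DKIM and DMARC results rather than trusting the From header alone.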
Malicious Attachments
While these may look like legitimate file attachments, they are actually infected with malware that can compromise computers and their files.
Here’s an example of a phishing email shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected the recipients’ computers. Variations of these shipping scams are particularly common during the holiday shopping season.
Fraudulent Data Entry Forms
These techniques use fake forms that prompt users to fill in sensitive information—such as user IDs, passwords, credit card data, and phone numbers. Once users submit that information, it can be used by cybercriminals for various fraudulent activities, including identity theft.
Here’s an example of a fake landing page mimicking the gov.uk website. After clicking a link in a phishing email, users are routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form.
Types of Phishing Attacks
Phishing has evolved into more than simple credential and data theft. How an attacker lays out a campaign depends on the type of phishing. Types of phishing include:
- Email phishing: the general term given to any malicious email message meant to trick users into divulging private information. Attackers generally aim to steal account credentials, personally identifiable information (PII) and corporate trade secrets. However, attackers targeting a specific business might have other motives.
- Spear phishing: these email messages are sent to specific people within an organization, usually high-privilege account holders, to trick them into divulging sensitive data, sending the attacker money or downloading malware.
- Link manipulation: messages contain a link to a malicious site that looks like the official business but takes recipients to an attacker-controlled server where they are persuaded to authenticate into a spoofed login page that sends credentials to an attacker.
- Whaling (CEO fraud): these messages are typically sent to high-profile employees of a company to trick them into believing the CEO or other executive has requested to transfer money. CEO fraud falls under the umbrella of phishing, but instead of an attacker spoofing a popular website, they spoof the CEO of the targeted corporation.
- Content injection: an attacker who can inject malicious content into an official site will trick users into accessing the site to show them a malicious popup or redirect them to a phishing website.
- Malware: users tricked into clicking a link or opening an attachment might download malware onto their devices. Ransomware, rootkits or keyloggers are common malware attachments that steal data and extort payments from targeted victims.
- Smishing: using SMS messages, attackers trick users into accessing malicious sites from their smartphones. Attackers send a text message to a targeted victim with a malicious link that promises discounts, rewards or free prizes.
- Vishing: attackers use voice-changing software to leave a message telling targeted victims that they must call a number where they can be scammed. Voice changers are also used when speaking with targeted victims to disguise an attacker’s accent or gender so that they can impersonate someone else.
- “Evil Twin” Wi-Fi: spoofing free Wi-Fi, attackers trick users into connecting to a malicious hotspot to perform man-in-the-middle exploits.
- Pharming: pharming is a two-phase attack used to steal account credentials. The first phase installs malware on a targeted victim’s machine; the malware then redirects their browser to a spoofed website where they are tricked into divulging credentials. DNS poisoning is also used to redirect users to spoofed domains.
- Angler phishing: using social media, attackers reply to posts pretending to be an official organization and trick users into divulging account credentials and personal information.
- Watering hole: a compromised site provides endless opportunities, so an attacker identifies a site used by numerous targeted users, exploits a vulnerability on the site, and uses it to trick users into downloading malware. With malware installed on targeted user machines, an attacker can redirect users to spoofed websites or deliver a payload to the local network to steal data.
- Online stores (ecommerce)
- Social media
- Banks and other financial institutes
- Payment systems (merchant card processors)
- IT companies
- Telecommunication companies
- Delivery companies
- Wells Fargo
- Bank of America
Preventing phishing attacks requires a combination of user training to recognize the warning signs and robust cybersecurity systems to stop payloads. Email filters are helpful with phishing, but human prevention is still necessary in cases of false negatives.
A few ways your organization can prevent being a victim of phishing:
- Train users to detect a phishing email: a sense of urgency and requests for personal data, including passwords, embedded links and attachments, are all warning signs. Users must be able to identify these warning signs to defend against phishing.
- Avoid clicking links: instead of clicking a link and authenticating into a web page directly from an embedded link, type the official domain into a browser and authenticate directly from the manually typed site.
- Use anti-phishing email security: artificial intelligence scans incoming messages, detects suspicious messages and quarantines them without allowing phishing messages to reach the recipient’s inbox.
- Change passwords regularly: users should be forced to change their passwords every 30-45 days to reduce an attacker’s window of opportunity. Leaving passwords active for too long gives an attacker indefinite access to a compromised account.
- Keep software and firmware up-to-date: software and firmware developers release updates to remediate bugs and security issues. Always install these updates to ensure known vulnerabilities are no longer present in your infrastructure.
- Install firewalls: firewalls control inbound and outbound traffic. Malware installed from phishing silently eavesdrops and sends private data to an attacker, but a firewall blocks malicious outgoing requests and logs them for further review.
- Avoid clicking on popups: attackers change the location of the X button on a popup window to trick users into opening a malicious site or downloading malware. Popup blockers stop many popups, but false negatives are still possible.
- Be cautious about giving out credit card data: unless you know the site is completely trustworthy, never give credit card data to a website you don’t recognize. Any site promising gifts or money back should be used with caution.
Anti-Phishing Training Suite
Training employees to detect phishing is a critical component of phishing awareness and education to ensure that your organization does not become the next victim. It only takes one employee to fall for a phishing campaign to become the next reported data breach.
Phishing simulation is the latest in employee training. The practical application to an active phishing attack gives employees experience in how an attack is carried out. Most simulations involve social engineering because attackers often combine the two for a more effective campaign. Simulations mirror real-world phishing scenarios, but employee activity is monitored and tracked.
Reporting and analytics inform administrators where the organization can improve by discovering which phishing attacks tricked employees. Simulations including links tie into reporting by tracking who clicks a malicious link, which employees enter their credentials on a malicious site, and any email messages that trigger spam filters. Results can be used to configure spam filters and reinforce training and education across the organization.
Proofpoint customers have used Anti-Phishing Training Suite and Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. This unique, four-step Assess, Educate, Reinforce, and Measure approach can be the foundation of any organization’s phishing awareness training program.
Phishing protection involves the security measures organizations can take to mitigate phishing attacks on their employees and systems. Security awareness training and education through real-world examples and exercises will help users identify phishing. It’s common for organizations to work with experts to send simulated phishing emails to employees and track who opened the email and clicked the link.
Some email gateway solutions can catch and classify phishing emails based on the known bad reputation of the embedded URLs. However, these solutions are not always reliable in detecting well-crafted phishing messages from compromised legitimate websites.
The most effective systems identify suspicious emails based on anomalytics. They look for unusual patterns in traffic to identify suspicious emails, rewrite the embedded URL, and maintain a constant watch on the URL for in-page exploits and downloads. These monitoring tools quarantine suspicious email messages so administrators can research ongoing phishing attacks. If a high number of phishing emails are detected, administrators can alert employees and reduce the chance of a successful targeted phishing campaign.
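URL rewriting, as described above, replaces each link in an inbound message with a link to an inspection gateway, so the real destination can be checked again at click time and each click can be attributed to a recipient for the reporting described earlier. The following is an added example, not code from the original page or from Proofpoint’s products: it walks an HTML body with Python’s standard `html.parser`, wraps every http(s) href in an HMAC-signed gateway link, and also flags anchors whose visible text names a different host than the real destination (the link-manipulation pattern from the list of phishing types). The gateway address `urlgw.example.org`, the signing key and the sample bodies are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed click-time inspection gateway and signing key; placeholders, not a real service.
GATEWAY = "https://urlgw.example.org/click"
SIGNING_KEY = b"constructed-demo-key-rotate-in-production"

# Anchor text that looks like a URL or bare domain; group 1 is the host the user sees.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def _sign(url: str, recipient: str) -> str:
    """HMAC over destination and recipient so neither can be swapped in the gateway link."""
    return hmac.new(SIGNING_KEY, f"{url}|{recipient}".encode(), hashlib.sha256).hexdigest()


def rewrite_url(url: str, recipient: str) -> str:
    """Wrap url in a signed gateway link; the destination is re-checked when clicked."""
    enc = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return GATEWAY + "?" + urlencode({"u": enc, "r": recipient, "s": _sign(url, recipient)})


def resolve_gateway_link(link: str) -> Optional[str]:
    """Gateway side: verify the signature and return the original URL, or None if tampered."""
    q = parse_qs(urlparse(link).query)
    try:
        enc, recipient, sig = q["u"][0], q["r"][0], q["s"][0]
    except KeyError:
        return None
    url = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)).decode()
    if not hmac.compare_digest(sig, _sign(url, recipient)):
        return None
    return url


class LinkRewriter(HTMLParser):
    """Rewrites http(s) hrefs to gateway links and records anchors whose visible
    text names a different host than the href actually points to."""

    def __init__(self, recipient: str):
        super().__init__(convert_charrefs=True)
        self.recipient = recipient
        self.out: List[str] = []                     # rewritten HTML fragments
        self.findings: List[str] = []                # text/destination mismatches
        self.rewritten: List[Tuple[str, str]] = []   # (original_url, gateway_link)
        self._href: Optional[str] = None             # href of the <a> being processed
        self._text: List[str] = []                   # visible text inside that <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = attrs.get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self._href, self._text = href, []
            gateway_link = rewrite_url(href, self.recipient)
            self.rewritten.append((href, gateway_link))
            attrs["href"] = gateway_link
            rendered = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs.items() if v is not None)
            self.out.append(f"<{tag}{rendered}>")
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            m = _URLISH.match("".join(self._text).strip())
            shown = m.group(1).lower() if m else None
            actual = (urlparse(self._href).hostname or "").lower()
            if shown and shown != actual:
                self.findings.append(f"link text shows {shown} but points to {actual}")
            self._href = None
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        self.out.append(escape(data, quote=False))


def rewrite_body(html_body: str, recipient: str) -> Tuple[str, List[str], List[Tuple[str, str]]]:
    """Return (rewritten HTML, mismatch findings, [(original_url, gateway_link), ...])."""
    parser = LinkRewriter(recipient)
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings, parser.rewritten


# Constructed sample bodies (not real messages).
PHISH_BODY = (
    "<p>Your Office 365 password expires today.</p>"
    '<p><a href="https://secure-login.example.net/o365">https://login.example-company.com/</a></p>'
)
LEGIT_BODY = '<p><a href="https://portal.example-company.com/reset">portal.example-company.com</a></p>'

if __name__ == "__main__":
    body, findings, links = rewrite_body(PHISH_BODY, "alice@example-company.com")
    print(findings)
    print(body)
    print(resolve_gateway_link(links[0][1]))
```

Binding the recipient into the signature is what makes click reports attributable per user without letting anyone forge a gateway link for a destination the gateway never saw; the gateway itself would look the decoded URL up against current reputation data at click time rather than only at delivery time.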
With user-based awareness training the most critical line of defense, it’s critical for organizations to communicate to employees and educate them on the latest phishing and social engineering techniques. Keeping employees aware of the latest threats reduces risk and generates a culture of cybersecurity within the organization.
What to Do If You’ve Fallen Victim
After you’ve sent your information to an attacker, it will likely be disclosed to other scammers. You’ll probably receive vishing and smishing messages, new phishing emails, and voice calls. Always stay on alert for suspicious messages asking for your information or financial details.
The Federal Trade Commission has a website dedicated to identity theft to help you mitigate damages and monitor your credit score. If you clicked on a link or opened a suspicious attachment, your computer could have malware installed. To detect and remove the malware, ensure your antivirus software is up-to-date and has the latest patches installed.
How to Report Phishing Emails
If you think you’re the target of a phishing campaign, the first step is to report it to the appropriate people. On a corporate network, it’s best to report it to IT staff to review the message and determine if it’s a targeted campaign. For individuals, you can report fraud and phishing to the FTC.
What Is Trap Phishing?
Phishing has many forms, but one effective way to trick people into falling for fraud is to pretend to be a sender from a legitimate organization. A phishing trap lures users to a malicious website using familiar business references and the same logo, designs, and interface as a bank, ecommerce, or other recognizable popular brands. This is also known as a Watering Hole attack.
What Is Barrel Phishing?
To avoid filters, an attacker might send an initial benign-looking email to establish trust first, and then send a second email with a link or request for sensitive information. Barrel phishing takes more effort from the attacker, but the effect can be more damaging as targeted users feel they can trust the email sender.
How to Spot a Phishing Email
The main goal of phishing is to steal credentials (credential phishing), sensitive information, or trick individuals into sending money. Always be wary of messages that ask for sensitive information or provide a link where you immediately need to authenticate.