Phishing: What it Is and How it Works
What you need to know about phishing and other social engineering scams
The majority of cyberattacks and data breaches start with one thing: phishing.
As one of the biggest threats to companies worldwide, it’s imperative to understand exactly what constitutes phishing, who is routinely targeted and how, and what you can do to best protect yourself.
What Is Phishing?
Phishing is a cybercrime typically perpetrated through emails, phone calls, or texts made to look as though they’ve come from a legitimate institution in order to glean your personal information.
This often includes, but is by no means limited to, your Social Security number, bank information or credit card numbers, or important passwords. This information is then used for identity or financial theft or simply sold to the highest bidder on the black market.
The goal of any phishing attack is to get as much private information as possible. This allows attackers to do things like withdraw money from your bank account or apply for credit cards in your name.
Attackers also consistently use fear and intimidation to scare people into handing over this information (e.g., “We will deactivate your Social Security number if you do not call us back”), and add pressure by imposing deadlines (e.g., “If we don’t hear from you in the next 24 hours, your account will be terminated”). This ensures that victims don’t have the time to properly think things through, and instead hand over the information in haste.
In addition to financial motives, phishing tactics can also be used for cyber espionage, targeting employees and high-level executives alike. The goal of this type of targeted phishing goes beyond stealing an individual’s credit card information; its aim is to compromise entire organizations through access to high-level employees (often called “privileged users”) and retrieve additional kinds of valuable information. These attempts can lead to significant data breaches.
Phishing Attack Techniques
Cybercriminals use many different techniques to phish their victims.
Some are broad-ranging (such as mass emails to thousands of targets) while some are much more targeted. These targeted attempts are generally collected under the term spear phishing: Spear phishing involves close research of individuals to ensure that the correspondence comes across as personal and genuine, and therefore has a much higher chance of duping the receiver.
Individual techniques are only limited by the scammer’s imagination, but these are some of the most popular methods that typically crop up:
Most phishing attempts are conducted over email. What started with the infamous Nigerian Prince scam has evolved into sophisticated, near-identical replicas to branded business correspondence, from Google asking for a password change to PayPal offering a free $5.
These emails will include links or attachments that carry malware or that prompt users to enter personal data. Learning how to spot the difference is important; some phishing attempts are so close to the real thing that it’s nearly impossible to tell real from fake.
This “Bank of Americans” spoof email (shown as an image in the original article) features a few of the more common signs present in many “spray-and-pray” phishing emails:
- A generic greeting where a real banking email would use the recipient’s name
- A “close-but-not-there” spoof of a major brand
- A fear-based call-to-action designed to trigger quick, unthinking action on the part of the recipient
This spoof from a major social media platform that rhymes with “Placebook” (also shown as an image in the original article) invites users to click on a link, likely leading to a malware payload. Indications this email is not what it seems include:
- Misspellings of a major brand name
- Disguised as a routine update email (and therefore less suspicious)
- Invitations to click on multiple links to either review security “enhancements” or review your own privacy settings
This scammer might have been scraping the bottom of the barrel with this technique (a third example shown as an image in the original article), but sometimes the simplest attempts are the ones that get overlooked and clicked on. The clues to this email’s true identity include:
- An unsolicited attachment, which should never be opened unless extra steps are taken to confirm the validity of the sender
- The overtly suspicious “From” address claiming to be from “google.co.uk”
- The too-good-to-be-true announcement that the recipient has won an outrageous sum of money
Targeted Attacks (Spear Phishing)
Colloquially referred to as spear phishing, these are personalized versions of the same scam. The main motivations behind spear phishing are usually gaining access to business secrets, confidential information, or financial credentials.
Spear phishing attempts will often employ a tactic known as business email compromise (BEC), in which attackers create email accounts that are near-identical to those of someone on a corporate network, and pose as them.
By impersonating a high-level employee, they can glean private information, request fund transfers, and deliver malware. BEC attacks involving high-level employees, such as members of a company’s C-suite, really have two victims: the compromised executive and the unwitting employee. These attacks stem from two main methods on the part of the cybercriminal.
One, a malicious hacker compromises an executive’s email account via phishing or some other means and sends emails to lower-level employees requesting financials or W-2 information. Two, a cybercriminal gathers enough information about a given executive via social media, social engineering, and other avenues to craft a convincing email from a spoofed email address.
In a 2019 report, the Better Business Bureau found that BEC scams have cost businesses more than $3 billion in the last three years alone.
Social Media Phishing
Few tools in the digital age are as impactful or pervasive as social media. And whether businesses like it or not, social media use spills into employee work time, making risks stemming from this communication method a factor for users both at home and at work.
Social media naturally brings out behaviors like divulging personal details or clicking and sharing links, actions that can be a goldmine for cybercriminals. Ever adaptable, the bad guys have concocted myriad ways to phish unsuspecting users as they scroll through their feeds.
Be leery of any contest, deal, quiz, or giveaway—especially if it involves giving away your personal information. Even “liking” a fake link helps phishing fraudsters.
If you’re not sure if the post is legitimate, navigate to the brand’s official social media site to verify its authenticity.
Phishing can occur in a direct message, either from strangers or from compromised social media accounts of your contacts.
Check for deceptive links and reach out to the sender directly (via a new message) to verify before clicking any links or revealing information.
Phishy Friend Requests
Fake accounts and friend requests are a common way scammers begin their attacks. By “friending” you, they gain access to your profile and can use personal details to create more convincing messages in the future.
Don’t “friend” people you don’t know, and be especially wary of friend requests from individuals who are already in your contact list.
Telephone and Text Messages
Cybercriminals have not limited themselves to email as an attack vector to collect sensitive data or deliver malware. Phishing attacks are increasingly common via phone calls and SMS text messaging.
A popular telephone scam in 2019 posed as the Department of Social Security informing people via an automated message that their Social Security number was going to be suspended and asked for people to confirm their Social Security number and other personal information. This is called vishing, short for voice phishing. Just like with email phishing attempts, vishing attacks will often play on fears of fines or even jail time to threaten sensitive information out of victims.
The popularity of text messaging over the last decade has given rise to SMS phishing, or “smishing” for short. Popular smishing techniques involve threatening negative consequences if a specific action is not taken (sound familiar?) or simply including a link to click on.
The all-in-one capabilities of modern mobile devices mean they’ve become just one more avenue for malware to enter a given network. Alternatively, smishing links will take another tactic from the phishing playbook and lead to a phony login page designed to collect sensitive credentials.
Who Is Most At-Risk from Phishing?
Phishing is a problem that affects everyone. Between scam emails, phone calls, text messages, and even social media posts, it’s close to impossible to avoid being on the receiving end of an attack. Everyone should be educated on what to look out for, because these attempts, if successful, can lead to devastating consequences.
With spear phishing, it’s not only employees that are at risk for phishing schemes: it’s company executives who may be the most vulnerable. With the highest level of access to a company’s sensitive data, they’re the most likely to be targeted in a spear phishing attempt, in addition to whatever standard phishing emails and calls they may receive.
How Do I Combat Phishing Attacks?
With mass-sent phishing schemes, there are a variety of ways to prepare for potential attacks and help safeguard information. Security Awareness Training plays a vital defensive role against phishing attacks.
Look out for the signs of a phishing attempt, especially over email (the most common form of phishing).
If an email appears to be coming from your bank, are you being addressed by your first name, or generically? Are there any spelling or grammatical errors in the text? When hovering your mouse over a link, does it indeed go to your bank, or is the address something long and suspicious?
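The signs listed above (generic greeting, look-alike brand domain, fear-based deadlines, too-good-to-be-true offers, link text that doesn't match the real destination, unsolicited attachments) can be turned into a simple checklist scanner. The following Python script is an added example written for this page, not MediaPRO's own tooling; the brand list, phrase lists, and the three sample messages are constructed for illustration, and the domain matching is deliberately crude (last two labels, small edit distance).

```python
"""Heuristic phishing-indicator scanner (added example, not the article's code)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed list: the real domains of brands we expect mail from.
KNOWN_BRANDS = {
    "bankofamerica.com": "Bank of America",
    "paypal.com": "PayPal",
    "facebook.com": "Facebook",
    "google.com": "Google",
}

# Greeting that addresses nobody in particular ("Dear Customer", "Hello,").
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi|greetings)\s*(,|customer|user|member|client|account holder|valued|sir/madam)",
    re.IGNORECASE,
)
# Deadline / threat language of the "act now or else" kind.
URGENCY = re.compile(r"(within \d+ hours?|suspend|deactivat|terminat|immediately|final notice)", re.IGNORECASE)
# Windfall language ("you have won ...").
WINDFALL = re.compile(r"(you have won|claim your prize|lottery)", re.IGNORECASE)
# Something that looks like a hostname inside visible link text.
HOSTNAME = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character swaps such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' of a hostname (fine for .com-style domains)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_domain(host: str) -> Optional[str]:
    """Return the brand a sender domain imitates, or None if it is the real domain or unrelated."""
    host = host.lower()
    for real in KNOWN_BRANDS:
        if host == real or host.endswith("." + real):
            return None  # genuinely the brand's own domain or a subdomain of it
    for real, brand in KNOWN_BRANDS.items():
        brand_label = real.split(".")[0]
        for label in host.split("."):
            close = len(label) >= 4 and levenshtein(brand_label, label) <= 2
            if brand_label in label or close:
                return brand
    return None


def link_mismatch(text: str, href: str) -> bool:
    """True when the visible link text names a domain other than the real target (what 'hover' reveals)."""
    shown = HOSTNAME.search(text)
    if not shown:
        return False
    return registrable(shown.group(0)) != registrable(urlparse(href).hostname or "")


def phishing_indicators(msg: Dict) -> List[str]:
    """Run every check over one parsed message and list the indicators found."""
    found: List[str] = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    brand = lookalike_domain(sender_domain)
    if brand:
        found.append(f"sender domain {sender_domain} imitates {brand}")
    if GENERIC_GREETING.match(msg["body"]):
        found.append("generic greeting instead of the recipient's name")
    if URGENCY.search(msg["body"]):
        found.append("fear-based or deadline language")
    if WINDFALL.search(msg["body"]):
        found.append("too-good-to-be-true offer")
    for text, href in msg.get("links", []):
        if link_mismatch(text, href):
            found.append(f"link text shows {text!r} but points to {href}")
    for name in msg.get("attachments", []):
        found.append(f"unsolicited attachment {name}")
    return found


# Constructed sample messages mirroring the three spoofs described in the article.
SAMPLE_SPOOF = {
    "from": "alerts@bankofamericans.com",
    "body": "Dear Customer,\nYour account will be suspended within 24 hours unless you verify.",
    "links": [("https://www.bankofamerica.com/verify", "https://secure-update.example/login")],
    "attachments": [],
}
SAMPLE_PRIZE = {
    "from": "winner@google.co.uk",
    "body": "Hello,\nCongratulations, you have won $1,000,000! See attached claim form.",
    "links": [],
    "attachments": ["claim_form.doc.exe"],
}
SAMPLE_LEGIT = {
    "from": "service@paypal.com",
    "body": "Hi Alex,\nYour monthly statement is ready.",
    "links": [("View statement", "https://www.paypal.com/statements")],
    "attachments": [],
}

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("prize", SAMPLE_PRIZE), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

A scanner like this is a training aid rather than a mail filter: it makes the checklist concrete, and each indicator it prints is one a recipient can verify by hand (re-reading the greeting, looking at the From domain, hovering over the link). A real mail gateway would add authentication results (SPF, DKIM, DMARC) and attachment scanning on top of these surface heuristics.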
If you’re unsure about the source of a call or email, double check before offering up valuable information.
If a phone call is suspicious, especially if it purports to be from a government agency, hang up and call back the official number listed on the agency’s website. If your bank emails you asking for your password, stop in your local branch or give them a call to make sure it’s legitimate.
Especially when it comes to spear phishing, proper education is key.
The more sophisticated these methods grow, the more difficult it is to catch phishing attempts (spear phishing emails will likely look and sound like they come from someone you know—no obvious spelling mistakes or generic addresses).
Since spear phishing targets people at companies who handle sensitive data, including high-level executives, a comprehensive approach to employee training will help to ensure that no attempt is successful.
Enable Two-Factor Authentication Across Important Accounts
Email addresses, bank accounts, and even social media accounts should have two-factor authentication enabled. That way, if someone tries to log in to any of your accounts from another device, you’ll receive a text message and/or an email notifying you—and you’ll likely be able to prevent them from gaining entry.
If You See Something, Say Something
Many companies have incident reporting tools or procedures in place to report suspicious emails.
Whether the reporting tool is built into the email client itself or you simply forward the suspicious email to an IT staffer, make sure you follow your company’s protocol for reporting phishing attempts. This gives your IT team the ability to review and record phishing attempts and know what attacks might be coming their way.
Saying something when you see something is the first step.