Phishing is an attack in which the threat actor poses as a trusted person or organization to trick potential victims into sharing sensitive information or sending them money. As with real fishing, there's more than one way to reel in a victim: Email phishing, smishing, and vishing are three common types. Some attackers take a targeted approach, as is the case with spear phishing or whale phishing (more on the types of phishing below).
How phishing attacks work
Phishing attacks begin with the threat actor sending a communication, acting as someone trusted or familiar. The sender asks the recipient to take an action, often implying an urgent need to do so. Victims who fall for the scam may give away sensitive information that could cost them. Here are more details on how phishing attacks work:
- The sender: In a phishing attack, the sender imitates (or “spoofs”) someone trustworthy that the recipient would likely know. Depending on the type of phishing attack, it could be an individual, like a family member of the recipient, the CEO of the company they work for, or even someone famous who is supposedly giving something away. Often phishing messages mimic emails from large companies like PayPal, Amazon, or Microsoft, and also banks or government offices.
- The message: Under the guise of someone trusted, the attacker will ask the recipient to click a link, download an attachment, or to send money. When the victim opens the message, they find a scary message meant to overcome their better judgement by filling them with fear. The message may demand that the victim go to a website and take immediate action or risk some sort of consequence.
- The destination: If users take the bait and click the link, they're sent to an imitation of a legitimate website. From here, they're asked to log in with their username and password. If they comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market. Some phishing kits go a step further and proxy the real login page in real time, so a one-time code the victim types in is relayed to the attacker as well.
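The sender-side tells described above can be checked mechanically. The following Python script is an added example, not code from the original article: it parses a raw message's headers and reports the spoofing signals just described (a display name that invokes a brand the address does not belong to, a display name that is itself an address at another domain, a Reply-To or Return-Path on a different domain, and SPF/DKIM/DMARC failures recorded by the receiving mail server). The allowlist `TRUSTED_BRANDS` and the three sample messages are constructed for illustration.

```python
"""Triage a raw message's headers for sender-spoofing signals.

Added example, not code from the original article.  Assumptions: TRUSTED_BRANDS
is a made-up allowlist and the three sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

TRUSTED_BRANDS = {"paypal.com", "amazon.com", "microsoft.com"}  # assumed allowlist


def domain_of(addr: str) -> str:
    """Lower-case domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower().strip()


def auth_results(header: str) -> Dict[str, str]:
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    pattern = r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b"
    return dict(re.findall(pattern, header.lower()))


def spoofing_signals(raw: str) -> List[str]:
    """Return the spoofing signals found in one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw)
    signals: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    bounce_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])

    # 1. The display name claims a brand that the sending domain does not belong to.
    for brand in sorted(TRUSTED_BRANDS):
        if brand.split(".")[0] in display_name.lower() and from_domain != brand:
            signals.append(f"display name '{display_name}' but sender domain is {from_domain}")

    # 2. The display name is itself an address at a different domain
    #    (the classic "ceo@victim" <random@free-mail> trick).
    if "@" in display_name and domain_of(display_name) != from_domain:
        signals.append(f"display name carries address '{display_name}', real sender is {from_addr}")

    # 3. Replies are routed somewhere other than the claimed sender.
    if reply_domain and reply_domain != from_domain:
        signals.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. The envelope sender (bounce address) sits on yet another domain.
    if bounce_domain and bounce_domain != from_domain:
        signals.append(f"Return-Path domain {bounce_domain} differs from From domain {from_domain}")

    # 5. The receiving MTA recorded failed SPF/DKIM/DMARC checks.
    for mechanism, verdict in auth_results(msg.get("Authentication-Results", "")).items():
        if verdict in ("fail", "softfail", "permerror"):
            signals.append(f"{mechanism}={verdict}")
    return signals


# Constructed sample messages (not real mail).  The leading backslash keeps the
# header block from starting with a blank line, which would end the headers.
SPOOFED_BRAND = """\
From: "PayPal Service" <service@paypa1-secure.example>
Reply-To: <refunds@mail-recovery.example>
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=paypa1-secure.example
To: victim@example.com
Subject: Your account is limited - confirm now

Please confirm your account within 24 hours or it will be closed.
"""

CEO_FRAUD = """\
From: "ceo@targetcorp.example" <quickreply4821@free-mail.example>
To: accounts-payable@targetcorp.example
Subject: Urgent wire needed today

Are you at your desk? I need a payment processed before 5pm.
"""

LEGIT = """\
From: "Amazon.com" <no-reply@amazon.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=amazon.com; dkim=pass header.d=amazon.com; dmarc=pass header.from=amazon.com
To: victim@example.com
Subject: Your order has shipped

Your package is on its way.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed brand", SPOOFED_BRAND), ("CEO fraud", CEO_FRAUD), ("legit", LEGIT)):
        print(label, "->", spoofing_signals(sample) or "no signals")
```

None of these signals is proof on its own (mailing lists legitimately rewrite Return-Path, for example), which is why the script returns the whole list and leaves the verdict to the analyst or to a scoring rule.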
Who is targeted by phishing?
Anyone can be targeted with a phishing attack, but some types of phishing are done to very specific people. Some threat actors will send out a general email to many people, hoping a few will take the bait based on a common trait. An example would be saying something is wrong with your Facebook or Amazon account, and you need to click this link right away to log in and fix it. The link would likely lead to a spoofed webpage where you might give away your login credentials.
Threat actors use more targeted phishing attacks if they are after something specific, like access to a certain company's network or data, or information from a politician or political candidate. This is called spear phishing. In this case, they may research information to make their attack sound familiar and credible, so the target is more likely to click a link or provide information. An example would be researching the name and communication style of a target company's CEO, then emailing or texting specific employees at that company pretending to be the CEO asking for something.
While threat actors often pretend to be CEOs in their phishing attacks, sometimes the target is the CEO themself. "Whale phishing" describes phishing attacks toward high-profile people like company executives, celebrities, or well-known wealthy individuals. Whether an attack is general or highly targeted, sent to one person or many people, anyone can become a phishing target, so it's important to
Types of phishing attacks
Despite their many varieties, the common denominator of all phishing attacks is their use of a fraudulent pretense to acquire valuables. Some major categories include:
Email phishing is one of the most common types of phishing. It has been widespread since the early days of e-mail. The attacker sends an email purporting to be someone trustworthy and familiar (online retailer, bank, social media company, etc.), and asks you to click a link to take an important action, or perhaps download an attachment.
Some specific examples of email phishing include:
- Business email compromise (BEC): A business email compromise (BEC) attack targets someone in the finance department of an organization, often the CFO, and attempts to deceive them into sending large sums of money. Attackers often use social engineering tactics to convince the recipient that sending the money is urgent and necessary.
- Clone phishing: In this attack, criminals make a copy—or clone—of previously delivered but legitimate emails that contain either a link or an attachment. Then, the phisher replaces the links or attached files with malicious substitutions disguised as the real thing. Unsuspecting users either click the link or open the attachment, which often allows their systems to be commandeered. Then the phisher can counterfeit the victim's identity in order to masquerade as a trusted sender to other victims in the same organization.
- 419/Nigerian scams: A verbose phishing email from someone claiming to be a Nigerian prince is one of the Internet's earliest and longest-running scams. This "prince" either offers you money, but says you need to send him a small amount first in order to claim it, or he says he is in trouble, and needs funds to resolve it. The number "419" is associated with this scam. It refers to the section of the Nigerian Criminal Code dealing with fraud, the charges, and penalties for offenders.
Vishing (voice call phishing)
With phone-based phishing attempts, sometimes called voice phishing or “vishing,” the phisher calls claiming to represent your local bank, the police, or even the IRS. Next, they scare you with some sort of problem and insist you clear it up immediately by sharing your account information or paying a fine. They usually ask that you pay with a wire transfer or with prepaid cards, because those payments are hard to trace and nearly impossible to reverse.
Smishing (SMS or text message phishing)
SMS phishing, or “smishing,” is vishing's evil twin, carrying out the same kind of scam (sometimes with an embedded malicious link to click) by means of SMS texting.
Catfishing or catphishing? Either way, it's phishing with a romantic twist. Check out our article Bad romance: catphishing explained. From the article:
Catfishing (spelled with an “f”) is a kind of online deception wherein a person creates a presence in social networks as a sock puppet or a fictional online persona for the purpose of luring someone into a relationship—usually a romantic one—in order to get money, gifts, or attention. Catphishing (spelled with a “ph”) is similar, but with the intent of gaining rapport and (consequently) access to information and/or resources that the unknowing target has rights to.
Phishing vs. spear phishing: While most phishing campaigns send mass emails to as many people as possible, spear phishing is targeted. Spear phishing attacks a specific person or organization, often with content that is tailor made for the victim or victims. It requires pre-attack reconnaissance to uncover names, job titles, email addresses, and the like. The hackers scour the Internet to match up this information with other researched knowledge about the target's colleagues, along with the names and professional relationships of key employees in their organizations. With this, the phisher crafts a believable email.
For instance, a fraudster might spear phish an employee whose responsibilities include the ability to authorize payments. The email purports to be from an executive in the organization, commanding the employee to send a substantial payment either to the exec or to a company vendor (when in fact, the malicious payment link sends it to the attacker).
Whale phishing is what it probably sounds like: Phishing that targets high-profile victims. This can include celebrities, politicians, and C-level businesspeople. Typically, the attacker is trying to trick these well-known targets into giving out their personal information and/or business credentials. Whaling attacks usually involve social engineering efforts to trick the victim into believing the deception.
How to identify a phishing attack
Recognizing a phishing attempt isn't always easy, but a few tips, a little discipline, and some common sense will go a long way. Look for something that's off or unusual. Ask yourself if the message passes the “smell test.” Trust your intuition, but don't let yourself get swept up by fear. Phishing attacks often use fear to cloud your judgement.
Here are a few more signs of a phishing attempt:
- The email makes an offer that sounds too good to be true. It might say you've won the lottery, an expensive prize, or some other over-the-top item.
- You recognize the sender, but it's someone you don't talk to. Even if the sender's name is known to you, be suspicious if it's someone you don't normally communicate with, especially if the email's content has nothing to do with your normal job responsibilities. Same goes if you're cc'd in an email to folks you don't even know, or perhaps a group of colleagues from unrelated business units.
- The message sounds scary. Beware if the email has charged or alarmist language to create a sense of urgency, exhorting you to click and “act now” before your account is terminated. Remember, legitimate organizations do not ask you to confirm your password or full account details by replying to an unsolicited email or following a link in one.
- The message contains unexpected or unusual attachments. These attachments may contain malware, ransomware, or another online threat.
- The message contains links that look a little off. Even if your spider sense is not tingling about any of the above, don't take any embedded hyperlinks at face value. Instead, hover your cursor over the link to see the actual URL (on a phone, press and hold the link to preview it). Be especially on the lookout for subtle misspellings in an otherwise familiar-looking website, because that indicates fakery. It's always better to type the URL in yourself than to click the embedded link.
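Hovering to read the real URL is the manual version of a check that can be run over a whole message. The following Python script is an added example, not code from the original article, and it also covers the “navigate manually” and “mouse over the link” advice later on this page: it pulls every link out of an HTML body and compares the visible text with the real destination, flags punycode or non-ASCII hostnames, looks for a brand name inside a domain that brand does not own or a one-character typosquat, and spots open-redirect links whose query string carries a second URL. `LEGIT_DOMAINS` is an assumed allowlist, `registrable()` uses a crude last-two-labels rule instead of the public-suffix list, and `SAMPLE_HTML` is a constructed message body.

```python
"""Compare what a link shows with where it really goes.

Added example, not code from the original article.  Assumptions: LEGIT_DOMAINS
is a made-up allowlist, registrable() is a crude two-label rule rather than the
public-suffix list, and SAMPLE_HTML is a constructed phishing body.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

LEGIT_DOMAINS = {"paypal.com", "amazon.com", "microsoft.com"}  # assumed allowlist


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool would consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(href: str, text: str) -> List[str]:
    """Return the phishing signals for one link (empty list means nothing odd)."""
    findings: List[str] = []
    url = urlsplit(href.strip())
    host = (url.hostname or "").lower()
    reg = registrable(host)

    if url.scheme not in ("http", "https"):
        findings.append(f"unusual scheme '{url.scheme}'")
    elif url.scheme == "http":
        findings.append("plain http, no TLS")

    # The visible text names one site while the href goes to another.
    shown = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != reg:
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")

    # Internationalised / punycode hostnames are how homoglyph lookalikes are built.
    if not host.isascii():
        findings.append("non-ASCII characters in hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
        except ValueError:
            decoded = "?"
        findings.append(f"punycode hostname {host} (decodes to {decoded})")

    # A brand name inside a domain the brand does not own, or a near-miss spelling.
    for legit in LEGIT_DOMAINS:
        if reg == legit:
            continue
        brand = legit.split(".")[0]
        if brand in host:
            findings.append(f"'{brand}' appears in {host} but registrable domain is {reg}")
        elif edit_distance(reg, legit) <= 2:
            findings.append(f"{reg} is a lookalike of {legit}")

    # An open redirect: a trusted host forwarding to a URL carried in the query string.
    for name, values in parse_qs(url.query).items():
        for value in values:
            target = urlsplit(value)
            if target.scheme in ("http", "https") and target.hostname:
                findings.append(f"redirect parameter '{name}' forwards to {target.hostname}")
    return findings


def analyze_links(html: str) -> List[Tuple[str, List[str]]]:
    """Run link_findings over every anchor in an HTML message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, link_findings(href, text)) for href, text in collector.links]


# Constructed sample body (not a real phishing email).
SAMPLE_HTML = """
<p>Dear customer, your account is limited. Confirm now:</p>
<a href="http://paypal.com.secure-login.example/confirm">https://www.paypal.com/confirm</a>
<a href="https://xn--pypal-4ve.com/signin">Sign in</a>
<a href="https://trusted.example/redirect?url=https://evil.example/login">Open document</a>
<a href="https://www.amazon.com/orders">Your orders</a>
"""

if __name__ == "__main__":
    for href, findings in analyze_links(SAMPLE_HTML):
        print(href, "->", findings or "no findings")
```

The fourth link comes back clean, which is the point of returning a list per link rather than a single verdict for the message: a phishing email usually mixes real links to the spoofed brand with the one that matters.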
Examples of phishing attempts
Here's an example of a phishing attempt that spoofs a notice from PayPal, asking the recipient to click on the “Confirm Now” button. Mousing over the button reveals the true URL destination (highlighted in the original screenshot).
Here's another phishing attack image, this time claiming to be from Amazon. Note the threat to close the account if there's no response within 48 hours.
Clicking on the link leads to a form that invites you to hand over exactly what the phisher needs to plunder your valuables:
Phishing examples in the news
- Watch out for this bump in LinkedIn phishing
- Microsoft warns of phishy OAuth apps
- Phishers on the prowl with fake parking meter QR codes
- Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected
- Phishers target TikTok influencers with verification promises and copyright threats
- This Steam phish baits you with free Discord Nitro
- Microsoft warns about phishing campaign using open redirects
- How to spot a DocuSign phish and what to do about it
How do I protect myself against phishing?
As stated previously, phishing is an equal opportunity threat, capable of showing up on desktops, laptops, tablets, and smartphones. Most browsers will warn you about sites already known to be malicious, but the first line of defense against phishing is your judgement. Train yourself to recognize the signs of phishing and practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.
From Malwarebytes Labs' Adam Kujawa, here are a few of the most important practices to keep you safe:
- Don't open e-mails from senders you are not familiar with.
- Don't ever click on a link inside of an e-mail unless you know exactly where it is going.
- To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
- Look out for the digital certificate of a website.
- If you are asked to provide sensitive information, check that the URL of the page starts with “HTTPS” instead of just “HTTP.” The “S” stands for “secure.” It's not a guarantee that a site is legitimate, but most legitimate sites use HTTPS because it's more secure. HTTP sites, even legitimate ones, are vulnerable to hackers.
- If you suspect an e-mail isn't legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.
- Mouse over the link to see if it's a legitimate link.
As always, we recommend using antivirus/anti-malware security software like Malwarebytes Premium. Most cybersecurity tools can detect when a link or an attachment isn't what it seems, which adds a safety net if you do fall for a clever phishing attempt. You can even try Malwarebytes free before you buy.
So stay vigilant, take precautions, and look out for anything phishy.
Why is phishing effective?
Unlike other kinds of online threats, phishing does not require particularly sophisticated technical expertise. In fact, according to Adam Kujawa, Director of Malwarebytes Labs, “Phishing is the simplest kind of cyberattack, and at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”
Phishers are not trying to exploit a technical vulnerability in your device's operating system; they're using social engineering. From Windows and iPhones to Macs and Androids, no operating system is completely safe from phishing, no matter how strong its security is. In fact, attackers often resort to phishing because they can't find any technical vulnerabilities. Why waste time cracking through layers of security when you can trick someone into handing you the key? More often than not, the weakest link in a security system isn't a glitch buried in computer code, it's a human being who doesn't double-check where an email came from.
How does phishing affect my business?
The fact of the matter is this—cybercriminals are targeting your business. As reported in the Malwarebytes Labs Cybercrime Tactics and Techniques Report (CTNT), attacks on businesses went up 55 percent in the second half of 2018 with Trojans and ransomware proving to be the most popular types of attacks. Specifically, Trojan attacks on businesses rose 84 percent while ransomware attacks went up 88 percent. Phishing often plays an important role in Trojan and ransomware attacks, because cybercriminals rely on phishing emails to get victims to download the malware and initiate the attack.
The Emotet banking Trojan, for instance, which wreaked havoc throughout 2018, includes a spam module that scans contact lists on an infected computer and sends your friends, family, and coworkers phishing emails that link to a malware-laden attachment or download. In an interesting twist, Emotet, once a banking Trojan in its own right, is now being used to deliver other malware, including ransomware.
What happens once malware like Emotet gets a foothold on your network via a phishing attack? Just ask the beleaguered city officials of Allentown. The 2018 attack on the Pennsylvania city required direct help from Microsoft’s incident response team to clean up and reportedly cost the city upwards of one million dollars to fix.
See all our reporting on phishing at Malwarebytes Labs.
History of phishing
The origin of the name “phishing” is easy enough to trace. The process of performing a phishing scam is much like actual, aquatic fishing. You assemble some bait designed to deceive your victim, then you cast it out and hope for a bite. As for the digraph “ph” replacing the “f,” it could be the result of a portmanteau of “fishing” and “phony,” but some sources point back to another possible origin.
In the 1970s, a subculture formed around the practice of using low-tech hacks to exploit the telephone system. These early hackers were called “phreaks”—a combination of “phone” and “freaks.” At a time when there weren't many networked computers to hack, phreaking was a common way to make free long-distance calls or reach unlisted numbers.
Even before the actual phishing term took hold, a phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
The use of the name itself is first attributed to a notorious spammer and hacker in the mid-1990s, Khan C Smith. Also, according to Internet records, the first time that phishing was publicly used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. At the time, America Online (AOL) was the number one provider of Internet access, with millions of log-ons daily.
Naturally, AOL's popularity made it a target for fraudsters. Hackers and software pirates used it to communicate with one another, as well as to conduct phishing attacks on legitimate users. When AOL took steps to shut down AOHell, the attackers turned to other techniques. They sent messages to AOL users claiming to be AOL employees and asked people to verify their accounts and hand over billing information. Eventually, the problem grew so bad that AOL added warnings on all email and instant messenger clients stating "no one working at AOL will ask for your password or billing information."
Going into the 2000s, phishing turned its attention to exploiting online payment systems. It became common for phishers to target bank and online payment service customers, some of whom—according to subsequent research—might have even been accurately identified and matched to the actual bank they used. Likewise, social networking sites became a prime phishing target, attractive to fraudsters since personal details on such sites are useful for identity theft.
Criminals registered dozens of domains that spoofed eBay and PayPal well enough that they passed for the real thing if you weren't paying close enough attention. PayPal customers then received phishing emails (containing links to the fake website), asking them to update their credit card numbers and other personally identifiable information. The first known phishing attack against a bank was reported by The Banker (a publication owned by The Financial Times Ltd.) in September 2003.
By the mid-2000s, turnkey phishing software was readily available on the black market. At the same time, groups of hackers began to organize in order to orchestrate sophisticated phishing campaigns. Estimated losses due to successful phishing during this time vary, with a 2007 report from Gartner stating that as many as 3.6 million adults lost $3.2 billion between August 2006 and August 2007.
In 2011, phishing found state sponsors when a suspected Chinese phishing campaign targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists.
In perhaps the most famous event, in 2013, 110 million customer and credit card records were stolen from Target customers, through a phished subcontractor account.
Even more infamous was the phishing campaign launched by Fancy Bear (a cyber espionage group associated with the Russian military intelligence agency GRU) against email addresses associated with the Democratic National Committee in the first quarter of 2016. In particular, Hillary Clinton's campaign manager for the 2016 presidential election, John Podesta, had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).
In 2017, a massive phishing scam tricked Google and Facebook accounting departments into wiring money, a total of over $100 million, to overseas bank accounts under the control of a hacker.