What Is Phishing? How to Recognize Attacks and Prevent Them

There is never a full stop in the battle against online fraud.

Malicious hackers are constantly looking for ways to exploit vulnerabilities and carry out phishing attacks. Phishing is an attempt to deceive a person into disclosing sensitive information that attackers use for identity theft or some other type of fraud. They come in various forms and might trick you with fake emails or phone calls, trying to steal your personal or financial data.

Cybercriminals mainly use phishing to steal information: bank details, credit card numbers, account logins, passwords, etc. The danger of such information being exploited is that it can lead to identity theft and financial loss.

Many organizations use email anti-spam software to protect their employees from being victims of phishing campaigns.

Essentially, the goal of a cybercriminal performing a phishing scam is for them to trick you, usually using email as their weapon, into giving them the information they want. Attackers trick recipients into opening malicious links, resulting in malware or ransomware infections.

Phishing attacks can be a part of a more significant data breach, such as advanced persistent threat (APT). Malicious hackers trick users with phishing attempts to access an organization's closed network and sensitive information. Businesses should train their workforce periodically to ensure employees and contractors know modern phishing techniques.

For example, a phishing email can encourage a recipient to click on a malicious link, open an image attachment, or download a file. It usually has an element of urgency, fear, or sometimes greed. You need to be careful with emails or phishing messages coming through a short message service (SMS) that stimulate any one of these emotions in you.

How phishing works

Typically, phishing attacks rely on various social networking methods applied to email or other communication methods, like text messages or instant messaging platforms. Phishers may also use social engineering to find out information about the victim, including where they work, their job title, hobbies, interests, activities, and so on.

Attackers use this information to compose a believable email message. These malicious emails typically start out with a link or an attachment for the opener to click on or open. In addition, the content is usually poorly written with improper grammar.

It goes like this: You're sent a message that appears to be from a person you know or an organization you recognize. Attackers weaponize this message with a malicious file attachment or link that houses phishing software. 

It prompts you to install malware on your device or redirect you to a fake website that tricks you into entering your personal information, such as passwords or credit card information.

Or, you'll receive an email from the CEO of your company, with the email address just slightly misspelled. The message reads, "Give me your number, I need you to complete a task for me." Since this is the CEO of your company (or so you think), you respond with your phone number, only to be sent a text asking you to complete a task that doesn't make sense, like ordering a bunch of Amazon gift cards. I'm not speaking from experience or anything.

Types of phishing attacks

Just like there are many fish in the sea, there are multiple types of phishing attempts that you could fall victim to.

• Spear phishing: Spear phishing is an email scam targeted towards an individual, a business, or an organization to steal personal data such as financial information or account credentials to trick the person into believing they have a real-world connection to the sender.
• Whaling attack: Whaling is similar to spear phishing, except on a much larger scale. These emails usually have a subject line about a "critical" business manner and are sent to someone high-up in the food chain within a specific business or organization. The objective of whaling attacks is to infect a computer with malware and obtain executives' business email credentials to make fraudulent wire transfers.
• CEO fraud: When a whaling attack is successful, CEO fraud occurs. Attackers successfully impersonate and abuse the CEO's email to approve wire transfers to a financial institution of their choice.
• Pharming: This method stems from a domain name system (DNS) cache manipulating. The internet uses DNS servers to convert website names to numeric IP addresses. The attacker then targets the DNS server and changes the IP address, allowing the attacker to redirect users to a malicious website, even if they type in the correct URL.
• Voice phishing: Also known as vishing, this is a form of phishing over voice communication media. Using speech synthesis software, an attacker will leave a voicemail notifying the victim of suspicious activity on their bank account or credit account and urges the victim to respond to verify their identity. This leads to identity theft, after which scammers use compromised credit card numbers for their malicious purposes.

How to spot a phishing attempt

It can be harder than you think to recognize a phishing email since they're typically sent from a well-known company or someone (you think) you know. Mainly if it includes the correct company logo, making it look legitimate. Attackers structure links to look as genuine as possible, with only one or two characters off. These are the warning signs you should keep an eye out for so you don't fall victim to a phishing attack.

• The link includes a subdomain or a misspelled URL.
• It's sent from a Gmail account instead of a corporate or business email account.
• The message possesses a sense of urgency or fear.
• The message asks that you verify personal information, such as a password.
• It's written poorly with spelling and grammar errors.
• The message isn't addressed to you personally and instead reads "Dear Customer".
• The content is too good to be true, as in saying you've won an iPhone or a lavish prize.
• The message contains threats, implying dire circumstances will arise if you do not follow through.

In addition to knowing which red flags to watch out for, you can also go one step further by utilizing spam filters to scan email messages, content, and attachments for potential threats.

Phishing attack examples

Modern attackers understand how organizations protect their assets. Hackers devise new ways to gain access to systems by tricking these defenses, and possibly the easiest way is by tricking humans. Humans are the weakest link to any organization's cybersecurity. 

Below are some examples of phishing attacks that malicious hackers perform to access sensitive information.

• Attackers masquerade as a company's CEO or senior leadership team demanding urgent attention to a report or an attachment. Employees react to suspicious emails quickly out of fear or a sense of responsibility toward the company and its leadership.
• Password reset emails plummet into your inbox to remind you about an expiring password. 
• Malicious hackers pose as your peer and send emails about a sensitive document with your name lying in the printer tray. They might attach a make-believe picture that can deploy malware if downloaded.
• Sometimes, attackers may redirect you to a malicious page that looks exactly like the genuine one and force you to enter user credentials. On the other hand, attackers can exploit vulnerabilities and hijack session cookies through activated malicious scripts resulting in a reflected cross-site scripting (XSS) attack.

While phishing happens to everyday people, there have been some attacks that have made some serious waves in the mainstream media.

For example, the Federal Bureau of Investigation (FBI) released a warning on February 16, 2022 about US contractor networks being targeted to access sensitive defense data. The Cybersecurity and Infrastructure Security Agency (CISA) observed that threat actors used spear phishing, credential harvesting, and brute force attacks against weak networks and accounts. FBI added, "bad actors take unethical advantage of unsuspecting employees, unpatched systems, and simple passwords to gain initial access before moving laterally through the network to establish persistence and exfiltrate data."

How to prevent phishing attacks

In recent years, phishing has become a significant problem for businesses. As phishing emails become harder to identify, they're likely to slip through the cracks when sent to employees' inboxes. 

While spam and phishing attempts can be difficult to identify, some key differences can help you separate the real from the fake. Spam emails may look like legitimate company emails with official logos or wording that makes them seem trustworthy, but they will often have spelling errors in the headers or subject lines. Phishing emails are more formal in their language but include irregularities that look suspicious.

For example, an email asking for an urgent wire transfer would be pretty unusual if sent from a company's finance department. The email address used may also be very different.

It's a misconception that phishing usually happens to people who use the internet too much. This is not the case. Anyone can fall victim to phishing, even if you only use the internet on rare occasions. The best way to protect yourself from online fraud is to keep your computer safe and follow some basic steps when you're online.

Be aware of what links you click on

Ensure that the link you are about to click on goes directly to the website it claims to go to. Be wary of links that look like others, but have a strange domain name in the URL (domain name is the website's address). This can indicate a phishing scam.

Avoid giving out personal details

If someone calls or emails you and asks for personal information, make sure they prove their identity. It's easy for an imposter or hacker to pretend they're someone else, so never trust someone unless you know them personally or have made sure they are legit.

Use safe websites

When shopping online, make sure you're using a website with security features like a green bar at the bottom of the screen or https:// in front. HTTPS refers to Hypertext Transfer Protocol Secure that facilitates secure communication over a computer network. 

No one wants to be the bait

Especially when it comes to a phishing attack, it can happen to anyone, so make sure you're extra cautious before opening a mysterious email and clicking on a link. With the amount of personal information you can access online, it's more important than ever that you take the extra step to ensure you don't become the bait of a cyber attack.

Learn more about different types of cyber attacks and how to protect your business against them.