What is phishing?
Often carried out over email -- although the scam has now spread beyond suspicious emails to phone calls (so-called 'vishing'), social media, SMS messaging services (aka 'smishing'), and apps -- a basic phishing attack attempts to trick the target into doing what the scammer wants.
Exactly what the scammer wants can vary wildly between attacks. It might be handing over passwords to make it easier to hack a company or person, or sending payments to fraudsters instead of the correct account. This information is often stolen by making requests that look entirely legitimate -- like an email from your boss, so you don't think twice about doing what is asked.
A successful phishing attack is one that can provide everything fraudsters need to ransack information from their targets' personal and work accounts, including usernames, passwords, financial information, and other sensitive data.
Phishing is also a popular method for cyber attackers to deliver malware by encouraging victims to download a weaponized document or visit a malicious link that will secretly install the malicious payload in attacks that could be distributing trojan malware, ransomware or all manner of damaging and disruptive attacks.
Why is phishing called phishing?
The overall term for these scams -- phishing -- is a modified version of 'fishing' except in this instance the one doing this fishing is the crook, and they're trying to catch you and reel you in with their sneaky email lure. In most cases, they will put out many of these lures. Most people will ignore these scam emails, but the crooks will send out enough that eventually someone bites.
It's also likely a reference to hacker history: some of the earliest hackers were known as 'phreaks' or 'phreakers' because they reverse engineered phones to make free calls.
Who is a target of phishing scams?
These scams can target anyone, anytime. The aim and the precise mechanics of phishing scams vary: for example, victims might be tricked into clicking a link through to a fake web page with the aim of persuading the user to enter personal information. In this case the 'lure' might be that you've won a prize, or a chance to grab a must-have special offer, or (oh the irony) a claim that your account has been hacked and you should login to take action.
More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years, especially in cases where specific individuals are targeted for data that they would only ever hand over to people they trust.
That data can range from your personal or corporate email address and password to financial data such as credit card details, online banking accounts and cryptocurrency wallets, or even personal data including your date of birth, address and a social security number.
In the hands of fraudsters, all of that information can be used to carry out scams such as identity theft or using stolen data to buy things or even selling your private information to other cyber criminals on the dark web, who can use it how they please. For example, phished usernames and passwords are regularly the starting point for ransomware attacks.
Not only that, but because phishing can be so effective, it's one of the most common techniques used by state-backed hacking groups for conducting espionage against other governments or other organisations of interest.
Ultimately, anyone can be a victim of a phishing attack, from high-ranking officials, to business leaders, to office professionals -- anyone who has an email or social media account could fall victim to a phishing attack.
How does a phishing attack work?
A basic phishing attack attempts to trick a user into giving away personal details or other confidential information, and email is the most common method of performing these attacks.
The sheer number of emails sent every single day means that it's an obvious attack vector for cyber criminals. Over 300 billion emails are sent every day -- and it's believed that at least three billion of these are malicious phishing emails.
Most people simply don't have the time to carefully analyse every message that lands in their inbox.
Some scammers are aiming at unwary consumers. Here, their email subject line will be designed to catch the victim's eye -- common phishing campaign techniques include offers of prizes won in fake competitions, such as lotteries or contests by retailers offering a 'winning voucher'.
In order to 'win' the prize, the victims are asked to enter their details such as name, date of birth, address, and bank details, as well as their username and password, in order to claim it. Obviously, there's no prize and all they've done is put their personal details into the hands of fraudsters.
Similar techniques are used in other scams in which attackers claim to be from a bank or other financial institution looking to verify details, online shops attempting to verify non-existent purchases or sometimes -- even more cheekily -- attackers will claim that there's been suspicious behavior on your account and you should login to check.
Sometimes they'll even claim to be representatives of tech or cybersecurity companies and that they need access to information in order to keep their customers safe.
Other scams, usually more sophisticated, aim at business users. Here attackers might also pose as someone from within the same organisation or one of its suppliers and will ask you to download an attachment that they claim contains information about a contract or deal.
Also: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened
Attackers will often use high-profile events as a lure in order to reach their end goals. For example, during the height of the coronavirus pandemic, cyber criminals extensively sent emails that supposedly contained information about coronavirus as a means of luring people into falling victim.
One common technique is to deliver a Microsoft Office document that requires the user to enable macros to run. The message that comes with the document aims to trick the potential victim into enabling macros to allow the document to be viewed properly, but in this case it will allow the crooks to secretly deliver their malware payload.
What's the cost of phishing attacks?
It's hard to put a total cost on the fraud that flows from phishing scams, because losses can range from a few dollars for a phishing attack against one person, to successful phishing attacks against large organisations potentially costing millions of dollars.
One research paper suggests the cost of phishing for large companies is almost $15 million a year, whie the FBI suggests that the total cost of online attacks has cost US businesses over $43 billion in recent years.
Phishing scam examples
The 'spray and pray' is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users.
These are the 'URGENT message from your bank' and 'You've won the lottery' messages that look to panic victims into making an error -- or blind them with greed. Some emails attempt to use fear, suggesting there's a warrant out for the victim's arrest and they'll be thrown in jail if they don't click through.
Schemes of this sort are so basic that there's often not even a fake web page involved -- victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download.
These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who'll exploit the information in any way they can. For cyber criminals, they take little time and effort to spam out -- the activity is often outsourced to bots -- which means that they're likely making a profit, even if it isn't much.
How can I spot a phishing attack?
At the core of phishing attacks, regardless of the technology or the particular target, is deception.
While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it's easy to forget that there are billions of internet users -- and every day there are people who are accessing the internet for the first time.
Also: Personally identifiable information (PII): What it is, how it's used, and how to protect it
Lots of internet users won't even be aware about the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn't actually from the organisation or friend it claims to be from?
But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, there are some key give-aways in less advanced campaigns that can make it easy to spot an attempted attack.
Poor spelling and grammar
Many of the less professional phishing operators still make basic errors in their messages -- notably when it comes to spelling and grammar.
Official messages from any major organisation are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate.
It's common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.
An unusual URL
It's very common for email phishing messages to coerce the victim into clicking through a link to a malicious or fake website.
Many phishing attacks will contain what looks like an official-looking URL. However, it's worth taking a second careful look.
In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won't check the link and will just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn't notice.
Ultimately, if you are suspicious of a URL in an email, hover over it to examine the landing page address and, if it looks fake, don't click on it. And check that it is the correct URL and not one that looks very similar but slightly different to one that that you'd usually expect.
A strange or mismatched sender address
You receive a message that looks to be from an official company account. The message warns you that there's been some strange activity using your account and urges you to click the link provided to verify your login details and the actions that have taken place.
The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?
Also: This cruel email-hacking gang aims to tug on your heartstrings and steal your cash
In many instances, the phisher can't fake a real address and just hopes that readers don't check. Often the sender address will just be listed as a string of characters rather than as sent from an official source.
Another trick is to make the sender address almost look exactly like the company -- for example, one campaign claiming to be from 'Microsoft's Security Team' urged customers to reply with personal details to ensure they weren't hacked. However, there isn't a division of Microsoft with that name -- and it probably wouldn't be based in Uzbekistan, where the email was sent from.
Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.
This message looks too strange or too good to be true
Congratulations! You've just won the lottery/free airline tickets/a voucher to spend in our store -- now just provide us with all of your personal information, including your bank details, to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.
In many cases, phishing emails with the aim of distributing malware will be sent in a blank message containing an attachment -- never clicking on mysterious, unsolicited attachments is a very good tactic when it comes to not falling victim.
Even if the message is more detailed and looks as if it came from someone within your organisation, if you think the message might not be legitimate, contact someone else in the company -- over the phone or in person rather than over email if necessary -- to ensure that they really did send it.
How can you protect against phishing attacks?
Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.
Exercises allow staff to make errors -- and crucially learn from them -- in a protected environment. It's important not to punish people who fall victim to phishing exercises, because if they think they'll be humiliated for reporting a real phishing attack, they may not report it, which would be bad for everyone. Being able to talk about phishing makes protecting against it easier in the long run.
At a technical level, disabling macros from being run on computers in your network can play a big part in protecting employees from attacks. Macros aren't designed to be malicious -- they're designed to help users perform repetitive tasks with keyboard shortcuts.
However, the same processes can be exploited by attackers in order to help them execute malicious code and drop malware payloads.
Most newer versions of Office automatically disable macros, but it's worth checking to ensure that this is the case for all the computers on your network -- it can act as a major barrier to phishing emails attempting to deliver a malicious payload.
Multi-factor authentication (MFA) also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using MFA blocks 99.9% of attempted account hacks. If applying MFA to accounts is possible, it should be applied.
When did phishing begin?
The consensus is that the first example of the word phishing occurred in the mid-1990s with the use of software tools like AOHell that attempted to steal AOL user names and passwords.
These early attacks were successful because it was a new type of attack, something users hadn't seen before. AOL provided warnings to users about the risks, but phishing remained successful and it's still here over 20 years on. In many ways, it has remained the same for one simple reason -- because it works.
How did phishing evolve?
While the fundamental concept of phishing hasn't changed much, there have been tweaks and experimentations across two decades as technology and how we access the internet has changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams, as home internet use took off and a personal email address started to become more common.
Many early phishing scams came with telltale signs that they weren't legitimate -- including strange spelling, weird formatting, low-res images, and messages that often didn't make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats and that meant these attacks still found success -- and are still effective today.
Some phishing campaigns remain really, really obvious to spot -- like the prince who wants to leave his fortune to you, his one long-lost relative, but others have become to be so advanced that it's virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues, or even your boss.
What is spear phishing?
Spear phishing is more advanced than a regular phishing attack, with the aim of compromising a specific organisation, group or even specific individuals. Instead of vague messages being sent, criminals design them to target anything from a specific organisation, to a department within that organisation, or even an individual in order to ensure the greatest chance that the email is read and the scam is a success.
It's these sorts of specially crafted messages that have often been the entry point for a number of high-profile cyberattacks and hacking incidents. Both cyber-criminal gangs and nation-state-backed attackers continue to use this as means of beginning espionage campaigns.
Also: A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed
The message might be designed to look like an update from your bank, it could say you've ordered something online, it could relate to any one of your online accounts.
Hackers have even been known to seek out victims of data breaches and pose as customer service teams or security professionals warning victims of compromise -- and that targets should ensure their account is still secure by entering their account details into this handy link.
While spear phishing does target consumers and individual internet users, it's much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation as it can produce a far more lucrative bounty.
This particular type of phishing message can come in a number of forms including a false customer query, a false invoice from a contractor or partner company, a false request to look at a document from a colleague, or even in some cases, a message that looks as if it comes directly from the CEO or another executive.
Rather than being a random message, the idea is to make it look as if it has come from a trusted source, and coax the target into either installing malware or handing over confidential credentials or information. These scams take more effort but there's a bigger potential payback for crooks, too.
It's quite possible for hackers to compromise the account of one user and use that as a stepping stone for further attacks. These 'conversation hijacking' attacks take advantage of using a real person's account to send additional phishing emails to their real contacts -- and because the email comes from a trusted source, the intended victim is more likely to click.
What is business email compromise?
Recent years have seen the rise of a supremely successful form of targeted phishing attack that sees hackers pose as legitimate sources -- such as management, a colleague or a supplier -- and trick victims into sending large financial transfers into their accounts. This is often known as business email compromise (BEC).
According to the FBI, common BEC scams include: cyber criminals posing as a vendor your company regularly deals with that sends an invoice with a (fake) updated mailing address; a company CEO asking an employee to buy gift cards to send out as rewards -- and to send the gift card codes over immediately; or a homebuyer receiving an email about transferring a down-payment.
Business email compromise examples
In each instance, the attacker will rely heavily on social engineering, often attempting to generate a sense of urgency that the money transfer needs to be made right now -- and in secret.
For example, attackers have been known to compromise the email account for a supplier that they'll use to send an 'urgent' invoice that needs paying to the victim.
Cyber criminals also engage in CEO Fraud, a subset of BEC attack, where the attackers pose as a board member or manager, asking an employee to transfer funds to a specific account -- often claiming it as a matter of secrecy and urgency.
In each of these cases, the attackers direct the funds into bank accounts they control, then make off with the money. By the time anyone notices anything is wrong, the attackers are long gone. According to the FBI, it's estimated that BEC attacks cost a combined total of billions of dollars a year.
The growth of remote working in recent years has arguably made it easier for criminals to conduct BEC scams and other phishing attacks, because people working from home can't as easily talk to one of their colleagues to check if the email is legitimate.
What other types of phishing attacks are there?
While email still remains a large focus of attackers carrying out phishing campaigns, the world is very different to how it was when phishing first started. No longer is email the only means of targeting a victim and the rise of mobile devices, social media, and more have provided attackers with a wider variety of vectors.
What is social media phishing?
With billions of people around the world using social media services such as Facebook, LinkedIn, and Twitter, attackers are no longer restricted to use one means of sending messages to potential victims.
Some attacks are simple and easy to spot: a Twitter bot might send you a private message containing a shortened URL that leads to something bad, such as malware or maybe even a fake request for payment details. Some of these are slightly more advanced, claiming to be a potential new friend and only sending a link after a few messages back and forth.
Also: Hacking the metaverse: Why Meta wants you to find the flaws in its newest headsets
But there are other attacks that play a longer game. A common tactic used by phishers is to pose as a person using photos ripped from the internet, stock imagery or someone's public profile. Often these are just harvesting Facebook 'friends' for some future mission and don't actually interact with the target.
However, sometimes plain old catfishing also comes into play, with the attacker establishing a dialogue with the target -- all while posing as a fake persona.
After a certain amount of time -- it could be days, it could be months -- the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their info.
One campaign of this nature targeted individuals in organisations in the financial, oil and technology sectors, with advanced social engineering based around a single, prolific social media persona that was absolutely fake.
Those behind 'Mia Ash' are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.
What is LinkedIn phishing?
Like it or not, LinkedIn has become a major part of the online lives of hundreds of millions of white-collar workers. We use it to show off our achievements, chat with professional contacts, and look for new jobs. Our LinkedIn profiles can also display a lot of public-facing information, letting anyone out there know who we are, our professional interests, who we work for -- and who our colleagues are.
For cyber criminals, that means, if exploited, LinkedIn is a useful too for helping to conduct phishing attacks to steal passwords and other sensitive corporate information. For example, a fraudster could browse your LinkedIn profile to find out who you work and regularly interact with.
Also: LinkedIn has massively cut the time it takes to detect security threats. Here's how it did it
Then there are cyber criminals who are more direct, attempting to use LinkedIn itself as part of the attack chain. A common tactic is to claim the recipient is being headhunted for a job, before the attacker sends them an attachment featuring the job description -- a fake document for a fake job that contains very real malware.
Other attackers play a longer game, starting conversations with potential targets on LinkedIn before asking them to move to another platform like email or mobile messaging -- and it's through this platform that the phishing attack containing the malicious link or malware is distributed.
What is SMS and mobile phishing?
The rise of mobile-messaging services -- Facebook Messenger and WhatsApp in particular -- have provided phishers with a new method of attack.
Attackers don't even need to use emails or instant-messaging apps to meet the end goal of distributing malware or stealing credentials -- the internet-connected nature of modern communications means text messages are also an effective attack vector.
SMS phishing -- or smishing -- attacks work in much the same way as an email attack; presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.
The nature of text messaging means the smishing message is short and designed to grab the attention of the victim, often with the aim of panicking them into clicking on the phishing URL.
A common attack by smishers is to pose as a bank and fraudulently warn that the victim's account has been closed, had cash withdrawn or is otherwise compromised.
The truncated nature of the message often doesn't provide the victim with enough information to analyse whether the message is fraudulent, especially when text messages don't contain telltale signs, such as a sender address.
One form of mobile-phishing attack that has become increasingly common in recent times is fraudulent missed delivery messages. The SMS phishing message claims that you have a delivery on the way -- or that you've missed one -- and that you need to click a link to reschedule or pay for it.
Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.
What is cryptocurrency phishing?
As the popularity -- and value -- of cryptocurrencies like Bitcoin, Monero, and others have fluctuated over time, attackers want a piece of the pie too. Some hackers use cryptojacking malware, which secretly harnesses the power of a compromised machine to mine for cryptocurrency.
However, unless the attacker has a large network of PCs, servers or IoT devices doing their bidding, making money from this kind of campaign can be an arduous task that involves waiting months. Another option for crooks is to use phishing to steal cryptocurrency directly from the wallets of legitimate owners -- and that's a lucrative business for cyber criminals.
In a prominent example of cryptocurrency phishing, one criminal group conducted a campaign that copied the front of Ethereum wallet website MyEtherWallet and encouraged users to enter their login details and private keys.
Once this information had been gathered, an automatic script created the fund transfer by pressing the buttons like a legitimate user would, but all while the activity remained hidden from the individual until it was too late.
The theft of cryptocurrency in phishing campaigns like this and other attacks is costing crypto exchanges and their users hundreds of millions of dollars, as accounts and whole platforms get hacked and cyber criminals take the money for themselves.
What is the future of phishing?
It might have been around for almost 20 years, but phishing remains a threat for two reasons -- it's simple to carry out -- even by one-person operations -- and it works, because there's still plenty of people on the internet who aren't aware of the threats they face. And even the most sophisticated users can be caught out from time to time.
For seasoned security personnel or technologically savvy people, it might seem strange that there are people out there who can easily fall for a scam claiming 'You've won the lottery' or 'We're your bank, please enter your details here'.
On top of this, the low cost of phishing campaigns and the extremely low chances of scammers getting caught means they remain a very attractive option for fraudsters.
As new technologies emerge, it's inevitable that cyber criminals will look to abuse them for profit. Cyber scammers have already used deepfake technology to successfully use phone calls to trick victims into believing they're talking to their boss making a request for a financial transfer.
And as deepfake technology evolves, there's also the potential for cyber criminals to exploit it on video calls, using the deep-learning tech to make themselves look and sound like someone the victim trusts, only to trick them into doing what they want.
Meanwhile, cybersecurity researchers warn that cyber criminals are already looking at the ChatGPT AI chat bot and the potential it has for helping to conduct campaigns. It's possible that crooks could use AI to write convincing phishing messages.
Because of all of this, phishing will continue as cyber criminals look to profit from stealing data and dropping malware in the easiest way possible. But it can be stopped -- and by knowing what to look for and by employing training when necessary, you can try to ensure that your organisation doesn't become a victim.