What Is Phishing?

Date First Published: 24th June 2022

Topic: Cybersecurity

Subtopic: Threats To Systems, Data & Information

Computer Terms & Definitions

Difficulty: Easy

Difficulty Level: 3/10

Learn more about what phishing is in this article.

Phishing is the practice of impersonating trusted companies to steal sensitive information from users. It usually arrives as an email that the phisher disguises as coming from a legitimate company. The user is convinced to click a link to a fake site, which tricks them into giving away personal details such as card numbers, usernames, and passwords. These details can then be sold to third parties or used to spend the victim’s money and buy items in the victim’s name. Phishing can also arrive through other private communication channels, such as text messages; this is known as smishing.

Phishers can use public sources of information to collect details about the victim (interests, name, activities, personal and work history, and contact information such as email addresses and phone numbers) and then craft an email designed to look as if it has come from a legitimate company.

How To Spot A Phishing Email?

The signs below can indicate that a message is a phishing email.

  • The message includes spelling or grammatical errors.
  • The message uses suspicious URLs or subdomains.
  • The message is intended to give a sense of urgency or fear.
  • The sender uses a public email address, such as Gmail, rather than a professional email address that ends with the name of a company.
  • The message asks for personal information.

Example Of A Phishing Email

An example of a phishing email can be seen below. Note that these are not real links or email addresses.

To: [email protected]

From: [email protected]

Dear valued customer of XYZ bank.

It has come to our attention that we need to transfer your money to a safe account.

In order to do this, we will need your:

  • 4-digit PIN number
  • Full banking password
  • Details from your card

Just click the link below:

http://sitef4389f2fa7da.com/bank/login.php

Once you have entered your details, we will happily transfer your money to a safe account.

Kind regards,

XYZ Bank

Why Is This A Phishing Email?

This is a clear example of a phishing email that impersonates a trusted bank. It is a phishing email for the following reasons:

  • First of all, banks will never ask customers to transfer their money to a safe account.
  • The sender’s email address looks suspicious and does not look like it has come from a trusted bank, since it contains lots of random numbers and letters.
  • The link looks suspicious, as it does not look like an online banking website at all. The mix of random letters and numbers makes the link look fake.
  • Banks will never ask for a customer’s full PIN number or password.
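The warning signs listed above can be checked mechanically. The script below is an added example, not code from the original article: it runs those checks over a constructed message modelled on the article's sample email and over a constructed benign one. The addresses, the xyzbank.invalid domain and the phrase lists are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the article's example; the addresses are placeholders.
SAMPLE_PHISH = """\
From: XYZ Bank <support@sitef4389f2fa7da.com>
Subject: Action required: transfer your money to a safe account

Dear valued customer of XYZ bank.
It has come to our attention that we need to transfer your money to a safe account.
In order to do this, we will need your 4-digit PIN number and full banking password.
Just click the link below:
http://sitef4389f2fa7da.com/bank/login.php
"""
# Constructed benign sample for contrast (assumed domain, not a real bank).
SAMPLE_LEGIT = """\
From: XYZ Bank <statements@xyzbank.invalid>
Subject: Your monthly statement is ready

Your statement is now available in online banking.
"""
URGENCY = ("action required", "urgent", "immediately", "safe account", "suspended")
CREDENTIAL_RE = re.compile(r"\b(pin|password|card number|security code)\b")
URL_RE = re.compile(r"https?://([^/\s]+)")

def looks_random(label):
    """True for labels that mix many digits into letters, e.g. sitef4389f2fa7da."""
    digits = sum(c.isdigit() for c in label)
    letters = sum(c.isalpha() for c in label)
    return len(label) >= 10 and digits >= 4 and letters >= 4

def phishing_signals(raw):
    """Return the article's warning signs that fire on one raw email message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    signals = []
    if looks_random(sender_domain.split(".")[0]):      # random letters and numbers in sender
        signals.append("random-looking sender domain")
    brand = display_name.lower().replace(" ", "")
    if brand and brand not in sender_domain:            # claims a brand the domain lacks
        signals.append("display name does not match sender domain")
    if any(p in text for p in URGENCY):                 # sense of urgency or fear
        signals.append("urgency or fear language")
    if CREDENTIAL_RE.search(text):                      # asks for PIN, password, card data
        signals.append("asks for credentials")
    for host in URL_RE.findall(text):                   # links to random-looking hosts
        if looks_random(host.split(".")[0]):
            signals.append("suspicious link host: " + host)
    return signals
```

Running `phishing_signals(SAMPLE_PHISH)` reports all five signs, while the benign sample reports none; these heuristics are a teaching aid and a real mail filter would also check authentication headers such as SPF and DKIM.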

Types Of Phishing Attacks

  • Spear phishing - A method of phishing that targets a specific individual or company. People who engage in spear phishing already know some information about the individual or the company. For example, if a phisher knows the victim’s name or physical address and sends an email with those details at the top, that would be spear phishing.
  • Vishing - Also known as voice phishing, vishing is a type of phishing attack in which an attacker impersonates a trusted company to steal sensitive information from users through a voice or telephone call.
  • Smishing - Also known as SMS phishing, smishing is a type of phishing attack in which an attacker impersonates a trusted company to steal sensitive information from users through mobile text messaging (SMS).
  • Angler phishing - A type of phishing attack targeted at individuals on social media. For example, an attacker contacts people on social media while pretending to be a customer service representative in order to reach a customer and steal their account credentials.
  • Pharming - A combination of the words ‘phishing’ and ‘farming’. Pharming is a type of attack that involves hijacking the user’s browser settings or installing malicious software to forcibly redirect them to a fake website that steals their credentials. This is usually performed by modifying the hosts file on the user’s computer.
  • Whaling phishing - Also known as CEO fraud, this type of attack is targeted at high-level executives of a company in order to steal sensitive information.

What To Do If I Have Received A Phishing Email?

If you have received a phishing email, follow the tips below.

  • Never click on any of the links in the email or open any attachments. They may contain viruses or malicious code.
  • Report the message as phishing in your email provider if they have that option.
  • DO NOT reply to or email the sender as this could lead to more phishing messages or spam.

What To Do If I Have Fallen For A Phishing Scam?

If it is too late and you think that you have unintentionally fallen for a phishing scam, there are a few things you can do.

  • Get as many details of the attack as you can recall and change the passwords on any accounts that you have shared with the phisher as soon as possible.
  • Confirm that you have two-factor authentication on any affected accounts.
  • If the phishing scam has an effect on any work or school accounts, notify the IT department at your work or school of the phishing scam as soon as possible.

Note: Unfortunately, if you have given a phisher your bank details and they have spent your money, it is unlikely that you will be able to recover any of your money.

History

The word ‘phishing’ is a variant of the word ‘fishing’ and refers to the deception tactics used to ‘fish’ for users’ personal information. It was introduced around 1996 by phishers using deception tactics to steal AOL account usernames and passwords.

A clear example of a phishing attack that caused issues was the ‘ILOVEYOU’ virus. Victims were sent an email containing the message ‘ILOVEYOU’, which pointed to an attachment presented as a love letter. The attachment contained a worm that would overwrite files on the victim’s hard drive and send copies of itself to the addresses in the victim’s contact list.