What is Phishing? Attack Techniques & Prevention Tips

Learn how to defend against malicious emails and other phishing threats

Phishing meaning: What is phishing?

Phishing is a form of online fraud in which an attacker poses as a trustworthy party to trick people into disclosing sensitive information, such as passwords or card numbers, or into opening malware. It is delivered most often by email, but also by text message, phone call, social media message or a malicious website reached from a link.

How does phishing work?

Phishing works by sending messages that appear to come from a legitimate company or website. The message usually contains a link to a fake site that imitates the real one, where the user is asked to enter personal information such as a password or card number, or an attachment that installs malware when opened. Stolen credentials are then used to log in to the genuine service, hijack the account or make fraudulent charges, and often to send further phishing from the compromised account, which its contacts are inclined to trust.

Phishing attack examples

Most phishing campaigns employ one of two primary methods:

Malicious attachments

Malicious attachments, which often carry enticing names such as ‘INVOICE’, install malware on victims’ machines when opened. Common carriers are documents with macros, PDFs and archive files that hide an executable or script.

Links to malicious websites

Malicious links point to websites that are often clones of legitimate ones. The site either delivers malware or presents a login page that captures whatever credentials are typed into it.

Phishing techniques

Phishing is not limited to spoofed emails. Related techniques that deliver victims to an imposter site or hijack their clicks include:

Pharming/DNS cache poisoning

A pharming attack redirects traffic for a genuine website to a malicious imposter site without the user clicking anything: the attacker poisons a DNS resolver’s cache, or tampers with the victim’s DNS settings or hosts file, so that a correctly typed domain name resolves to a server the attacker controls. Pharming can be used to steal login credentials or financial information. HTTPS is the main practical safeguard, because the imposter cannot present a valid certificate for the real domain; a certificate warning on a familiar site is the tell-tale sign and should never be clicked through.

Typosquatting/URL hijacking

Typosquatting registers domain names that look genuine but differ subtly from the ones they impersonate.

These domains catch typing mistakes when users enter a URL into the browser address bar, and are also used as sender domains and link targets in phishing emails, where a reader skimming the address will not notice the difference.

For instance, they might:

  • Use letters that are next to each other on the keyboard, such as ‘n’ in place of ‘m’;
  • Swap two letters round;
  • Add an extra letter; or
  • Substitute look-alike characters, such as ‘rn’ for ‘m’ or the digit ‘1’ for ‘l’.
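
As an added example (not part of the original article), the following Python script generates the first three classes of typo variant listed above for a protected domain and classifies a suspicious domain against them. The keyboard adjacency table is QWERTY, and ‘example.com’ is an assumed target used only for illustration:

```python
"""Generate and classify typosquatting variants of a domain.

Added example, not from the original article. Implements three mutation
classes: adjacent-key substitution, letter transposition and letter
insertion. 'example.com' below is an assumed target for illustration.
"""
import string

# Neighbouring letter keys on a QWERTY keyboard.
QWERTY_ADJACENT = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

def split_domain(domain):
    """'example.com' -> ('example', '.com'); only the first label is mutated."""
    label, dot, suffix = domain.lower().partition(".")
    return label, dot + suffix

def adjacent_key_variants(label):
    """Replace each letter with one of its keyboard neighbours ('m' -> 'n')."""
    out = set()
    for i, ch in enumerate(label):
        for repl in QWERTY_ADJACENT.get(ch, ""):
            out.add(label[:i] + repl + label[i + 1:])
    return out

def transposition_variants(label):
    """Swap each pair of adjacent letters ('am' -> 'ma')."""
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out

def insertion_variants(label):
    """Insert one extra letter at every position."""
    out = set()
    for i in range(len(label) + 1):
        for ch in string.ascii_lowercase:
            out.add(label[:i] + ch + label[i:])
    return out

def typosquat_candidates(domain):
    """All variant domains an attacker might register for `domain`."""
    label, suffix = split_domain(domain)
    variants = (adjacent_key_variants(label)
                | transposition_variants(label)
                | insertion_variants(label))
    variants.discard(label)
    return {v + suffix for v in variants}

def classify(candidate, protected_domain):
    """Name the mutation that turns protected_domain into candidate, or None."""
    label, suffix = split_domain(protected_domain)
    c_label, c_suffix = split_domain(candidate)
    if c_suffix != suffix or c_label == label:
        return None
    if c_label in adjacent_key_variants(label):
        return "adjacent-key"
    if c_label in transposition_variants(label):
        return "transposition"
    if c_label in insertion_variants(label):
        return "insertion"
    return None

if __name__ == "__main__":
    for suspect in ("exanple.com", "exmaple.com", "examplee.com", "example.com"):
        print(suspect, "->", classify(suspect, "example.com"))
```

The candidate set is what you would feed to a domain-monitoring or certificate-transparency watch; the classifier is the inverse, for triaging a sender domain seen in a suspicious email.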

Clickjacking

Attackers load a legitimate page in an invisible frame and position it over visible bait content, so a click on what looks like a harmless button actually lands on a button in the hidden frame. For example, an online shopper might think they are clicking to confirm a purchase but instead authorise a payment, change an account setting or trigger a download on the framed site. Sites prevent this by refusing to be framed by other origins, using the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header.
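
An added example, not from the article: a Python check of the two response headers that stop a site being framed. The header sets it is run against are constructed for illustration; a real audit would fetch them from the site under test:

```python
"""Decide whether HTTP response headers stop a page from being framed.

Added example, not from the article. A page that any origin may embed in
an <iframe> can be clickjacked; the defences are the Content-Security-Policy
frame-ancestors directive (preferred) and the older X-Frame-Options header.
The header sets in SAMPLES are constructed.
"""

def parse_csp(value):
    """'dir src src; dir2 src' -> {'dir': ['src', 'src'], 'dir2': ['src']}, quotes stripped."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'\"").lower() for t in tokens[1:]]
    return directives

def frame_protection(headers):
    """Return 'protected: ...', 'weak: ...' or 'vulnerable: ...' for a header dict."""
    h = {k.lower(): v for k, v in headers.items()}

    # A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        if ancestors == ["none"]:
            return "protected: frame-ancestors 'none'"
        if "*" in ancestors or any(s in ("http:", "https:") for s in ancestors):
            return "vulnerable: frame-ancestors allows any origin"
        return "protected: frame-ancestors limited to " + " ".join(ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected: X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return "weak: ALLOW-FROM is ignored by current browsers, use frame-ancestors"
    return "vulnerable: no framing restriction"

# Constructed samples: a checkout page served with and without protection.
SAMPLES = {
    "unprotected checkout": {"Content-Type": "text/html"},
    "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp wildcard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "csp restricted": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

def audit(samples=SAMPLES):
    """Run frame_protection over every sample and return {name: verdict}."""
    return {name: frame_protection(hdrs) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:22} {verdict}")
```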

Tabnabbing

Tabnabbing exploits the fact that users rarely re-check the address bar of a tab they already had open. A page sitting in a background tab rewrites itself to resemble a familiar login page; in the reverse variant, a link opened with target="_blank" uses the window.opener reference it is given to navigate the original tab to a look-alike page. When the user returns to the tab they assume they have been logged out, re-enter their credentials and hand them to the attacker. Adding rel="noopener" to such links removes the opener reference, and current browsers apply it by default to target="_blank" links.
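
An added example, not from the article, that audits HTML for the reverse-tabnabbing pattern: links opened with target="_blank" whose rel attribute lacks noopener. The sample page is constructed for illustration:

```python
"""Find links that expose the opening page to reverse tabnabbing.

Added example, not from the article. A link with target="_blank" and no
rel="noopener" gives the new tab a window.opener reference, which a
malicious destination can use to redirect the original tab to a look-alike
login page. Current browsers default to noopener for target="_blank", but
older ones do not, so explicit rel values remain the safe convention.
The sample page is constructed.
"""
from html.parser import HTMLParser

SAMPLE_HTML = """
<ul>
  <li><a href="https://partner.example/report" target="_blank">Quarterly report</a></li>
  <li><a href="https://partner.example/docs" target="_blank" rel="noopener noreferrer">Docs</a></li>
  <li><a href="/internal" target="_BLANK" rel="nofollow">Internal</a></li>
  <li><a href="https://partner.example/same-tab">Same tab</a></li>
</ul>
"""

class TabnabAuditor(HTMLParser):
    """Record every <a target="_blank"> whose rel attribute lacks 'noopener'."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (href, existing rel value)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if (a.get("target") or "").lower() != "_blank":
            return
        rel = (a.get("rel") or "").lower().split()
        if "noopener" not in rel:
            self.findings.append((a.get("href") or "", " ".join(rel)))

def find_unsafe_links(html):
    """Return [(href, rel), ...] for links that need rel="noopener" added."""
    auditor = TabnabAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def fixed_rel(existing_rel):
    """Add noopener (and noreferrer, which also stops the Referer leaking) to a rel value."""
    tokens = existing_rel.split()
    for needed in ("noopener", "noreferrer"):
        if needed not in tokens:
            tokens.append(needed)
    return " ".join(tokens)

if __name__ == "__main__":
    for href, rel in find_unsafe_links(SAMPLE_HTML):
        print(f'{href}: rel="{rel}" -> rel="{fixed_rel(rel)}"')
```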

Types of phishing attacks with examples

Most phishing emails are sent at random to large numbers of recipients and rely on the sheer weight of numbers for success. (The more emails are sent, the more likely they will find a victim who will open them.)

However, there are also many types of attacks – known as spear phishing – that target specific organisations or individuals. As with broader phishing campaigns, such emails might contain malicious links or attachments.

These types include: 

Clone phishing

In clone phishing the attacker takes a legitimate email the victim has already received, copies its content and appearance, replaces the links or attachments with malicious ones, and resends it from a spoofed or look-alike address, often with a pretext such as ‘updated version’ or ‘resending with the correct attachment’. Because the victim has seen the genuine message before, the copy is rarely questioned. The links typically lead to a clone of the original website whose login page captures the credentials entered into it.

CEO fraud

CEO fraud is a type of scam in which a person poses as a CEO or another high-level executive to trick employees or others into providing them with confidential information or money. The scammer may contact victims via email, phone or social media, and use fake websites or other methods to make their scam appear legitimate.

BEC (business email compromise)

BEC is a type of attack in which criminals use email to trick employees into transferring money or sending sensitive company information. Attackers often spoof the address of a senior executive or trusted supplier, register a look-alike domain or, as the name implies, log in to a genuinely compromised mailbox, from which their messages pass authentication checks and sit naturally in existing conversation threads. A request to change a supplier’s bank details for the next payment is a common variant, which is why such changes should always be confirmed through a known phone number rather than by replying to the email.

How to identify phishing emails

The best way to avoid falling for a phishing email is to be aware of the common techniques that they use. Some of the most common techniques include:

  1. Asking for personal or sensitive information: Phishing emails will often try to trick you into revealing confidential information, such as your credit card number or account passwords. They may do this by asking you to verify your account information or by providing a ‘secure’ link that leads to a fake website.
  2. Creating a sense of urgency: Phishing emails will often try to create a sense of urgency by claiming that your account has been compromised or that you need to take immediate action to avoid a negative consequence.
  3. Using spoofed email addresses: Phishing emails will often use spoofed email addresses that appear to be from a legitimate source, such as your bank or credit card company. They may also use the logos and branding of the legitimate company to make their emails seem more credible.
  4. Including attachments or links: Phishing emails will often include attachments or links that lead to websites that are designed to steal your personal information. These websites may look identical to the legitimate website, but they will have a different URL.
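
As an added example (not from the article), the Python script below mechanises the four checks in the list above against a raw email. The message, its domains (.test, .invalid and .example are reserved names) and the keyword lists are constructed for illustration; it does not check SPF, DKIM or DMARC results, which real triage should add:

```python
"""Score a raw email for the four phishing indicators listed above.

Added example, not the article's own material. The messages, domains and
keyword lists are constructed for illustration; production triage would
add SPF/DKIM/DMARC results and URL reputation, which this does not check.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "suspended", "urgent",
           "verify your account", "unusual activity")
SENSITIVE = re.compile(r"\b(password|card number|cvv|pin|social security)\b")
SHOWN_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed phishing sample: Reply-To mismatch, urgency, credential request,
# and a link whose visible text names a different host than its href.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examplebank-secure.test>
Reply-To: support@mail-relay.invalid
To: victim@corp.example
Subject: Unusual activity - verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>We detected unusual activity. Your account will be suspended unless you
verify your password immediately.</p>
<p><a href="http://examplebank-secure.test/login">https://www.examplebank.test/login</a></p>
"""

# Constructed benign sample for comparison.
CLEAN_EMAIL = """\
From: Payroll <payroll@corp.example>
To: victim@corp.example
Subject: March payslip available
Content-Type: text/plain; charset=utf-8

Your payslip is now available on the intranet.
"""

def domain_of(addr):
    """'Name <user@host>' -> 'host' (empty string if there is no address)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def host_of(url_or_text):
    """Hostname from a URL, or from bare 'host/path' text shown to the user."""
    s = url_or_text.strip()
    return (urlparse(s if "://" in s else "//" + s).hostname or "").lower()

def analyse(raw):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    low = text.lower()
    subject = str(msg.get("Subject") or "").lower()
    findings = []

    # 3. Spoofed or mismatched sender: replies routed somewhere other than From.
    from_dom = domain_of(msg.get("From") or "")
    reply_dom = domain_of(msg.get("Reply-To") or "")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Sense of urgency in subject or body.
    hits = [k for k in URGENCY if k in low or k in subject]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 1. Request for sensitive information.
    if SENSITIVE.search(low):
        findings.append("asks for sensitive information")

    # 4. Links whose displayed destination differs from the real one, or use plain HTTP.
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        if SHOWN_URL.fullmatch(shown) and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted link: {href}")
    return findings

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyse(raw) or ["no indicators"])
```

Each finding maps back to one item of the list; a message with several of them is worth reporting even if no single one is conclusive, since legitimate senders do sometimes use urgency or plain-HTTP links.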

If you receive an email that contains any of these elements, you should exercise caution before responding. You can also visit the website of the company that the email purports to be from to see if there are any announcements about phishing attempts. Finally, you can always contact the company directly to inquire about the email’s legitimacy.

How to prevent phishing attacks

  • Implement appropriate technical measures

    Use layered technical controls to stop as many phishing attempts as possible from reaching users and to limit the damage when one succeeds: email authentication (SPF, DKIM and DMARC) so that spoofed sender domains are rejected, attachment and URL filtering at the mail gateway, blocking macros in documents that arrived from the internet, multi-factor authentication so that a stolen password alone is not enough, and least-privilege access so that a compromised account cannot reach everything.

  • Build a positive security culture

    Recognise that social engineering is successful because its perpetrators are good at manipulation. Don’t punish staff for falling victim but encourage them to report incidents. If there is a culture of blame, your employees will not admit to what is perceived as a mistake, putting your organisation at far greater risk.

  • Learn the psychological triggers

    All social engineering attacks exploit human psychology to get past victims’ natural wariness, for example by:

    • Creating a false sense of urgency and heightened emotion to confuse their victims;
    • Exploiting the human propensity for reciprocation by creating a sense of indebtedness; or
    • Relying on conditioned responses to authority by seeming to issue orders from senior figures.

  • Train your staff

    Any staff member might succumb to a phishing attack, so all employees need to be aware of the threat they face.

    Regular staff awareness training will help everyone understand the signs of a phishing attack and its potential consequences. They will then be able to report potential phishing emails, according to company policy.

  • Test the effectiveness of the training

    Simulated phishing attacks will help you determine the effectiveness of the staff awareness training and which employees might need further education. Track the reporting rate as well as the click rate: an organisation whose staff report a simulated email quickly is better protected than one where nobody clicked but nobody reported either.

How we can help you mitigate the threat of phishing

IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our range of staff awareness e-learning courses and phishing solutions:
