Phishing meaning: What is phishing?
Phishing is a type of online fraud that involves tricking people into providing sensitive information, such as passwords or credit card numbers, by masquerading as a trustworthy source. Phishing can be done through email, social media or malicious websites.
How does phishing work?
Phishing works by sending messages that look like they are from a legitimate company or website. Phishing messages will usually contain a link that takes the user to a fake website that looks like the real thing. The user is then asked to enter personal information, such as their credit card number. This information is then used to steal the person’s identity or to make fraudulent charges on their credit card.
Phishing attack examples
Most phishing campaigns employ one of two primary methods:
Malicious attachments, which usually have enticing names, such as ‘INVOICE’, install malware on victims’
machines when opened.
Links to malicious websites
Malicious links point to websites that are often clones of legitimate ones, which download malware or whose login pages contain credential-harvesting scripts.
There are many types of email phishing scams, including:
Pharming/DNS cache poisoning
A pharming attack is a type of cyber attack that redirects a website’s traffic to a malicious imposter site. Pharming can be used to steal sensitive information, such as login credentials or financial information.
These spoof websites’ URLs look genuine but are subtly different from those they impersonate.
They aim to take advantage of typing mistakes when users enter URLs into their browser address bar.
For instance, they might:
- Use letters that are next to each other on the keyboard, such as ‘n’ in place of ‘m’;
- Swap two letters round; or
- Add an extra letter.
Attackers use multiple transparent layers to place malicious clickable content over legitimate buttons. For example, an online shopper might think they are clicking a button to make a purchase but will instead download malware.
Tabnabbing is a phishing technique that tricks users into entering their credentials on a fake website by having it resemble the original website. This technique takes advantage of the fact that most users do not pay attention to the URL of the website they are visiting.
Types of phishing attacks with examples
Most phishing emails are sent at random to large numbers of recipients and rely on the sheer weight of numbers for success. (The more emails are sent, the more likely they will find a victim who will open them.)
However, there are also many types of attacks – known as spear phishing – that target specific organisations or individuals. As with broader phishing campaigns, such emails might contain malicious links or attachments.
These types include:
Clone phishing is a type of phishing attack where an email that appears to be from a trusted sender is from a malicious actor. The email will often contain a link to a clone of the original website that the sender is impersonating. This clone website will then prompt the user to enter their login credentials, which the attacker steals.
CEO fraud is a type of scam in which a person poses as a CEO or another high-level executive to trick employees or others into providing them with confidential information or money. The scammer may contact victims via email, phone or social media, and use fake websites or other methods to make their scam appear legitimate.
BEC (business email compromise)
BEC is a type of cyber attack where attackers use email to trick employees into transferring money or sensitive company information to them. BEC attacks are often carried out by spoofing the email address of a senior executive or other trusted individual within an organisation to gain the victim’s trust.
How to identify phishing emails
The best way to avoid falling for a phishing email is to be aware of the common techniques that they use. Some of the most common techniques include:
- Asking for personal or sensitive information: Phishing emails will often try to trick you into revealing confidential information, such as your credit card number or account passwords. They may do this by asking you to verify your account information or by providing a ‘secure’ link that leads to a fake website.
- Creating a sense of urgency: Phishing emails will often try to create a sense of urgency by claiming that your account has been compromised or that you need to take immediate action to avoid a negative consequence.
- Using spoofed email addresses: Phishing emails will often use spoofed email addresses that appear to be from a legitimate source, such as your bank or credit card company. They may also use the logos and branding of the legitimate company to make their emails seem more credible.
- Including attachments or links: Phishing emails will often include attachments or links that lead to websites that are designed to steal your personal information. These websites may look identical to the legitimate website, but they will have a different URL.
If you receive an email that contains any of these elements, you should exercise caution before responding. You can also visit the website of the company that the email purports to be from to see if there are any announcements about phishing attempts. Finally, you can always contact the company directly to inquire about the email’s legitimacy.
View our phishing infographic for more information
How we can help you mitigate the threat of phishing
IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our range of staff awareness e-learning courses and phishing solutions: