What is phishing?

Phishing is a malicious attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising itself as a trustworthy entity in electronic communications. Phishing can also tempt you into downloading and installing malware.

Understanding phishing is the first step in protecting yourself and your organization.

The most common attack

Phishing is consistently ranked as the most common attack experienced by individuals and organizations.

While phishing has traditionally been associated with email scams, today it takes place across a wide variety of media: email, but also SMS, messaging apps, social media platforms, and phone calls.

What do attackers try to obtain?

  • Passwords: Attackers seek to steal passwords and login credentials to access victims' online accounts. With this information, they can commit fraud, steal data, or blackmail victims by threatening to expose sensitive information.

  • Money: Financial gain is a key motive for phishing. Attackers impersonate legitimate organizations to trick victims into providing credit card details or making payments, often through fake invoices or donation requests.

  • Confidential information: Phishing targets confidential information like Social Security numbers and business data. This information can be used for identity theft, sold on the dark web, or exploited for corporate espionage.

  • Malware installation: Phishers may trick victims into downloading malware through malicious links or attachments. Once installed, malware can steal personal information, monitor activity, or take control of devices, leading to serious data breaches.

Why does phishing work?

Phishers capitalize on our:

  • Urge to be polite: People often feel compelled to respond to messages from authority figures or trusted sources. Phishers exploit this by using polite language, making recipients more likely to comply with requests for sensitive information without questioning the message's legitimacy.

  • Urge to be helpful: Many of us naturally want to assist others. Phishers create scenarios that prompt recipients to help, such as claiming a colleague or relative is in trouble. This manipulation can lead individuals to provide personal information, believing they are being supportive.

  • Fear of being embarrassed: Phishers instill fear by suggesting the recipient has made a mistake, like missing a payment. This fear can push individuals to act quickly, often without verifying the message's source, leading to compromised security.

  • Panic about urgent messages: Urgency is a strong motivator. Phishers craft messages that create a false sense of urgency, claiming accounts will be suspended or payments are overdue. This panic can cloud judgment, causing individuals to overlook warning signs and act impulsively.

Phishing attacks can lead to severe consequences

  • Identity Theft: Cybercriminals can use your personal information to impersonate you.

  • Financial Loss: Unauthorized transactions can drain your accounts.

  • Data Breaches: Sensitive company information can be exposed, leading to reputational damage.

  • Operational Disruption: Phishing can result in downtime and loss of productivity.

How phishing works

Phishing attacks often involve the following steps:

  1. Deceptive Communication: Attackers send messages that appear to come from legitimate sources, such as banks, online services, or even colleagues.

  2. Urgent Call to Action: The message usually contains a sense of urgency, prompting the recipient to act quickly—such as clicking a link or providing personal information.

  3. Fake Websites: If the victim clicks on a link, they are often directed to a fraudulent website that looks similar to the legitimate one. Here, they may be asked to enter sensitive information such as their password or banking information.

  4. Data Theft: Once the victim provides their information, attackers can use it for identity theft, financial fraud, or other malicious purposes.
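To make those four steps concrete from the defender's side, here is a small triage script (an added example, not part of the original page) that checks a message for the traces each step leaves behind: a display name that does not match the sender's domain, urgency phrases, and a link whose visible text names a different host than its real destination. The message, organisation name and domains are constructed for illustration, and the urgency phrase list is an assumed starting point, not an authoritative one.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed starting list of pressure phrases (step 2); extend for your environment.
URGENCY = ("immediately", "within 24 hours", "suspended", "overdue", "verify your account")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
LINKLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

def host_of(text):
    """Host of a URL or bare domain; empty string if the text is not link-like."""
    text = text.strip()
    if not LINKLIKE.match(text):
        return ""
    text = text if "://" in text else "http://" + text
    return (urlparse(text).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return human-readable indicators found in an RFC 5322 message string."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    # Step 1: the display name claims one organisation, the address belongs to another.
    if display_name and sender_domain:
        brand = display_name.lower().split()[0]
        if brand not in sender_domain:
            findings.append(f"display name '{display_name}' vs sender domain '{sender_domain}'")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    # Step 2: urgency language that pushes the reader to act before checking.
    for phrase in URGENCY:
        if phrase in body.lower():
            findings.append(f"urgency phrase '{phrase}'")
    # Step 3: the visible link text names one host, the real destination is another.
    for href, text in ANCHOR_RE.findall(body):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link shows '{shown}' but goes to '{real}'")
    return findings

# Constructed sample message; the organisation and domains are invented.
SAMPLE = """From: "Example Bank Support" <alerts@account-notice.test>
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p>Sign in at <a href="http://account-notice.test/login">https://www.example-bank.com/login</a></p>
"""
```

Run `phishing_indicators(SAMPLE)` to see the five indicators this sample triggers; a match is a prompt for a human to verify the message through a known-good channel, not proof of phishing on its own.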