Phishing

Phishing is a social-engineering cyber attack in which criminals pose as institutions or authoritative figures to lure out people’s credentials, passwords, and financial information via emails, phone calls (vishing), social media, fake websites (and site redirections, called pharming), or SMS messages (smishing).

Phishing simplified

Imagine you receive an email from Google.com saying, “Urgent: Your password security is at a critical condition.” The email informs you that your password was found in recent data breaches, then gives you a link to a site and asks you to change your password. You click on the link, and it takes you to a site that looks exactly like the Google login page. You type in your credentials, and nothing happens. So you go back to the email and read it again, only to find out that it was not sent by Google, but by someone else posing as Google with a fake website to lure information from you. This is called phishing. It is one of the favorites among cybercriminals because it yields information with high success rates without using many resources. It preys on people’s susceptibility to authority and urgency. It is by far the most popular and successful cyberattack, and it can also be automated.

Phishing can be done via emails (email phishing, spam phishing, business email compromise), SMS messages (smishing), fake websites (URL phishing, SEO phishing), personalized messages (spear phishing, whaling, social media phishing), voice calls (vishing), and website redirects (pharming, tabnabbing).

Probability

The chances of becoming a victim of a phishing attack are very high (1 in 2).

Types of phishing

Spam phishing

In spam phishing, scammers create generic phishing emails and send them out to millions of people worldwide. These attempts are not personalized and usually have a poor success rate, but they bank on quantity over quality.

Spear phishing

Spear phishing is a phishing attempt that tailors emails or messages to a specific person. Someone might find out you like shopping and target you with fake exclusive deals to get you to click on a link or share your personal information.

Whaling

Whaling is a spear phishing attack aimed explicitly at top-level executives with a lot of reach and power. Such attacks target high-level employees in the hope that they reveal confidential information the attackers can later use for money extraction or extortion.

URL phishing

URL phishing is a form of phishing carried out by spoofing domain names or hiding them under legitimate-looking links. The most common cases of this kind of URL spoofing rely on confusable characters: the letters “r” and “n” written together (“rn”) read as “m,” “.co” is mistaken for “.com,” and so on.

Tabnabbing

Tabnabbing preys on people who have many tabs open at the same time. During the attack, the phishing website imitates a legitimate site (e.g., Gmail) in one of the user’s browser tabs, prompting them to log in with their credentials. Attackers use this method to steal their victims’ credentials.

Pharming

Pharming uses malicious code or software to redirect victims’ web traffic from a legitimate site to a fake one. There, just like with tabnabbing, the user is asked to provide personal or financial information.

Social media phishing

Social media phishing, otherwise known as angler phishing, happens on sites like Twitter, Instagram, or Facebook. Hackers use fake brand accounts to respond to users’ comments or complaints, often fishing for personal information and credentials they can later use to cheat or blackmail the individual.

Smishing

SMS phishing, or smishing, is a phishing attempt sent as a text message. You may have encountered such scams asking you to click certain URLs (“You’ve won a prize!”) or otherwise asking you for money or personal information.

Vishing

Vishing, or voice phishing, is similar to smishing but is done over a phone call. The caller might pretend to be from an authoritative institution or a loan company, or lie about a family member being hospitalized or in trouble.

Tips to prevent phishing

Check the domain

Inspect the website’s domain name for typos and misleading brand naming. Hackers often spoof website names to make them appear legitimate at first glance.
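The checks described under “URL phishing” and “Check the domain” above can be automated. The following is an added example written for this page, not code from the original article: it reduces a domain to the shape a reader perceives (collapsing “rn” to “m”, digits and Cyrillic letters to the Latin letters they mimic), compares it against a small allowlist of brand domains, and also catches one-character typos such as “.co” for “.com” and a trusted brand name used as a subdomain of somebody else’s domain. The allowlist, the confusable table, and the sample URLs are constructed for the example; the “last two labels” rule for the registrable domain is a simplification that real code would replace with the Public Suffix List.

```python
# Added example (not code from the original article): flag lookalike domains
# of the kind the "URL phishing" and "Check the domain" sections describe.
# The allowlist and the confusable table are constructed for this example.
import unicodedata
from urllib.parse import urlsplit

# Brand domains we expect to see in genuine mail; a constructed allowlist.
KNOWN_DOMAINS = {"google.com", "paypal.com", "microsoft.com"}

# Character sequences that read as another character at a glance.
MULTI_CHAR = {"rn": "m", "vv": "w"}
# Single characters (digits, Cyrillic letters) that mimic Latin ones.
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def skeleton(name: str) -> str:
    """Reduce a domain to the shape a reader perceives: case-folded,
    Unicode-normalised, with look-alike sequences collapsed."""
    s = unicodedata.normalize("NFKC", name).casefold()
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return s.translate(SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos such as .co for .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification for the example: real code
    should consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify_url(url: str) -> tuple:
    """Return (verdict, matched known domain or None) for the URL's host."""
    host = urlsplit(url).hostname or ""
    if host.startswith("xn--") or ".xn--" in host:      # punycode -> Unicode
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    # A trusted name used as a subdomain of somebody else's domain,
    # e.g. paypal.com.example.net: the real owner is example.net.
    for known in KNOWN_DOMAINS:
        if host != domain and known in host:
            return ("brand-in-subdomain", known)
    sk = skeleton(domain)
    for known in KNOWN_DOMAINS:
        if sk == skeleton(known):
            return ("homoglyph", known)
    for known in KNOWN_DOMAINS:
        if edit_distance(sk, skeleton(known)) == 1:
            return ("typosquat", known)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs exercising each verdict.
    for u in ["https://accounts.google.com/signin", "http://rnicrosoft.com/login",
              "https://paypal.co/", "https://paypal.com.evil-example.net/",
              "https://p\u0430ypal.com/", "https://example.org/"]:
        print(u, "->", classify_url(u))
```

Both sides of every comparison go through `skeleton`, so a genuine domain that happens to contain “rn” is not penalised; only a domain whose perceived shape collides with a known brand is flagged. An “unknown” verdict means only that the domain is not on the allowlist, not that it is safe.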

Check for mistakes

Look for typos and mistakes in the text. Legitimate websites and services have expert writers to ensure the quality of their content. If you see mistakes or broken English, it’s a scam.

Check for urgency

Scammers love urgent headlines with power words like “Critical”, “Important”, or “Urgent.” These words make us drop caution and dive head-first into it without thinking.

Check for unknown senders

How often do strangers contact one another for random acts of kindness? There are no faces involved on the internet, so it’s best to stay away from strangers.

Be wary of financial topics

Be extra careful if the message is finance-related. Money is usually the scammers’ primary goal and anything related to it should be approached with caution.

Double-check the address

If the sender is someone you know but the message sounds suspicious, always check that the email address is correct. Often, people spoof or fake sender addresses to make emails look legitimate.

Double-check hyperlinks

Links can easily be manipulated in several different ways. Hover your mouse over them to see where they actually lead, or check them with VirusTotal.
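The two tips above, “Double-check the address” and “Double-check hyperlinks”, amount to comparing what a message shows against what it actually contains. The following is an added example, not code from the original article: it parses a raw email with Python’s standard `email` and `html.parser` modules and reports a From display name that claims a brand while the address belongs to another domain, and any link whose visible text shows one domain while its `href` points to another (the same mismatch hovering over a link would reveal). The sample message, the brand-to-domain table, and the “last two labels” rule for the registrable domain are constructed simplifications for the example.

```python
# Added example (not code from the original article): check a raw email for
# the two mismatches the "Double-check the address" and "Double-check
# hyperlinks" tips describe. The message below is constructed for illustration.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """\
From: "Google Security" <alerts@security-notice-example.net>
To: user@example.org
Subject: Urgent: Your password security is at a critical condition
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password was found in a recent breach.</p>
<p>Reset it now at <a href="https://accounts.google.com.reset-example.net/login">https://accounts.google.com/</a></p>
<p>Questions? Visit <a href="https://support.google.com/">support.google.com</a>.</p>
</body></html>
"""

# Text that a reader would take for a web address (with or without a scheme).
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or of bare 'domain/path' text, lower-cased."""
    return (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels; a simplification, real code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def check_email(raw: str, claimed_brands: dict) -> list:
    """Return human-readable findings. claimed_brands maps a brand word that
    may appear in a display name to the domain it legitimately sends from."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name vs. actual sender domain.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domain in claimed_brands.items():
        if brand.lower() in name.lower() and registrable(sender_domain) != domain:
            findings.append(f"display name claims {brand!r} but address is @{sender_domain}")

    # 2. Visible link text vs. the href it really points to.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if not DOMAIN_LIKE.fullmatch(text):
                continue                      # plain wording, nothing to compare
            shown, real = host_of(text), host_of(href)
            if registrable(shown) != registrable(real):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL, {"Google": "google.com"}):
        print("WARNING:", finding)
```

Only link text that itself looks like an address is compared; a link whose text reads “Reset your password” carries no claim about its destination, so the reader must still hover over it. The second link in the sample, whose text and target both resolve to google.com, produces no finding.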

Be wary of emails

Don’t open suspicious emails, attachments, or URLs, especially from unknown senders. If you’re thinking of opening any links or files, check them on websites like VirusTotal first.

Phishing crime stats

According to the FBI Internet Crime Reports, here's how devastating phishing attacks were from 2015 to 2022:

[Chart: Average losses and victim count, year over year (2015 to 2022). Axes: $ lost to cybercriminals; people who were victims of phishing.]

Phishing attack cases have reached record numbers with 324K yearly victims (around 888 victims per day) in 2021.

Victims have reported the highest average financial loss to phishing attacks in 2018 ($1.8K per victim).

During the 2020 COVID-19 pandemic, the number of phishing cases grew by 110%, but the average financial loss fell by 55% (from $504 to $225) per victim compared to 2019.

Despite the increasing awareness of online crimes, daily financial losses to phishing attacks have grown around six times from 2015 ($22.4K per day) to 2022 ($142.7K per day).

This image is licensed under the Creative Commons Attribution-Share Alike 3.0 International License - https://creativecommons.org/licenses/by-nc-sa/3.0/