Phishing is a cybercrime in which cyber criminals send fraudulent emails to try to trick victims into revealing sensitive information (e.g. usernames & passwords, bank details), downloading malware (malicious software) or paying fake invoices. It comes under the category of social engineering where criminals use human interaction to achieve their goal(s).
Typically, phishing emails are sent posing as reputable companies, such as Amazon or Google, and are dressed up to look very similar to the real communications.
How victims are exploited #
While there are more ways than described below, the most common practices cyber criminals employ during a phishing attack are to:
- Steal sensitive data usually via a spoofed website,
- Get the victim to download malware,
- Get the victim to pay a fake invoice.
Visiting a spoofed website #
Phishing emails that target sensitive data often try to direct users to a spoofed website (a fake website designed to look similar to the real one).
From there, the website will ask the victim to log in – capturing their username & password, or update certain information such as credit card details or other bank information.
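A common tell of a link to a spoofed website is that the text shown in the email names the real company's domain while the underlying link points somewhere else. The script below is an added example, not code from the original article: it parses the anchors out of a constructed HTML email body and flags any link whose visible text names a different registrable domain than its real destination. The sample email and the domain names in it are made up for the demonstration, and the registrable-domain helper is deliberately naive (last two labels only; real tooling should use the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one honest link, one deceptive link whose
# visible text says amazon.com but whose href goes to a lookalike host,
# and one plain-text link that cannot be compared.
SAMPLE_EMAIL_HTML = """
<p>Your order has shipped. Track it at
<a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a>.</p>
<p>Action required: please <a href="http://amaz0n-account-verify.example/login">
www.amazon.com/login</a> to confirm your details.</p>
<p>Questions? <a href="https://support.amazon.com">Contact support</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible_text) tuples from an HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; use the
    public suffix list in production to handle e.g. .co.uk correctly)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A domain-looking token inside the visible link text, with optional scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(html):
    """Flag anchors whose displayed domain differs from the href's domain.

    Anchors whose text contains no domain (e.g. "Contact support") are not
    compared, since there is nothing for the display text to contradict.
    """
    findings = []
    for href, text in extract_links(html):
        actual_host = urlparse(href).hostname or ""
        match = DOMAIN_IN_TEXT.search(text)
        if not match:
            continue
        shown_host = match.group(1)
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            findings.append(
                {"text": text, "href": href, "shown": shown_host, "actual": actual_host}
            )
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: displayed {f['shown']!r} but links to {f['actual']!r}")
```

Run as-is it reports only the second link. The same check is what a mail gateway or a user hovering over a link performs: the displayed domain and the destination domain must agree, and a mismatch is a strong signal that the destination is a spoofed site.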
Downloading malware #
These types of attacks will ask users to download and open an attachment, which will almost always be a form of malware designed to harm or exploit the device.
Paying a fake invoice #
The criminal will ask the victim to pay an invoice that displays the criminal's bank details rather than the legitimate company's.
Side note: when making bank transfers, it’s recommended to call the company first to confirm the bank details, using a trusted phone number and not the one found within the email.
Paying a fake invoice is more common with spear phishing.
The craftiness of scammers #
Sadly, phishing emails have evolved over the years to become very hard to differentiate from legitimate emails.
While there are great antivirus products, spam filters and other security solutions, we feel the best defence is knowledge and awareness: arming your staff and colleagues to spot and safely deal with phishing emails, and building your Human Firewall.
Other types of phishing #
There are other forms of phishing such as Smishing (via SMS messages) and Vishing (voicemail or phone calls), which we’ll cover in separate dedicated articles, so stay tuned!