What is Phishing?
Phishing is a form of cyberattack that uses deception to trick a victim into handing over sensitive information or revealing a password or other access credentials. Attackers can then use these credentials to breach a company’s systems and steal data, or to install malware on the victim’s device.
Attackers build phishing campaigns by harvesting email addresses from large search engines, using scripts to capture a list of individuals within an organisation, or even targeting specific individuals via spear phishing. Once attackers have identified a target, they can deliver the message through various channels: a letter, a phone call, an email, or a social media platform such as Facebook or Twitter.
Once an attacker has a potential victim’s email address, the next step is to create a malicious message to trick them into divulging sensitive information. One of the most classic examples is an email that is tailored to look like a message from a bank, and asks the recipient to click on a link which takes them to a malicious site designed to resemble the bank’s website, where they are asked to enter their username and password.
Attackers also exploit the fear, curiosity or greed of victims to coax them into handing over information, for example by implying that their computer has been compromised or their account has been hacked. Misspellings and grammatical errors can also be a giveaway that an email is a phishing attempt. The NCSC (the UK’s National Cyber Security Centre) encourages all organisations to sign up for DMARC (Domain-based Message Authentication, Reporting and Conformance) and to ask their contacts to do so too, as this will reduce the number of phishing emails that get through.