What is Phishing?
Phishing is a broad term for any social engineering attack that tricks recipients into handing over confidential information or installing malware. The information sought ranges from a single credit card number to passwords for corporate systems and personal email accounts; a password is often the more valuable prize, because it can be reused to reach everything else.
Email phishing is by far the most common attack vector. Attackers use a range of techniques to make messages look authentic: copying the phrasing the spoofed organization uses in genuine mail, reproducing its logo and signature, and putting its name in the sender display name while the actual address belongs to a domain they control. Many campaigns carry a malicious Microsoft Office attachment and ask the recipient to click "Enable Content" (that is, to enable macros); Office disables macros by default, so the attacker needs the victim to take that step before the document can run its payload. Attackers also use high-profile events as lures. During the coronavirus pandemic, for example, they widely sent messages claiming to offer help or information about the virus while requesting personal information.
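The indicators described above (a brand name in the display name that the sender domain does not back up, a Reply-To that steers replies elsewhere, a macro-enabled attachment, and a body that asks the reader to enable macros) can be checked mechanically. The following Python script is an added example, not code from the original article; it parses a raw message with the standard library and returns the indicators it finds. The sample messages and the small brand-to-domain table are constructed for the example, and a real deployment would load a curated brand list instead.

```python
"""Heuristic triage of a raw email for common phishing indicators (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Office attachment types that can carry VBA macros.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")

# Hypothetical brand-to-domain table, constructed for this example only.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "office.com"},
}

# Constructed sample: display-name spoofing, divergent Reply-To, macro lure.
SAMPLE_PHISH = """\
From: "PayPal Support" <alerts@paypa1-security.example>
Reply-To: refunds@mail-collect.example
To: victim@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account is limited. Open the attached statement and enable macros to view it.

--b1
Content-Type: application/octet-stream; name="statement.docm"
Content-Disposition: attachment; filename="statement.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed sample of an unremarkable internal message.
SAMPLE_LEGIT = """\
From: "Alice Example" <alice@example.com>
To: victim@example.com
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch tomorrow?
"""


def domain_of(addr):
    """Return the lowercase domain of an address header value, or '' if none."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_address = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_address)

    # 1. Display name claims a brand, but the sending domain is not one of the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name mentions {brand} but sender domain is {from_domain}")

    # 2. Replies are routed to a domain other than the apparent sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Macro-enabled Office attachments, the payload carrier described in the text.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment {name}")

    # 4. The body itself asks the recipient to enable macros / content.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if "enable macros" in text or "enable content" in text:
        findings.append("body asks recipient to enable macros")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

These checks are triage heuristics, not a verdict: a legitimate newsletter can use a different Reply-To, and a brand list can never be complete. They are most useful as enrichment on a mail gateway or in an analyst's triage script, alongside SPF, DKIM and DMARC results for the sending domain.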
Phishing is not limited to email. Vishing and smishing are the same attack delivered by phone call or text message. In these, criminals typically pretend to be an employee of the company they are targeting, a bank or IT helpdesk, or a trusted friend. This can extend to posing as a new contact, with photos taken from the Internet or stock imagery and a persona built from publicly available social media data.
A more targeted approach is known as spear phishing. Here attackers research a particular group or individual in advance and tailor the message to them; when the target is a CEO or other senior executive, the attack is often called whaling. The aim is to coax the target into clicking a link, opening a malicious attachment or approving a payment. The payoff can be large, with fraudsters able to ransack their victims' accounts or have significant transfers sent to accounts they control.