Definition of phishing
Phishing is a type of cyber-attack involving sending generic emails by cybercriminals pretending to be legitimate. These emails contain fraudulent links to steal user's private information. Phishing attacks are most effective when users are unaware this is happening.
Phishing is an attack method that has been around since the mid-1990s. It started when a group of young people engineered AOL’s chat room feature to impersonate AOL administrators. They stole credit card numbers from other users to ensure they would always have free AOL access.
AOL’s “new member chatroom” was designed for users to receive site access assistance. The hackers created what appeared to be valid AOL administrators’ screen names like “BillingAccounting,” and told users that there were issues with their account.
The user was asked to provide a card number to get the issues resolved. The criminals then used the card numbers to pay for their own accounts. While the term “phishing” was coined to describe this attack and others like it, it has now come to be associated primarily with email scams. Phishing scams continue to this day in abundance. According to the Verizon 2021 Data Breach Investigations Report (DBIR), 36% of breaches involved phishing.
Since phishing primarily relies on social engineering, it is critical for all users to understand how the attackers work to exploit human nature. First, social engineering is a con that hackers use to convince users to do something they wouldn’t normally do.
Social engineering could be as simple as someone with full hands asking that a door be opened. Similarly, a social engineering attack can start with someone dropping USB thumb drives labeled “family photos” in a parking lot. These USB thumb drives could contain malware that gets installed onto a computer, compromising security in some way. This is known as baiting.
Phishing is primarily used in reference to generic email attacks. This is when an attacker sends out emails to as many addresses as possible, using common services like PayPal or Bank of America.
The email states the account is compromised and prompts you to click on a link to verify that the account is legitimate. The link will usually do one of two things, or both:
Phishing has evolved throughout the years to include attacks that address different types of data. In addition to money, attacks can also target sensitive data or photos.
A phishing attack is the action or set of actions a hacker undertakes to exploit you. Email phishing schemes are often easy to spot due to grammar and/or spelling errors in the emails. Attackers are becoming technically sophisticated, however, and new attacks focus on exploiting human emotions to get you to engage, including fear, outrage, and curiosity.
The attack against RSA in 2011 was targeted at just four people within the organization. The email was not very sophisticated, but it was successful because it targeted the right people. The email, entitled “2011 Recruitment plan.xls” was designed to pique the interest of those individuals and would not necessarily be of interest to others in the organization.
There are many different types of phishing attacks. These include the classic email attack, social media attacks, and portmanteau-named attacks like smishing and vishing.
Explore this list in greater detail on our types of phishing report.
There are some very specific things you can do as an individual to protect yourself:
In addition to the recommendations above, an organization should do the following: