Phishing

Phishing is a method of gathering sensitive information by deception. Often, this happens as a cyber-attack via email, but as a social engineering technique, it can happen over a variety of platforms or mediums.

Email phishing is the act of sending emails from what appear to be trusted sources to trick users into providing usernames and passwords, and often bank and credit card details.

How phishing works

The recipient of the email sees a message from a trusted source, perhaps one they regularly do business with or subscribe to, with a simple request to update their details because of some form of maintenance or system update.

By spoofing the business’s brand and email address, and creating a cloned copy of its website, the attacker ensures the user sees little difference from the real thing; with that, the details are entered and the damage is done.

There are also a great number of spoof emails that appear to be sent from businesses, banks, and promotions you’ve never had anything to do with. This should be an obvious sign that something isn’t right.

Another popular method is an email announcing a competition win and your entitlement to a superb prize or free gift. If it looks too good to be true—it probably is.

Types of phishing

  • Spear phishing
    In contrast to casting a wide net to obtain as many details as possible from a vast range of sources, spear phishing is aimed directly at a single specific individual.
  • Whale phishing
    Whale phishing—or whaling—is also an attempt aimed at one specific individual, but in this instance, the biggest fish. Their targets are the CEOs, board members, or high-value operatives whose information is considered the most valuable.
  • Social media phishing
    Private messaging over social media offers hackers opportunities similar to those of traditional email. Many attacks use more intensive probing, with hackers posing as a person you may or may not know and building a relationship before reaching out for the information they want.
  • SMS and mobile messaging phishing
    SMS phishing—or smishing—works just like email-based attacks, with fake links designed to lure you into providing your sensitive data.

How to spot a phishing attack

  • Check the email address
    The sender name looks authentic, perhaps one you recognize, but the email address will often come from a domain that has nothing to do with the organization it was supposedly sent by.
  • Check the recipient field
    If the email is sent to users you don’t recognize, or to a batch of recipients, then it’s likely fraudulent.
  • Check the URLs of the hyperlinks
    Hovering over links will allow you to see where they are taking you. If the URL looks anything other than authentic—delete, delete, delete.
  • Attachments
    Some phishing emails include an executable file that runs when opened and installs malware on your computer. Don’t open it; delete the email instead.
  • Content
    Is the content of the message out of the ordinary, and does it feature poor spelling and grammar? An authentic sender would never deliver a message that isn’t 100% professional and accurate.
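The checklist above, turned into a small heuristic scanner as an added example that is not part of the original page: it parses one constructed sample message and reports which of the indicators fire (sender domain, batch recipients, link text versus real destination, executable attachments). The trusted-domain allowlist, the placeholder domains and the simplified link regex are assumptions made for this illustration.

```python
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email); every domain here is a placeholder.
SAMPLE = (
    "From: Example Bank Support <support@examplebank-secure-login.test>\n"
    "To: victim1@example.org, victim2@example.org, victim3@example.org\n"
    "Subject: Urgent: confirm your account details\n"
    "Content-Type: text/html\n\n"
    '<p>Please <a href="http://login-update.test/verify">https://www.examplebank.test/login</a></p>\n'
)
TRUSTED_DOMAINS = {"examplebank.test"}  # assumed allowlist of the organization's real sending domains
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
# Simplified anchor-tag matcher for the sample body; a real scanner would use an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(s):
    """Host part of a URL, or the domain part of an email address, lower-cased."""
    return (urlparse(s).hostname or s.rsplit("@", 1)[-1]).lower()


def spot_phishing(raw, trusted=TRUSTED_DOMAINS, max_recipients=2):
    """Return the checklist indicators that fire on one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = _domain(parseaddr(str(msg["From"]))[1])  # 1. check the email address
    if sender not in trusted:
        findings.append(f"sender domain {sender!r} is not a trusted domain")
    recipients = getaddresses([str(h) for h in msg.get_all("To", [])])  # 2. recipient field
    if len(recipients) > max_recipients:
        findings.append(f"sent to a batch of {len(recipients)} recipients")
    body = msg.get_body(preferencelist=("html",))  # 3. the hover check: text vs destination
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()
            if text.startswith("http") and _domain(text) != _domain(href):
                findings.append(f"link shows {_domain(text)!r} but goes to {_domain(href)!r}")
    for part in msg.iter_attachments():  # 4. executable attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            findings.append(f"executable attachment {name!r}")
    return findings


if __name__ == "__main__":
    for finding in spot_phishing(SAMPLE):
        print("indicator:", finding)
```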

What's the origin of the term "phishing"?

The term ‘phishing’ was introduced in the mid-1990s, when hackers were tricking AOL users into surrendering their login information.

The whimsical spelling of ‘fishing’ describes just what the hackers were doing: throwing out bait to thousands of users, hoping for a few bites to provide the information they needed.