What is phishing? Examples, types, and techniques
It’s the cyber pest that will not die.
Three decades after phishing first emerged from the swamps of the dark web, it remains a global plague. An average of 31,000 phishing attacks were sent out per day in 2023, according to a report by SlashNext. It’s a costly scourge: an IBM study estimated the average organization spent $4.91 million responding to phishing-related data breaches in 2021.
Here’s a primer on how phishing works, how it originated in the 1990s, and how to prevent it.
Phishing definition
Phishing is a cyber-attack that uses email and social engineering to trick a target into taking actions that will compromise their security, such as providing sensitive information or downloading malware.
In a common phishing attack, the target receives an email from a source pretending to be legitimate, such as their bank, coworker, friend, or workplace IT department. The email typically asks the recipient to provide login credentials for their bank, credit card or other account by 1) replying directly to the email, or 2) clicking on a link that takes them to a website or login page. But it’s all fake, designed to scam the recipient into giving away access to sensitive accounts or networks.
Alternatively, a phishing email encourages a target to click on a link or attachment that’s actually designed to download malware, spyware or ransomware to their device or network.
Phishing remains the primary initial attack vector for cybersecurity incidents, according to a 2023 report from Cloudflare. More recently, Zimperium Labs found that four out of five phishing attacks target mobile devices specifically.
How phishing attacks work
Hackers use several methods to con their targets. Their messages often sport logos and fonts identical to those used by the brands and organizations they impersonate. Fraudsters may also use link-shortening services like Bitly to mask the URLs of malicious links in their phishing messages.
Email spoofing, another popular phishing technique, involves sending messages from scam email addresses that are deliberately similar to authentic ones.
“Cyber actors set up spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word (‘electon’ instead of ‘election’) or use an alternative top-level domain such as a ‘.com’ version of a legitimate ‘.gov’ website,” the FBI warned in a 2020 alert.
Here’s how often some of the most common phishing techniques were deployed in 2023, according to a report by Cloudflare Inc.
- Malicious link: 35.6%
- identity deception: 14.2%
- credential harvester: 5.9%
- brand impersonation: 5.4% (Microsoft was the most impersonated brand)
- malicious attachment: 1.9%
The dark web is littered with phishing kits, ready-made bundles of key technical components needed to launch an email attack. These kits commonly include cloned versions of popular websites and fake login pages designed to steal credentials.
Phishing attack examples
Although phishing is deployed through digital means, it preys on very human emotions like fear, anxiety and compassion. Ironically, the following example taps into the desire of conscientious recipients to protect their DocuSign accounts from cyber threats:
Christine Wong
Some phishing attacks target very specific niches. This email was distributed to employees of the International Committee of the Red Cross:
Christine Wong
Shrewd hackers often launch phishing attacks to exploit events unfolding in real life. This fraudulent email appeal for charitable donations circulated less than 24 hours after earthquakes hit Turkey and Syria in 2023:
Christine Wong
Types of phishing attacks
Phishing has evolved into different formats and techniques over the past three decades, including the following. For more on these and other types of attacks, see “9 types of phishing attacks and how to identify them.”
Spear phishing
Spear phishing targets one specific individual, often someone with access to an organization’s sensitive assets, such as an accountant or IT help desk employee. These emails usually contain personal information stolen from the dark web or gleaned from the target’s own social media posts.
A 2015 spear-phishing attack temporarily knocked out Ukraine’s power grid. Hackers targeted certain employees of the utility with emails containing malicious attachments; that malware gave the hackers access to the grid’s IT network.
Business email compromise (BEC)
Business email compromise (BEC) takes phishing to the next level. With BEC, the hacker impersonates a CEO or other top executive at a company, and then dupes an employee at that company into transferring corporate funds to a fake bank account. Sixty-eight percent of all phishing emails in 2022 were BEC attacks, according to SlashNext’s report. Per the FBI, global losses from BEC incidents reported between 2013 and 2022 totaled $50.8 billion.
Always keen to capitalize on current events, cyber crooks hijacked virtual meeting platforms during the pandemic, co-opting them for BEC attacks.
“Criminals … [are] compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform,” the FBI warned in a 2022 alert.
“The criminal will insert a still picture of the CEO with no audio, or deep fake audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.”
An elaborate BEC hoax collectively cost Facebook and Google an eye-watering $100 million. Between 2013 and 2015, a scammer impersonated a board member from a real Taiwanese company. He sent phishing emails to Facebook and Google employees who regularly deal with large fund transactions, convincing them to ‘pay’ fake invoices to a fraudulent bank account.
Whale phishing
Whale phishing targets a ‘big fish’ like a corporate CEO in order to steal a company’s funds, trade secrets or intellectual property.
Smishing
Smishing is phishing via SMS text message. Thirty-nine percent of all mobile phishing attacks in 2022 involved smishing, according to the SlashNext report. For more on smishing, see “Smishing and vishing: How these cyber attacks work and how to prevent them.”
Quishing
Quishing is phishing by QR code. The code is usually sent by email to dupe the target into downloading malware or visiting a fraudulent login page. A relatively newer form of phishing, quishing has been on the rise dramatically, thanks in part to the use of zero-trust policies and multifactor authentication in reducing the effectiveness of phishing campaigns.
Vishing
Vishing is phishing by phone call or voicemail. It often employs VoIP to thwart caller ID or wardialing to deliver thousands of automated voice messages.
Despite constant innovations in cybersecurity technology, some of the largest corporations on the planet have been fooled by low-tech phishing schemes. A vishing expedition shut down MGM Resorts (and its lucrative Las Vegas casinos) for more than a week in 2023.
Cybercriminals monitored an MGM employee’s LinkedIn account for personal details, then used that info to impersonate him in a phone call to MGM’s help desk. The hackers persuaded help desk staff to reset the employee’s password. Ransomware was deployed, guest data were stolen, and that sham phone call cost MGM $100 million.
AI and phishing
Hackers have added artificial intelligence to their phishing arsenal. Generative AI chatbots can quickly scrape millions of data points from the internet to craft phishing emails with no factual errors, convincingly mimicking the writing style of real individuals and organizations. Singapore’s cybersecurity agency reported that, in pen testing, phishing emails produced by ChatGPT “matched or exceeded the effectiveness” of those created by humans.
The number of phishing emails skyrocketed by 1,265 percent in the 12 months following ChatGPT’s general availability, prompting SlashNext CEO Patrick Harr to suggest it was “not a coincidence.”
Moreover, the IBM X-Force research team reported in October 2023 that, with only five simple prompts, it was able to trick a generative AI model into developing “highly convincing” phishing emails almost on par with those created by skilled humans in just five minutes, potentially saving nearly two days of work for attackers.
Vishing scammers can harvest samples of people’s voices from social media video clips, and then clone their voices using generative AI. A Canadian grandma lost $7,000 (CDN) when fraudsters used AI to impersonate her grandson over the phone. AI vishing has even penetrated the C-suite. The CEO of a UK energy firm received three phone calls from the firm’s parent company, asking him to transfer $243,000 (USD) to a supplier. He dutifully sent the funds, but the voice was actually an AI replication.
How to prevent phishing
For individuals:
- If you think an email could be phishing, don’t reply, click on any links or attachments, or provide any sensitive information. Phone the organization or verify their email domain or URL by finding their website online.
- If an email requests a password or other sensitive information, or pressures you to take urgent action, pause and verify as noted above.
- Don’t post personal information on social media about your bank, birthdate, middle name, pets’ names or vacation plans.
For organizations:
- Ensure all software and applications are set to update and patch automatically.
- Implement multifactor authentication and strong password policies.
- Deploy tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).
- Regularly conduct pen testing.
- Continuously educate everyone in your organization about the latest phishing hazards using resources from organizations such as the SANS Institute.
For a deeper look at how to defend your organization against phishing attacks, see “9 tips to prevent phishing” and “6 reasons why your anti-phishing strategy isn’t working.”
See also “10 top anti-phishing tools and services” to read about technologies that can aid you in hardening your phishing defenses.
The history of phishing
Hackers may have adopted the term phishing because it sounds like fishing, a play on their goal of trawling for unsuspecting victims. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.
Some tech historians believe the term phishing dates to the 1990s when hackers used the characters — <>< — (resembling a fish) to disguise conversations about fraudulent activity in AOL chat logs.Others trace the word phishing back to 1996 when it was first mentioned by a hacker news group.
Some of the first phishing took place in the early 1990s when hackers used fake screen names to pose as AOL administrators and steal sensitive information via AOL Instant Messenger. Phishing really blew up in 2000, when an email with the subject line “ILOVEYOU” duped millions of people into clicking on an attachment loaded with a virulent computer worm.
In the early 2000s, hackers started impersonating sites such as PayPal by registering similar domain names for use in phishing emails. Circa the late 2000s, hackers began weaponizing personal information posted on social media sites, using it to make phishing emails seem more authentic. In the 2010s, bad actors began using malicious email attachments to spread ransomware like Cryptolocker and WannaCry.
More on phishing:
- 9 types of phishing attacks and how to identify them
- 10 top anti-phishing tools and services
- 9 tips to prevent phishing
- 6 reasons why your anti-phishing strategy isn’t working
- 5 best practices for conducting ethical and effective phishing tests