
What Is Phishing?

You owe taxes. You have an arrest warrant. Your boss needs you to wire money. Click here! Fueled by artificial intelligence, phishing scams are on the rise, hoodwinking workers and putting organizations at risk. Here’s what leaders need to know.


Phishing attacks are designed to give cybercriminals access to a secure system, but rather than relying on technical trickery or exploiting configuration errors, phishing takes advantage of a much more fundamental weakness: the human factor. Such attacks take a variety of forms. Typically, a phisher sends an email or message to lure the victim into willfully giving up valuable information – usernames, passwords, Social Security numbers, credit card info, and other sensitive information – or deploying malware on their systems, opening the door to further attacks and potential data breaches down the road.

April 2024: The content of this blog post has been updated to reflect the most current information available regarding phishing attacks.

Phishing is one of the most nefarious and pervasive types of cyberattacks in the world today. It’s a type of social engineering attack that originated in the 1990s when the early World Wide Web introduced the concept of usernames and passwords to the masses.

While a phishing attack can be devastating to an individual, it can be even more costly to a business. A single compromised username and password can open the entire enterprise up to the attacker if that account has elevated access privileges.

Phishing attacks have steadily grown in prominence since they first appeared, with no signs of slowing down. In 2022, nearly 38 percent of all complaints received by the FBI’s Internet Crime Complaint Center (IC3) were related to phishing – by far the most common type of cybercrime IC3 tracks. The use of phishing to plant malware like ransomware in computer networks is increasingly popular with cyber gangs as phishing attacks evolve to become more sophisticated.

Given this rising threat, which experts believe will only get worse with the advances of artificial intelligence, learning how to recognize and prevent phishing attacks is an essential skill for individuals and organizations alike.

What are the different types of phishing attacks?

Phishing comprises a wide array of attack types, with more emerging over time. Some of the most common include:

  • Email phishing: Phishing emails are the most pervasive type of phishing attack. Here, an attacker (commonly a spam emailer) sends a message that’s designed to look legitimate, such as from a financial institution or a business the victim engages with. Fraudulent hyperlinks embedded in the email lead to a fake website that looks legitimate to trick users into entering their personal details, like bank account information, which the attacker captures. Email-based phishing attacks like business email compromise (BEC) have long been and remain a primary attack vector.
  • Spear phishing: A more personalized version of the email attack, spear phishing messages rely on information gleaned about the victim to enhance the legitimacy of the message and improve the odds of a successful attack. Spear phishing often targets high-value victims, such as CEOs and finance professionals, as the spoils of these attacks can be immense. “Whaling” is another term commonly used to describe the spear phishing of extremely high-value targets.
  • Vishing: Voice phishing attacks take place over the phone, lending an air of added legitimacy and urgency to the attack. A visher will often tell a victim that their computer has been compromised and walk them through the steps needed to grant remote access to it or coax them to give personal information like passwords and credit card numbers.
  • Smishing: SMS phishing takes place via text message but otherwise resembles email phishing tactics. Again, it takes advantage of lower consumer awareness about the risks of fraudulent texts.
  • Social media phishing: Popular platforms like Facebook and Instagram have become lucrative avenues for attackers to find new phishing victims. Phishers often create phony profiles and befriend the victim by using the personal information people share about themselves on these sites.

Why is phishing so difficult to stop?

For attackers, phishing remains the preferred method because it is so lucrative. It’s also one of the simplest types of attacks for scammers to engage in, requiring little specialized knowledge to mount. This has led to such a massive number of phishing attacks that the sheer volume of them overwhelms many organizations.


Phishing requires minimal energy and minimal cost, which on its own would be enough to sustain it. But even more of a driver is its high success rate compared to other types of attacks. This is largely because humans, by nature, tend to trust what they’re told – particularly if it has some sense of urgency. Notices that our various accounts have been canceled, that charges have been applied for purchases we didn’t make, or that we have unclaimed rewards waiting to be collected all sound like pressing issues that require further, immediate investigation. Phishing attacks are often designed to instill some level of panic or urgent enticement – “free TikTok followers” – further lowering the victim’s guard.

The bottom line is that phishing is designed to prey on the psychology of the victim, which makes it difficult to defend against.

[Read also: A wave of Ukraine crypto phishing scams may get workers fired, but there are ways to create a more vigilant workforce – here are three]

Meanwhile, phishers are getting better and better at luring victims, so even experienced users are finding themselves caught off guard by fraudulent emails and text messages that look quite real. For less experienced users, a lack of experience with these types of attacks puts them at even greater risk.

All of this continues to feed the phishing fire, which shows no signs of abating anytime soon.

What are examples of phishing attacks?

One of the more challenging aspects of phishing is that every attack looks different, so it’s hard to create any kind of universal guide to defend against them. In general, these are some of the most common types of phishing attacks and how they work:

  • Emails designed to look like legitimate corporate correspondence: Phishing emails are usually commercial and almost always contain an embedded link directing the victim to a malicious website that aims to harvest login credentials or financial information like account numbers or to install malware. Some of the most common types of phishing emails are phony invoices for products or services the victim did not purchase, notifications from banks or other service providers (usually alerting the victim to some kind of fraud, charge, or account cancellation that hasn’t really occurred), notifications that the victim is due funds, or messages from the victim’s employer (often spoofing human resources or executive email accounts) instructing them to take some kind of action.

[Read also: What is business email compromise?]

  • Messages that claim to be from the government: A common phishing attack pattern is to mimic a government agency with a scary message like “The IRS says you owe taxes” or “The police say an arrest warrant is out for you.” Another common attack claims that your Social Security number has been somehow “canceled.” All these phony statements attempt to frighten the user into taking action and providing personal data.
  • Text messages from people who claim to know you: Phishing text chains can begin with something as simple as a “Hello” from an unknown phone number, after which they can take any number of avenues to route to some type of fraud.
  • Messages designed to look like they’re from a colleague or loved one: Messages like these are often used in spear phishing attacks and can be delivered via email or text. They often ask the victim to take an action that’s financial in nature. “Can you make a wire transfer for the company?” or “I’m stuck and need money; can you send me cash via an online payment system?” These messages prey on victims who will naturally be more willing to help their boss or a relative – with those contacts’ identities often scraped from social media.
  • Social media messages from hacked or spoofed accounts: Social media is now fertile ground for phishing attempts where phishers make contact via direct messages on social media apps. Many such phishing attacks begin with a simple request that a victim “follow” the phishing account, which helps to improve their appearance of legitimacy and long-term success rates.
  • Phone calls with “urgent” information: Vishing attacks are more complex and costly to undertake, so vishers often get straight to the point. These attacks usually inform the victim that they have invoices (or taxes) due and offer to take an immediate payment over the phone, that a prize has been won and requires some kind of advance payment to receive it, or that – commonly – their computer has been compromised and requires a system update to repair it. These phony tech support operators invariably install malware onto and/or steal credentials directly from the victim’s device.

How are phishing attacks evolving?

Phishing is evolving along with the rest of the technology industry, becoming more pervasive, easier to undertake, and more sophisticated. Some of the key advances in recent years include:

  • Frequency: Phishing is everywhere. What was once restricted to email is now a universal problem across all communication platforms: text messages, phone calls, various types of documents, search engine results, other browser-based platforms, and even in-person media. Nowadays, phishing attacks are even commonly embedded in QR codes. Mobile device–based attacks have proven to be far more effective than email-based ones, so these types of attacks are likely to continue.
  • Quantity: The amount of unprotected consumer data is exploding. Users are sharing more information online than ever, and very little of that is protected behind a corporate firewall. This is giving attackers more ways than ever to exploit their victims.
  • Democratization: “Phishing-as-a-service” is giving criminals turnkey access to sophisticated attack technologies. Embarking on a career as a phisher no longer requires specialized knowledge. Subscription services now allow anyone to launch phishing campaigns by clicking a few buttons and paying the service operator less than $100 a month. These services are often hosted on legitimate cloud services, which makes them even harder to detect and stop.
  • ROI: Nation-state attacks are becoming less of a threat; phishing is now dominated by those focused on monetary goals and return on investment. Like any smart business executive, cybercriminals are looking at ways to diversify and turn phishing attacks into a recurring revenue stream. The result: more-aggressive actions, such as extortion, proving that phishing is not only on the rise but continually evolving.
  • Automation: AI tools help phishing attacks evade detection. We previously discussed the ways that AI is making phishing messages seem more natural and realistic, but AI is also having an impact when it comes to cybersecurity evasion, including the bypassing of spam filters and antivirus solutions. “Polymorphic” phishing technologies are also allowing phishing messages to adapt their look, language, and target URLs on the fly, making them even harder to detect. These technologies alter the sender’s name, email address, and even the body of the message so that each email is unique – and more likely to bypass anti-malware filters.

[Read also: How to free up IT staff to fight the new wave of automation-enhanced cyberattacks? Automate your own cyber risk scoring and risk management, says Forrester’s Renee Murphy]

What role is AI playing in phishing attacks today?

Historically, phishing messages have been generated by unsophisticated attackers with poor writing and design skills, making their typo-ridden messages exceedingly easy to spot.

Those days are gone.

The standard phishing defense of skimming an email and looking for obvious spelling or grammar errors is no longer effective. With AI tools like ChatGPT now accessible to the masses, it’s easy for attackers to clean up their grammar and write with better clarity, both of which make their attacks much more difficult to detect.

In some cases, AI is even taking things a step further by allowing attackers to mimic the voice and style of a victim’s friends and colleagues. A victim’s manager can be imitated down to their distinctive use of slang, commonly used phrases, and shorthand – even emojis. Now, those polished phishing emails can be cleverly personalized, making it nearly impossible to tell the difference between a malicious attack and a genuine article.

Besides leveraging AI, cybercriminals are also leveraging our interest in AI. In the summer of 2023, cyber researchers detected an uptick in fake AI promotions on Facebook, in which cybercriminals created ads featuring fake profiles of marketing companies that claimed to offer AI packages and access to Meta AI. As businesses and individuals explore the best ways to use generative AI to handle corporate data, cybercriminals are also jumping on the bandwagon. This means savvy enterprise leaders must expect (and prepare for) newer and even more clever phishing attacks in the future.

How can I prevent phishing attacks in my organization?

It’s hard enough for individuals to keep phishing attacks at bay, but for organizations, the problem is compounded, meaning security operations teams have their hands full defending against the threat. Here are the most effective tactics to stop phishing attacks:

  • It starts with training: The most proactive organizations have formal programs to educate users on how to spot phishing attacks and what to do if they receive one. These training sessions can be formal in-person sessions or online classes. The most progressive organizations may even “spot-check” employees by sending internally generated phishing messages to test whether they will click on a malicious link or report phishing as directed, thereby reinforcing the training lessons.


  • Implement multi-factor authentication: Multi-factor authentication (MFA) requires employees to use a second (and possibly third) form of security – usually a passcode delivered via text message or through an authentication app – whenever they access network resources. If a phisher succeeds at compromising a username and password, they will still be unable to access the network without the additional security factors. (An important caveat: Phishers will also attempt to phish those added factors out of the victim.)

[Read also: Is multi-factor authentication (MFA) living up to its hype? The answer: Yeah, but be alert to three sneaky tactics hackers use to get around it]

  • Ensure anti-malware software is installed and updated: These tools are critical for stopping damage if a malicious link is clicked or an attacker successfully delivers malware to a user’s PC. It’s essential that anti-malware tools be installed on all nodes in the organization’s network and that software is kept up to date. Remember, however, that software can only do so much, and multiple layers of anti-malware tools won’t provide increased protection over one well-managed tool.
  • Block suspicious emails at the source: Anti-spam systems that block email messages containing suspicious (or known spam) links are a huge help in keeping phishing attacks at bay.

How do I train employees to recognize phishing attacks?

In an enterprise setting, training your staff is a critical safeguard against phishing – the final line of defense if all other countermeasures have failed.


The goal of training is not to fault users for clicking on a phishing message that has made it through your corporate safeguards but to give them the confidence they need to identify phishing scams proactively – or at least ask for help if they think something might be amiss with a message. Users who fear punishment for making a mistake are less likely to report those mistakes when they (inevitably) happen.

Anyone organizing an enterprise’s training sessions should keep two major guidelines in mind:

  1. Training sessions should be brief and fun. No one wants to spend hours out of their day in an anti-phishing seminar, but quick, 30-minute sessions that are interactive and entertaining can be incredibly effective, especially if they are undertaken regularly and feature new material each time. For Cybersecurity Awareness Month this past year, Dell produced an 18-minute audio story with the production values of a radio drama or podcast, describing a fictional – yet typical – phishing attack and its aftermath. (Take a listen by clicking here and scroll down to the link for “Audio story: A Modern Cyber Attack.”)
  2. Simulations can help reinforce lessons after formal training sessions end. Organizations can craft their own faux phishing emails and send them to staff periodically to test how many are reporting messages and identify any individuals who may need additional training – all done without judgment, of course.

The training strategy itself should include these key reminders of a smart cyber defense:

  • Anything can be spoofed these days. A return email address that looks to be from a legitimate website is no guarantee that the email came from one. Attackers may buy lookalike domain names or use other methods to manipulate email addresses to make them appear to be sent from trusted domains. Phishing messages are more credible-looking than ever and require deeper analysis to spot fraud.
  • Any request for credentials or financial information is likely a phishing scam. Your organization should make it a strict policy to never send credentials or financial data through email or text messages.
  • Hovering over webpage links is still an effective and underused way to test for legitimacy. Most email programs allow you to hover the cursor over a link without clicking on it to see where it actually leads. If there’s a mismatch between the link text and the actual destination, it’s probably a scam. Teaching employees how to hover over links to identify fraudulent destinations is a critical step that should be part of any training program.
  • If you can only remember one thing, it’s this: Report before you click. “When in doubt, report” policies should be hammered home regularly. Teach users that there’s no harm in reporting a legitimate message if they have the slightest suspicion. Also, ensure security teams respond to suspicious message notifications quickly. Users who are waiting for security ops to respond may become frustrated and decide to take matters into their own hands.

What to do if you click a phishing link

Despite all your best efforts, it’s almost inevitable that a phishing attack will make it through your defenses. When this happens, you need to act fast, utilizing an incident response playbook to help manage what happens next.

Some of the best incident response practices for phishing attacks and many other security incidents include:

  • Releasing a timely and complete disclosure. If a user knows they’ve been attacked, it’s important that they come forward quickly, as time is of the essence in the aftermath of an attack. As noted earlier, this means building a guilt-free reporting process that rewards users for disclosures rather than punishing them. Find out in detail what happened leading up to the attack before you jump into action.
  • Quarantining known impacted systems before malware can spread. Immediately change any exposed passwords and passwords to any potentially connected bank accounts. Report and cancel credit card numbers that may have been revealed.
  • Running a full malware and intrusion detection sweep to uncover any malware that might have made its way onto the network. By preserving the source of the phishing attack, security operations can better determine the nature of any threats that might have been introduced. Logs should be scanned for suspicious logins, URLs, IPs, and other traffic going in and out of the network during the time since the attack.
  • Taking regular backups and testing for integrity. In a worst-case scenario, data can be restored to a time before the attack was initiated.
  • Performing tabletop exercises to help security teams prepare for a speedy and effective response. By simulating real-world scenarios, teams can practice their response to phishing threats in a controlled environment.
  • Reinforcing training by reviewing employee mistakes. There’s no need to “make an example” of the specific individual who may have clicked the link. In fact, that’s likely to be counterproductive in the long term. But it can be invaluable to show users what a successful phishing attack looks like—and the damage it can cause.
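The log sweep in the list above, as an added example that is not the article's or Tanium's code: given sign-in log lines and the time the user says they clicked, it flags successful sign-ins for that account from source IPs or user agents that were not seen for the account in the baseline window before the click, and counts failed attempts per source IP after the click. The key=value log format, the account names, the IPs (203.0.113.77 is from the documentation range) and the timestamps are all constructed assumptions; the parsing would need to be adapted to a real identity provider's export.

```python
# Added example (not from the article): after a user reports clicking a
# phishing link, sweep sign-in logs for activity on that account that does
# not match how the account looked before the click.
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: one sign-in event per line in a
# simple key=value format; real identity providers differ).
SAMPLE_LOG = """\
2024-04-10T08:02:11Z user=alice result=success ip=10.20.1.15 agent=Outlook
2024-04-10T08:05:40Z user=bob result=success ip=10.20.1.22 agent=Outlook
2024-04-10T09:31:07Z user=alice result=success ip=10.20.1.15 agent=Outlook
2024-04-10T09:48:52Z user=alice result=failure ip=203.0.113.77 agent=curl/8.4
2024-04-10T09:49:03Z user=alice result=failure ip=203.0.113.77 agent=curl/8.4
2024-04-10T09:49:20Z user=alice result=success ip=203.0.113.77 agent=curl/8.4
2024-04-10T10:12:45Z user=bob result=success ip=10.20.1.22 agent=Outlook
2024-04-10T10:30:00Z user=alice result=success ip=10.20.1.15 agent=Outlook
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"ip=(?P<ip>\S+) agent=(?P<agent>.+)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(text, TS_FORMAT)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return events


def sweep_logins(events, user, clicked_at, lookback=timedelta(days=7)):
    """Return successful sign-ins for `user` at or after `clicked_at` whose
    source IP or user agent never appeared for that user in the lookback
    window before the click. `clicked_at` is an ISO timestamp string."""
    t0 = parse_ts(clicked_at)
    baseline_ips, baseline_agents = set(), set()
    for ev in events:
        if ev["user"] == user and ev["result"] == "success" \
                and t0 - lookback <= ev["ts"] < t0:
            baseline_ips.add(ev["ip"])
            baseline_agents.add(ev["agent"])
    suspicious = []
    for ev in events:
        if ev["user"] != user or ev["ts"] < t0 or ev["result"] != "success":
            continue
        if ev["ip"] not in baseline_ips or ev["agent"] not in baseline_agents:
            suspicious.append(ev)
    return suspicious


def failed_attempts_after(events, user, clicked_at):
    """Count failed sign-ins per source IP for `user` after the click; a burst
    from one unfamiliar IP is a sign the stolen password is being tried."""
    t0 = parse_ts(clicked_at)
    counts = {}
    for ev in events:
        if ev["user"] == user and ev["ts"] >= t0 and ev["result"] == "failure":
            counts[ev["ip"]] = counts.get(ev["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    when = "2024-04-10T09:40:00Z"   # time alice says she clicked (constructed)
    for ev in sweep_logins(evs, "alice", when):
        print(f"suspicious sign-in {ev['ts']} ip={ev['ip']} agent={ev['agent']}")
    print("failed attempts:", failed_attempts_after(evs, "alice", when))
```

In the constructed data, alice's baseline is Outlook from 10.20.1.15, so the 09:49:20 success from 203.0.113.77 with a curl user agent is flagged while her later 10:30 sign-in from the usual address is not; bob, who did not click, produces nothing. Treating "new IP or new user agent" as the trigger catches the common case where the attacker has the password but not the victim's device.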

How can organizations fight phishing attacks while improving the digital employee experience (DEX)?

Balancing security with a positive user experience isn’t easy. Many users become frustrated with onerous security requirements, which can drive them to look for ways to bypass these measures that can potentially introduce additional vulnerabilities and even higher security risks.


The key to proactive anti-phishing measures (and all other security measures) is that they must make every effort to avoid interrupting and disrupting the user’s workflow. Email clients outfitted with a one-button “Report this message” function or, at the very least, a dedicated anti-phishing email address where suspicious messages can be forwarded are an excellent first step. The fewer hoops a user must jump through to report an attack, the more likely they are to report. Keeping attacks to a minimum is best – no user wants to spend their day filing reports. Eventually, alert fatigue will set in, and bad habits may develop.

Stepping back, organizations that work to improve the overall digital employee experience for users will likely find their employees more engaged and observant when it comes to email security and computer security in general. Users who are less stressed out due to their day-to-day working environment will likely be more understanding of the need for security and anti-phishing measures and more willing to work toward the common goals of preventing attacks, protecting the organization, and participating as a cohesive team. Like a smart DEX program, good security hygiene benefits everyone.

[Read also: Worker distraction is on the rise – here’s how digital employee experience (DEX) platforms can help]

Enforcing strong password policies and MFA, and providing training sessions, can all disrupt users’ workflow to some extent, and they may well push back against them. However, your training messaging needs to stress that the present disruption will be far less painful than a future disruption caused by a successful phishing attack. A little pain now is better than a massive disruption later.

Phishing attacks are a pervasive threat that requires constant vigilance and proactive measures to protect against them. By leveraging Tanium’s Digital Employee Experience solution as part of their overall endpoint management efforts, organizations can gain visibility into the performance of their endpoint devices to quickly identify and remediate issues, maximize employee productivity by ensuring users have a seamless experience, and can more easily gain an understanding of employee sentiment to ensure users have the tools and knowledge necessary to identify, secure against, and avoid successful phishing attempts.

Additionally, our vision for autonomous endpoint management (AEM) takes this a step further, aiming to create a self-defending network that can detect and respond to threats in real time. Act now to fortify your defenses with Tanium’s cutting-edge technology. Together, we can outsmart the phishers and safeguard our digital future. Request a free, personalized demo or register for a Converge World Tour event near you to see it in action.

Christopher Null

Christopher Null is a veteran technology and business journalist with more than 25 years of experience writing for Yahoo, Wired, Forbes, and more. He was a top editor at PC Computing, Smart Business, and New Architect and was the founding editor of Mobile magazine.
