What is phishing?
Phishing is a form of attack that relies on tricking a victim into doing what the attacker wants. The attack begins with the attacker sending the victim a message. Using that message as bait to lure the victim is what gives the attack its name.
The attack succeeds if the victim reacts to the message: for instance, by clicking a link or opening an attachment that delivers some kind of threat, by replying to the message and so starting a conversation with the attacker, or simply by staying on the phone and talking to the caller.
In the case of communication between attacker and victim, the attacker will attempt to manipulate the victim using social norms and expectations to convince them to do what they want. Some examples are when an attacker:
- Asks the victim to run a quick errand that the attacker claims to have no time for
- Calls on behalf of a supposedly unpleasant boss, counting on the victim to help so that the caller does not get into trouble
- Informs the victim about a (fake) issue with their account and offers to help fix it.
Types of phishing
The most common types of phishing are:
- Phishing, in the narrow sense, refers to email messages.
- Smishing refers to text messages (SMS) and takes advantage of the fact that it is difficult to validate the sender and the web links in a text message.
- Vishing (voice phishing) uses phone calls or messages left on the victim's voicemail.
Spear phishing, which can arrive by email, text or voicemail, is where the attacker researches a specific victim and crafts a personalized message just for them. The wealth of information available on the Internet makes it possible to craft a spear phishing message for just about anyone. For example, an attacker may impersonate the victim's boss to pressure the victim into responding.
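The boss-impersonation pattern described above usually shows up in the mail headers: the display name is the executive's real name, while the sending address belongs to a free webmail provider or a lookalike domain, and a Reply-To header quietly routes the victim's answer elsewhere. The following is an added example, not code from the original page, of how a mail gateway or triage script can flag those three signals. The organisation domain, the protected name and the three sample messages are constructed for the example; the check is a heuristic that complements, rather than replaces, SPF, DKIM and DMARC.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data for the example: the real mail domain and the
# people an attacker is most likely to impersonate (normalised, lower case).
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}


def normalize_name(name: str) -> str:
    """Case-fold and strip punctuation so 'Jane DOE.' and 'jane doe' compare equal."""
    return re.sub(r"[^a-z0-9 ]", "", name.casefold()).strip()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> list[str]:
    """Return human-readable findings for the From/Reply-To headers of a raw message."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].casefold()
    findings = []

    # Signal 1: a protected display name paired with an address outside the org.
    if normalize_name(display) in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{display}' is protected but sender domain is {from_domain}")

    # Signal 2: a domain one or two characters away from the real one.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")

    # Signal 3: replies would go to a different domain than the message came from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].casefold()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (not real traffic).
SPOOF = """From: Jane DOE <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <payments@mail-example.net>
To: bob@example.com
Subject: Quick favour

Are you at your desk? I need you to buy some gift cards for a client, I'm in a meeting.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: bob@example.com
Subject: Wire transfer

Please process the attached invoice today.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, check_message(sample) or "no findings")
```

Each finding on its own is only a hint: executives do occasionally mail from personal accounts, and some mailing-list software sets Reply-To legitimately. The value is in combining them with the content cues from the text above (urgency, a request to act outside normal process) and with the authentication results the receiving server already computes.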
A tech support scam typically starts with a phone call or a live chat message in which the attacker offers to fix a problem with your account or computer through a remote support session. Once that session is established the attacker controls your computer and can use it to reach your bank or to encrypt the machine with ransomware.
Why is phishing a problem for individuals and organizations?
- Prevalence: more than 90% of account compromises and breaches start with a phishing attack.
- Speed: more than 60% of phishing victims "bite" within the first hour, which leaves organizations little time to react and stop the attack.
- Cost: business email compromise cost organizations $4.1 billion USD in 2020 (up from $1.77 billion in 2019), before counting recovery operations and reputational damage.
- Impact: individuals suffer too, through workplace embarrassment and cleanup effort as well as personal consequences such as identity theft and damage to their credit rating.