What is phishing?
Phishing is a type of social engineering attack in which the criminal behind it impersonates a person or organization in an attempt to gain something valuable from you, whether money or things like credentials they can use to log into accounts to steal information or perform additional criminal actions.
Origins and evolution of phishing
The term "phishing" is derived from the word "fishing." In particular, the idea of dangling a tempting lure on a hook in front of a fish. When the fish bites, it swallows the bait and gets hooked. The same idea applies to the victim who responds to the email. The "ph" at the beginning of the word is intentional, and taken from "phreaking," the term used to describe the techniques used to hack and intrude into telephone networks dating back to the 1970s.
Early phishing techniques
Just as with fishing, a phishing attack attempts to lure the victim with a message. The exact type can vary wildly: a fake gift card from an online gaming service, a notification that your work email account is out of disk space, a message from your bank asking you to approve a transaction, an urgent message from a company's owner, a bill or invoice that must be paid quickly, or anything else that entices the victim to enter their credentials into a website, call someone and give them their credit card number, open a PDF file containing an invoice, and so forth.
Modern phishing strategies
It is important to understand that while some may consider phishing a new or novel form of attack, it is fundamentally a form of social engineering. Con men and tricksters had been using deception and pretext for centuries before computers and networks were invented. What the home computer revolution of the late 1970s, followed by the internet revolution of the mid-1990s, did was make it far simpler and less expensive to commit these types of crimes.
Real-world phishing examples and case studies
Historical phishing scams
While working at McAfee Associates in 1990, we received our first advance fee fraud scam. In these scams, now more popularly known as Nigerian 419 scams after that country’s penal code, the criminal promises to provide the recipient with a large sum of money in exchange for a smaller sum to set up the funds transfer.
This particular scam did not come via email or fax, but arrived in the postal mail, in an airmail envelope festooned with stamps containing several thin sheets of onionskin paper with faint typewriting on them explaining how we would become the recipient of millions of dollars if we just helped a minister move funds out of a state-owned petrochemical company in Lagos.
None of us had ever seen, or even heard of, such a thing before, and we passed it around the office. Finally, Mr. McAfee grabbed it, took it into his office to read, and came out about 5-10 minutes later, explaining that whoever sent it was trying to con him into wiring them money, at which point he would never see any of it again.
Now, to accomplish all of that, the scammer had to type out that letter (it was either typed by hand or printed on a daisy-wheel printer), then take it to the post office and mail it, all in the hope that the victim would be gullible and greedy enough to take them up on their offer.
Recent notable incidents
Compare and contrast that with how a modern Nigerian 419 scamming operation works some 30+ years later:
In 2024, police across five continents seized $3M in assets and arrested 300 suspects who were members of a Nigerian-based trans-national criminal enterprise known as the Black Axe.
Now, not all of their criminal activities were advance fee fraud scams; they also engaged in counterfeiting, extortion, kidnapping, human trafficking, money laundering, narcotics, and prostitution, but cybercrime is the most profitable form of crime for the organization, which is estimated to have 30,000 members worldwide and steal $5B yearly, according to reporting from the Africa Center for Strategic Studies.
About a tenth of that is from sophisticated phishing scams targeting North American businesses. That’s a far cry from the letter in the postal mail promising riches.
Common phishing methods
Email-based phishing
Phishing via email and the web took off in the late 1990s-2000s as internet connectivity soared. The first phishing emails and websites were often notable for being obvious forgeries, with company logos in wrong colors and fonts, as well as poor spelling and grammar. Today's phishing emails and documents may appear identical to legitimate ones as they have been copied from the original source and modified, as can websites.
This is due to increased experience by the criminal gangs involved, as well as tools for the cloning—creating perfect copies—of websites. Likewise, spelling and grammar checkers have improved the quality of the text so that they may no longer be immediately obvious.
SMS phishing (smishing)
Probably the most widely-used method of phishing is email, but phishing messages are also sent via SMS, forms hosted on social media, and messaging applications.
Voice phishing (vishing)
Phishing can even occur over telephone calls and faxes. Sometimes security practitioners describe these by different names such as smishing for SMS and vishing for telephone calls, but they are all forms of phishing.
Some phishing documents, emails, and websites still contain noticeable grammar mistakes. While this seems counterintuitive and likely to be ignored by a native speaker of whatever language the phishing materials are in, it helps the criminals target victims who are not fluent in the language being used and may be more likely to be scammed by them. For example, a criminal may be pretending to be a non-native English speaker in one country, and targeting a business in another, hoping that a poorly-written message will look more legitimate to the victim.
Spearphishing and whaling
Phishing attacks range from being relatively unsophisticated, where the criminals may only have the victim's name, email address or phone number as the result of a data breach, to more targeted attacks where the criminals have gathered information about the victim from social media like Facebook and LinkedIn in order to create a more realistic-looking phishing attack.
These types of attacks are colloquially known as spearphishing. If the individual being targeted by a spearphishing campaign has a high net worth, or has access to large amounts of funds, they may be referred to as a whale by the attackers, who call such attacks whaling. This is because of the large sums that can be gained from phishing attacks on them.
Business email compromise (BEC)
The most sophisticated spearphishing is known as Business Email Compromise (BEC), a phishing/social engineering campaign targeted at specific roles, such as company executives or employees in accounting or finance. The attackers monitor the targeted company's news and PR for announcements such as events that executives are going to be speaking at, as well as social media like LinkedIn for new hires announcing their new jobs, and so forth.
The attackers may break into the email service of one of the company's business partners, or set up a nearly identical-looking domain to send email from when the time is right. Then, when the executive goes to speak at the conference, the criminals spring the trap, impersonating the executive and requesting that the new hire in finance perform a large wire transfer to fund a secret merger or acquisition.
The attackers may use compromised or fraudulent email accounts to send the request, or even use a telephone and videoconferencing call that is being manipulated by AI to generate deepfakes in order to impersonate the executive.
If that sounds like the stuff of science fiction, it’s not, as it has already happened: In 2024, an employee of a Hong Kong-based company was tricked into wiring $25M after a video conference call with the company CFO and several colleagues, all of whom were puppets created using deepfake video technology, according to CNN.
Defending against BEC can be difficult because people will often unquestioningly perform a request from a company executive. But training employees to recognize out-of-the-ordinary requests, to confirm a request using a different method of communication than the one it was initially made through, and to set up code words or passphrases to accompany transactions can all help.
Homoglyph and typosquatting attacks
While phishing campaigns may use random domains that have been compromised to host the phishing website or use a webhosting provider that offers a free service tier (or an account purchased with stolen credit card data), some criminals rely on using domain names that appear similar to the organization they are impersonating.
Sometimes called homoglyph or typosquatting attacks, these rely on using similar-appearing characters, like the number one (“1”) and a lower-case letter L (“l”), or the number zero (“0”) and an upper-case letter O (“O”) in the domain name, making common spelling mistakes, or transposing the order of frequently-mistyped characters in domain names in the hope that the recipient of the phish will not realize they have received a phish.
It’s not child’s play: Phishing attacks targeting gaming platforms
As an example of deceptively-spelled domains, these were all identified on an online chat service popular with people aged from pre-teen into their twenties. These domain names were shared in phishing messages meant to steal credentials for customers of Valve Corp.’s Steam gaming platform. The legitimate domain for that platform is steamcommunity[.]com.
| sceanmcommnunmnlty[.]com | sdeamccmmunnlty[.]com | sltreanmcommnunlty[.]com | staemcomunnuity[.]com |
| steambonus-card[.]com | steamconmumiity[.]com | steamconmuntity[.]com | steamecomrmunity[.]com |
| steamnscommnunity[.]com | steamuconmmunity[.]com | steancommunitv[.]com | steanmrcommunity[.]com |
| steanmucommunity[.]com | stearnconmumity[.]com | stenmcommnunnity[.]com | tickets-steampowered[.]com |
The victims are usually enticed to enter their credentials by the offer of a free gift card, or a free copy of a new or popular game. Doing so does not get them a gift card or a game, but rather a compromised account. While it may seem obvious that no one is going to randomly give away gift cards or free copies of games, it should be noted that these particular phishing URLs were shared in chats targeting pre-teens and teenagers.
As digital natives, they have been exposed to online advertising and marketing campaigns throughout their lives. While some of them have become hyper-aware of such scams and will automatically avoid them, there are some of them who are unable to discriminate between legitimate activities and phishing campaigns that trick them into giving away their credentials. Once that happens, fraudulent purchases can be made, and valuable DLC can be stolen, sometimes for hundreds or thousands of dollars.
This also shows some of the difficulty in protecting against such phishing campaigns.
Analyzing suspicious URLs
Despite being filled with spelling errors, these domain names superficially look legitimate, and that may be enough to get them quickly clicked on without much forethought. Once that web page opens, the victim is going to be focused on the steps they next need to take to get their gift card or free game and not carefully inspecting the website’s domain name in the web browser’s address bar.
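The confusable-character and misspelling tricks described under homoglyph and typosquatting attacks can be checked mechanically. As an added example that is not code from the original article, the Python below normalizes the 1/l, 0/O and rn/m substitutions, then scores the edit distance of a candidate domain's label against a watch list, using the Steam domains listed above as input. The watch list, the confusable table and the 0.35 distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed watch list: the legitimate domain named in the article plus a brand keyword
# that catches names like steambonus-card, which are far off in edit distance.
PROTECTED = [("steamcommunity.com", "steam")]
# Confusables from the text (1/l, 0/O) plus a few more, as single characters and pairs.
SINGLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def normalize(label):
    """Map confusable characters onto the letters a hurried reader would see."""
    label = label.lower().translate(SINGLE)
    for src, dst in PAIRS:
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent pair."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "stae" -> "stea" costs 1
    return d[-1][-1]

def hostname(value):
    """Accept a defanged domain ("[.]") or a full URL and return the bare host."""
    value = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return (urlsplit(value).hostname or "") if "://" in value else value.strip(".")

def classify(value, protected=PROTECTED, max_ratio=0.35):  # 0.35 is an assumed cut-off
    """Verdict for one domain: legitimate, lookalike, brand-keyword or unrelated."""
    host = hostname(value)
    # Compare the second-level label only (naive for ccTLDs such as .co.uk).
    label = normalize(host.split(".")[-2] if "." in host else host)
    for legit, _ in protected:
        if host == legit or host.endswith("." + legit):  # real domain or its subdomain
            return {"host": host, "verdict": "legitimate", "closest": legit, "distance": 0}
    scored = [(edit_distance(label, normalize(d.split(".")[-2])), d) for d, _ in protected]
    dist, legit = min(scored)
    if dist / len(normalize(legit.split(".")[-2])) <= max_ratio:
        verdict = "lookalike"
    else:  # too far to be a typo, but the brand name inside the label is still a signal
        verdict = "brand-keyword" if any(k in label for _, k in protected) else "unrelated"
    return {"host": host, "verdict": verdict, "closest": legit, "distance": dist}
```

The most heavily mangled name in the table, sceanmcommnunmnlty, is six edits away and falls outside the threshold, which shows the trade-off: loosening it catches such names but also flags unrelated domains, so pair the score with the context signals described above, such as a gift card offer in a chat.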
How to recognize phishing attempts
Common red flags in phishing messages
Another way that phishing messages can often be identified is that they ask for information that a legitimate business would not normally ask for, especially from an existing customer, such as a tax or social security identification number, or pictures of legal identification documents. The point of collecting these is usually to commit identity theft, which can lead to everything from credit cards and loans being taken out in the victim’s name to fraudulent tax refund filings.
In other cases, the goal is simply to get into the victim’s bank account. These can start with a phishing email showing up claiming to be a receipt for a large expenditure, but with no website mentioned at all. The scam is that these phishes claim a large purchase was made using the victim’s credit card or PayPal account from Apple, Amazon, Best Buy or some other business, and the victim is being asked to verify the charge by calling a phone number that just happens to be prominently displayed in the message.
Once the victim calls, they are tricked into giving their credit card details in order to “cancel” the order. Of course, once they have done so, the victim’s credit card is used by the scammers to make purchases, often ones that can be quickly resold, such as gift cards.
Protecting against phishing attacks
Because phishing attacks are fundamentally not a technology issue but a social engineering one, protecting against them is difficult. But there are steps that can be taken to block them and limit their effectiveness:
1. Educate employees about common phishing schemes. Phishing messages often begin with an alarming-sounding message as a pretext to trick the victim into responding immediately instead of thinking logically about it. Teaching employees to recognize general patterns like this, as opposed to specific scams, can help build an organization’s resilience to phishing.
Also make sure that employees know they should report phishes to the IT or internal security departments, and that if they have clicked on a link in or called a phone number in a phishing message that they can report it without being penalized or embarrassed.
That’s not to say that technological mechanisms aren’t equally important; protection against phishing requires a combination of user education and technical means.
2. Configure your mail server to identify which emails are internal and which are external, and add a warning label to all emails that came from outside the organization, notifying the recipient of its origin.
3. Make sure your mail servers and endpoints are protected against phishing emails. The antiphishing component may be a subset of the antispam component, or it may be its own separate category.
4. Ask users to limit what sort of information they share about work on their social media profiles, such as being hired or promoted, to close friends and not with the general public. Have public relations avoid naming the executive(s) appearing at events until right before the event to limit attackers' ability to successfully execute a spearphishing or BEC campaign.
5. Provide all employees with cybersecurity awareness training that includes education on how to identify, avoid, and report phishing attempts; this is your primary defense against social engineering attacks on your organization.
6. Report undetected phishes to your antiphishing provider. If you found the phish to be notable in some way, report it to law enforcement as well.
Wrapping it all up
As you have read, there’s no one kind of phishing. Some phishers rely on decades-old scams that have evolved as new technologies to spread them appear. Others start on new platforms as those gain popularity, betting that the platform’s newness and rapid growth means it will be unable to effectively monitor for such abuse.
Some of the phishes might be to get into someone’s gaming account in order to steal a few hundreds of dollars, while some may steal millions of dollars from businesses. Regardless of how the phishing message is delivered, what it says, or how much money is at stake, both technological and educational measures are required to combat them.