What is Phishing?

Phishing is an online scam where the cybercriminal impersonates a trustworthy entity in order to obtain the victim’s sensitive data.

5 min read

5 min read

What is phishing?

Have you ever received an email or electronic communication – seemingly coming from a bank or other trustworthy source – that requested you “confirm” your account credentials or other sensitive information?

If so, you already know one of the most common definitions of phishing.

Origin of the term

The concept was first described in a 1987 conference paper by Jerry Felix and Chris Hauck called “System Security: A Hacker’s Perspective” (1987 Interex Proceedings 1:6). It discussed the technique of an attacker imitating a reputable entity or service. The word itself is a homophone of “fishing” for targets – as it uses the same “bait-catch” logic. The “ph-” at the beginning is a reference to “phreaks”, a group of hackers who experimented with, and illegally explored the borders of, telecommunication systems in the 1990s.

Types of phishing scams

Phishing has been around for years and in that time, attackers have developed a wide array of methods to target victims.

The most common phishing technique is to impersonate a bank or financial institution via email, to lure the victim either into completing a fake form in - or attached to - the email message, or to visit a webpage requesting entry of account details or login credentials.

 

Similar attacks can also be performed via phone calls (vishing) as well as SMS messages (smishing).

In the past, misspelled or misleading domain names were often used for this purpose. Today, attackers incorporate more sophisticated methods, making the links and fake pages closely resemble their legitimate counterparts.

Information stolen from the victims is usually misused to empty their bank accounts or is sold online.

Spearfishing

A more advanced phishing method whereby seemingly authentic phishing messages land in the inboxes of specific groups, organizations or even individuals. Authors of spearphishing emails perform detailed research on their target(s) in advance, making it difficult to identify the content as fraudulent.

Attacks focused on specific, mostly high-profile business individuals – such as top managers or owners – are labeled as “whaling”, due to the size of the potential pay-off (the bad guys going after “the big fish”).

Smishing

A form of phishing, smishing is when someone tries to trick you into giving them your private information via a text or SMS message. Smishing has now become an emerging and growing threat in the world of cyber security. This form of phishing is particularly alarming because people tend to be more inclined to trust a text message than an email.

Deceptive phishing

Deceptive phishing is the most frequent type of phishing attack. In this case, the attacker attempts to obtain confidential information from the victims. Attackers then use the information to steal money or to launch other attacks. A email from a trusted company such as a bank asking you to visit a link and verify your account details is an example of deceptive phishing.

Whaling

When attackers go after a “big fish” like a CEO or similar, it’s called whaling. These attackers often spend a considerable amount of time profiling the target to find the opportune moment and means of obtaining their credentials. High-level executives are able to access a great deal of company information so whaling is of particular concern.

Pharming

Similar to phishing, pharming sends users to a fraudulent website that appears to be legitimate. However, in this case, victims do not even have to click a malicious link to be taken to the dishonest site. Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to a false website even if the correct URL is typed in.

How to recognize phishing

An email or electronic message can contain official logos or other signs of a reputable organization and still come from phishers. Below are a few hints that can help you spot a phishing message.

Read more

  1. Generic or informal greetings – If a message lacks personalization (e.g. "Dear Customer") and formality then there is probably something amiss. The same applies to pseudo-personalization using randomized, fake reference numbers 
  2. A request for personal information – Frequently used by phishers, usually avoided by banks, financial institutions and most online services
  3. Poor grammar – Spelling mistakes, typos and unusual phrasing often indicates a fake (but the absence of any of these is not proof of legitimacy)
  4. Unexpected correspondence – Unsolicited contact from a bank or online service provider is highly unusual and thus suspicious
  5. A sense of urgency – Phishing messages often try to induce rapid and less-considered action
  6. An offer you cannot refuse? – If the message sounds too good to be true, it almost certainly is
  7. Suspicious domain – Would a US or German bank really send an email from a Chinese domain?

How To Prevent Phishing

To avoid a phishing bait, be aware of the above indicators by which phishing messages commonly give themselves away.

Follow these simple steps

  1. Be aware of new phishing techniques: Follow the media for phishing attack reports, as the attackers might come up with new techniques for luring users into a trap 
  2. Don’t give away your personal details: Always be alert if an electronic message from a seemingly trustworthy entity asks for your credentials or other sensitive details. If necessary, verify the contents of the message with the sender or the organization they seemingly represent (using contact details known to be genuine rather than details provided in the message)
  3. Think twice before you click: If a suspicious message provides a link or attachment, don’t click or download. Doing so might lead you to a malicious website or infect your device with malware
  4. Check your online accounts regularly: Even if you don’t suspect that someone is trying to steal your credentials, check your banking and other online accounts for suspicious activity. Just in case…
  5. Use a reliable anti-phishing solution. Apply these techniques and 'Enjoy Safer Technology' 

You can learn more about phishing here.

Notable examples

Systematic phishing started in the America Online (AOL) network in 1995. To steal legitimate account credentials, attackers contacted victims via AOL Instant Messenger (AIM), often pretending to be AOL employees verifying user passwords. The term “phishing” popped up on a Usenet newsgroup that focused on a tool called AOHell that automated this method, and the name stuck. After AOL introduced countermeasures in 1997, the attackers realized they could use the same technique in other parts of the online realm – and moved towards impersonating financial institutions.

Read more

One of the first large, albeit failed, attempts occurred in 2001, taking advantage of the chaos of the 9/11 terror attacks. Phishers sent out emails asking some of the victims for an ID check, trying to misuse the obtained data to steal financial details from the digital currency service e-gold.

It took only three more years for phishing to gain a firm foothold in the online world and by 2005 it already had cost US users over US$900 million.

According to the APWG Global Phishing Survey, over 250,000 unique phishing attacks were observed in 2016, using a record number of maliciously-registered domain names – surpassing the 95,000 mark. In recent years, phishers have tended to focus on banking, financial and money services, e-commerce customers and social network and email credentials.

ESET offers you an award-winning antivirus

ESET HOME Security Premium

Powerful, multilayered protection to encrypt sensitive data, manage passwords easily, secure online transactions and more. A user-friendly solution for enhanced privacy online. Secures Windows, macOS, Android, and iOS devices.

 

Ultimate digital security for business

Protect your company endpoints, business data and users with ESET's
multilayered technology.

Ultimate digital security for business

Protect your company endpoints, business data and users with ESET's multilayered technology.