Phishing definition

Phishing is a type of cyberattack that uses disguised email as a weapon. Variations of phishing use text messages, voicemail, or QR codes. These attacks use social engineering techniques to trick the email recipient into believing that the message is something they want or need—a request from their bank, for instance, or a note from someone in their company—and to click a link or download an attachment. Phishing emails can be targeted in several different ways, with some not being targeted at all, some being "soft targeted" at someone playing a particular role in an organization, and some being targeted at specific, high-value people.

Phishing history

One of the oldest types of cyberattacks, phishing dates to the 1990s, and it's still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated. The term arose among hackers aiming to trick AOL users into giving up their login information. The "ph" is part of a tradition of whimsical hacker spelling, and was probably influenced by the term "phreaking," short for "phone phreaking," an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.

Some phishing scams have succeeded well enough to make waves:

What a phishing email can do

Generally, a phishing campaign tries to get the victim to do one of two things:

Hand over sensitive information. These messages aim to trick the user into revealing important data—often a username and password that the attacker can use to breach a system or account. The classic version of this scam involves sending out an email tailored to look like a message from a major bank. By sending email messages to millions of people, the attackers ensure that at least some of the recipients will be customers of that bank. The victim clicks on a link in the message and is taken to a malicious site designed to resemble the bank's webpage, and then hopefully enters their username and password. The attacker can now access the victim's account.

Download malware. Like a lot of spam, these types of phishing emails aim to get the victim to infect their own computer with malware. Often the messages are "soft targeted"—they might be sent to an HR staffer with an attachment that purports to be a job seeker's resume, for instance. These attachments are often .zip files, or Microsoft Office documents with malicious embedded code. One of the most common forms of malicious code is ransomware—in 2017 it was estimated that 93% of phishing emails contained ransomware attachments.

Types of phishing

One way to categorize phishing attacks is by whom they target and how the messages are sent. If there's a common denominator among phishing attacks, it's the disguise. The attackers spoof their email address so it looks like it's coming from someone else, set up fake websites that look like ones the victim trusts, and use foreign character sets to disguise URLs.

That said, a variety of techniques fall under the umbrella of phishing. Each type of phishing is a variation on a theme, with the attacker masquerading as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with.

Email phishing: With general, mass-market phishing attacks, emails are sent to millions of potential victims to try to trick them into logging in to fake versions of very popular websites. According to the Brand Phishing Report Q2 2023 from Check Point Software Technologies, these were the top brands attackers used:

That list can change depending on the industry targeted. For example, the 2023 Financial Services Sector Threat Landscape report by Trustwave SpiderLabs lists Microsoft, Docusign, and American Express as the top spoofed brands.

Spear phishing: When attackers craft a message to target a specific individual. For instance, the spear phisher might target someone in the finance department and pretend to be the victim's manager requesting a large bank transfer on short notice.

Whaling: Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish—CEOs or other high-value targets like company board members.

Gathering enough information to trick a really high-value target might take time, but it can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs with emails that claimed to have FBI subpoenas attached. In fact, they downloaded keyloggers onto the executives' computers—and the scammers' success rate was 10%, snagging almost 2,000 victims.

Business email compromise (BEC): A type of targeted phishing attack in which attackers purport to be a company's CEO or other top executive, typically to get other individuals in that organization to transfer money.

Vishing, smishing, and qishing: Phishing via phone call, text message, and QR code, respectively.

Other types of phishing include clone phishing, snowshoeing, social media phishing, and more—and the list grows as attackers are constantly evolving their tactics and techniques.

How phishing works

All the tools needed to launch phishing campaigns (known as phishing kits), as well as mailing lists, are readily available on the dark web, making it easy for cybercriminals, even those with minimal technical skills, to pull off phishing attacks. A phishing kit bundles phishing website resources and tools that need only be installed on a server. The graphic below from Duo Labs shows how phishing kits work.

Once installed, all the attacker needs to do is send out emails to potential victims. Some phishing kits allow attackers to spoof trusted brands, increasing the chances of someone clicking on a fraudulent link. Akamai's research, published in its Phishing—Baiting the Hook report, found 62 kit variants for Microsoft, 14 for PayPal, seven for DHL, and 11 for Dropbox.

Phishing examples

Criminals rely on deception and creating a sense of urgency to achieve success with their phishing campaigns. As the following examples show, these social engineers know how to capitalize on a crisis.

Phishing example: Corona update

The following screen capture shows a phishing campaign discovered by Mimecast that attempts to steal the login credentials of the victim's Microsoft OneDrive account. The attacker knew that with more people working from home, sharing of documents via OneDrive would be common.

Phishing example: Covid cure

This phishing campaign, identified by Proofpoint, asks victims to load an app on their device to "run simulations of the cure" for COVID-19. The app, of course, is malware.

Phishing example: A matter of public health

This email appears to be from Canada's Public Health Agency and asks recipients to click on a link to read an important letter. The link goes to a malicious document.

How to prevent phishing

The best way to learn to spot phishing emails is to study examples captured in the wild! Lehigh University's technology services department maintains a gallery of recent phishing emails received by students and staff.

There are also a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:

If you work in your company's IT security department, you can implement proactive measures to protect the organization, including:

Encouraging employees to send you suspected phishing emails—and then following up with a word of thanks.
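As an added example (not from the article or from any vendor it names), the script below automates three of the disguise checks described above for a message an employee has forwarded to the security team: an envelope sender domain that differs from the From domain, a brand name in the display name sitting inside a lookalike sender domain, and a link whose host uses punycode or mixes character sets. The sample messages, the domains and the Cyrillic "а" homoglyph in the link are all constructed for this example.

```python
import email, re, unicodedata
from email.utils import parseaddr

# Constructed sample messages for this example (not real campaigns).
SUSPECT = """\
Return-Path: <bounce@bulk-sender.example>
From: "PayPal Support" <service@paypal-alerts.example>

Confirm your details within 24 hours at https://www.p\u0430ypal.com/signin
"""
CLEAN = """\
Return-Path: <noreply@example.com>
From: "Example IT" <noreply@example.com>

Read this month's update at https://intranet.example.com/news
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def addr_parts(header):
    """(display name, domain) from an address header; '' when absent."""
    name, addr = parseaddr(str(header or ""))
    return name, addr.rpartition("@")[2].lower()

def host_is_disguised(host):
    """True for punycode labels or a host mixing scripts (e.g. Cyrillic 'a' in a Latin name)."""
    if any(label.startswith("xn--") for label in host.split(".")):
        return True
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    return len(scripts) > 1

def phishing_indicators(raw):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_dom = addr_parts(msg["From"])
    _, envelope_dom = addr_parts(msg.get("Return-Path"))
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope domain {envelope_dom} differs from From domain {from_dom}")
    # Lookalike sender: a brand word from the display name buried in a longer domain label.
    label = from_dom.split(".")[-2] if "." in from_dom else from_dom  # naive: ignores ccTLDs
    for word in re.findall(r"[a-z]{4,}", display.lower()):
        if word in label and label != word:
            findings.append(f"display name '{display}' but sender domain label '{label}'")
    for url in URL_RE.findall(msg.get_payload()):
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        if host_is_disguised(host):
            findings.append(f"disguised link host {host} ({host.encode('idna').decode()})")
    return findings
```

Run against SUSPECT it reports all three indicators, while CLEAN produces none; the checks are heuristics meant to triage forwarded mail, not to replace SPF/DKIM/DMARC evaluation by the mail gateway.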