In a phishing attack, a scammer sends a fraudulent email claiming to be someone they’re not. These scammers trick their victims into giving up money, passwords, or personal information. Phishing attacks target individuals, businesses, and even government organizations. Scammers send over 3 billion phishing emails every day, making phishing one of the most prevalent vectors for cyberattacks.
Although these attackers use technical hacks to disguise themselves, at their heart, a phishing scheme is an old-fashioned con. It’s a form of social engineering: instead of trying to hack your computer, a phishing scammer tries to deceive their targets into unwittingly giving up money or sensitive information.
How Phishing Works: 3 Common Approaches
Phishing attackers use a variety of tricks to scam their victims. We’ll talk about more advanced types of phishing later in the article, but let’s start with three of the most common approaches.
Approach #1: Phishing for Passwords
In this scenario, the phishing scammer crafts an email representing a legitimate organization – for our example, let’s say Chase Bank. The scammer creates a fake web page, designed to look like an exact duplicate of the legitimate one.
From there, they write an email that also duplicates a legitimate email as closely as possible. Through a technique known as email spoofing, a phishing email can even fake the “from:” address to say the email came from an email address of the scammer’s choosing.
Frequently, a scammer will couple their arts of imitation with some kind of emotional appeal. Even a generic email, such as the one below, can provoke emotions. In this case, the threat of a hacked bank account is used to incur fear in their target so as to override their better judgement.
When the target receives the message, the attacker is counting on them to click through without thinking. From there, they land on the duplicate website and type in their password. They have now given up their bank account login, which can then be used to access their accounts. You can see an example below.
Phishing Example Email
Approach #2: Phishing for Personal Information
In other cases, phishing emails will ask you to give up personally identifiable information. You’re hopefully already careful with your social security number and bank account numbers. But even details like your address and phone number can be used to commit identity theft, especially if the attacker can build up a profile with several personal details.
You should be especially wary of surveys, as these can be an opportunity for a scammer to scoop up several pieces of personal information in one go. Just like you would with a login page, pay attention to the URL: a survey on a third party, for instance, is less secure than one hosted directly on a trusted website.
Keep an eye on the questions being asked as well. It’s one thing for a company to ask how you found out about them, or whether you like their products. But they shouldn’t need to ask for a bunch of personal details.
Personal Information Phishing Example Email
You have been selected for an Amazon customer experience survey. Please click here to fill it out.
You should be able to complete the survey in under 10 minutes. We appreciate your insights, and will happily credit your Amazon count with a $50 credit.
Approach #3: Phishing via Advance Fee Fraud
Other phishing schemes go after money directly. In advance fee fraud, the scammer promises a massive sum of money if you only wire them a few thousand dollars.
The best-known example is the Nigerian Prince who needs help securing his fortune. But advance fee phishers take other forms as well: they might pretend to be a foreign bureaucrat trying to move money out of their country, or an entrepreneur offering a dubious investment opportunity.
In all cases, they’re asking for a chunk of change in exchange for a much bigger chunk of change. Of course, it’s highly unlikely you’ll ever see a dime from them, which is why you should never give money to strangers over the internet – except as an act of charity.
Advance Fee Phish Example Email
I hope this email finds you well. I write to ask for your aid in remitting a sum of $18.4 million. These funds were awarded as part of a government contract, and I want to safely move them out of my country under your supervision.
My name is Adomas Masiulus and I am the Director of Extraction for the Lithuanian Department of Energy. It is in my power to move this money to a safe destination. All I ask from you is that you safeguard these funds. For your service, you would be eligible to transfer 15% of this money to your own personal accounts.
It is necessary that you handle this business with the highest discretion. Should you do so, the profits described above can be arrived at with a minimum of personal risk.
Kindly reach out to me for further information at firstname.lastname@example.org.
I eagerly await your reply.
Mr. Adomas Masiulis
7 More Types of Phishing Attacks
The above examples represent some of the most common phishing methods. They all follow the same core pattern, by which the attacker sends an email to solicit money, passwords, or personal information.
There are many other varieties of phishing attacks. Some of these use mediums other than email, such as text messages and phone calls.
Where most phishing attacks are generic emails designed to be sent far and wide, a spear phishing attack is highly targeted and personalized to a specific victim.
A spear phishing attack begins with research. The scammer looks for a personal angle, such as one related to a specific family event or work relationship. They can often learn quite a bit just from social media: where you went to school, where you work, who’s in your family, when their birthdays are, and plenty of other details. As such, you can make a potential spear phisher’s job much harder just by making your profiles and posts private.
Because spear phishing is more time-intensive than generic email blast phishing, these attacks typically target high value victims, such as businesses and other organizations. For more information, see our definitive guide to spear phishing.
Whale phishing is a form of spear phishing whereby the attacker pursues especially high value targets, such as CEOs. The scammer may target other individuals within the organization as they work their way to the top – but they won’t cash out or stop until they’ve achieved their big goal.
Once they have access to an email address within an organization, they can then send emails from that account. At that point, they can then email other individuals from that email address, making it that much harder to spot a phishing email.
Smishing, aka SMS Phishing
Smishing, short for SMS phishing, refers to phishing attempts made via text message. The scammer will typically pose as a trusted company that serves millions of people, such as UPS or Bank of America.
From there, they’ll follow a playbook very similar to the phishing methods above: they might, for instance, use a shortened link to send you to a duplicate website where they can steal your login and password.
For more information and an example, see our guide on Smishing.
Vishing, aka Voice Phishing
Vishing refers to voice phishing, by which someone scams their target into giving up passwords or personal information over a phone or VoIP call. Scam calls have been around as long as the telephone, but what makes vishing a form of phishing is the technique: just like in a phishing email, they’re pretending to be someone they’re not and trying to get you to give up sensitive information.
Often, vishing attempts go hand-in-hand with a phishing email. The scammer will send an email and follow up with a voice call. You can respond (or not respond) to an email at your leisure. When you pick up the phone, they might catch you in the middle of something – and the scammer’s counting on you to do what they say so you can end the call and move on.
If someone calls and asks for passwords or personal information, the best thing you can do is tell them you’ll call back and end the call. From there, look up the phone number of the organization they claim to represent and dial that number directly. That way, you can be sure you’re talking to an official representative. Under no circumstances should you divulge sensitive information to an unsolicited caller.
You can read more in our complete guide to vishing.
Angler phishing refers to phishing attempts made on social media platforms such as Facebook and Twitter. Angler phish typically look for anyone talking about an established company or brand. When an angler phish sees someone complaining and trying to get a company’s attention on social media, they swoop in, pretending to be that company’s customer service department.
From there, they’ll try to get their victims to give up sensitive information, such as the credit card number they used to make a transaction.
Many social media platforms, including Facebook and Twitter, have implemented a “blue check mark” verification system to confirm the identity of established people and brands. You can’t rely 100% on the blue check though, and should carefully check their handle to make sure they didn’t just change their name.
It’s also possible for a legitimate account to get hacked, as many major accounts were in July 2020. As a general rule, I would never give out my credit card number on social media under any circumstances.
Catfishing has taken on a life of its own. But the “fishing” still refers to its origins as a type of phishing. A catfisher makes a fake profile on an online dating service such as Tinder. Catfishing methods and motives vary widely. Most frequently, the motive is financial. They might try to start a long-distance relationship and then ask for travel money. They might go after personal information, such as your phone number and address, so they can steal your identity. They might plan to meet up and then rob or assault you.
Online dating can be a great way to meet people. In a pandemic, it might even be one of the safer ways to date. But remember: not everyone is who they say they are. You shouldn’t assume so until you’ve met someone in person. And to be careful, make sure to meet them somewhere public for the first time. For more information, see these safety tips for online dating.
Phishing via Malware
Sometimes, a phishing email will attempt to get you to download malware. Most commonly that will be in the form of a zip or exe file, but hackers have also found exploits to embed malware into PDFs, Word docs, and other seemingly innocuous file types. Keep an eye out for password protected files, but in general, it’s a bad idea to trust any files from someone you don’t know.
Once the malware has a grip on your computer, what happens next largely depends on what type of malware it is. A ransomware, for instance, might prevent access to files or your computer unless you pay up.
When applied to businesses and organizations, a ransomware can hold critical systems hostage. That’s why businesses and government entities should take care to have a plan in place.
The best solution is to keep your defenses up to date and never download unsolicited files from someone you don’t know. When receiving an unexpected email with an attachment from someone you do know, follow up outside of email to make sure it was really they that sent it.
How to Prevent Phishing Attacks
No one trick will completely protect you from phishing attacks. But with knowledge and vigilance, you can greatly reduce your chances of falling for falling for their tricks. Read on for some pointers on how to stay safe online – and if you’re interested in more information, check out our complete guide to preventing phishing attacks.
Know the Warning Signs
The best way to protect yourself from phishing attacks is to learn how to identify a phishing email. Each of the following warning signs are key clues, but on their own they don’t all necessarily mean an email is safe or unsafe. Watch out for all of these signs, and if you spot one, check extra carefully for others.
- Strange links. Links are the first place I check when I look at an email. Carefully examine the URL for any irregularities, such as a shortened link or any URL that differs from the legit one. If you’re not sure whether a web domain is the official one, don’t click it.
- Asking for passwords, personal information, or money. If an email asks for any of these – or directs you to a website that does – proceed with care. These are phishing attackers’ most common targets.
- A generic, impersonal email. Phishing attackers like to create generic emails they can send far and wide. As such, they frequently impersonate organizations that affect millions of people, such as UPS and the IRS. Emails from these organizations aren’t necessarily phishing attempts, but you should look at them carefully.
- Emotional appeals. Phishing emails often aim to override your better judgement by provoking a strong emotional response. Most frequently they’ll provoke fear and urgency, but sometimes they’ll entice greed or other emotions. If an email raises your heartrate or otherwise makes you feel something, don’t take action until you’ve checked for other warning signs.
- Warning signs from your email provider. You might be surprised at how many people ignore literal warning signs of danger. We see a lot of warnings and disclaimers around the internet, but that’s no reason to get complacent. Any warning from you email provider should be taken very seriously.
- The “from:” address. The “from” address is often the quickest way to identify a phishing attempt. But I list it last because it can be easily faked via a technique known as email spoofing. Because you can’t rely on the “from:” address to know an email is legitimate, it isn’t my #1 method of spotting phishing emails.
Don’t Click on Links in Emails
Links in emails are one of the most common vectors for phishing attacks. As such, I would recommend you never click a link in an email unless you absolutely must. Instead, open a new tab and type in the actual web address yourself. If you go to the website directly, you minimize the chances a phishing email will mislead you on your way there.
It’s a little safer to click on a link in a solicited email, such as when you request to change a password. Even then, you should closely examine the link before you do.
Take Care with Passwords & Personal Information
If an email or website asks for your personal information, take a minute to think about it and look for other warning signs. Unless you’ve already given over your information, it’s never too late to doublecheck.
Set Up Two Factor Authentication
Two factor authentication is hands-down my favorite technical safeguard against phishing attacks. With two factor authentication, you have to take another step after entering your password to access your account. The company might send a temporary code to your phone number via text message, for instance, making your account that much harder to break into.
Because two factor authentication is so powerful at stopping scammers, many banks and other high-security organizations insist on using it. I strongly encourage using it on any important logins, such as your bank account and any healthcare providers.
Phishing isn’t a technical hack so much as a feat of social engineering, whereby the scammer deceives their victims into giving up key information. Because of this, no one technical fix is sufficient to fix the problem.
You need not only understand these tips but apply them consistently, to every email you receive. All it takes is one slip up and you could expose your bank account. You should stay up-to-date on the latest scams through resources such as the FTC’s index of the latest phishing scams.
You can learn more in our complete guide on How to Identify and Prevent Phishing Attacks.
Phishing Attacks on Businesses and Organizations
Many phishing attacks target businesses and other organizations. Because businesses typically offer a higher payout than an individual, a scammer will often put more time and energy into attacking a business target. They’re more likely to use spear phishing techniques, for instance, investing the time to send carefully crafted emails instead of a generic email blast.
Phishing scammers often impersonate someone within the organization they’re targeting. They might pretend to be the CEO, for instance, asking employees to pay an invoice. If you ever receive an unexpected message from someone within your organization, follow up over another means of communication to ensure it was they who sent it.
Organizations should also have phishing defenses in place, such as mandatory two-factor authentication. Remember that phishing is a social hack, making no technical tool perfectly effective on its own. It’s best to implement a phishing awareness training program to educate your employees. A chain is only as strong as its weakest link; to protect your organization, everyone must be aware of phishing methods and how to respond.
Some of the highest-level phishing attacks target governmental and political organizations. Sometimes their motives are financial. But often, these hackers are engaging in state-sponsored espionage.
The 2016 hack of the Democratic National Committee is one example. In this case, a group of Russian hackers worked for months to phish account access to high level staffers. This information was then used to subvert the election.
As you can see, phishing is a powerful and versatile method. It can be used to trick someone into giving up $100, or it can be used to undermine a foreign government.
The Bottom Line
As you’ve seen, phishing attacks come in many forms. At their core, though, all these examples follow the same premise: a scammer pretends to be someone they’re not, hoping their victim will give up passwords, personal information, or money.
The best thing you can do to protect yourself from phishing attacks is to carefully check any email you receive for signs of phishing. With a combination of knowledge and vigilance, you can greatly reduce your chances of getting phished. Adding two-factor authentication to your important accounts can’t hurt either.