What is Phishing?

March 7, 2022

What is a Phishing Attack?

Phishing is a type of social engineering technique that uses a fraudulent message to convince a victim to share personal information or to download a malicious file. Depending on the type of phishing scam, the attack may use a text message, email, or even a voice message.

How to Recognize Phishing Scams

Typical characteristics of phishing messages make them easy to recognize. Phishing emails usually have one or more of the following indicators:

  1. Asks for Sensitive Information
  2. Uses a Different Domain
  3. Contains Links that Don’t Match the Domain
  4. Includes Unsolicited Attachments
  5. Is Not Personalized
  6. Uses Poor Spelling and Grammar
  7. Tries to Panic the Recipient
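To make indicators 3, 5 and 7 concrete, here is an added Python example (not code from the original article) that inspects one raw email for a link whose domain differs from the sender's, displayed link text that differs from the real link target, urgency wording in the subject, and a generic greeting. The message and its domains are constructed samples, the anchor-tag regex and two-label domain heuristic are simplifications a production mail filter would replace with a real HTML parser and the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish): sender, link target and displayed
# link text use three different domains, the greeting is generic, the subject is urgent.
SAMPLE_EMAIL = """From: "Example Bank Alerts" <alerts@example-bank-secure.net>
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body><p>Dear Customer,</p><p>Verify now at
<a href="http://secure-login.example-host.net/verify">https://www.example-bank.com/login</a></p></body></html>
"""

# Anchor tags as (href, visible text); a production filter would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(urgent|suspended|within \d+ hours)\b", re.I)
GENERIC_GREETING_RE = re.compile(r"\bdear (customer|user|member)\b", re.I)

def registrable_domain(host):
    """Last two labels of a hostname; a production filter would use the public suffix list."""
    return ".".join((host or "").lower().split(".")[-2:])

def domain_of_url(url):
    return registrable_domain(urlparse(url.strip()).hostname)

def phishing_indicators(raw_message):
    """Return the list of indicators that fired for one raw message (empty list: none)."""
    msg = message_from_string(raw_message)
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].rsplit("@", 1)[-1])
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        target = domain_of_url(href)
        # Indicator 3: the link points somewhere other than the sender's domain.
        if target != sender_domain:
            findings.append(f"link to {target} does not match sender domain {sender_domain}")
        # Indicator 3 again: the URL the reader sees differs from where the link goes.
        if "://" in text and domain_of_url(text) != target:
            findings.append(f"link text shows {domain_of_url(text)} but targets {target}")
    # Indicator 7: pressure language in the subject.
    if URGENCY_RE.search(msg["Subject"] or ""):
        findings.append("urgency language in subject")
    # Indicator 5: no personalization.
    if GENERIC_GREETING_RE.search(body):
        findings.append("generic, non-personalized greeting")
    return findings
```

Calling `phishing_indicators(SAMPLE_EMAIL)` returns all four findings, while a message whose links stay on the sender's domain, with a named greeting and a neutral subject, returns an empty list.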


Types of Phishing Attacks

1. Email Phishing

Spear phishing

Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.

Whale Phishing (Whaling)

Whaling, also called business email compromise (BEC), is a type of spear phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.

2. Voice Phishing (Vishing)

Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.

3. SMS Phishing (Smishing)

Smishing is a phishing campaign conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.

Learn More

The difference between phishing, spear phishing and whaling attacks lies in the degree of personalization. Phishing is the least personalized, whaling the most, and spear phishing sits between the two.

Spear Phishing vs. Phishing vs. Whaling


How to Protect Against Phishing

Even if you think you can spot a phishing email easily, make sure you also follow these secure steps:

Use anti-virus software: Anti-malware tools scan devices to prevent, detect and remove malware that enters the system through phishing.

Use an anti-spam filter: Anti-spam filters use pre-defined blacklists created by expert security researchers to automatically move phishing emails to your junk folder, which protects against human error.

Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Companies are constantly patching and updating their solutions to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.

Never reply to spam: Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately. 

Use multi-factor authentication (MFA): Even if a victim’s credentials have been compromised in a phishing attack, MFA requires a second level of verification, like an access code sent to your phone, before access to a sensitive account is granted.

What happens if you open a phishing email?

Simply opening and reading a phishing message is normally not harmful by itself. The user must click a link or download a file to trigger the malicious activity. Be cautious about all communications you receive, and remember that although phishing most commonly happens through email, it can also occur through phone calls, SMS and social media.

What happens if you click a phishing link on your phone?

Phones are computers, and like any desktop, they can become infected by viruses when a malicious link is clicked. Typically, however, malicious links don’t download viruses directly to a phone. Instead, they direct the user to a website or the app store, where they are encouraged to download malicious content.

Before downloading an app, check the reviews for quantity and quality, only connect to trusted devices and treat any incoming messages with the same caution that you’d treat any message that lands in your computer inbox.

How to Report a Phishing Attack

Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov.