What is Phishing?

July 27, 2022

What is a Phishing Attack?

Phishing is a social-engineering attack in which an attacker impersonates a trusted person or organization to steal credentials, sensitive information or money. Email is by far the most common delivery channel, but depending on the variant the lure may instead arrive as a text message, a phone call or a voice message.

How do Phishing Attacks Work?

A typical phishing attack starts with a threat actor sending large volumes of email in the hope that some recipients will click a malicious link or open a malicious attachment.

These threat actors, whether an individual criminal or a nation-state, craft such messages to appear to be legitimate. A phishing email can appear to be from your bank, employer or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.

The intent could be to deploy ransomware, to steal existing account credentials, to acquire enough information to open a new fraudulent account, or simply to compromise an endpoint. A single click on a malicious phishing link has the potential to create any of these problems.

Phishing Attack Techniques

1. Email Phishing

Spear phishing

Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.

Whale Phishing (Whaling)

Whaling is a type of spear phishing that targets a high-profile victim, such as a CEO or CFO. It is closely related to, but not the same as, business email compromise (BEC): in BEC the attacker typically impersonates an executive or trusted partner to trick an employee into wiring funds, whereas in whaling the executive is the one being deceived. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or entering credentials on a malicious website.


2. Voice Phishing (Vishing)

Vishing is a phishing attack conducted by telephone. These attacks often spoof the Caller ID to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to extract personal information, such as bank account or credit card numbers, or to talk the victim into reading out a one-time code they have just received.

3. SMS Phishing (Smishing)

Smishing is a phishing campaign conducted through SMS messages instead of email. An SMS message cannot carry an executable payload itself, so smishing rarely installs malware directly. Instead, the message usually lures the user into visiting a site that harvests credentials or entices them to download a malicious app.


How to Recognize Phishing: Can you spot the Scam?

Phishing messages often share characteristics that make them recognizable, although a well-researched spear phishing message may show none of them. Phishing emails usually have one or more of the following indicators:

  1. Asks for Sensitive Information
  2. Uses a Different Domain
  3. Contains Links that Don’t Match the Domain
  4. Includes Unsolicited Attachments
  5. Is Not Personalized
  6. Uses Poor Spelling and Grammar
  7. Tries to Panic the Recipient
[Image: example of a phishing email attack]
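As an added example that is not part of the original article, the following Python script applies several of the indicators above mechanically to a raw email: it parses the message with the standard library, compares the From and Reply-To domains against the brand the sender claims to be, checks whether each link's visible URL points to the same domain as its real target, lists attachments, and looks for urgency wording and a generic salutation. Both sample messages are constructed for this example, the brand `examplebank.com` is fictional, and the registrable-domain helper and the link regex are deliberate simplifications.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample (not a real campaign): the display name claims to be the
# victim's bank, but the sender domain, Reply-To and link target all disagree.
PHISH_EML = b"""From: "Example Bank Security" <alerts@examplebank-secure.top>
Reply-To: verify@mail-examp1ebank.net
Subject: URGENT: Your account will be suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We detected unusual activity. Verify immediately or your account will be suspended.</p>
<p><a href="http://198.51.100.23/login">https://www.examplebank.com/login</a></p>
</body></html>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed legitimate counterpart: personalized, one domain throughout, no lure.
CLEAN_EML = b"""From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jane,</p>
<p>Your statement is ready: <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
</body></html>
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify now|within \d+ hours)\b", re.I)
GENERIC_GREETING = re.compile(r"\bDear (Customer|User|Member|Sir/Madam)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # demo-grade, not a full HTML parser


def host_of(url_or_text):
    """Hostname of a URL; tolerates a scheme-less 'www.example.com/path'."""
    s = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return urlparse(s).hostname or ""


def registrable(host):
    """Crude eTLD+1 (last two labels); an IPv4 literal is returned as-is.
    Deliberately simplified: production code should use a public-suffix list."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw, claimed_domain):
    """Return the checklist indicators present in `raw` (an RFC 5322 message as
    bytes), given the domain the sender purports to represent."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    # 2. Uses a different domain: From does not match the brand it claims to be.
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    if registrable(from_domain) != registrable(claimed_domain):
        found.append(f"different_domain: From is {from_domain}, claimed {claimed_domain}")
    # Replies silently routed to a third domain are a related tell.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if registrable(rt_domain) != registrable(from_domain):
            found.append(f"reply_to_mismatch: replies go to {rt_domain}")

    # 3. Contains links that don't match the domain: visible URL vs. real href.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        for href, label in LINK.findall(text):
            label = re.sub(r"<[^>]+>", "", label).strip()
            if re.match(r"(https?://|www\.)", label, re.I):  # only labels that show a URL
                shown, real = host_of(label), host_of(href)
                if registrable(shown) != registrable(real):
                    found.append(f"link_mismatch: shows {shown}, goes to {real}")

    # 4. Includes unsolicited attachments.
    for part in msg.iter_attachments():
        found.append(f"unsolicited_attachment: {part.get_filename()}")

    # 7. Tries to panic the recipient; 5. Is not personalized.
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(text):
        found.append("urgency")
    if GENERIC_GREETING.search(text):
        found.append("not_personalized")
    return found
```

Calling `phishing_indicators(PHISH_EML, "examplebank.com")` returns six indicators (different domain, Reply-To mismatch, link mismatch, attachment, urgency, generic greeting), while the clean message returns an empty list. The claimed domain has to come from outside the message, for example from the brand named in the display name or in the body, because nothing in a phishing email will admit which domain it is pretending to be.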

CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, including CrowdStrike.

How to Protect Against Phishing

Even if you think you can spot a phishing email easily, make sure you also follow these secure steps:

Employee awareness training: Employees must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff.

Use anti-malware software: Endpoint anti-malware tools scan devices to prevent, detect and remove malware that enters the system through a phishing link or attachment.

Use an anti-spam filter: Anti-spam filters combine sender-reputation blocklists maintained by security researchers with content analysis and sender-authentication checks (SPF, DKIM and DMARC) to move likely phishing emails to the junk folder automatically, reducing the chance of human error.

Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Companies are constantly patching and updating their solutions to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.

Never reply to spam: Responding to a phishing email confirms to the cybercriminals that your address is active and read, which makes you a more attractive target for follow-up campaigns.

Use multi-factor authentication (MFA): Even if a victim's credentials are captured in a phishing attack, MFA requires a second factor before access to a sensitive account is granted. Note that one-time codes sent by SMS or generated by an app can themselves be phished by a proxy site that relays them in real time; phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site's origin and defeat this.

Don't interact with the email: If you believe a message in your inbox is phishing, do not click its links, open its attachments or reply to it; report it through the proper channels.

What happens if you open a phishing email?

Simply opening and reading a phishing message is normally not dangerous; the user must click a link, open an attachment or enter information for the malicious activity to begin. Be aware, though, that loading remote images in an email can confirm to the sender that your address is active. Be cautious about all communications you receive, and remember that although phishing most commonly arrives by email, it can also occur through phone calls, SMS and social media.

How to Report a Phishing Attack

Users can't prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report suspected phishing to your organization's security team and to the Cybersecurity and Infrastructure Security Agency (CISA) at phishing-report@us-cert.gov.