< Back to EPP 101

Phishing Explained: How to identify and prevent phishing attacks

April 9, 2020

What Does “Phishing” Mean

Phishing is a type of cyber attack that uses email, SMS, phone, or social media to entice a victim to share sensitive information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.

Why is it called phishing?

The term “phishing” goes back to the mid-1990s, when malicious adversaries first began trying to steal passwords from an early online-services website called America Online (now known as AOL). Attackers were “fishing” for a victim by setting a hook and waiting for someone to take the bait.

The “ph” spelling can be traced back to an earlier form of cybercrime called “phone phreaking,” in which hackers manipulated telephone signals to make free long-distance calls.

Learn More

As the COVID-19 pandemic continues to take hold in various regions around the world, phishing remains the primary initial access vector for threat actors. Learn more about cyber threats heightened by COVID-19 in our recent blog post

What is a Phishing Attack?

A phishing attack starts with a request, offer or plea. In the corporate environment, a phishing email may look like a message from the HR department or IT team asking the recipient to click a link and enter password information. In the larger world, a phishing email may look like an official communication from a business or government agency informing the recipient that there’s money waiting for them, or a plea from a charitable organization or person in need seeking donations.

Is phishing illegal in the United States?

Federal laws against fraud apply to phishing. Twenty-three states and Guam have laws specifically against phishing.

Sentences for phishing are usually one to three years in jail and/or fines of at least several thousand dollars, although they may be as high as $10,000 or more per offense.

Types of Phishing Attacks

Spear phishing

CrowdStrike Helix Kitten image

Spear phishing is a phishing attack that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.


A pharming attack does not require its victim to click a link. Instead, it redirects a user to a bogus website that either collects sensitive personal information or installs a virus on the user’s computer.


Smishing is a phishing attack conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.


Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.

Session hijacking

Session hijacking occurs when an attacker uses a stolen security token to impersonate a legitimate user.

When a user logs into a password-protected system, such as an online bank, the system issues the user a token and creates a session. The user is then authorized to perform specific actions, such as transferring funds or making purchases. When the user logs out or is timed out, the token is revoked and the session is ended. In session hijacking, the attacker steals the token and uses it to continue the session, and is then able to perform any action the legitimate user could perform.


Whaling, also called business email compromise (BEC), is a type of spear-phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.


A cloning attack copies a legitimate email from a trusted sender and alters it by replacing a link or file to direct the recipient to a malicious website designed to harvest sensitive information.

Domain spoofing

Domain spoofing usually substitutes a false URL to deceive users into thinking they are visiting a legitimate site. For example, in a spoofed domain, a “W” may be replaced with two “V”s, or a lowercase “L” with a capital “I.” The user is unlikely to notice the difference and is deceived into entering sensitive data on the malicious site.

Stay Ahead of Adversaries

Download the 2020 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.

Download Now

What are Examples of Phishing?

An attack on the financial industry

Bokbot is a banking trojan that includes a complex piece of code written to trick victims into sending sensitive information to a command-and-control server.

BokBot uses webinjects to create a replica of the original target website. Webinjects create replica websites called webfakes by rewriting URIs to forward traffic to the webfake site. The web browser is not aware that traffic is being redirected to the webfake. The replica site can scrape the victim’s browser page, screenshot it or ignore it. Web injects have replaced keyloggers as a common method of stealing financial data.


Process tree example of how the CrowdStrike Falcon Platform provides a detailed view of the activity associated with a BokBot attack.

Spear-phishing through Microsoft Word documents

CrowdStrike’s 2020 Global Threat Report extensively covers the top cyber threats identified by our Intelligence and OverWatch teams in the past year. In 2019, the OverWatch team observed multiple spear-phishing attacks against targets to deploy the CHOLLIMA-associated malware known as BabyShark. Delivery is typically via phishing messages with Microsoft Office document attachments containing a macro to download a BabyShark HTML Application (HTA) file, though Windows executables have also been observed.

In mid-2019, VELVET CHOLLIMA conducted an intrusion where the targeted user received a highly tailored spear-phishing email with a malicious decoy Word document attachment. The first-stage payload was retrieved with a file name of Drfwj0.hta via mshta.exe from the actor-controlled domain https://bit-albania[.]com. The OverWatch team’s quick identification of the threat allowed defenders to take action before the adversary was able to perform threatening acts.

CrowdStrike observed COVID-19 related phishing activity in April 2020

During these unprecedented times of COVID-19, phishing continues to be the preferred access route for threat actors. In April 2020, Crowdstrike intelligence identified new phishing campaigns impersonating The World Health Organization (WHO). The phishing campaigns used a social engineering technique to conduct the attack. Threat actors used spoof email addresses to deliver the “AgentTesla” information stealer using an exploit document called “Virgo. CrowdStrike intelligence has found COVID-19 related lures used by eCrime adversaries most often contain “AgentTesla” final payloads. The WHO spoof emails used (WHO <eurohealthcities@who[.]int>) as the sender address.

How to Identify a Phishing Email?

Phishing graphic

Typical characteristics of phishing messages make them easy to recognize. A phishing email usually has one or more of the following indicators:

1. Asks for sensitive information

Legitimate businesses won’t request credit card information, social security numbers or passwords by email. They will also not send you a link to log into a system outside of their domain.

2. Uses a different domain

A message from Amazon will come from @amazon.com. It won’t come from amazon-subscriber@subscriber-services.com. Check the domain by looking at the Sent field.

3. Contains links that don’t match the domain

Hover the cursor over any links to make sure they will take you to the site you expect. Also look for https:// at the start of the URL, and do not click on any link that does not use HTTPS.

4.Includes unsolicited attachments

A legitimate company won’t send an attachment. It will direct you to its site, where you can download a document safely.

5. Is not personalized

Companies that do legitimate business with you know your name. They will use it rather than addressing you in a generic manner, such as “Dear Valued Member”.

6. Uses poor spelling and grammar

Of course, hackers aren’t ignorant, so it seems odd that their malicious messages would typically include so many spelling and grammar errors. The suspicion is that attackers use grammatical errors to weed out cautious users and entrap the uneducated or distracted, who will make easier targets.

How to Protect Against Phishing Attacks

How common is phishing?

Phishing is very common. According to Accenture, 60% of Americans say they or a family member has been a victim of a phishing attack, and 15% will be targeted more than once every year. The number of phishing attacks has also been increasing in the U.S., with a growth of 65% in the last year.

What happens if you open a phishing email?

Simply reading a phishing message is normally not unsafe. The user must click a link or download a file to activate malicious activity. Be cautious about all communications you receive, and remember that although phishing may most commonly happen through email, it can also occur through cell phone, SMS and social media.

What happens if you click a phishing link on your phone?

Phones are computers, and like any desktop, they can become infected by viruses when a malicious link is clicked. Typically, however, malicious links don’t download viruses directly to a phone. Instead, they direct the user to a website or the app store, where they are encouraged to download malicious content.

Before downloading an app, check the reviews for quantity and quality, only connect to trusted devices and treat any incoming messages with the same caution that you’d treat any message that lands in your computer inbox.

Expert Tip

Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov

Learn how the CrowdStrike Falcon® platform can help you protect against phishing attacks and scams. Start your free trial today!

Start Free Trial