Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details, usually for malicious purposes, by masquerading as a trustworthy entity in an electronic communication. It is illegal in most jurisdictions.
Traditional phishing attacks are usually conducted by sending malicious e-mails to as many people as possible. The attackers know that the more people they reach, the more are likely to fall victim. It is not unusual for a phishing campaign to target thousands of people at once, regardless of where they live. To trick the victims, the phishing e-mail usually appears to come from a trusted source, such as a bank or someone the victims may know. The message will typically try to lure the victims into opening an infected attachment or clicking a link that leads to a malicious website.
The goal of a phishing attempt is to trick the recipient into taking the attacker's desired action, such as supplying login credentials or other sensitive information. The attacker will either try to infect and take control of the victims' computers or harvest their usernames and passwords. To make phishing messages look like they genuinely come from a well-known company, they include logos and other identifying material copied directly from that company's website. For instance, a phishing e-mail appearing to come from a bank may warn the recipient that their account has been compromised and direct them to a website where their username and/or password can be reset. That website is also fraudulent: it is designed to look legitimate but exists solely to collect the login details typed into it. Such websites may additionally host malicious code that runs on the visitor's machine as soon as the page is opened from the link in the e-mail, so simply following the link can compromise the computer even if the user enters nothing.
Phishing is popular with cybercriminals because it is far easier to trick someone into clicking a malicious link in a seemingly legitimate e-mail than to break through a computer's defenses. Although some phishing e-mails are poorly written and obviously fake, sophisticated cybercriminals borrow the techniques of professional marketers to identify the most effective messages: the phishing "hooks" that get the highest open or click-through rate and the Facebook posts that generate the most likes. Phishing campaigns are often built around the year's major events, holidays and anniversaries, or take advantage of breaking news stories, both true and fictitious.
A favorite phishing tactic is to pressure you into acting fast: the "special offer" is only available for a limited time, or you supposedly have only a few minutes to respond. Do not let the urgency rush you; treat such e-mails with suspicion and ignore them. A related variant warns that your account will be suspended unless you update your personal details immediately. When in doubt, contact the company directly by telephone, using a number from your statement or the company's official website rather than one supplied in the message.
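To make the tells described above concrete, here is an added example (not code from the original article) that scans a single e-mail for the three indicators the text describes: a sender address whose domain does not match the brand named in the display name, a link whose visible text names one domain while its href points to another (the "examplebank.com.attacker.net" subdomain trick), and urgency language. Both messages, the examplebank.com brand and the secure-login-verify.net domain are constructed placeholders, and registrable_domain is a deliberately crude last-two-labels stand-in for a Public Suffix List lookup.

```python
"""Heuristic phishing-indicator scan of one e-mail message. Added example, not
code from the original article; the messages and domains below are constructed
placeholders (assumption: the impersonated bank is examplebank.com)."""
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: spoofed display name, lookalike link, urgency.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@secure-login-verify.net>
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. You must verify your details
within 24 hours or your account will be suspended.</p>
<p><a href="http://examplebank.com.secure-login-verify.net/reset">https://www.examplebank.com/reset</a></p>
</body></html>
"""
# Constructed legitimate message from the same bank, used as a control.
BENIGN_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your monthly statement is available online.</p>
<p><a href="https://www.examplebank.com/statements">View your statement</a></p>
</body></html>
"""
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "act now", "limited time", "verify your")
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_domain):
    """Host name of a URL or a bare domain string."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return urlparse(url_or_domain).hostname or ""

def registrable_domain(host):
    """Last two labels: examplebank.com.attacker.net -> attacker.net. A crude
    stand-in for the Public Suffix List; fine for the .com/.net demo hosts."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def scan_message(raw, claimed_brand_domain):
    """Indicators found in a raw RFC 822 message that purports to come from
    claimed_brand_domain; an empty list means none of the three tells fired."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    brand = registrable_domain(claimed_brand_domain)
    indicators = []
    # 1. The address behind the display name belongs to another domain.
    sender_dom = registrable_domain(msg["From"].addresses[0].domain)
    if sender_dom != brand:
        indicators.append(f"sender domain {sender_dom} is not {brand}")
    # 2. Visible link text and href disagree, or the link leaves the brand.
    html = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_dom = registrable_domain(host_of(href))
        text_dom = registrable_domain(host_of(text)) if URL_LIKE.fullmatch(text) else ""
        if text_dom and text_dom != href_dom:
            indicators.append(f"link text shows {text_dom} but href goes to {href_dom}")
        elif href_dom != brand:
            indicators.append(f"link to {href_dom} in a message claiming to be {brand}")
    # 3. Urgency language, the "act now or lose your account" lure.
    flat = " ".join((str(msg["Subject"] or "") + " " + html).split()).lower()
    hits = [p for p in URGENCY_PHRASES if p in flat]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    return indicators

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, scan_message(raw, "examplebank.com"))
```

The phishing sample trips all three checks while the control message trips none. A real mail gateway would add SPF, DKIM and DMARC results and a proper public-suffix lookup on top of this; the point here is the structural mismatches (display name versus address, link text versus href) that the text tells readers to look for.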
Running simulated phishing tests measures your employees' susceptibility to social engineering and phishing scams. Train your employees to recognize spear phishing and ransomware attacks, and to report suspicious messages rather than act on them.