Phishing is a technique where email is used to trick people into performing an action, such as downloading a file, supplying information, or conducting a transaction. Phishing is a common threat vector used in today’s technology environment. When phishing is used as part of a malicious attack on a company, it is referred to as a phishing attack. Phishing and other attacks involving manipulating employees are referred to as social engineering attacks.

Types of phishing

Although phishing can be used as a generic term, some like to further classify phishing into different types. Spear phishing is a term used to describe a phishing attack targeted to a specific individual or organizational position. With a spear-phishing email, the attacker tailors the phishing email to include relevant information lending credibility to the email in the eyes of the recipient. Where a generic phishing email may reference “Dear Sir,” a spear-phishing email would address the specific recipient, such as "Dear Steve Smith." As such, a spear-phishing email is likely to be more successful in achieving the attacker's desired results. Spear phishing is a common method in data breaches. Click here to learn about current phishing facts and statistics dealing with phishing threats.

Why is phishing so prevalent?

Phishing is used because it works and there is little risk to the attacker. Phishing attacks prey on the human element. The human element is very difficult to control. Humans can be tricked into performing an action, such as downloading a virus or conducting a fraudulent transaction. These actions often bypass other technical controls. The attackers will use this fact to help achieve their objective, which is often financial gain through either direct theft or some sort of ransom.

In addition to achieving the desired results, the initiator of a phishing attack has little risk of being apprehended or punished. The attack can be conducted remotely from anywhere in the world through various computer networks. As such, it is very difficult for authorities to trace phishing attacks to specific individuals. Some countries even sponsor such attacks, so they do not cooperate with authorities’ efforts to stop or punish groups or individuals for conducting cyberattacks like phishing.

What can be done to prevent phishing?

There are several things a company can do to prevent and/or minimize the threat from phishing. However, it will be difficult to fully eliminate the risk from phishing completely. Some phishing attacks may be highly sophisticated and take place over a long period of time. The complexity of the phishing attack is only reliant on the resources and motivation of the attacker. In any case, the following controls reduce the threat from phishing and other social engineering attacks:

Summary

Phishing is a social engineering method used to attack organizations through email and other electronic channels. The threat from phishing is real and should not be ignored. Through security awareness training and technology configurations, organizations can significantly reduce their sociability to the threat from phishing.