What is Phishing?

Think you're too smart to fall for a phishing scam? So do millions of others—until it's too late.

As a cybersecurity researcher, I've witnessed firsthand how these types of attacks can compromise even the most secure systems.

But what exactly is phishing, and how can you protect yourself?

This comprehensive guide will help you understand phishing, recognise its signs, and learn how to protect your data.

Contents:

• What is Phishing?
• Types of Phishing Attack
• Anatomy of a Phishing Email
• Importance of Email Authentication
• Phishing Prevention and Mitigation
• What If You Suspect Phishing?
• The Cost of a Phishing Attack
• Key Takeaways

What is Phishing?

Phishing is a cyber attack designed to deceive victims into giving away sensitive information.

Attackers impersonate trusted people or organisations to steal data like passwords, credit card numbers, or personal details.

Phishing is also a common method hackers use to breach security systems.

Many data breaches start with a simple phishing email that gives attackers a way into secure networks.

The famous 2013 Target data breach, which affected millions of customers, was started by a phishing attack on a third-party vendor.

Incidents like these highlight how phishing can have far-reaching consequences beyond the initial victim.

"Phishing attacks are becoming increasingly sophisticated, exploiting human trust and technological vulnerabilities alike. It's important for individuals and organisations to stay informed."

— Paul Holland, CEO, Beyond Encryption

Why Phishing is a Major Cyber Threat

Phishing is a favoured attack method because it's low cost and has a high success rate.

Attackers can send thousands of emails at once, and even if a small percentage of recipients fall for the scam, it can lead to significant gains for the criminals.

What are the Consequences of Phishing?

The consequences of phishing include:

• Ransomware Infections: Attackers can encrypt your data and demand payment to unlock it.
• Financial Loss: Direct theft of money or unauthorised transactions can happen, leaving you out of pocket.
• Data Breaches: Loss of sensitive company or personal information can lead to legal issues and reputational damage.
• Identity Theft: Personal information can be used to impersonate victims, leading to further fraud.

How Difficult is Phishing to Detect?

Phishing is hard to detect and counter because attackers constantly change their tactics to bypass traditional cybersecurity tools.

Criminals use techniques to mimic legitimate communications, making it challenging even for trained eyes to spot the deception.

"The challenge with phishing is that it's not just a technical issue; it's a human one. Attackers prey on emotions and trust, which means technical defences alone are not enough."

— Mike Wakefield, CTO, Beyond Encryption

Types of Phishing Attack

Here are some common terms used for types of phishing attack that you may or may not have come across.

Email Phishing

General phishing emails are sent to millions of people, hoping someone will take the bait.

They often use generic messages like "You've won a prize!" or "Your account has been compromised."

These emails usually direct you to a fake website where you're prompted to enter personal information.

Email phishing is the most common type of phishing attack.

Smishing and Vishing

Phishing attempts via SMS text messages are known as 'smishing'.

Attackers send texts that appear to be from reputable companies, urging you to click on a link or call a number.

Phishing attempts via voice calls or voicemails are often called 'vishing'.

Attackers might pose as bank officials or tech support to extract sensitive information over the phone.

Spear Phishing

Spear phishing attacks are targeted at specific individuals who have access to valuable information.

Attackers may personalise a message on any channel using your name, position, and other details to make it more convincing.

For example, an attacker might impersonate a colleague or a trusted business partner.

Whaling

Whaling is a form of spear phishing that targets high-profile figures within an organisation, such as CEOs or CFOs.

The goal is to trick them into authorising high-value transactions or revealing confidential information.

Whaling messages are often carefully crafted to match the executive's communication style.

Other Techniques

Other phishing techniques or tactics include:

• Link Manipulation: Altering website links to look legitimate but redirecting to malicious sites.
• Quishing: Phishing using QR codes that lead to harmful websites or initiate unwanted actions on your device.
• Watering Hole Attacks: Infecting websites often visited by a target group, so they download dangerous software (malware) onto devices.

"Phishing has evolved beyond just emails. Attackers are now exploiting multiple channels like SMS and voice calls to reach their targets, making it essential to be cautious across all forms of communication."

— Emily Plummer, Marketing Director, Beyond Encryption

The Anatomy of a Phishing Email

Understanding the common components of a phishing email can help you spot these messages.

Fake Sender Information

Attackers spoof legitimate email addresses to appear trustworthy.

They might use email addresses that closely resemble real ones, like "support@yourbankk.com" instead of "support@yourbank.com".

Can you spot the difference?

Urgent or Threatening Language

Phrases like "Immediate action required" or "Your account will be closed" are used to pressure people into responding without thinking.

Suspicious Links and Attachments

Links that lead to fake websites designed to steal your information or attachments containing malware.

Always hover over links to see where they actually lead before clicking.

Generic Greetings and Poor Grammar

A lack of personalisation (e.g., "Dear Customer") and grammatical errors can be red flags, as legitimate organisations usually get these things right.

Common Phishing Scenarios

Now you understand the components, you may recognise that you have come into contact with some of the most common examples of phishing:

• Fake Invoice Emails: Requesting payment for goods or services you didn't order, often with an attachment that is actually malware.
• Account Suspension Notices: Claiming your account will be suspended unless you verify your information, prompting you to enter credentials on a fake site.
• Security Alerts: Notifications about unusual activity on your account, urging immediate action to "secure" your account.

Phishing messages often bear the hallmarks described above, though criminals are becoming more sophisticated over time.

How Phishing Is Done

Attackers may research their targets to craft believable messages.

They might gather information from social media profiles, company websites, and public records—a technique known as Open Source Intelligence (OSINT).

The Phishing Attack Process

The process involved in deploying a phishing attack follows a familiar pattern of activity:

1. Information Gathering: Collecting data about the target, such as job role, interests, and contacts.
2. Crafting the Message: Creating a convincing email or message that appears relevant and legitimate.
3. Launching the Attack: Sending out the message to the target(s) using spoofed email addresses or compromised accounts.
4. Exploiting the Victim: Once you act (click a link, download a file, or provide information), attackers gain access to sensitive data or systems.

The Role of Psychological Manipulation

Attackers may exploit emotions like fear, curiosity, urgency, or greed to encourage you to act without thinking.

The psychological techniques they rely on include:

• Authority: Pretending to be someone in a position of power.
• Scarcity: Offering a limited-time deal.
• Reciprocity: Offering something in return for information.

"Phishing attacks often work because they tap into basic human emotions. Understanding these psychological tactics is key to defending against them."

— Carole Howard, Head of Network, Beyond Encryption

The Importance of Email Authentication

Email authentication is a security measure that verifies the sender or recipient of an email message.

This prevents fraud and spam, while allowing sensitive data to be delivered securely.

It involves using digital checks to confirm the identity of an email sender or recipient, making sure that the person or business sending or receiving an email is genuine and trustworthy.

Types of Email Authentication

To protect all participants in email communications, there are two main types of email authentication:

• Sender authentication
• Recipient authentication

Sender Authentication

Sender authentication confirms that an email from an organisation or individual is from a legitimate source.

It improves message deliverability for genuine senders and reduces the risk for recipients when opening emails.

This process often involves verifying the sender's email address and the integrity of the message using cryptographic techniques.

Several methods are used to achieve this:

• Sender Policy Framework (SPF): Allows you to specify which domains and IP addresses are authorised to send emails on behalf of your organisation. These authorised senders are published as DNS (Domain Name System) records.
• DomainKeys Identified Mail (DKIM): Uses encryption to verify both the sending domain and the email message. It works by creating a pair of cryptographic keys: a private key for signing outgoing messages and a public key published in your DNS records.
• Domain-Based Message Authentication, Reporting, and Conformance (DMARC): Combines SPF and DKIM to validate sender authenticity. It allows you to publish a DNS record specifying which authentication methods should be used to verify emails from your domain.

Recipient Authentication

Recipient authentication ensures that only the intended recipient(s) can access an email.

It uses multi-factor (MFA) or two-factor (2FA) authentication checks to verify the recipient's identity.

MFA requires users to provide two or more verification factors to access an email. These factors can include:

• Something you know: A password or PIN.
• Something you own: A mobile device or security token.
• Something you are: Biometric data like a fingerprint.

Secure email solutions like Mailock are used to add an extra layer of security to sensitive emails by encrypting data and requiring multi-factor authentication from recipients to access it.

Recipient authentication significantly increases security for organisations.

It protects both senders and recipients from threats like phishing and human error by proving people 'are who they say they are'.

"Implementing email authentication measures is not just a technical necessity but a foundational step towards building a more trusted email ecosystem."

— Adam Byford, CCO, Beyond Encryption

Phishing Prevention and Mitigation Strategies

What can you use to prevent or mitigate the impact of phishing to your email domain or organisation?

Inbound Email Filtering and Security Tools

You can use advanced spam filters and anti-phishing technologies that use machine learning and heuristic analysis to detect and block malicious emails before they reach your inbox.

Outbound Email Security and Authentication

You can use a secure email solution to make sure sensitive email communications are protected with recipient authentication and a strong method of encryption.

Monitoring Communications Activity

Monitoring outgoing emails can also help detect if an account has been compromised.

Indicators include unusual email activity, like sending emails in bulk or to unfamiliar recipients.

Email Authentication Protocols

Using protocols like SPF, DKIM, and DMARC helps prevent attackers from spoofing your email domain.

These protocols enable recipient email servers to verify that incoming messages are from legitimate sources, reducing the risk of phishing emails reaching your organisation.

User Training

Regular training sessions can help employees recognise phishing attempts.

This type of cyber awareness training often includes:

• Identifying Red Flags: Teaching what signs to look for in suspicious emails.
• Simulation Exercises: Providing practical experience through simulated phishing attacks.
• Reporting Procedures: Ensuring employees know how to report suspected phishing attempts.

"Empowering employees through training transforms them from potential vulnerabilities into active defenders."

— Sam Kendall, Marketing Manager, Beyond Encryption

Incident Response Plan

Having a clear plan helps you respond quickly to minimise damage if a phishing attempt succeeds.

A robust incident response plan should include:

• Immediate Actions: Steps to contain the breach, such as disconnecting affected systems.
• Notification Protocols: Informing stakeholders, customers, and possibly regulators.
• Recovery Procedures: Restoring systems from backups and changing compromised credentials.

What to Do If You Suspect Phishing

If you suspect you are the target of a phishing attack, follow these steps:

1. Do not click on any links or download attachments.
2. Report the email to your IT or security team immediately using the established reporting procedures.
3. Verify the message by contacting the sender through another, trusted communication method, such as a known phone number or official website.
4. Scan your device with updated antivirus software if you clicked on a suspicious link or opened an attachment.
5. Change your passwords for the affected accounts and any other accounts using the same credentials.
6. Monitor accounts and keep an eye on bank statements and credit reports for unusual activity.

Your Phishing Reporting Options

• For Individuals: Report phishing attempts to the National Cyber Security Centre (NCSC) by forwarding suspicious emails to report@phishing.gov.uk.
• For Organisations: Follow industry-specific guidelines for reporting cyber incidents, which will include notifying the Information Commissioner's Office (ICO) if personal data is compromised.

Building a Positive Cybersecurity Culture

In my experience, fostering a positive cybersecurity culture is key to effective defence against phishing.

Punishing employees for falling for phishing scams is counterproductive. Instead, you should:

• Encourage Open Communication: Create an environment where employees feel safe to report mistakes without fear of retribution.
• Focus on Education: Use phishing simulations as teaching tools to improve awareness, not to shame individuals.
• Recognise and Reward: Acknowledge employees who correctly identify and report phishing attempts.
• Educational Debriefs: After simulations, provide feedback explaining what clues indicated a phishing attempt.
• Regular Training: Keep cybersecurity at the forefront of employees' minds with ongoing education.

Case Study: The Cost of a Phishing Attack

Let's take a look at an example phishing scenario and how it can teach us about the preventative measures we've learned about.

Scenario

A medium-sized company fell victim to a phishing attack when an employee received an email that appeared to be from the CEO, requesting an urgent wire transfer to a new vendor.

Techniques

• Email Spoofing: The attacker's email address closely resembled the CEO's official email.
• Sense of Urgency: The message stressed that the transfer needed to happen before the end of the day.
• Lack of Verification: The employee did not follow company protocol for verifying these kinds of requests.

Consequences

• Financial Loss: The company transferred a significant sum to the attacker's account.
• Operational Impact: Resources were diverted to investigate and mitigate the breach.
• Reputational Damage: Trust with clients and stakeholders was affected.

Potential Preventative Measures

• Verification Procedures: Implementing a mandatory verification process for financial transactions, such as dual approval or verbal confirmation.
• Email Authentication: Using DMARC, SPF, and DKIM to prevent email spoofing.
• Employee Training: Educating staff on recognising and verifying unusual requests, even if they appear to come from senior executives.
• Outbound Email Encryption: Ensuring all sensitive communications are encrypted and authenticated with recipient verification to prevent interception and unauthorised access.

Key Takeaways

Phishing is a serious threat that requires a multi-layered defence strategy.

You can reduce the risk by combining technical defences like spam filters, email authentication and encryption with user education and a positive cybersecurity culture.

Key Strategies:

• Implement Email Authentication Protocols: Use DMARC, SPF, and DKIM to prevent email spoofing.
• Encrypt All Sensitive Emails: Protect all sensitive emails with end-to-end encryption and recipient authentication to ensure only intended recipients can access the information.
• Regularly Train Employees: Equip your team with the knowledge to recognise and report phishing attempts.
• Use Advanced Security Tools: Employ anti-phishing technologies and spam filters to block malicious emails.
• Encourage Open Communication: Foster a culture where employees feel comfortable reporting security concerns.
• Stay Informed and Proactive: Keeping up to date with the latest phishing tactics and maintaining vigilant security practices are your best defences against cyber attacks.

Staying on Top of Phishing

As someone who regularly researches how to stay safe online, I can't stress enough the importance of staying vigilant against phishing attacks.

Implementing both inbound and outbound email security measures is crucial for creating a trusted email ecosystem.

Always think twice before clicking on links or providing personal information.

Your awareness, combined with robust security practices like email authentication and encryption applied to all sensitive communications, is the first line of defence against phishing threats.

FAQs

What is the Definition of Phishing?

Phishing is a cyber attack where criminals use fake communications to trick people into revealing sensitive information or installing malware.

What is an Example of Phishing?

An example of a phishing email would be you receiving an email that looks like it's from your bank asking you to confirm your password when it's actually been sent by a cyber criminal.

What is in a Phishing Email?

A phishing email often includes fake sender details, urgent language, suspicious links or attachments, and generic greetings. It aims to prompt immediate action without allowing time for scrutiny.

How Do You Stop Phishing Emails?

Use spam filters, implement email authentication protocols like DMARC, SPF, and DKIM, encrypt all sensitive emails, consider recipient authentication, and educate users to recognise phishing attempts.

What Do You Do If You Think an Email Is Phishing?

Do not click any links or download attachments. Report it to your IT team and verify the message through a trusted method. Delete the email after reporting it.

What Is the Most Common Phishing Email?

Common examples include account suspension notices, fake invoices, or alerts about unusual activity requiring immediate action.

Why Is Email Authentication Important?

Email authentication prevents attackers from sending emails that appear to come from trusted domains, reducing the risk of phishing and protecting sensitive information.

How Does Email Encryption Help in Preventing Phishing?

Email encryption secures the content of your emails, ensuring that even if intercepted, the information remains confidential and unreadable to unauthorised parties. Recipient authentication can increase security, ensuring only intended recipients can decrypt the information.

References:

Target Hackers Broke in Via HVAC Company, Krebs on Security, January 2014

2021 Data Breach Investigations Report, Verizon Enterprise, 2021

Internet Security Threat Report, Symantec Corporation, 2019

Phishing Activity Trends Report, APWG, 2020

Internet Organised Crime Threat Assessment (IOCTA), Europol, 2020

Smishing and Vishing Guidance, NCSC, 2020

Anatomy of a Phishing Email, Microsoft, 2018

Watering Hole Attacks Explained, Symantec Blogs, 2017

Open Source Intelligence (OSINT) Handbook, United States Department of the Army, 2012

Phishing, The Information Commissioner's Office (ICO), 2024

Social Engineering: The Art of Human Hacking, Wiley, 2010

Market Guide for Email Security, Gartner Research, 2020

Computer Security Incident Handling Guide, NIST Special Publication 800-61r2, 2012

Guide to the General Data Protection Regulation (GDPR), ICO, 2018

Suspicious Email Reporting Service (SERS), NCSC, 2020

Security Awareness Planning, SANS Security Awareness, 2019

Email Authentication Explained, Beyond Encryption Blog, 2024

Reviewed by:

Sabrina McClune, 21.11.24

Sam Kendall, 15.11.24