Phishing 101: How It Works & What to Look For

Phishing is today’s biggest cybersecurity threat: 90% of incidents that end in a data breach start with a phishing email. It is the delivery system of choice for malware like ransomware and the gateway to an array of cybercrimes and fraud. The humble phishing email has rocked the highest levels of business and government with far-reaching consequences. More than 80% of reported cyberattacks are phishing. The versatility and effectiveness of this type of threat is what makes it a favorite among cybercriminals. The devastation it brings in its wake is what makes it a nightmare for security teams.

Phishing Defined

The myriad styles of phishing attack are all variants on a theme: getting the target to take an action. They’re typically classified by the type of target or type of delivery system. The enticement proposition is called a bait or lure. By far, the most common type of phishing is spear phishing, which accounts for 65% of phishing attacks. Other common phishing methods include whaling, angler phishing, smishing, vishing, brand impersonation and business email compromise.


What is the Purpose of Phishing?

At its most basic, phishing is a type of fraud that aims to lure the target into interacting with a deceptive message. Phishing attacks vary in complexity, but many use sophisticated social engineering techniques combined with information gathered from the dark web to simulate authenticity and relevance to their unsuspecting targets. If the attack is intended to deploy malware like ransomware, just opening the message is often enough to deploy its cargo. Otherwise, the message’s content will be designed to push the recipient into performing an action that benefits the cybercriminal and compromises the victim’s security like visiting a website, opening an attachment, sending money or information, downloading a PDF or providing a credential.

The History of Phishing

The earliest forms of phishing as a cyberattack began on AOL in the mid-1990s. The first known phishing attack against a retail bank was reported by industry magazine The Banker in September 2003, and the first known direct attempt against a payment system was an attack on E-gold in June 2001.

Phishing really took off in the early 2000s, with early attacks against banks, payment systems and consumers. Phishing by nation-state actors was prevalent in 2006 when experts estimate that more than half of all phishing attacks originated in Russia. By the 2010s, phishing was widespread and more like what we see today, with attacks against businesses, government agencies, banks and consumers becoming increasingly common. This attack reached new heights in 2020: Google recorded a more than 600% increase in phishing messages in March 2020 as COVID-19 became its most phished topic in history.

Where Did the Term ‘Phishing’ Originate?

Phishing is a term that was likely coined from a combination of video game “leetspeak” and an old type of telephone fraud called phreaking. It’s thought that the term first appeared in print in the hacker magazine 2600 in the early 1980s. The earliest record of phishing as a major topic of discussion among security professionals comes from a paper and presentation delivered to the 1987 International HP Users Group, Interex. The first widespread usage was in the cracking toolkit AOHell created by Koceilah Rekouche in 1995.

The first phishing attacks were perpetrated on AOL users as an attempt to snatch passwords to facilitate other cybercrimes. Phishing specializations emerged on a global scale in the mid-2000s, as cybercriminals began to sell or trade phishing software to organized gangs that could then utilize it to conduct phishing campaigns. The practice was closely associated with software pirating and credit card fraud. As the world grew more digital, phishing evolved to allow bad actors to utilize it in new ways, including social media phishing. Over 60% of cybercriminals used phishing as their primary form of attack in 2020.

What are Some Real-World Examples of Phishing?

Phishing doesn’t discriminate. From elementary schools to tech giants, phishing is an equal-opportunity menace. One employee clicking on one email can unleash a world of hurt on an organization. Here are a few examples of the damage that phishing can do.

  • Twitter was in the hot seat after the accounts of extremely prominent users like Donald Trump and Elon Musk were taken over by cybercriminals and used to spread messages luring people into a cryptocurrency scam. Investigation revealed that the entire incident stemmed from a cybercriminal phishing a single administrator password out of a Twitter employee by claiming to be a subcontractor.
  • In late 2020, the phish heard round the world set off a cascade of cybersecurity nightmares at the highest levels of government, business and finance after Russian cybercriminals gained access to SolarWinds systems using a phished password. That password enabled them to set up backdoors into some of the most sensitive systems in the United States, reaching deep into national security targets, invading government agencies and snatching sensitive information at businesses. The full impact may never be measured.
  • A complex phishing scam perpetrated by suspected nation-state hackers against employees at drugmaker AstraZeneca was designed to inhibit its research and development of a COVID-19 vaccine. Threat actors used fake job listings sent through social media like LinkedIn and WhatsApp to lure employees into providing personal information that could be used to power spear phishing or downloading attachments full of malware.

How Often Does Phishing Happen?

Phishing is the most routine cyberattack for IT teams to handle. Experts at the University of Maryland estimate a new attack is launched every 39 seconds. The pandemic and its accompanying chaos were an enormous boon to cybercriminals, who were quick to capitalize on them. In March 2020, Google announced that it had recorded a 667% jump in phishing attempts over the same time in 2019, estimating that it blocked about 18 million COVID-19 scam emails a day from its 1.5 billion users. By mid-2020, internet researchers saw the number of daily phishing threats top 25,000 a day, a 30% increase over 2019 figures. By fall, the number had grown to 35,000 per day, and it reached 50,000 per day by December 2020. 75% of organizations around the world experienced some kind of phishing attack in 2020.

Is Phishing Illegal?

That makes quite a cybercrime wave. Phishing is a form of fraud and identity theft, punishable by fines and even jail time. In the United States, there are federal, state and local statutes against phishing and its associated styles. Phishing is sometimes prosecuted under federal wire fraud statutes because it is transmitted through the internet. The United Kingdom, European Union and other nations also have laws against phishing.

How Phishing Works

In its broadest sense, phishing is intended to trick the target into providing information, credentials or access that enables the sender to gain ingress to systems, data and other resources fraudulently. Cybercriminals make use of social engineering, psychology, stress and disruption to create powerfully tempting lures. Often, bad actors will obtain specific information about their targets from the dark web. Billions of records filled with information about people and businesses are available in dark web data markets and dumps, with more added daily — 22 million were added in 2020 alone. You don’t even need tech skills to run a phishing operation. Everything from complete plug-and-play “phishing kits” to fully outsourcing through freelance operators is available for a price.

What Happens During a Phishing Attack?

Take a look at a basic overview of a standard phishing attack.

  1. The bad actors generate a list of targets and gather the information necessary to reach their intended victims.
  2. Preparation at this point can include buying personally identifiable information (PII), obtaining a stolen database of records for other online accounts that the target maintains or the details needed to impersonate a trusted brand.
  3. Then, the bad actors craft an email designed for maximum appeal to the intended victim to lure them into opening it or completing an action.
  4. The email will often include personalized details gathered from dark web data markets and dumps.
  5. The message could masquerade as something that seems harmless and routine, like a communication from the victim’s alumni association or a favored charity.
  6. Sometimes, the message will contain an attachment, like a PDF, that carries malware.
  7. Another common lure is to include a link asking the victim to reset their password using an included link.
  8. If the goal of the attack is to deliver malware, the payload will deploy when the victim completes a target interaction, like downloading a file or clicking a link.
  9. Or, if credential compromise is the objective, the victim is typically directed to a falsified web page and fleeced of their credentials.
  10. The cybercriminals are then free to capture data, deploy malware or otherwise wreak havoc on the victim or the victim’s company.

What Can Phishing Lead To?

What kind of havoc? The kind that shuts down companies and destroys dreams. Experts estimate that 60% of companies go out of business after a cyberattack. The expense of incident response, investigation, remediation and recovery can be catastrophic. Plus, businesses don’t end up paying for an incident like ransomware just when it happens. It can take years to determine the full extent of the damage and pay the bills. Along with that giant budget hit, companies that are impacted by a damaging cyberattack lose productivity and suffer a dent in their reputation. Phishing is particularly devastating when companies lose valuable information like trade secrets or records that are highly sensitive – especially when that loss also incurs hefty regulatory penalties under legislation like HIPAA or GDPR.

How to Spot Phishing Attempts

Cybercriminals can produce extremely convincing fraudulent messages and attachments that can be a challenge for even cybersecurity professionals to detect. However, there are a few common signs that the potential targets can look for to spot a potential phishing message and head off disaster. A detailed walkthrough for investigating and adjudicating a potential phishing message safely is available in the infographic, The Safe Path to Email.

What Are Common Signs of a Phishing Email?

A few tell-tale signs that a message is probably phishing include:

  • If the language is off or the message doesn’t seem like it was written by a native speaker of the target’s language, including misspellings and poor grammar or usage
  • If the message purports to be from a trusted brand, but it contains things that look unfamiliar like not-quite-right colors, formats or fonts
  • If it seems very “unprofessional” but it is being presented as a communication from an executive or other powerful person
  • If it’s a U.S. federal government agency asking you to provide PII via email
  • If the sender asks for your Social Security or tax identification number out of the blue
  • If the sender’s name, address or email address looks strange
  • If someone you don’t know well asks for gift cards, money transfers, banking or credit card information
  • If there’s a link for you to click or an attachment to download, but the address or file name seems unusual

When in doubt, always err on the side of caution. Your IT team will thank you.

How Do I Know if a Link is Malicious?

Malicious links are an extremely popular tool for phishing attacks due to the heightened awareness that most users have developed over the years around attachments. However, a bogus link can be just as nasty as an infectious attachment – and sometimes worse. Always check a link before you click on it to see if it actually goes where it says it is going. Faux links may have odd spellings, unexpected suffixes, strange mashups of a company’s name and similar details that just aren’t quite right. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months).
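The check described above, that a link actually goes where it claims to, can be automated. The following Python script is an added example, not code from the original page or from Spanning; it assumes a known trusted domain for the brand the message claims to come from, approximates the registrable domain as the last two host labels (no offline public-suffix list), and runs over constructed sample links embedded in the block.

```python
from urllib.parse import urlparse

# Constructed sample links (display text, href) as they might be extracted from
# a message claiming to come from the fictional brand example-bank.com.
TRUSTED_DOMAIN = "example-bank.com"
SAMPLE_LINKS = [
    ("https://www.example-bank.com/login", "https://www.example-bank.com/login"),
    ("https://www.example-bank.com/login", "http://example-bank.com.account-verify.xyz/login"),
    ("Reset your password", "https://examp1e-bank.com/reset"),
    ("Sign in", "https://login.xn--exampe-bank-5qb.com/"),
]

def registrable_domain(host):
    """Last two labels of a host (assumption: no public-suffix list, so co.uk-style suffixes are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_warnings(display_text, href, trusted_domain=TRUSTED_DOMAIN):
    """Return the reasons a link deserves suspicion; an empty list means none were found."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    brand = trusted_domain.split(".")[0]
    # 1. Anchor text that looks like a URL but whose host differs from the real target
    if display_text.startswith(("http://", "https://")):
        shown = (urlparse(display_text).hostname or "").lower()
        if registrable_domain(shown) != reg:
            warnings.append(f"display text shows {shown} but link goes to {host}")
    # 2. Brand name used as a subdomain of an unrelated registrable domain (a "mashup")
    if brand in host and reg != trusted_domain:
        warnings.append(f"'{brand}' appears in host but the domain is {reg}")
    # 3. Internationalised (punycode) labels can hide lookalike characters
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains a punycode (xn--) label")
    # 4. Near-miss spelling of the trusted domain (one or two character edits)
    if reg != trusted_domain and edit_distance(reg, trusted_domain) <= 2:
        warnings.append(f"{reg} is a near-miss spelling of {trusted_domain}")
    return warnings
```

Only the first sample link comes back clean; the other three each trigger at least one warning, which is the point at which a user should stop and verify through a known-good channel rather than click.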

How Can I Identify a Malicious Attachment?

Malicious attachments are what users tend to think of when they think about phishing, especially as it relates to malware. Experts estimated in a recent study that 94% of phishing emails use malicious file attachments as the payload or infection source for the attack. They further noted that the top malicious email attachment types that they’re seeing are .doc and .dot at 37% of the pie, with .exe coming in at 19.5% and other file types lower. Malicious attachments can also be PDFs. Audacious cybercriminals had a field day sending out poisonous COVID-19 maps in that format, purporting to come from sources like the World Health Organization, in early 2020. Unexpected attachments or files with unusual or unfamiliar names are hallmarks of malicious attachments.

Minimize Phishing Dangers with a Strong Defensive Posture That Includes SaaS Backup

Catching phishing messages can be challenging. Companies that engage in regular security awareness training that includes phishing resistance for every employee at least quarterly have up to 70% fewer security incidents. Conventional email security solutions like filters or built-in tools in email applications aren’t up to today’s sophisticated phishing threats — over 40% of the phishing emails sent in a 2020 test weren’t caught by traditional email security.

The other half of the coin in building a strong defense against phishing is also essential for building cyber resilience: SaaS backup. An estimated 60% of businesses impacted by a phishing attack lose unrecoverable data, and that can create an increasingly devastating damage cascade.

That’s why solutions like Spanning 360 with built-in phishing defense capabilities are a must-have in any cybersecurity plan. Over 70% of organizations in the United States were impacted by a successful phishing attack in the past 12 months. Every company’s goal should be to stay off that list in 2021.
