What is Phishing?

Definition

Phishing is a type of cyber attack and social engineering tactic used by malicious actors to deceive individuals or organizations into revealing sensitive information, such as usernames, passwords, credit card details, or other personal data, or to install malware on their systems.

It typically involves fraudulent communications that appear to come from trustworthy sources, aiming to exploit human psychology rather than technical vulnerabilities in software or hardware.

Core Mechanics: Manipulation and Impersonation

Attackers often craft messages that create a sense of urgency, fear, curiosity, or trust to prompt the recipient to take immediate action without verifying the legitimacy of the request.

These messages can take various forms, including emails, text messages (known as smishing), phone calls (vishing), or even fake websites (pharming). For instance, an email might mimic a legitimate entity like a bank, government agency, or popular online service, urging the user to click a link to "update account information" or "claim a prize," which then leads to a counterfeit website designed to capture credentials.

Phishing vs. Social Engineering

It is easy to confuse these two cybersecurity concepts, as both involve people in the attack chain:

Social engineering is the broader practice of manipulating people; phishing is one specific attack that applies it, and social engineering techniques are employed to make a phishing attack more believable and effective.

Types of Phishing Expanded

Email Phishing

This is the most traditional and widespread form of phishing, accounting for the majority of reported incidents. It involves sending mass emails that masquerade as legitimate communications from trusted entities, such as banks, e-commerce sites, or government agencies.

Spear Phishing

A more targeted evolution of email phishing, where attackers customize messages based on research about the victim, making them appear highly credible and personalized.

  • Mechanisms: Involves gathering intelligence from social media, company websites, or data breaches to reference specific details like names, job titles, or recent events.

  • Common Tactics: Tailored subject lines (e.g., referencing a real meeting or project), attachments disguised as business documents, or links to weaponized sites.

  • Examples: An email to a company's HR manager pretending to be from a job applicant with a resume attachment that installs spyware, or a message to an executive about a "confidential merger" with a malicious link.

Whaling

A subset of spear phishing focused on high-value targets, often referred to as "big fish" phishing.

  • Mechanisms: Impersonates senior executives or authoritative figures using spoofed emails or compromised accounts.

  • Common Tactics: Requests urgent wire transfers, sensitive data, or changes to payment details, leveraging authority and time pressure to bypass scrutiny.

  • Examples: An email from a spoofed CEO account instructing the finance team to transfer funds for an "emergency acquisition," or a message to an assistant requesting employee W-2 forms for "tax purposes."
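As an added illustration of the spoofed-executive mechanics described under Whaling (not code from the original page), the following Python heuristic inspects a raw message for a From: display name that claims to be a known executive while the address, domain or Reply-To points elsewhere, and scores the urgency and payment wording the tactics above rely on. The executive roster, home domain and sample message are constructed for the example.

```python
"""Heuristic whaling detector: added example, not code from the original page.
Flags mail whose From: display name is a known executive's while the address
is not theirs, and scores urgency / payment wording. Roster, domain and sample
message are constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed home domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|payment details|w-2|gift cards?)\b", re.I)


def assess(raw: str) -> dict:
    """Return impersonation and pressure findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    known = EXECUTIVES.get(display.strip().lower())
    findings = {
        # Display name is an executive's, but the address is not theirs
        "exec_name_mismatch": known is not None and addr != known,
        # Sender domain is not the home domain (lookalike domains land here)
        "external_sender": domain != ORG_DOMAIN,
        # Reply-To quietly routes answers to a different mailbox
        "reply_to_divert": bool(reply_to) and reply_to != addr,
        "urgency_terms": sorted({m.lower() for m in URGENCY.findall(text)}),
        "payment_terms": sorted({m.lower() for m in PAYMENT.findall(text)}),
    }
    findings["score"] = (3 * findings["exec_name_mismatch"]
                         + 2 * findings["reply_to_divert"]
                         + bool(findings["urgency_terms"])
                         + 2 * bool(findings["payment_terms"]))
    return findings


# Constructed sample mirroring the "emergency acquisition" scenario above
SAMPLE = """\
From: Jane Doe <jane.doe@example-co.com>
Reply-To: jdoe.ceo@mail-relay.invalid
To: finance@example.com
Subject: Urgent wire transfer for confidential acquisition

Need this done today. Send the wire to the account below. Keep confidential.
"""
```

A mail gateway rule would treat a high score as a reason to quarantine or to require out-of-band confirmation of any payment instruction, which is the control that defeats the time-pressure tactic.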