Phishing (a hacker-influenced corruption of fishing) is a kind of online fraud, which aims to steal confidential information such as account credentials or bank card details through social engineering. A typical phishing attack involves sending emails or messages in the name of a real organization with some “bait” in the subject line or message body and a link to a page asking for data; cybercriminals who carry out such attacks are known as phishers.
The concept of phishing may be interpreted more broadly to include sending emails or messages with links to pages that download malware or malicious attachments. The MITRE ATT&CK knowledge base defines phishing (technique T1566) as a technique aimed at gaining access to a victim’s system — typically by sending emails with links or malware-containing attachments. For phishing attacks targeting personal data, MITRE ATT&CK uses the more specific term phishing for information (T1598).
Types of phishing
Depending on the communication channel used in an attack, phishing is categorized as follows:
- Email phishing — phishing messages are sent by email.
- Phishing on social networks and in instant messengers.
- Smishing (from SMS and phishing) — phishing links are sent by SMS.
- Vishing (from voice and phishing). The victim receives a phone call, either from an attacker or bot, during which they are persuaded to hand over personal information or, for example, install remote-access software. In some cases, the attackers may persuade the victim to call them (for example, by sending an email reporting an issue with their account and the phone number of “technical support”).
- Pharming (from phishing and farming). The victim is automatically redirected to a phishing site, for example, using special malware or DNS poisoning.
Phishing can also be either mass (untargeted) or targeted (also known as spear phishing). Mass phishing is sent to any and all addresses available to the attackers; spear phishing targets specific recipients, and is often preceded by collecting data on them and building profiles. Spear phishing aimed at top executives is also known as whaling (as in big fish [sic]).
How phishers lure victims
Attackers use various types of “bait” to get victims to click on phishing links. These include:
- Account issues: for example, the victim is told their account has been blocked due to suspicious activity and asked to confirm or update their credentials.
- Special offers, promotions, and giveaways.
- Undelivered emails or voicemails, online documents, and other materials that can only be viewed by following the link provided.
Common phishing techniques
Besides social engineering, attackers often deploy a variety of techniques to make phishing emails and sites more convincing and to bypass detection, in particular:
- Spoofing website domains and/or email addresses. Cybercriminals register domain names similar to those of the organizations they are impersonating. In the case of email phishing, they can also replace the sender address that appears in the mail client with a legitimate one.
- Cloning legitimate websites.
- Posting phishing pages on hacked legitimate sites or legitimate survey services.
- Sending phishing pages as HTML attachments instead of links.
- Dynamically changing the page design depending on the victim’s email domain.
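The domain and address spoofing, link cloaking and HTML-attachment techniques listed above can all be surfaced by a mail gateway or an analyst script before a user ever sees the message. The following is an added example, not code from the original article or from any product it mentions: it assumes a hypothetical list of protected domains (PROTECTED_DOMAINS) and a sample message constructed here for illustration, and it flags lookalike sender and link domains (including digit-for-letter and accented-character substitutions), a display name that claims a brand the address does not belong to, link text that shows one host while the href points to another, and an HTML attachment that carries a password form.

```python
"""Phishing-indicator checks over a raw email (added example, not from the article)."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this organisation wants to protect from impersonation.
PROTECTED_DOMAINS = ["example-bank.com", "example.com"]

# Partial map of visually confusable sequences, folded before comparison.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise_domain(domain: str) -> str:
    """Lower-case, decode IDN punycode, strip accents and fold confusables."""
    domain = domain.lower().strip()
    try:
        domain = domain.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode (or malformed punycode): compare as given
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the protected domain that `domain` imitates, or None if it is genuine/unrelated."""
    raw = domain.lower().strip()
    for p in PROTECTED_DOMAINS:
        if raw == p or raw.endswith("." + p):
            return None  # the real domain or one of its subdomains
    d = normalise_domain(raw)
    for p in PROTECTED_DOMAINS:
        base = p.split(".")[0]
        # protected name embedded as a subdomain of something else, or a close typo
        if p in d or edit_distance(d, p) <= 2 or edit_distance(d.split(".")[0], base) <= 1:
            return p
    return None


class LinkAndFormScanner(HTMLParser):
    """Collect (href, visible text) for every <a> and note any password input."""

    def __init__(self):
        super().__init__()
        self.links, self.password_form, self._href, self._text = [], False, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_form = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_message(raw: str) -> list:
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain!r} imitates {hit!r}")
    for p in PROTECTED_DOMAINS:  # display name claims a brand the address lacks
        brand = p.split(".")[0].replace("-", " ")
        legit = sender_domain == p or sender_domain.endswith("." + p)
        if brand in display.lower() and not legit:
            findings.append(f"display name claims {brand!r} but address is {addr!r}")
            break
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        scanner = LinkAndFormScanner()
        scanner.feed(body)
        if part.get_filename() and scanner.password_form:
            findings.append(f"HTML attachment {part.get_filename()!r} contains a password form")
        for href, text in scanner.links:
            host = urlparse(href).hostname or ""
            hit = lookalike_of(host)
            if hit:
                findings.append(f"link to {host!r} imitates {hit!r}")
            text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if text_host and text_host != host:
                findings.append(f"link text shows {text_host!r} but points to {host!r}")
    return findings


# Constructed sample message: digit-for-letter sender domain, cloaked link, HTML attachment.
SAMPLE_MESSAGE = """\
From: Example Bank Support <alerts@examp1e-bank.com>
To: customer@example.org
Subject: Your account has been suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual activity was detected. Verify your details within 24 hours:</p>
<a href="http://example-bank.com.secure-login.net/verify">https://example-bank.com/login</a>
</body></html>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Secure_Form.html"

<html><body><form method="post" action="http://example-bank.com.secure-login.net/collect">
<input name="user"><input type="password" name="pass"><input type="submit"></form></body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print("-", finding)
```

The checks are deliberately conservative: a genuine subdomain of a protected name is never flagged, while the protected name appearing inside a longer registrable domain, a near-typo, or a normalised (de-accented, confusable-folded) match is. In production the protected list would come from the organisation's brand inventory and the findings would feed a scoring or quarantine decision rather than a print loop.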
The fight against phishing
To coordinate the fight against phishing, the Anti-Phishing Working Group (APWG) was founded in 2003. In its own words, it is an international non-profit industry association focused on eliminating the identity theft and frauds that result from the growing problem of phishing, crimeware, and email spoofing. The group consists of organizations from various fields, including banks, cybersecurity firms, government agencies, and NGOs, as well as individual researchers.