What is Phishing?

Phishing is a form of digital fraud and a significant threat to IT security. In this deceptive method, criminals attempt to steal confidential information such as login credentials or credit card details. The term itself is a coinage combining "password" and "fishing", an apt image for fraudsters who cast their bait hoping to catch unsuspecting internet users. However, phishing often targets specific individuals or organizations.

How does phishing work?

A typical phishing attack begins with initial contact. While emails are the preferred medium, fraudsters also use SMS (smishing), phone calls (vishing), or social networks. The messages claim to be from trusted sources such as financial institutions, online retailers, or tech giants. They often contain urgent calls to action, such as password changes or payment confirmations.

In the next step, the fraudsters usually lure their victims to fake websites. These pages are often deceptively realistic and imitate the original down to the smallest detail. Here, victims are supposed to reveal their sensitive data, which is forwarded directly to the criminals. Sometimes malware is also hidden in phishing messages as an attachment.

An illustrative example: A user receives an email that appears to come from their bank. The message warns of a security problem and asks the user to confirm their login credentials. The embedded link leads to a website that looks confusingly similar to the official bank platform. If the user enters their data there, it goes directly to the fraudsters.

What types of phishing exist?

There are various types of phishing attacks that differ in their approach and target group. In our article "Phishing Exercises" you can find details about the individual techniques.

  1. Mass phishing: This is the most common form, in which fraudsters send bulk emails to random recipients, hoping that a small percentage of them will fall for the scam.
  2. Spear phishing: In this targeted form of phishing, specific individuals or companies are singled out. Attackers often research their targets in advance to make their messages particularly credible.
  3. Whaling: A subcategory of spear phishing that specifically targets high-ranking targets such as CEOs or other executives.
  4. Smishing: Phishing via SMS messages. Fake package delivery notifications or alleged problems with bank accounts are often used as bait here.
  5. Vishing: Phone-based phishing where fraudsters call their victims pretending to be representatives of banks, authorities, or technology companies.
  6. Quishing: A newer form of phishing that uses QR codes to lure victims to fake websites.

Why is phishing so dangerous?

The danger of phishing lies in its psychological component. It doesn't target technical vulnerabilities, but human weaknesses. Even IT-savvy individuals can become victims, especially when attackers create urgency or fear. The consequences range from identity theft to financial losses to extensive data leaks in companies.

Alarming statistics show: About every third spam email is a phishing attempt. Around 62% of internet users have knowingly received phishing emails. The annual damage caused by phishing runs into billions. The increasing sophistication of the attacks is also concerning.

Phishing attacks have now also become a standard technique of APT groups and repeatedly enable attackers to penetrate corporate networks.

How can you protect yourself against phishing?

The most effective protection against phishing lies in vigilance and critical thinking. Some essential advice:

  • Approach unexpected messages with skepticism, especially if they urge immediate action.
  • Check sender addresses meticulously. Phishers often use deceptively realistic but slightly modified addresses.
  • Verify links by hovering over them with your mouse without clicking. Looking at the email source code can be revealing.
  • Never enter sensitive data through email links. Instead, open your browser and navigate manually to the desired page.
  • Pay attention to linguistic inconsistencies. Many phishing emails come from non-native fraudsters and contain noticeable errors. Problems with umlauts are also common.
  • Use two-factor authentication wherever possible.
  • Keep your software, especially operating system and browser, always up to date.
  • Use modern antivirus software to detect known phishing sites.
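As an added example (not from the original article), a small Python script that applies two of the checks above to a raw email: it compares the Reply-To domain with the From domain, and it flags links whose visible text names a different site than the real href. The sample message is constructed, and the domain comparison uses only the last two labels (no public-suffix list), which is an assumption of this example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: Reply-To and the real href use a lookalike domain ("1" in place of "l").
SAMPLE_EML = b"""From: Example Bank <service@example-bank.test>
Reply-To: support@examp1e-bank.test
Content-Type: text/html; charset=utf-8

<p>Please confirm your login at
<a href="http://login.examp1e-bank.test/confirm">https://www.example-bank.test/login</a></p>
"""
class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _site(value):
    """Rough registrable domain (last two labels; no public-suffix list) of a URL or domain."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def find_indicators(raw):
    """Return (indicator, expected_site, actual_site) tuples for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = _site(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    findings = [("reply-to-mismatch", sender, _site(reply_to))] if reply_to and _site(reply_to) != sender else []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only link text that itself looks like a URL or domain can misstate the real target.
            if re.fullmatch(r"(\w+://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and _site(text) != _site(href):
                findings.append(("link-text-mismatch", _site(text), _site(href)))
    return findings
```

Link text such as "click here" carries no domain and is therefore not compared; the script only catches links that visibly claim one site while pointing at another.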

Technical solutions such as email filters, special browser extensions, and security software can also help identify and defend against phishing attempts. Many modern email clients and browsers already have integrated protection features against phishing.

What to do if you've become a victim of a phishing attack?

If you suspect you've become a victim of a phishing attack, swift action is required. Immediately change all potentially compromised passwords. If you suspect bank fraud, inform your financial institution immediately. Monitor your accounts carefully for suspicious activities. When updating your credentials, proceed strategically: Start with the most important accounts, change the passwords there, and immediately activate two-factor or multi-factor authentication.


Damian Strobel
DSecured can help you train your employees to recognize phishing attacks.