Phishing Attacks

What Is Phishing?

Phishing is a cyberattack involving a threat actor communicating via email, text, or telephone while posing as a trustworthy entity (individual or institution) to lure a target into providing information from an otherwise protected source. Even as cybersecurity solution providers upgrade their controls and promote best practices, phishing remains one of the most lucrative and convenient methods for threat actors to steal and gain access to sensitive information.

By swiping sensitive data, including personally identifiable information, a phishing attack can provide threat actors access to privileged accounts and cause damages associated with financial losses, reputational degradation, and a disruption of normal business operations.

Examples of Phishing

Humans are naturally inclined to trust the people they know, which makes phishing tactics effective. 

The CEO Scam

A threat actor posing as the organization's CEO sends an employee a time-sensitive request via email. In the email, the CEO asks for help transferring funds to pay a foreign vendor. The phishing email infuses a sense of urgency tied to the organization's success. As a result, the targeted employee moves money without hesitation, thinking they are helping their CEO and organization.

Account Deactivation Scam

A threat actor posing as a PayPal representative sends the target an email stating their account has been hacked and will be canceled unless they confirm their account identity. The phishing email links to a bogus PayPal website, and the stolen account information is utilized for subsequent offenses.

Compromised Credit Card Scam

A threat actor learns that a target recently purchased an Apple product and poses as Apple customer service in an email informing the customer that their account may have been infiltrated. The email requests that they update their credit card info via a link leading to a fake website.

Types of Phishing Attacks

Phishing attempts are becoming increasingly complex, tempting, and varied. Here are a few kinds of phishing attacks.

Spear Phishing

Spear-phishing, or targeted phishing, targets specific people or groups within an organization with emails, social media, app messaging, and other electronic communications to convince users to divulge personal information or engage in activities that result in financial losses, network compromise, and data losses.

Smishing (Mobile Device Phishing)

A false SMS, social media message, voicemail, or other in-app communication requests that the recipient update their account information or password, or informs them that their account has been compromised. The message likely contains a link to a false website used to steal personal data from the victim or that installs malware on their phone.

Whaling

Whaling focuses on enticing or tricking top-level targets, such as military leaders and corporate executives, into releasing sensitive or confidential information. Often, the top-level target has access to privileged accounts within the protected network; therefore, attackers place themselves in the middle of significant decision-making conversations and mission-critical data by gaining such high-level access. 

Vishing

Vishing is short for "voice phishing." In a vishing attack, threat actors use mobile devices as a vector of attack. They leverage text messages, phone calls, or mobile apps to steal victims' personal and private information. During vishing attacks, sophisticated, psychological phishing tactics are leveraged to exploit people's unique relationships with mobile devices.

How to Detect a Phishing Attack

Billions of electronic messages are sent and received daily, making it hard to tell which ones are real and which are phishing scams. Nevertheless, phishing messages often include at least one telltale sign.

Unusual Request

Malicious emails may present unusual requests. For example, the CEO demands an urgent money transfer without routine approval.

Inconsistencies in Email Addresses, URLs, and Domain Names

Phishing communications often have anomalies in the sender's email address or the links (URLs) they direct targets to, including the domain name.

Unfamiliar Greeting or Tone

Examine the language of an email for errors. For instance, a family member or coworker may sound too official—or overly familiar. If the email seems odd and does not include the language you would anticipate from the sender, look for clues that it could be a hoax.

CylancePROTECT Mobile is a Mobile Threat Defense cybersecurity solution that prevents phishing attacks, blocks malware infections, and checks application integrity. It combines mobile endpoint management with seventh-generation Cylance AI-driven threat protection—stopping mobile malware and zero-day payload executions before they attack.