What Is Phishing?

Protect Yourself and Your Business

You’ve probably heard the term “phishing” floating around, but what exactly is phishing? Phishing is the practice of using misleading emails and websites to obtain an individual’s or business’s personal information.

Phishing threats can come in a variety of forms, but most phishing threats involve the malicious use of email to encourage certain behavior from the target. This is usually done by convincing the target to do one of three things:

  1. open an email attachment that contains malware

  2. visit a website where malware can be dropped onto the target’s computer

  3. visit a website where they are convinced to divulge their user credentials

Targeted phishing campaigns that seek to gain the credentials of key targets in an organization or that seek to install malware on the computers of key targets are known as spearphishing. Spearphishing is a special case of phishing that often involves reconnaissance of the target organization to identify individuals in positions of budget authority or decision-making authority.

Why is phishing so successful? Phishing often works because of (1) distracted computing and (2) the appearance of coming from a trusted source. Most email use takes place in an environment with multiple distractions. When we’re distracted, we pay less attention to the contents of emails. The malicious actors who employ phishing expect this from us and use it to their advantage.

Combined with distracted computing, phishing also relies upon conveying the illusion of authenticity and trust to a target. Phishing attempts mimic popular services such as Microsoft, Amazon, iCloud, and Dropbox by using publicly available, legitimate digital assets from these organizations, such as logos, banners, or, using tools like Metasploit, wholly replicated login pages.

Four Tips for Avoiding Phishing Threats

So how can we protect ourselves against phishing? Utilize these strategies to help keep your information secure.

Avoid viewing email as background noise.

Malicious actors count on targets' lack of discernment. Slow down while you are reading and acting on email messages, especially messages with embedded links or attachments.

Know when to expect messages with attachments from senders.

Be wary of unexpected attachments. If you are not expecting an attachment from a sender, do not open it. If the sender is someone you know personally, call them and confirm that they sent the message. If the sender is someone you do not know, do not open the attachment.

Similarly, if you receive a link or an embedded link in a message from an unexpected sender or an unknown sender, be skeptical.

Attempt to confirm with the sender if you know them. Do not click on links or embedded links in messages from senders you do not know. Remember to hover, not click: most modern web browsers and email clients will show you a link's real destination if you hover over it, providing a way to see where a link will take you without actually visiting the site. The visible link text is not a reliable guide, because it can name one site while the link points to another.
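As an added example (not code from the original post), this Python script automates the "hover, not click" check over an HTML email body: for every link whose visible text looks like a web address, it compares the domain named in that text with the domain the href really leads to and reports mismatches. The email body and the domain names in it are constructed samples, and the domain comparison is a deliberately simple heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not a real message): the first
# link's visible text names Dropbox, but its href points somewhere else.
SAMPLE_EMAIL = """
<p>Your account needs attention. Sign in to keep access:</p>
<p><a href="https://login.example-secure.net/reset">https://www.dropbox.com/login</a></p>
<p>Need help? Visit our <a href="https://www.dropbox.com/help">Help center</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # we are inside an <a>...</a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain (last two labels); assumption: no public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

# Anything in the link text that looks like a web address (scheme optional).
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def find_deceptive_links(html):
    """Return (visible text, real host) for links whose text names another domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = DOMAIN_IN_TEXT.search(text)
        if not match:
            continue  # plain words such as "Help center" claim no domain
        real_host = urlparse(href).hostname or ""
        if registrable(match.group(1)) != registrable(real_host):
            findings.append((text, real_host))
    return findings
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags only the first link; a mail gateway or user-reporting tool could apply the same check before a message reaches the inbox.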

Remember that many phishing campaigns will attempt to mimic login pages for popular services like MSN, Amazon, iCloud, Dropbox, or an enterprise single sign-on page.

Be particularly vigilant about these messages; most services will not contact you via email to reset your password or to prompt you to make changes to your account.

Business owners, remember: email is the primary agent for all digital risk and information compromise, and phishing is the most common method of exploiting people’s email habits. Phishing and spearphishing are the most prevalent social engineering threats faced by organizations and individuals. Understanding these practices and building this awareness into your business’s everyday operations will drive down your company’s digital risk significantly.

tl;dr

Be purposeful. Be cautious. Think before you click. Enable 2FA. Use a password manager. Use endpoint security and keep it regularly updated.

Questions about your business's potential security shortcomings? Read more about our Digital Risk Mitigation Services, or give us a call (940-808-0071) – we can help.
