Phishing scams are a form of social engineering. Unlike other cyberattacks that directly target networks and resources, social engineering attacks use human error, fake stories and pressure tactics to manipulate victims into unintentionally harming themselves or their organizations. 
In a typical phishing attempt, a hacker pretends to be someone the victim trusts, like a colleague, boss, authority figure or representative of a well-known brand. The hacker sends a message directing the victim to pay an invoice, open an attachment, click a link or take some other action.

Because they trust the supposed source of the message, the user follows the instructions and falls right into the scammer's trap. That "invoice" might lead directly to a hacker's account. That attachment might install ransomware on the user's device. That link might take the user to a website that steals credit card numbers, bank account numbers, login credentials or other personal data.  

Why phishing is a major cyberthreat 

Phishing is popular among cybercriminals and highly effective. According to IBM's Cost of a Data Breach report, phishing is the most common data breach vector, accounting for 16% of all breaches. Breaches caused by phishing cost organizations an average of USD 4.76 million, which is higher than the overall average breach cost of USD 4.45 million.

Phishing is a significant threat because it exploits people rather than technological vulnerabilities. Attackers don't need to breach systems directly or outsmart cybersecurity tools. They can trick people who have authorized access to their target—be it money, sensitive information or something else—into doing their dirty work. 

Phishers can be lone scammers or sophisticated criminal gangs. They can use phishing for many malicious ends, including identity theft, credit card fraud, monetary theft, extortion, account takeovers, espionage and more. 

Phishing targets range from everyday people to major corporations and government agencies. In one of the most well-known phishing attacks, Russian hackers used a fake password-reset email to steal thousands of emails from Hillary Clinton's 2016 US presidential campaign.1

Because phishing scams manipulate human beings, standard network monitoring tools and techniques cannot always catch these attacks in progress. In fact, in the Clinton campaign attack, even the campaign's IT help desk thought the fraudulent password-reset emails were authentic. 

To combat phishing, organizations must combine advanced threat detection tools with robust employee education to ensure that users can accurately identify and safely respond to scam attempts.

Types of phishing attacks


The word "phishing" plays on the fact that scammers use attractive "lures" to trick their victims, much the same way that fishers use bait to hook actual fish. In phishing, the lures are fraudulent messages that appear credible and evoke strong emotions like fear, greed and curiosity. 

The kinds of lures phishing scammers use depend on whom and what they are after. Some common examples of phishing attacks include:  

Bulk email phishing 

In bulk email phishing, scammers indiscriminately send spam emails to as many people as possible, hoping that a fraction of the targets fall for the attack. 

Scammers often create emails that appear to come from large, legitimate businesses, such as banks, online retailers or the makers of popular apps. By impersonating well-known brands, scammers increase the chances that their targets are customers of those brands. If a target regularly interacts with a brand, they are more likely to open a phishing email that purports to come from that brand. 

Cybercriminals go to great lengths to make phishing emails appear genuine. They might use the impersonated sender's logo and branding. They might spoof the sender address, or register a lookalike domain (a transposed or substituted character, an extra hyphen or word), to make it seem like the message comes from the impersonated sender's domain name. They might even copy a genuine email from the impersonated sender and modify it for malicious ends. 

Scammers write email subject lines to appeal to strong emotions or create a sense of urgency. Savvy scammers use subjects that the impersonated sender might actually address, such as "Problem with your order" or "Your invoice is attached."

The body of the email instructs the recipient to take a seemingly reasonable action that results in divulging sensitive information or downloading malware. For example, a phishing link might read, "Click here to update your profile," or show the brand's real web address as the visible link text while the underlying URL points somewhere else entirely. When the victim clicks that malicious link, it takes them to a fake website that steals their login credentials. 
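The two tricks described above, a sender whose display name claims a brand while the address belongs to another domain, and a link whose visible text shows one site while its href goes elsewhere (or to a bare IP address), are mechanical enough to check for. The following is an added example written for this page, not IBM's code: it parses one raw message with the standard library and returns a list of findings. The brand allow-list, the sample messages and the `amaz0n-orders.example` sender are constructed for illustration; a real filter would use a maintained domain list and a proper public-suffix library instead of the crude `_registrable` helper.

```python
"""Heuristic checks for spoofed senders and deceptive links in a phishing email.

Added example, not IBM's code. BRAND_DOMAINS, SAMPLE and LEGIT_SAMPLE are
constructed for illustration; the sender domain amaz0n-orders.example is fictional.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of url; a scheme is added if the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude eTLD+1 (last two labels); enough for the sample domains only."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_email(raw):
    """Return a list of findings (strings) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a brand, but the sender domain is not that brand's.
    display, addr = parseaddr(msg["From"])
    from_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and _registrable(from_domain) not in domains:
            findings.append(
                f"display name mentions {brand!r} but sender domain is {from_domain}")

    # 2. Links whose visible text names one host while the href goes elsewhere,
    #    and links that point at a raw IP address instead of a domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"link points at raw IP address {href_host}")
        if re.match(r"(https?://|www\.)", text, re.I):
            text_host = _host(text)
            if _registrable(text_host) != _registrable(href_host):
                findings.append(
                    f"link text shows {text_host} but href goes to {href_host}")
    return findings


# Constructed sample resembling the "update your profile" lure described above.
SAMPLE = """\
From: "Amazon Customer Service" <support@amaz0n-orders.example>
To: victim@example.org
Subject: Problem with your order
Content-Type: text/html; charset="utf-8"

<html><body>
<p>There is a problem with your order. Please
<a href="http://198.51.100.7/login">https://www.amazon.com/account</a>
to update your profile.</p>
</body></html>
"""

# Constructed benign counterpart: same brand, genuine domain, honest link.
LEGIT_SAMPLE = """\
From: "Amazon Customer Service" <no-reply@amazon.com>
To: victim@example.org
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Track it at <a href="https://www.amazon.com/account">https://www.amazon.com/account</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE):
        print("FLAG:", finding)
    print("benign findings:", analyse_email(LEGIT_SAMPLE))
```

Running the script flags the fictional sender domain, the raw-IP destination and the text/href mismatch on `SAMPLE`, and nothing on `LEGIT_SAMPLE`. The checks are deliberately simple: they catch the lures this section describes, not every phishing email, and a mail gateway would combine them with SPF, DKIM and DMARC results and URL reputation.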

Some scammers time their phishing campaigns to align with holidays and other events where people are more susceptible to pressure. For example, phishing attacks on Amazon customers often spike around Prime Day, the online retailer's annual sales event.2 Scammers send emails about fake deals and payment problems to take advantage of people's lowered guards.

Spear phishing

Spear phishing is a targeted phishing attack on a specific individual. The target is usually someone with privileged access to sensitive data or special authority that the scammer can exploit, such as a finance manager who can move money from company accounts. 

A spear phisher studies their target to gather the information they need to pose as someone the target trusts, such as a friend, boss, coworker, vendor or financial institution. Social media and professional networking sites—where people publicly congratulate coworkers, endorse vendors and tend to overshare—are rich sources of information for spear phishing research. 

Spear phishers use their research to craft messages that contain specific personal details, making them seem highly credible to the target. For example, a spear phisher might pose as the target's boss and send an email that reads: "I know you're leaving tonight for vacation, but can you please pay this invoice before the close of business today?"

A spear phishing attack aimed at a C-level executive, wealthy individual or other high-value target is called a whale phishing or whaling attack. 

Business email compromise (BEC) 

BEC is a class of spear phishing attacks that attempt to steal money or valuable information—for example, trade secrets, customer data or financial information—from a business or other organization. 

BEC attacks can take several forms. Two of the most common include:

CEO fraud: The scammer impersonates a C-level executive, often by hijacking the executive's email account or spoofing their address. The scammer sends a message to a lower-level employee instructing them to transfer funds to a fraudulent account, make a purchase from a fraudulent vendor or send files to an unauthorized party.

Email account compromise (EAC): The scammer compromises a lower-level employee's email account, such as the account of a manager in finance, sales or research and development. The scammer uses the account to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or request access to confidential data.
BEC attacks can be among the costliest cyberattacks, with scammers often stealing millions of dollars at a time. In one notable example, a group of scammers stole more than USD 100 million from Facebook and Google by posing as a legitimate software vendor.3

Some BEC scammers are shifting away from these high-profile tactics in favor of launching small attacks against more targets. According to the Anti-Phishing Working Group (APWG), BEC attacks grew more frequent in 2023, but scammers asked for less money on average with each attack.4


Smishing

SMS phishing, or smishing, uses fake text messages to trick targets. Scammers commonly pose as the victim's wireless provider, sending a text that offers a "free gift" or asks the user to update their credit card information.

Some smishers pose as the US Postal Service or another shipping company. They send texts that tell victims they must pay a fee to receive a package they ordered.  

Vishing

Voice phishing, or vishing, is phishing by phone call. Vishing incidents have exploded in recent years, increasing by 260% between 2022 and 2023 according to the APWG.5 The rise of vishing is partly due to the availability of voice over IP (VoIP) technology, which scammers can use to make millions of automated vishing calls per day. 

Scammers often use caller ID spoofing to make their calls appear to come from legitimate organizations or local phone numbers. Vishing calls typically scare recipients with warnings of credit card processing problems, overdue payments or trouble with the law. Recipients end up providing sensitive data or money to the cybercriminals to "resolve" their issues. 

Social media phishing

Social media phishing employs social media platforms to trick people. Scammers use the platforms' built-in messaging capabilities—for example, Facebook Messenger, LinkedIn InMail and X (formerly Twitter) DMs—the same ways they use email and text messaging. 

Scammers often pose as users who need the target's help logging in to their account or winning a contest. They use this ruse to steal the target's login credentials and take over their account on the platform. These attacks can be especially costly to victims who use the same passwords across multiple accounts, an all-too-common practice.

Source: IBM