What is phishing, and how does it work?

What is phishing?

Phishing is a type of social engineering attack in which attackers try to deceive people into giving them personal information, such as passwords, financial information, or personal identification numbers (PINs), by pretending to be a trustworthy person or organization. They might do this by sending an email, text, or social media message that appears to be from a legitimate source but is actually a fake.

Phishing usually appeals to people’s emotions, which clouds their judgment. Phishing scams have been around since the early days of the internet and are still one of the most widespread forms of a cyberattack. According to the 2024 data, scammers dispatch at least 31,000 phishing attacks every day, resulting in 3.4 billion phishing emails each day. And that’s without including phishing on social media or via text messages.

Attackers usually use phishing tactics to get money. It can be as simple as tricking someone into making a bank transfer. However, some cybercriminals use malware to get more information about a person or a company, which could then be sold online. Emails are the most popular form of phishing, with some perfected to such an extent that it can be hard to spot a fake.

Check out our YouTube video below to learn more about the difficulty and complexity of different phishing attacks:

How does phishing work?

Phishing works by creating believable reasons for people to provide sensitive information. While different types of phishing exist, the basic steps behind every phishing attack follow those seen in social engineering attacks and are usually the same.

• Step 1: The information (bait). To set up a phishing attack, scammers first have to create a certain bait to lure the victims in. The bait is usually an email or a text message that copies the style and communication of known and trusted entities (such as banks, businesses, or government agencies). Since the aim of the bait is to trick users into trusting the message, scammers try their best to create a sense of legitimacy, including using official company logos, email addresses that closely resemble real ones, and language that is similar to what the target would expect from the legitimate source.
• Step 2: The promise (hook). Once the bait is set, phishers need to deliver a strong reason to encourage targets to engage with the message. This is called the promise, or the hook, and often includes statements that induce strong emotions. For example, phishing emails might involve promises of rewards, such as winning a prize or getting a refund, or it might exploit fear by warning of account suspension, fraudulent activity, or some other immediate threat. These messages build a sense of urgency or curiosity, enticing targets to respond quickly without considering the possibility of a scam.
• Step 3: The attack (catch). The attack, or the catch, is the point of the scam, where phishers achieve their goal. Once the bait and the hook are set in place, the targets take action (either by clicking suspicious links or visiting fake websites and exposing their login credentials) and become victims of disclosing sensitive information (also known as data exfiltration attacks) or downloading malicious software.

Why is phishing a problem?

Phishing is a real problem because it affects millions of people worldwide each year, is extremely efficient, requires little effort, and generates significant financial gain. Cybersecurity experts have observed a continuous rise in phishing attempts, marking them as one of the most common cybersecurity threats to individuals and businesses.

Phishing risks for individuals

For individuals, phishing risks can include:

• Identity theft. If a phisher can obtain your personal information, they may be able to use it to steal your identity and commit financial fraud.
• Loss of money. Phishers may trick you into giving them access to your bank accounts or credit cards, allowing them to steal money or make unauthorized purchases.
• Installation of malware. Some phishing attacks may involve tricking people into downloading malware, which can then be used to access their devices and steal information.
• Privacy invasion. Through phishing, scammers can gain access to your personal information, hijack systems from the inside, and even deny you access to some of your personal files (such as photos or videos).

Phishing risks for businesses

For businesses, the risks of phishing include:

• Damage to reputation. If a phisher is able to obtain sensitive information, they may be able to use it to damage the reputation of a company or individual.
• Loss of sensitive data. Phishers may also target you or organizations to steal sensitive data, such as trade secrets or intellectual property.
• Financial loss. Companies that suffer phishing or business email compromise (BEC) attacks can experience millions of dollars worth of damage through lost investors, fines, exposed business secrets, ransomware, and many other woes.
• Hijacked systems. Successful phishing attacks can sometimes leave businesses without access to crucial files and information, causing mayhem and further trouble for the company, its employees, and customers.

Beware of the dangers of phishing and browse responsibly. Be cautious about clicking on links to malicious websites or downloading attachments from unconfirmed sources. Always use strong and unique passwords and remain vigilant.

The most common types of phishing attacks

Scammers use various phishing techniques to trick their victims into revealing their personally identifiable information. Here are the most common types of phishing:

• Email phishing. Email phishing is a type of cyberattack that uses email as the primary means of deception. An email phishing attack aims to trick the recipient into taking action, such as clicking on a link (URL phishing), visiting fake websites, or providing personal information. These emails can often be mixed up with spam, even though spam and phishing are two different things. Email phishing also includes such attacks as spear phishing, whaling, and clone phishing.
• Vishing. Vishing, or voice phishing, heavily relies on social engineering and creating stressful situations that push people to act without thinking. Attackers often call their victims on the phone and try to scare them into action by claiming that someone tried to use their credit card, or that they forgot to pay a fine. Unfortunately, they often succeed. When people let emotions cloud their judgment, they give away online banking and other personal details without thinking it through.
• Smishing. Smishing, or SMS phishing, is a phishing technique in which a fraudster sends an SMS message that appears to be from a reputable organization. The message may ask the recipient to click on a link to provide personal information or confirm account details. The link in the message may lead to a website that looks legitimate but is actually a phishing site designed to steal, or spoof, personal information.
• Angler phishing. Angler phishing is a new phishing technique used on social networks. Attackers pose as customer support agents on social networks to swindle victims out of their personal data or account details.

Real-life examples of phishing attacks

Numerous businesses and individuals have suffered phishing attacks in real life. While many have fallen for AOL phishing emails or fake websites, others have experienced attacks through Amazon phishing and social media phishing links. Here are a few examples of real-life phishing attacks.

• Facebook security alert scam. In 2018, Facebook users received Facebook phishing emails with false security alerts and links to secure their accounts. These links led to a fake Facebook login page where users were prompted to enter their credentials. Upon entering the information, the accounts fell into the hands of attackers, allowing them access to the victims’ Facebook accounts. Facebook is not the only social media site that has experienced phishing attacks. Instagram phishing through personal messages and LinkedIn phishing attacks have caused significant damage to users throughout the years.
• Coinbase unauthorized login attempt scam. In the midst of the COVID-19 pandemic, a widespread Coinbase phishing email spree targeted the platform’s users with emails claiming that there had been an unauthorized login attempt on their account. The email included a link that led to a fake Coinbase website, prompting users to log in and verify their identity. Once users entered their credentials, the attackers gained access to their Coinbase accounts.
• Bank of America security alert scam. In 2021, phishers used Bank of America phishing emails to scam unsuspecting individuals. The email claimed there was suspicious activity with the recipient’s account and that their account had been temporarily locked for security reasons. It urged the recipients to click on a link to verify their identity and unlock their accounts. Needless to say, the link led to a fake website, exposing users’ login information to scammers and resulting in lost funds, compromised accounts, and further fraud. Similarly, clients of other financial and government institutions have suffered phishing attacks throughout the years. USPS phishing email scams and Wells Fargo phishing attacks are just a few examples of large businesses’ clients experiencing a phishing attack.

How to recognize phishing attempts

Phishers have methods of tricking their victims into clicking on a link or downloading a malicious file. But if you keep an eye out, you can stay one step ahead of the cybercriminals. Here’s how you can recognize a phishing attack:

• Look for a sense of urgency in the message. Most phishing attacks rely on people’s fear of missing out to drive them toward questionable decisions. A sweet deal that’s available for a very short time might lead a hardcore fan of a brand to click on the link in their email or SMS without stopping to see whether it’s legit.
• Check for spelling and grammar errors. Are there grammatical errors? Does the overall tone of the message seem off? These factors point to a potential phishing scam. Legitimate companies and organizations generally produce well-written and error-free communication. Plus, always check for misspelled words or names in the links provided. A social engineering attack called typosquatting targets people who make mistakes when typing in domain names.
• Be wary of unexpected attachments or links. Businesses are unlikely to send newsletters, alert emails, or other messages with attachments — they typically have no reason to do so. Use link-checker tools to double-check suspicious links. And be cautious of malicious links, especially if you didn’t expect the email. Never download and open them.
• Be suspicious of generic greetings. Malicious emails are often sent to large groups of people and may use generic greetings such as “Dear customer” rather than your name.
• Make sure you are familiar with the sender. If a particular little-known service sent you special offers that seem too good to be true or contacted you with alerts on changed passwords, it’s likely a scam. Still, if you’re concerned and want to double-check, contact the sender directly via the official email or phone number (use the web to find official contact info instead of replying to the email).

Remember – scammers are becoming more sophisticated every day. Always stay skeptical when you receive unsolicited emails, messages, or calls, no matter how urgent they may sound. You can also go one step further and use phishing detection tools for a more proactive approach.

What to do in case of phishing

If you’ve fallen victim to a phishing scam or suspect one, acting as quickly as possible is essential. The following describes what you should do if you receive a phishing email and what actions to take if you fall for a phishing scam.

If you receive an email or a message asking you to click on a link or download an attachment, make sure you know the sender or the company trying to reach out to you — only proceed after checking first.

If you receive an email from a company you know, try contacting it by other means. Look for its phone number or an official email address and ask if the email is legitimate.

If you do not have any relationship with the company that has sent you the message, look for the signs of a phishing attack. If the email is suspicious, make sure to report the phishing attempt and then delete the email. If you open a phishing email by accident, don’t click on any links, report it, and delete it at once.

If you have clicked on a phishing link, you’d be wise to change the password of your most important service (such as email, bank, cloud service, and social media) accounts. In addition, you should keep a close look on your financial accounts to prevent phishers from stealing your money.

You must react immediately if you’ve entered your banking information into a malicious website from a phishing email. Contact your bank’s customer support and report the incident. They will take action against the illegal usage of your details.

If you’ve given out personal information like your Social Security number, contact details, or home address, changing your passwords, contacting authorities, and keeping a close look on your financial and personal accounts should be your top priority. If you’re an American citizen, you can also look for further instructions on IdentifyTheft.gov.

How to protect yourself against phishing

Phishing attacks are not going anywhere. Even if you’ve never experienced one, you’ll likely be targeted in the future. Here are a few tips to help safeguard yourself and prevent phishing from affecting your everyday life.

• Use antivirus software. Most reliable antivirus services provide tools to protect against phishing. Use them or opt for a service like NordVPN, which has an anti-phishing certification, proving its effectiveness against phishing attacks.
• Enable two-factor authentication (2FA). Safeguarding your accounts with 2FA makes account takeover attempts significantly more difficult. Deploy this measure across all important accounts and do not approve any suspicious authentication requests.
• Use spam filters. The best way to avoid phishing emails is to prevent them from landing in your inbox. They will protect you from accidentally opening an email with malicious links and attachments. For additional security, tools created for anti-phishing can help you identify and block such content automatically.
• Get an attachment filter. NordVPN’s Threat Protection Pro™ feature is designed to protect you from phishing attempts. It’s a security feature that keeps you safe when browsing and protects you from malware. It scans your files during download and blocks malicious content before it reaches your device.
• Learn to recognize it. You can learn to spot phishing emails easily with some practice. Even the little things matter – if your manager always signs their emails with “Thanks!” but writes “Best regards” out of nowhere, it’s best to double-check with them. When it comes to company secrets and large sums of money, you can never be too careful.
• Keep your software updated. Keeping your software up to date is essential in protecting yourself from security vulnerabilities and cyberattacks. Software updates usually include protection against the latest threat factors.
• Use a password manager. Create and store complex, unique passwords for each of your online accounts.
• Stay vigilant. Use the SLAM method, be skeptical, and do not hesitate to verify the authenticity of any email or website. Contact the company or the person the email was supposed to be coming from by other means to verify.

FAQ

How do phishers target their victims?

Phishers target their victims by using data breaches, such as email harvesting, to acquire the target’s info (email address, phone number, or social media account). Scammers use the stolen data to identify high-risk groups and decide the best technique for approach (for example, mass phishing, spear phishing, whaling, etc.). So if you ever hear about one of your service providers (be it a streaming platform, social media app, car-sharing company, or anything else) suffering a data breach, keep your guard up — you’re likely to get some emails soon.

What’s the difference between phishing and scam?

The difference between phishing and scam is that, technically, one is a part of the other. “Scam” refers to any type of scheme or fraud designed to trick people into giving away money, goods, or services. Meanwhile phishing is a specific type of cyberattack (or online scam) that does so. In other words, all phishing attacks are scams, but not all scams involve phishing.

Is phishing illegal?

Yes, phishing is illegal, and sometimes it is a severely punishable offense. In most countries, it falls under the cybercrime category and can lead to consequences such as monetary fines, prosecution (in the EU), or federal charges (in the US).