What is Phishing?

Last Update: August 31, 2021 | Category: Identity Theft

Phishing refers to the act of trying to steal someone’s sensitive information by tricking them into believing something is authentic.

This is a technique often used by Internet fraudsters looking to drain online bank accounts and payment wallets. In some cases, the scheme is run by someone with the knowledge to use the details they obtain for identity theft.

Phishing is a serious threat!

If you think of phishing as a harmless threat, think again. One of the biggest security breaches of all time was the Target database breach. This started with phishing a subcontractor’s account, which later gave the hacker more privileged access.

The Truth About Phishing

There are over 150 million phishing messages that get sent every single day.

Just over 1 in 10 make it through the various security blocks and into the end recipient’s inbox. Around half of the messages that get delivered are eventually opened. It’s estimated that about 80,000 people open the message, follow the instructions, and get their information stolen.

The statistics are alarming, but by now you should be aware of phishing risks. Everyone with an e-mail account will have experienced their fair share of attempts over the years. Somehow criminals manage to get their hands on extensive mailing lists. You cannot stop the messages from coming in, but you can learn to tell the good from the bad.

How Do Phishing Attacks Work?

In most cases, it starts with an email message that leads you to a fake login page. This could be done to grab information for your bank, Facebook, or even PayPal account. Regardless, the message will likely convey a sense of urgency to provoke impulsive action.

For example, the attacker might pretend to be PayPal, contacting you about a hacker logged into your account. You might feel inclined to follow their link and change your password for security reasons; if you fall for their phishing login page, your credentials will get stolen.

The particular approach comes down to the type of phishing method the attacker uses.

  • Basic phishing

The act of trying to steal specific credentials or information by impersonating a trusted business or person.

  • Clone phishing

The act of copying a legitimate message’s contents (images and text) but modifying it with a phishing attachment or link.

  • In-session phishing

Attempting to phish a user during an active browsing session by hijacking the current session and presenting the phishing login or web page.

  • Spear phishing

This is the act of targeting specific individuals with phishing techniques to get privileged access and maximize fraud.

  • Whaling

The act of spear-phishing top individuals in a company; it often involves impersonating another company or a federal agency (e.g. the FBI).

How to Detect a Phishing Site?

To thwart a phishing attempt, you must be able to identify such malicious websites. The most obvious way is by examining the domain in the URL for abnormalities. Once you focus on the actual domain and its extension, it should be clear whether the website is legitimate or not. Further, you can inspect the site’s SSL certificate and view the page source to get a better idea of whether it is fraudulent.

Many ad-blocker programs defend against phishing attacks. They work by keeping track of a list of phishing websites and blocking access to them. As a result, you will not fall for a phishing attempt that links to any listed phishing website. OpenDNS’s paid service ‘Phishtank’ does exactly this, but you could always find your own list to filter through Adblock Plus or a similar (free) protection service.

Considering the source is also very important. Regardless of the website, think about how you got there; did you enter the URL or click a link? If you arrived after clicking a link, how do you know the source is trusted? If it came from an e-mail message, a whole lot more needs to be considered.

For phishing links in e-mail messages, the main thing to look out for is the sender’s e-mail address. This address can be spoofed, but you can always inspect the actual address. In Gmail, hover over the sender’s name and wait for a small pop-up that shows the actual sender’s e-mail address. For most other e-mail services, it should be as simple as looking at the sender field.

How to Prevent Phishing Attacks?

Common sense is your best friend. Take the time to look around the page you land on for signs of a phishing attempt. In most cases, you will be able to spot at least one or two obvious red flags. Watch out for these signs and avoid opening the message if any are present.

Signs of a Phishing Message

  • The email address of the sender is different from what the company tends to use.
  • Any links are masked or shortened instead of placed directly in the message.
  • There is an attachment even though there’s no reason for one to exist.
  • A direct request for you to ‘change’ or give your sensitive information.
  • A low Sender Score ranking.
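As an added example (not code from the original article), the script below turns the URL checks from the “How to Detect a Phishing Site?” section and the message signs listed above into a small triage routine: it checks the sender and Reply-To domains against the domains a brand really sends from, flags abnormal link domains (plain HTTP, raw IP addresses, punycode, shorteners, a blocklist, deep subdomain chains, and a brand name sitting in a host whose registrable domain belongs to someone else), notes unexpected attachments, and looks for urgency or credential-request wording. The brand domain list, the blocklist, the shortener list and both sample messages are constructed for illustration, and the two-label “registrable domain” helper is a simplification of a real public-suffix lookup.

```python
# Added example, not from the original article: heuristic triage of an e-mail
# message for the phishing signs discussed on this page. Every list and both
# sample messages below are constructed for illustration.
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed: domains each impersonated brand really sends mail from.
KNOWN_SENDER_DOMAINS = {"paypal": {"paypal.com"}}
# Constructed: a tiny Phishtank-style blocklist of registrable domains.
PHISHING_BLOCKLIST = {"paypa1-secure-login.example"}
# Constructed: link shorteners that hide the real destination.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Wording that presses for urgency or directly asks for credentials.
URGENCY_PHRASES = ("verify your account", "within 24 hours", "suspended",
                   "change your password")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplified stand-in for a public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_red_flags(url: str, brand: str) -> list:
    """Abnormalities in a link's domain, the checks a reader examining the URL would make."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme != "https":
        flags.append("plain http link")
    if IPV4_RE.fullmatch(host):
        flags.append("IP address instead of a domain")
        return flags  # the domain-based checks below do not apply to a raw IP
    reg = registrable_domain(host)
    if "xn--" in host:
        flags.append("punycode (possible homoglyph) domain")
    if reg in URL_SHORTENERS:
        flags.append("shortened link")
    if reg in PHISHING_BLOCKLIST:
        flags.append("blocklisted domain")
    if host.count(".") >= 3:
        flags.append("unusually deep subdomain chain")
    # The brand name appears somewhere in the host, but the part that actually
    # matters (the registrable domain) is not one the brand owns.
    if brand in host and reg not in KNOWN_SENDER_DOMAINS.get(brand, set()):
        flags.append(f"brand name in host but registrable domain is {reg}")
    return flags


def analyze_message(raw: str, brand: str) -> list:
    """Return human-readable findings; an empty list means no sign was triggered."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    known = KNOWN_SENDER_DOMAINS.get(brand, set())
    if msg["From"] is None or not msg["From"].addresses:
        findings.append("missing sender address")
        from_domain = ""
    else:
        from_domain = msg["From"].addresses[0].domain.lower()
        if from_domain not in known:
            findings.append(f"sender domain {from_domain} is not used by {brand}")
    if msg["Reply-To"] is not None and msg["Reply-To"].addresses:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        for flag in url_red_flags(url, brand):
            findings.append(f"{flag}: {url}")
    for part in msg.iter_attachments():
        findings.append(f"unexpected attachment: {part.get_filename()}")
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency or credential request: '{phrase}'")
    return findings


# Constructed sample: the kind of message the article describes.
PHISHING_SAMPLE = """\
From: PayPal Security <security@paypa1-secure-login.example>
Reply-To: recover@mail-relay.example
To: someone@example.net
Subject: Unusual sign-in detected
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

We detected a hacker logged into your account. Change your password within 24 hours
at http://paypal.com.account-verify.paypa1-secure-login.example/login or your
account will be suspended.

--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample: a plain notification from the real sender domain.
LEGIT_SAMPLE = """\
From: PayPal <service@paypal.com>
To: someone@example.net
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available. Sign in at https://www.paypal.com/signin to view it.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze_message(sample, "paypal"))
```

The heuristics are deliberately conservative on the legitimate sample and noisy on the phishing one; a real filter would pair them with a proper public-suffix list and a maintained blocklist such as the one the section above mentions, and treat the result as a score to review rather than a verdict.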

Beware: You are putting yourself at risk by even opening a phishing email message. The sender can investigate your IP address’s activity and find your other online accounts. Further, you could install malware or other malicious software without knowing it if you go to the infected website.

Once you get there, you will be presented with a near-replica of the impersonated web page. How convincing the website is will boil down to the person behind it. Some will have sketchy images, improper wording, and invalid scripts. Others are custom-coded and designed to perfection, leaving only the referencing message and the website URL as potential evidence of a phishing attempt.

Major Phishing Attacks in Recent History

There is no shortage of cases where hundreds of thousands (and even millions!) of Americans had their information stolen through phishing attacks. Yet, each of the large-scale cases below is worth mentioning on its own.

  • Cryptolocker

This type of ransomware refers to any ‘virus’ that includes a ransom for removal. It started as a phishing attack against larger businesses. Once accounts were breached, the attacker(s) had an easy way to lure more victims. The victims would have their computers infected and files locked up until they paid the ransom, making up over $18 million in extortion payments across hundreds of thousands of victims.

  • Home Depot

The sensitive information, including credit card details, of over 100 million Americans was compromised when Home Depot’s website was hacked. While the specifics have not been disclosed, this security breach was the result of a phishing attack. After the crime, the stolen information was put up for sale on various black market forums.

  • ICANN

ICANN is the Internet Corporation for Assigned Names and Numbers, a private corporation that oversees the entire domain registration system. The corporation was targeted by a spear-phishing attack, a technique used in more than 9 in 10 phishing attempts. It started with employee e-mail accounts getting hacked but led to other systems getting compromised. For a period of time, the intruder had access to the Centralized Zone Data System containing usernames, encrypted passwords, mailing information, and more.

  • Target 

After one of the company’s sub-contractors had their account phished, the intruder managed to obtain the credit card information of over 110 million Americans. This led to the firing of IT security staff and the company’s CEO, Tony Fisher. The 2013 security breach resulted in an endless liability for Target and a renewed debate on whether a company should be held responsible for such an attack.

Attacks Like Phishing

Phishing is the most common attack of this type. Yet, there are still many other attacks that are similar in nature. Some examples include smishing and vishing attacks.

Here’s a better look at those …

  • Smishing

Smishing is the act of attempting to phish information through SMS messages. This could be done by requesting sensitive information in a response or sending the recipient to a website. It’s a popular alternative to standard phishing attacks as almost everyone has a cell phone, and the majority of smartphone users open their messages without so much as a second thought. This method is not a serious threat right now, but watch out, so it does not catch you off guard.

  • Vishing

Vishing is the act of attempting to phish information through a voice call. In most cases, this involves the fraudster impersonating a company employee. For example, they might pretend to be your credit card provider in an attempt to steal your credit card numbers. This method sometimes works because the caller can build rapport over the phone; you can easily avoid it by hanging up and calling the company back yourself to continue the conversation.