Phishing is a type of cyber attack that involves tricking people into giving away sensitive information, such as login credentials or financial information, by pretending to be a trustworthy entity. These attacks are often carried out through email or social media messages that contain malicious links or attachments. When a person clicks on the link or opens the attachment, they are taken to a fake website that looks legitimate but is actually controlled by the attacker. The website will often ask the person to enter their information, which the attacker can then use for nefarious purposes. Phishing attacks can also be carried out over the phone or in person.
Phishing has consistently ranked as one of the most common and successful types of cyber attack over the past decade. According to data from the Anti-Phishing Working Group, phishing attacks accounted for more than 30% of all cyber attacks in 2020, making them the most common type of attack. Phishing is particularly successful because it relies on social engineering to trick people into giving away sensitive information, rather than on exploiting vulnerabilities in software or hardware. As a result, it can be difficult to defend against, especially when people are not aware of the risks and do not take steps to protect themselves.
Examples of phishing attacks
- Email phishing: An attacker sends an email to a victim that appears to be from a legitimate company or organization, such as a bank or a government agency. The email may contain a malicious link or attachment that, when clicked, installs malware on the victim’s computer or takes them to a fake website where they are asked to enter sensitive information.
- Spear phishing: This is a targeted form of phishing in which the message or website is tailored to a specific individual or organization. The attacker may use information gathered from social media or other sources to make the message or website more convincing.
- Whaling: This type of phishing targets high-level executives or other individuals with access to sensitive information. The attacker will often use spear phishing techniques to create a highly convincing and personalized message or website.
- Vishing: This is a type of phishing attack that occurs over the phone. The attacker may call a victim and pretend to be a representative from a legitimate company or organization, asking for sensitive information or trying to get the victim to install malware on their computer.
- In-person phishing: Attackers may also try to obtain sensitive information in person by pretending to be a legitimate representative of a company or organization. They may approach a victim in a public place and ask for login credentials or other sensitive information.
There have been many high-profile phishing attacks throughout history, but some of the most famous ones include:
- The Gmail phishing attack of 2017. In this attack, attackers sent fake Google Docs invitations to millions of Gmail users. When users clicked on the link, they were taken to a fake Google login page where they were asked to enter their login credentials. The attackers then used these credentials to access the victims’ accounts and send more phishing emails to their contacts.
- The Yahoo phishing attack of 2013. In this attack, attackers sent fake Yahoo login pages to millions of Yahoo users. When users entered their login credentials, the attackers were able to access their accounts and steal sensitive information.
- The Anthem phishing attack of 2015. In this attack, attackers sent phishing emails to Anthem employees that contained a link to a fake website. When employees clicked on the link and entered their login credentials, the attackers were able to access the company’s systems and steal the personal information of millions of Anthem customers.
- The Marriott phishing attack of 2018. In this attack, attackers sent phishing emails to Marriott employees that contained a link to a fake website. When employees clicked on the link and entered their login credentials, the attackers were able to access the company’s systems and steal the personal information of millions of Marriott customers.
How to protect yourself from phishing attacks
- Be cautious of emails or messages from unfamiliar sources: Don’t click on links or download attachments from emails or messages unless you are certain they are legitimate.
- Look for signs of a fake website: If you receive an email or message asking you to visit a website, be sure to check the website’s URL to make sure it is legitimate. Legitimate websites will often have URLs that begin with “https://” and contain the name of the company or organization.
- Use anti-phishing software: There are many software programs available that are designed to detect and block phishing attacks. These programs can help to protect you by scanning emails and websites for signs of phishing.
- Enable two-factor authentication: This adds an extra layer of security to your accounts by requiring you to enter a code sent to your phone or email in addition to your password.
- Be aware of social engineering tactics: Attackers may try to trick you into giving away sensitive information by using psychological manipulation techniques. Be on the lookout for unusual requests or offers, and take the time to verify the identity of the person making the request before providing any sensitive information.
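The URL check described above can be automated, and doing so shows why "https://" and the presence of the company name are not enough on their own: a look-alike address can carry both while pointing at an attacker-controlled domain. The following is an added example, not code from the original article; it assumes a constructed trusted domain (examplebank.com) and brand name, and simplifies registered-domain extraction to the last two labels.

```python
from urllib.parse import urlsplit

# Constructed sample: the only domain this organization uses for login pages.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND = "examplebank"  # brand name a phishing URL would try to imitate

def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('examplebank.com' for 'www.examplebank.com').
    Simplification: production code should consult the Public Suffix List so that
    suffixes such as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_url(url: str) -> dict:
    """Return {'host', 'registered_domain', 'suspicious', 'reasons'} for a URL."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # 'examplebank.com@evil.example' shows the brand first but connects to evil.example
        reasons.append("userinfo before '@' hides the real host")
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain name")
    if not host.isascii() or any(lab.startswith("xn--") for lab in host.split(".")):
        reasons.append("internationalized hostname (possible look-alike characters)")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        reasons.append(f"registered domain {reg!r} is not a known domain")
        if BRAND in parts.netloc.lower() or BRAND in parts.path.lower():
            # The brand name is present, but only as a subdomain or path, not as the owner.
            reasons.append("brand name appears in the URL but not as the registered domain")
    return {"host": host, "registered_domain": reg,
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample URLs of the kind that might appear in a phishing email.
    for u in ["https://www.examplebank.com/login",
              "https://examplebank.com.login-verify.net/secure",
              "http://examplebank.com/login",
              "https://examplebank.com@203.0.113.5/login"]:
        verdict = check_url(u)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {u} {verdict['reasons']}")
```

Only the first URL passes: the second and fourth contain the brand name and use https yet resolve to a different owner, which is exactly the case a "does it contain the company name" glance misses.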