Phishing is an online attack where malicious actors send messages to victims pretending to be a trusted person or company.
Phishing is an example of a social engineering attack, which is a tactic of manipulating, or influencing, someone in order to control their computer system or steal personal or financial information.
Specifically, phishing attacks attempt to manipulate users into providing sensitive information (like access credentials, personal identifiers, financial information, and passwords), installing dangerous files and software, or clicking malicious links.
How does phishing work?
Phishing happens via an electronic message sent using text, email, social media, or other online communication channels.
Phishers can use any publicly available resources to gather information about their victims. They then use this information to craft a convincing fake message that lures the victim into performing an action. The message sent to the victim can appear to come from a trusted source, such as a person they know, a club they belong to, or any site or platform where they hold an account.
Attacks are delivered through malicious attachments or links to fake websites built to look like the sites they imitate. These fake websites, however, exist to collect private information such as passwords, payment information, and private keys.
Types of phishing
Email phishing
Email phishing is the most common occurrence of phishing and happens when attacks are sent via email.
Typically, attackers will use fake domains that look like real ones (for example: replacing an ‘m’ with an ‘rn’) to trick users into clicking a link or responding with sensitive information.
Spear phishing
Spear phishing is similar to email phishing, but rather than attacking a large group of random people in the hope that one responds, it targets specific groups within an organization (such as the entire HR staff) or even specific individuals.
Attackers try to use spear phishing to either gain employee credentials or to infect employee devices with malware (software designed to take control of a computer system).
Whaling
Whaling is the version of phishing targeted at high-profile individuals within an organization, generally executives (like a CEO or CFO).
Whaling emails are typically more specific and sophisticated than general phishing emails and can contain personal information on the person being targeted, as well as a deeper knowledge of the business.
Smishing
Smishing, also known as SMS phishing, is a targeted attack that uses text messages appearing to come from respected companies to harvest personal information, like passwords or credit card details.
Attackers might entice victims to click a link to a website that looks similar to the organization they are impersonating.
Vishing
Vishing, or voice phishing, is the practice of using phone calls to conduct phishing attacks. Perpetrators will call individuals pretending to be from a company and attempt to get them to reveal personal information.
Airdrop phishing
This type of phishing is specific to crypto and happens when airdrops are used for malicious purposes.
Recipients might find an unsolicited allocation of “locked” tokens, or unrevealed NFTs, in their wallets and discover that they’re being asked to buy more tokens, hand over their private keys, or connect their wallet to a third-party website where it risks being drained of funds.
How to spot a phishing attack
While cybercriminals are becoming better at creating authentic-looking messages, there are various ways for users to detect scams.
First, some messages can be spotted due to poor copywriting, grammatical errors and improper use of fonts and logos.
Second, many phishing messages contain threats, such as the threat of a lawsuit, or use a sense of urgency to push victims into acting quickly. The aim is that readers will not read the message thoroughly and will act on impulse. These messages also often push readers toward an unusual request, like opening a suspicious link or installing specific software on their computer.
The most reliable way to spot a phishing message is to look for inconsistencies in web addresses. These can be found in the sender’s email address or in the specific links within the message. For example, when receiving an email claiming to come from Bitstamp, readers must make sure that the sender’s email address ends in @bitstamp.net. Further, if there is a link in the email, readers should hover over it with their mouse to reveal its destination. If the link’s domain is not bitstamp.net, they should not click it and should discard the email.
Note that many phishing messages will contain requests for credentials, payment information, or other personal details (like asking for a cryptocurrency wallet’s seed phrase). Before offering this information, ensure that you checked the source thoroughly, especially if the message was received unexpectedly.
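The two address checks described above (the sender’s domain and the domain of every link, plus the ‘rn’-for-‘m’ lookalike trick mentioned under email phishing) can be automated. The following is an added example written for this article, not Bitstamp’s own tooling; it assumes bitstamp.net as the trusted domain, uses constructed sample messages, and treats the extra lookalike substitutions beyond ‘rn’ for ‘m’ as assumptions of the same kind. Note that the link check compares whole domain labels rather than testing whether the text “bitstamp.net” merely appears somewhere in the link, since a host such as bitstamp.net.example.com would otherwise pass.

```python
"""Defensive message checker (added example; assumptions noted inline)."""
import re
from urllib.parse import urlparse

# The article names bitstamp.net as the legitimate sender domain.
TRUSTED_DOMAIN = "bitstamp.net"

# 'rn' for 'm' is the substitution the article mentions; the remaining
# entries are assumed examples of the same lookalike technique.
LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Matches http(s) URLs in a plain-text or simple HTML body.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_of_address(address):
    """Return the lowercase domain of an email address ('' if malformed).
    Handles both 'user@host' and 'Display Name <user@host>' forms."""
    address = address.strip()
    if "<" in address and address.endswith(">"):
        address = address[address.rindex("<") + 1:-1]
    match = re.fullmatch(r"[^@\s<>]+@([^@\s<>]+)", address)
    return match.group(1).lower() if match else ""


def host_belongs_to(host, trusted=TRUSTED_DOMAIN):
    """True only if host is the trusted domain or one of its subdomains.
    The comparison is anchored on a dot so that a host like
    'bitstamp.net.example.com' is rejected even though it contains the name."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def lookalike_of(host, trusted=TRUSTED_DOMAIN):
    """Return the trusted domain if host turns into it once a lookalike
    substitution is undone (e.g. 'bitstarnp.net' -> 'bitstamp.net'),
    otherwise None."""
    normalised = host.lower()
    for fake, real in LOOKALIKES.items():
        normalised = normalised.replace(fake, real)
    if normalised != host.lower() and host_belongs_to(normalised, trusted):
        return trusted
    return None


def describe(host, trusted=TRUSTED_DOMAIN):
    """Explain why a host failed the check, naming lookalikes explicitly."""
    if lookalike_of(host, trusted):
        return "lookalike of " + trusted
    return "not " + trusted


def check_message(sender, body, trusted=TRUSTED_DOMAIN):
    """Apply the article's two tests: the sender's domain and the domain of
    every link must belong to the trusted domain. Returns a list of findings;
    an empty list means both checks passed."""
    findings = []
    sender_domain = domain_of_address(sender)
    if not host_belongs_to(sender_domain, trusted):
        findings.append(
            f"sender domain '{sender_domain}' is {describe(sender_domain, trusted)}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, trusted):
            findings.append(f"link host '{host}' is {describe(host, trusted)}")
    return findings


# Constructed sample messages (not real emails).
LEGIT = ("Bitstamp Support <support@bitstamp.net>",
         "Your statement is ready at https://www.bitstamp.net/account/statements")
SPOOF = ("security@bitstarnp.net",  # 'rn' in place of 'm'
         "Verify now: https://bitstamp.net.login-check.example/verify "
         "or https://bitstarnp.net/reset")

if __name__ == "__main__":
    for label, message in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, check_message(*message) or "no findings")
```

Running the script reports no findings for the legitimate sample and three for the spoofed one: a lookalike sender domain, a link whose host merely starts with bitstamp.net, and a lookalike link host.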
Phishing essentials
- Phishing is a cyber-attack where individuals are contacted via email, phone, or text and are directed to divulge personal information (like passwords or credit card information).
- Types of phishing include email phishing, spear phishing, whaling, vishing, smishing, and airdrop phishing.
- There are various ways to spot phishing messages, such as looking for grammatical errors in the messages, or studying the links in the message carefully.