First things first: let’s answer the question at hand.
Phishing is a cyberattack where the attacker tricks the target into disclosing personal information, revealing login credentials, or transferring money. Occurring predominantly via email, phishing is typically bulk in nature and not personalized for an individual target.
That’s the short and sweet definition. But, there’s more you need to know. Phishing is a common type of social engineering attack that cybercriminals have been conducting for decades. In this article, we’ll take a look at some different types of phishing, how these differ from “traditional” phishing, and how phishing attacks work. Wondering what social engineering is? Check out this article, which includes plenty of real-world examples.
If you look at the definition above, you’ll notice we made an important distinction in the last sentence. “Phishing is typically bulk in nature and not personalized for an individual target.” But, oftentimes, you’ll hear the word “phishing” used as an umbrella term to cover many types of online social engineering attacks, including:
What links all these types of attacks? They all involve some form of “impersonation” — the attacker pretends to be a person or institution that the target is likely to trust. But, in this article, we’ll focus on traditional “spray and pray” phishing attacks. It’s one of the most straightforward types of online social engineering attacks.
Importantly, this “old-school” form of cybercrime is distinct from all the examples above because:
If you’re scratching your head trying to figure out how phishing is different from spam, we’ve answered all your questions in this article: Spam vs. Phishing: The Difference Between Spam and Phishing.
Let’s take a real-life example of a phishing attack to see how this type of cybercrime works. It appears to come from a brand most of us know and trust: Netflix.
So, what makes it a phishing email? The “UPDATE ACCOUNT NOW” button leads to a malicious website (not Netflix’s genuine website) designed to steal payment information. But, the average person wouldn’t know that.
But look a little closer, and you’ll notice a few giveaways.
This is not your typical “Nigerian prince” scam, and it’s easy to see why so many people – both consumers and employees – fall for these scams. If you’re looking for statistics to back this up, check out this article: Must-Know Phishing Statistics (Updated 2021).
Note that this scam appears to use “email impersonation”: the sender address (mailer.netflix.com) looks like it could be an authentic Netflix domain, but Netflix doesn’t own that domain at all. Hackers can also use account takeover and email spoofing for more advanced phishing attacks.
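As an added illustration of the impersonation check described above (example code written for this article, not Tessian’s product logic), the script below classifies From: headers against a strict allow-list of the exact domains a brand sends from, so any message that invokes the brand from an unlisted domain is flagged. The allow-list, the confusable-character map and the sample headers are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: the exact domains a brand is known to send from.
# Anything else that invokes the brand name is treated as impersonation,
# so legitimate sub-domains must be listed explicitly. Hypothetical values.
TRUSTED_SENDER_DOMAINS = {
    "netflix": {"netflix.com", "members.netflix.com"},
}

# Digits and symbols commonly swapped in for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def fold(text: str) -> str:
    """Lowercase and collapse common look-alike substitutions before matching."""
    return text.lower().translate(CONFUSABLES)


def split_from_header(from_header: str) -> tuple[str, str]:
    """Return (display name, sender domain) from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'impersonation' or 'unknown'."""
    name, domain = split_from_header(from_header)
    for brand, allowed in TRUSTED_SENDER_DOMAINS.items():
        if domain in allowed:
            return "trusted"
        # The message invokes the brand (in the name or the domain) but does
        # not come from a domain on the allow-list: classic email impersonation.
        if brand in fold(name) or brand in fold(domain):
            return "impersonation"
    return "unknown"


# Constructed sample headers, not taken from any real message.
SAMPLE_HEADERS = [
    "Netflix <info@members.netflix.com>",
    "Netflix Billing <support@mailer.netflix.com>",
    '"Netflix" <no-reply@netf1ix-billing.com>',
    "Accounts <alerts@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):14} {header}")
```

The second and third samples are flagged for the reason the article gives: they borrow the Netflix name but are not sent from a domain on the allow-list.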
We’ve looked at how criminals use different methods to conduct phishing scams and target different types of people. But why do they do it? Attackers use phishing scams to target different types of resources. For example:
Want to know which of these resources hackers target the most frequently? Download this infographic.
Phishing has become a huge criminal industry, and there’s no sign of it getting smaller. Here are some of the latest statistics:
Want more of the most up-to-date figures on phishing? Subscribe to our newsletter for monthly updates, straight to your inbox. Now you know what “phishing” means, how common it is, and how much damage it can cause. If you want to learn how to protect yourself from phishing, check out our guidance on how to avoid falling for phishing attacks.