What is Phishing? A Detailed Overview

Have you ever wondered why phishing sounds like fishing? Because both are the same—just involving different animals. The first targets humans—social animals—while the second targets an actual fish. Both contain the same elements and procedure:

1. An unreasonably generous person rewarding unknowingly
2. A reward for doing nothing
3. A small hook
4. A string to pull back

The procedure follows as an unreasonably generous person rewards fish with free food (bait), and as soon as the fish avails it, it gets stuck by his hook. Later, he uses a string to pull it back and put it in a bucket. In the human context, the same scenario plays out as follows: the unreasonably generous person symbolizes the person trying to lure you, the free food symbolizes the things you desire, including fear of losing something or greed of getting it; a false sense of security; or a promise. In the digital form, it might be a link in an email promising free money, or a text from a random number announcing the demise of your loved one, it can also be a pop-up on a shady website warning you about a virus—it can be anything. 

But as soon as you take the bait, you get stuck by the hook—the hook of not getting the thing you were promised! The string symbolizes the channel through which they collected your valuable data. And lastly, you end up in a bucket—the bucket of regret!

It told you, right? These are the same things.

What are the types of phishing?

Over time, phishing has evolved into various types; the basic ideology is the same, but the method or channel is different.

Notable among them are:

1. Vishing

2. Spear phishing

3. Smishing

What is Vishing?

Vishing is a type of phishing that involves voice calls as a mode of communication.

• Example: Attacker impersonating a car sales agent, attempting to lure you into paying a down payment for a non-existing car.

What is Smishing?

Smishing is a baby of the parents 'phishing' and 'SMS'. As the name suggests, it is a phishing attack involving SMS. In this, attackers pretend to be a legitimate organization and trick users into doing their desired actions.

• Example:  An unknown attacker pretending to be Walmart, giving away a 50% discount coupon accessible via a link provided in the SMS.

What is Spear phishing?

Spear phishing is phishing with extra steps. It is more targeted and tailored to the target; the attacker gathers information, behaviors, and contact details of the target before attempting to make it look more legitimate and relevant.

• Example: An attacker scrolling through your social media profile, noticing your close friends, frequently visited places, and the date you celebrated your birthday, to craft a more relevant bait to phish you.

How to stay safe from phishing?

Phishing has more to do with psychological aspects than technological. The best way to protect yourself from phishing is always by questioning the legitimacy of the offerings, threats, and sources.

For example, you receive an email saying you have won 1,000$ from an unknown email address. Now you have to question yourself:

1. What will the next person gain from giving me 1,000$?
2. What did I do to earn that 1,000$?
3. Is it even from a legitimate source or not?

That way, you can gather your answers, resonate, and combat threats; all other technologies come after that phase.

Tools used to detect phishing:

Given below are some tools that can help you identify phishing links and emails:

1. Google Safe Browsing: Google Safe Browsing is a built-in security feature used by Chrome, Firefox, and other major browsers. It warns users when they try to visit a malicious website or download a suspicious file.
2. PhishTank: PhishTank is a community-driven platform where users submit and verify phishing websites. It's one of the largest open databases for phishing URLs serving as a go-to resource to detect phishing links for free.
3. Proofpoint: Proofpoint is an industry leader in email security solutions which uses AI and threat intelligence to block highly targeted phishing attacks. It uses global data to protect against display and domain name spoofing and stops zero-day threats, ransomware, and credential phishing.
4. Barracuda Email Security: Barracuda is a popular cloud-based security solution that protects organizations from phishing, malware, spam, and ransomware by actively scanning inbound and outbound emails. It combines email filtering with AI-based threat detection to combat threats and works well with Microsoft 365 and Google Workspace.

Bottom line:

Phishing is a cyberattack that exploits vulnerable humans, rather than vulnerable code. It preys on easily convinced people to make them take the bait and give away their valuable information. There are several types of phishing attacks varying in methods and channels, and the best way to protect against all of them is by questioning and using detection tools to identify inbound and outbound threats. Lastly, staying aware is the only way to stay secure, and keep reading Threat Writer to gain access to our well-researched awareness articles for free!