Phishing is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email and text messaging. The attacker's goal is to steal money, gain access to sensitive data and login information, or install malware on the victim's device. Phishing is a dangerous, damaging, and increasingly common type of cyberattack.
"Last year Cisco Security saw that 80% of ransomware attacks we observed began with a phishing email," said Tom Gillis, SVP and GM Security at Cisco, at RSA Conference 2023.
A phishing attack relies on a social-engineering effort where hackers create a counterfeit communication that looks legitimate and appears to come from a trusted source. Attackers use seemingly benign emails or text messages to trick unsuspecting users into taking an action such as downloading malware, visiting an infected site, or divulging login credentials in order to steal money or data.
Motivations for phishing attacks differ, but mainly attackers are seeking valuable user data such as personally identifiable information (PII) or login credentials that can be used to commit fraud by accessing the victim's financial accounts. Once attackers have login information, personal data, access to online accounts, or credit card data, they can obtain permissions to modify or compromise more cloud-connected systems and in some cases, hijack entire computer networks until the victim pays a ransom.
Some cybercriminals aren't satisfied with merely getting your personal data and credit card information. They won't stop until they have drained your bank account. In these cases, they may go beyond emails and use "popup phishing" combined with voice phishing (vishing) and SMS text messages (SMiShing). Victims may be frightened into divulging bank account access information and other details. Often perpetrated against elderly individuals or people in targeted organizations' finance departments, vishing and SMiShing are types of cyberattacks that everyone should learn about to protect themselves and their financial security.
Phishing works by luring a victim with legitimate-looking (but fraudulent) emails or other communication from a trusted (or sometimes seemingly desperate) sender who coaxes victims into providing confidential information—often on what looks to be a convincingly legitimate website. Sometimes malware or ransomware is also downloaded onto the victim's computer.
Anyone can be a target. Most phishing attacks target numerous email addresses with the hope that some percentage of users will be tricked. Security-awareness training is helpful in educating users on the dangers of phishing attacks and teaches strategies to identify phishing communications.
Phishing is effective because it exploits the vulnerabilities of human nature, including a tendency to trust others, act out of curiosity, or respond emotionally to urgent messages. And phishing attacks are increasingly easy to perpetrate with phishing kits readily available on the dark web. It's a relatively low-risk pursuit for attackers, with bulk email addresses easy to obtain and emails virtually free to send.
The first primitive forms of phishing attacks emerged decades ago in chat rooms. Since then, phishing has evolved in complexity to become one of the largest and most costly cybercrimes on the internet, leading to business email compromise (BEC), email account takeover (ATO), and ransomware. More recently, AI has made it easier for attackers to carry out sophisticated and targeted attacks by correcting spelling mistakes and personalizing messaging. For example, cybercriminals collect identifying information on groups or individuals they want to target and then use that information to mount highly personalized phishing campaigns called spear phishing. Because spear phishing communications are much more personalized, they can look especially legitimate, and thus are even more dangerous.
On the other hand, AI security solutions are enabling advanced detection and prevention techniques. Now Cisco Secure products leverage predictive and generative AI that expands our reach and interaction with security touchpoints. Cisco Secure Email Threat Defense uses unique artificial intelligence and machine learning models, including natural language processing (NLP), to identify malicious techniques used in attacks targeting your organization, derive unparalleled context for specific business risks, provide searchable threat telemetry, and categorize threats to understand which parts of your organization are most vulnerable to attack.
Armorblox, based in Sunnyvale, Calif., which Cisco is in the process of acquiring, develops solutions to protect organizations against data loss and targeted email attacks. The integration of its solutions will incorporate enhanced attack prediction to rapidly detect threats and efficiently enforce policy to reduce phishing response times.
See the gaps that invite phishing attacks. Read our Phishing for Dummies eBook.
It's important to adopt a multilayered approach that includes email filters and employee awareness training. If an attack makes it through your security defenses, employees are typically the last line of defense.
Build security resilience by learning how to recognize phishing attacks, prevent them, and remediate them if you ever accidentally succumb to a phishing attack. Start by testing your phishing knowledge with our Phishing Awareness Quiz.
No single cybersecurity solution can avert all phishing attacks. Your organization should deploy cybersecurity technology and take a tiered security approach to reduce the number of phishing attacks and the impact when attacks do occur.
To learn about the latest phishing attack methods, including spear phishing, typosquatting, steganography, and how to combat them with advanced cybersecurity methods, download our new e-book, Phishing for Dummies, and see Chapter 1: Phishing 101.
Deploy tiered security solutions
Your organization can deploy Cisco Umbrella for phishing protection and Cisco Secure Email Threat Defense to safeguard inboxes. Organizations may also consider Cisco Secure Access, a cloud-delivered security service edge (SSE) solution, grounded in zero trust, that provides secure access from anything to anywhere, including phishing protection. A strong MFA solution, like Cisco Duo, can also deter would-be attackers who have stolen login credentials through phishing.

Conduct regular training
Phishing training and anti-phishing strategies will help enlist employees in efforts to defend your organization. Include Cisco Secure Awareness Training as part of this approach. Phishing simulations and awareness training help you educate users on how to spot and report phishing attempts.

Avoid posting contact information online
Some attackers gather targeting information by scraping social media and company websites. They collect mobile numbers for key stakeholders from email signatures and use that information for spear phishing and SMiShing campaigns.

Develop unique email address conventions
Common email address naming conventions are shared on the open internet and most patterns are easy to guess. Consider developing an email naming convention that doesn't follow the standard first name (dot) last name or the first-initial, last-name pattern. Randomizing email names across the organization makes them much harder to guess at scale, although addresses can still leak through breaches and public posts, so treat this as one layer rather than a control on its own.

Deploy secure messaging platforms
With email remaining the number one vector for phishing attacks, many organizations are turning to the security of messaging platforms, including Cisco Webex Messaging, for internal communication. Messaging platforms reduce the overall dependency on email for communication and in turn reduce email volume.
You can learn how to detect phishing emails on desktop and mobile devices. Some basic steps for detecting phishing emails follow below.
On any email client
Examining hyperlinks is one of the best ways to recognize a phishing attack. Look for misspellings and grammatical errors in the body of the email. Check that the domain the email was sent from is spelled correctly; phishing emails often substitute a number for a letter (for example, a zero in place of the letter o).

Check hyperlinks in emails
In a browser or desktop email client, hovering over a hyperlink shows the destination URL in a popup. Make sure that destination matches the link text shown in the email. Be cautious about links that contain strange characters or that have been shortened, since either can hide the real destination.

On mobile devices
You can observe the destination URL by briefly holding your finger over the hyperlink. The URL preview appears in a small popup window.

On web pages
Hover over the anchor text to find the destination URL revealed in the bottom-left corner of the browser window. Check your phish spotting skills.
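The manual checks above (sender domain spelled with a digit in place of a letter, link text that does not match the real destination, odd characters in a hostname) can be automated for triage. The following Python script is an added example, not code from this page or from Cisco: it parses a raw email, judges the address in the From header rather than the display name, compares each anchor's visible URL with its real href, flags punycode and non-ASCII hosts, and maps confusable characters (0 for o, rn for m, and so on) to catch lookalikes of a trusted-domain list. The trusted-domain list and the sample message are constructed for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed input: the brands this organisation expects mail from (hypothetical list).
TRUSTED_DOMAINS = {"microsoft.com", "cisco.com", "paypal.com"}

# Substitutions attackers use so a lookalike reads like the real domain.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "8": "b", "vv": "w", "rn": "m", "cl": "d"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Collapse confusables so 'micros0ft' and 'rnicrosoft' both become 'microsoft'."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (adequate for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str):
    """Return the trusted domain that `host` impersonates, or None if it is clean."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    labels = [normalize(part) for part in host.lower().split(".")]
    for trusted in TRUSTED_DOMAINS:
        brand = normalize(trusted.split(".")[0])
        # Whole-domain twin (rnicrosoft.com) or brand used as its own label /
        # hyphen-word in a domain the brand does not own (micros0ft-login.com,
        # microsoft.com.secure-verify.xyz). Exact label match avoids flagging
        # francisco.com for cisco.
        if normalize(reg) == normalize(trusted) or any(
                brand in label.split("-") for label in labels):
            return trusted
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed bracketed IPv6 and similar junk
        return ""


def analyze_email(raw: bytes) -> list:
    """Return human-readable findings for the sender domain and every hyperlink."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Judge the address in From:, never the display name the attacker chose.
    sender = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender_domain = sender.rpartition("@")[2]
    if (target := lookalike_of(sender_domain)):
        findings.append(f"sender domain {sender_domain} looks like {target}")
    # 2. Compare what each link shows with where it really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = AnchorCollector()
    collector.feed(body.get_content())
    for href, text in collector.anchors:
        real = host_of(href)
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != real:
            findings.append(f"link text shows {host_of(shown.group(0))} but points to {real}")
        if any(label.startswith("xn--") for label in real.split(".")) or not real.isascii():
            findings.append(f"internationalized or punycode host {real}")
        if (target := lookalike_of(real)):
            findings.append(f"link host {real} looks like {target}")
    return findings


# Constructed sample: lookalike sender, one deceptive link, one clean link.
SAMPLE_EMAIL = b"""\
From: "Microsoft Account Team" <security@micros0ft-login.com>
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed unusual sign-in activity.</p>
<p>Sign in at <a href="https://login.microsoft.com.secure-verify.xyz/reset">https://login.microsoft.com/</a>
to keep your account.</p>
<p>Or read our <a href="https://www.microsoft.com/security">security tips</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("[!]", finding)
```

Run against the sample, the script reports the digit-substituted sender domain, the anchor whose visible URL is login.microsoft.com while its href goes to a .xyz host, and that same host as a brand lookalike; the genuine www.microsoft.com link produces nothing. The two-label registrable() shortcut mis-handles country-code second-level domains such as .co.uk, so a production version would use a public-suffix list.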
BEC attacks are carefully planned and researched attacks that impersonate an organizational executive, vendor, or supplier.
Watch Phish and Learn to see why BEC is difficult to detect.
View business email compromise (BEC) infographic
Email account compromise. This is a common type of BEC scam in which an employee's email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.
Employee impersonation. This type of BEC takes the form of an email scam, in which a bad actor impersonates a trusted internal employee or vendor to steal money or sensitive information through email.
VIP impersonation. This type of attack occurs when a malicious actor sends an email to an unsuspecting victim, using a compromised email of a legitimate company, individual or VIP, asking for payment or funds transfer.
External payment fraud. An email attack is sent to an unsuspecting victim impersonating trusted vendors for invoice payment requests. It is also known as Vendor Email Compromise (VEC).
Internal payment fraud. Using stolen credentials an attacker can gain access to internal payment systems such as payment platforms and set up fraudulent vendors, change payment recipients, or redirect payments to their accounts.
Payroll diversion fraud. Using stolen email credentials, an attacker emails an organization's payroll or finance department requesting a change to direct-deposit information.
Social engineering. Persuasion through psychology is used to gain a target's trust, causing them to lower their guard and take unsafe action such as divulging personal information.
Extortion. Threatening or intimidating action is used to obtain monetary or other financial gain, commonly used in vishing scams.
Malicious recon emails. This looks like legitimate email communication but is actually an email sent by an attacker with the purpose of eliciting a response prior to extracting sensitive user or organizational data.
Credential phishing. A bad actor steals login credentials by posing as a legitimate entity using emails and fake login pages. The bad actor then uses the victim's stolen credentials to carry out a secondary attack or extract data.
The methods used by attackers to gain access to cloud email, such as a Microsoft 365 email account, are fairly simple and increasingly common. These phishing campaigns usually take the form of a fake email from Microsoft. The email contains a request to log in, stating the user needs to reset their password, hasn't logged in recently, or that there's a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue.
Spear phishing targets specific individuals instead of a wide group of people. That way, the attackers can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company's defenses and carry out a targeted attack. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.
When attackers go after a "big fish" like a CEO, it's called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives have access to a great deal of sensitive organizational information.
Voice phishing, or vishing, is a form of social engineering. It is a fraudulent phone call or voice message designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your organization or a subscription service. New employees are often vulnerable to these types of scams, but they can happen to anyone—and are becoming more common. Deploying spam call-blocking software is a common tactic to prevent these types of calls.
Text message, or SMS, phishing can come through random broadcast text messages or portray a known coworker in your organization. SMiShing messages often contain a link or demand that you take immediate action. Either way, if you don't recognize the mobile number, delete the message. If you are ever unsure, call the individual using a phone number you already know to be valid to make sure the task is legitimate.
Angler phishing is similar to vishing, but instead of a phone call, attackers reach out by direct messaging on social media platforms. Victims are targeted by fake customer service agents. These attacks have even tricked professional anti-scammers, so don't underestimate the efficacy of this method.
As phishing has evolved, it has taken on a variety of names, including spear phishing and SMiShing, and phishing attacks come through a variety of channels, including compromised websites, social media, fake ads, QR codes, attachments, and text messages.