How Does Phishing Work? 8 Things That May Surprise You

Written by Emily Jones on September 27, 2022

Warren Averett How Does Phishing Work image

Phishing is an incredibly effective and dangerous type of cyberattack that enables malicious actors to deploy ransomware and defraud victims of money, credentials, passwords, user data and other digital assets.

It’s the second most common cause of data breaches, costing responding organizations an average of $4.91 million per breach.

Some of the most damaging cyberattacks in the past few decades started with a single phishing email. And it can happen to any business.

Case in point, even tech giants like Facebook and Google are vulnerable to phishing schemes. A cybercriminal from Lithuania and his co-conspirators emailed fake IT equipment invoices to the companies between 2013 and 2015 and, ultimately, cheated these big tech businesses out of more than $100 million in total.

Let’s take a look into the world of phishing scams to review some surprising facts and answer the question, “How does phishing work?” Understanding the cybercrime landscape is the first step for businesses and their employees to protect themselves and their digital assets from this insidious and pervasive theft.

1. How Does Phishing Work? The Psychology of Timing

Today’s phishers are getting more strategic—most malicious phishing emails targeted at employees are sent out during the 2 p.m. to 6 p.m. window, often during the mid-afternoon slump when the energy levels of office workers are low, and they feel drained by the workday.

Phishers avoid the 9 a.m. to 1 p.m. period when employees are typically very alert and energized. As such, there’s a higher chance that employees will fall for a phishing attack during the afternoon hours.

2. An Estimated 97% of Employees Are Unable to Recognize Sophisticated Phishing Emails

As hackers up their game and deploy increasingly sophisticated cyberattacks, it’s become more challenging for average employees (and even seasoned professionals) to differentiate legitimate messages from phishing attempts. Many organizations lack the resources and technical support needed to minimize the risk and exposure of their employees to potential phishing attacks.

3. Medical Data Ranks Among the Most Sought After in Email Phishing Scams

This fact may not come as a surprise. Phishing attacks targeted at healthcare organizations are on the rise. A HIPAA study reveals that the impermissible disclosure, exposure, theft or loss of 314,063,186 healthcare records occurred between 2009 and 2021.

This equates to nearly 95% of the 2021 population of the U.S. Such records are incredibly valuable because they are data rich and can therefore be used for medical identity theft, billing fraud and the purchase of prescription drugs for resale.

4. Clone Phishing Definition: What You Need to Know About This Sophisticated Attack

Cybercriminals engage in extensive research to determine the types of business applications that enterprise employers and their employees use during their daily activities. The clone phishing definition describes a scenario where phishers use services that the intended target has previously used to launch a phishing attack.

Phishers often target applications that typically send email notifications requiring recipients to click on links. Some examples of phishing scams include the use of DocuSign. Since many organizations use this to send, receive and sign electronic contracts and documents, a clone phisher can design fake phishing emails specifically for this service.

5. Example Phishing Scams: The Quiet Rise of Vishing

Vishing, also known as voice phishing, is somewhat less notorious than its email counterpart and is steadily gaining popularity. Vishing is a more sophisticated phishing attack that relies on the ability of a malicious actor to deceive victims in real time through phone communication.

Vishing describes a phishing attempt where cybercriminals call the phone number of potential victims and create a heightened sense of fear and urgency to get them to take a particular action. These calls often occur during stressful times or periods of fear and uncertainty.

For instance, phishers pretending to be Internal Revenue Service (IRS) officials often call targets during tax season demanding their social security numbers for audit purposes. In 2022, the operators of several India-based vishing call centers were indicted for perpetuating phone scams that cost Americans over $14 million.

6. Deepfake Voice Phishing Has Arrived

There’s also a more sophisticated type of vishing attack on the rise—one that uses AI and deep learning models to clone human voices. The use of AI to perfect audio deepfakes’ impersonations is attracting the attention of cybercriminals who use them to launch sophisticated vishing attacks on specific, high-profile victims.

Deepfake voice phishing is typically designed to trick employees into sending money to the attacker. The attacker identifies an employee within an organization, poses as a superior, chief executive or someone with authority, and pressures the employee into transferring money, as was the case of this $35 million bank heist in Hong Kong.

This type of phishing attack is heavily reliant on behavioral manipulation (the eagerness to please a superior), a talent for impersonation and an in-depth understanding of corporate hierarchy.

 7. Alternative Example Phishing Scams: Website Pop-Ups

Despite the widespread use of pop-up blockers, pop-up phishing remains an insidious and effective phishing channel for malicious actors. Cybercriminals place malicious code into pop-up boxes that show up when visiting certain websites and can even use a web browser’s “notifications” feature to install malicious code on target devices when users click on “allow notification.”

8. Beware of Link Manipulation and Website Forgery

Some of the tactics used by cybercriminals to execute phishing attacks on unsuspecting victims include link manipulation and website forgery. Cybercriminals design malicious websites to impersonate an authentic one and then use phishing to get victims to visit the site and download malware or submit sensitive information.

The phishing email may contain URL links that redirect you to a fraudulent site (for instance, or hidden beneath the credible link. The malicious site is set up to trick your business into surrendering your bank account credentials, credit card numbers, social security numbers and other sensitive personal information.

Get Help Understanding How Phishing Works to Prevent Cyberattacks

Hackers no longer need extensive technical knowledge and expertise to create malware, design a fraudulent website and craft convincing emails to pull off a phishing attack. The increasing popularity of phishing-as-a-service operators and the easy availability of plug-and-play phishing kits is enabling anyone, anywhere to execute sophisticated phishing attacks with little or no technical skills.

Essentially, phishing is real, dangerous and can be incredibly difficult to pin down or guard against without help from an expert who understands the evolving cybercrime landscape.

At Warren Averett Technology Group, we offer an array of services that can help proactively prevent phishing attacks from happening to you. Our experts understand cybersecurity best practices that can shield your business from risk. Schedule a consultation with an expert to evaluate how secure your systems are.

Back to Resources