What is Phishing and Why You Should Care

Written by Emily Jones on September 26, 2022


As technology evolves to make businesses run more smoothly, cyber threats advance with it, making doing business riskier. Since the term “phishing” was first used in 1996, phishing emails have become increasingly pervasive and far more sophisticated.

What is Phishing?

Phishing is a form of cyberattack in which a cleverly disguised email tricks the victim into downloading malware or giving up valuable information. A phishing attack uses social engineering to persuade unsuspecting employees that the email is genuine and comes from a trusted source, for instance a colleague, a boss, a bank or a government agency.

Attackers typically use an email phishing campaign to create a sense of trust, fear, curiosity or urgency in a victim and urge them to reveal sensitive information, open attachments containing malware or click on links to malicious websites. Phishing examples include emails purportedly from an online service or social media account alerting the victim to a policy violation or other event that supposedly requires immediate action, such as changing a password or verifying credentials.

The Rise of Phishing Attacks

Hackers now host phishing pages on HTTPS sites. They bank on users impulsively believing that any site with a padlock icon is trustworthy, when in fact HTTPS only means the connection is encrypted and the certificate matches the domain in the address bar; it says nothing about who owns that domain, and a certificate for a lookalike domain is free and easy to obtain. Attackers also use machine learning tools to process the large amounts of data they steal from email inboxes and continually design more effective phishing attacks.

The first quarter of 2022 was the worst quarter for phishing on record at the time. The Anti-Phishing Working Group observed a total of 1,025,968 phishing attacks during the period, with 384,291 in March alone, the highest number ever recorded in a single month. Credential theft phishing aimed at enterprise users rose 7% and accounted for almost 59% of all malicious emails.

What Is Behind the Surge of Phishing Campaigns?

The recent uptick in phishing scams has been linked to the global shift to remote work and the massive adoption of new cloud-based enterprise technologies without security awareness training that is appropriate to the remote work environment.

Even more worrisome is the financial cost of these breaches.

Estimates from the Ponemon Institute put the average annual cost of phishing to a large organization at $14.8 million in 2021. Aside from this direct loss, individuals, organizations and businesses suffer other unexpected financial impacts, including:

  • Brand damage and PR fallout
  • Malware and ransomware payments
  • Loss of employee productivity
  • Reduced mental health and wellbeing as a result of email breach
  • Legal costs, liability claims and regulatory fines
  • Expensive cybersecurity budget increases
  • Rise of insurance premiums for cyber coverage

What Are the Social Engineering Tactics that Make Phishing Campaigns Effective?

Studies continue to show the high success rates of phishing attacks: 20% of employees are likely to click on links in a phishing email, and 13.4% are likely to submit their credentials on the fraudulent page it leads to.

But what makes phishing attacks so persuasive and successful? Social engineering is a manipulation technique that exploits human error to obtain private information, access or valuables, and the success of every phishing email depends on how realistic the message is.

Because phishing relies on human error rather than on vulnerabilities in operating systems and software, it capitalizes on urgency, fear, trust and the ordinary mistakes of legitimate users, which are hard to thwart with software alone. Technical controls still matter: phishing-resistant multi-factor authentication and email authentication (SPF, DKIM and DMARC) limit what a stolen password or a spoofed sender address can achieve, but they do not stop a user from handing data to a convincing impostor.

Phishing emails are worded to encourage recipients to reply with sensitive personal information, download a malicious attachment or click a link that leads to a fake website (prompting victims to submit credentials).

Some phishing examples bombard victims with fictitious threats and false alarms, urging them to take certain immediate actions to prevent their accounts from being compromised or hacked. The perpetrator could imitate a coworker, government agency, tax official or banking institution to request users to send sensitive information to ostensibly perform a critical task or verify the victim’s identity.

The Lifecycle of a Phishing Campaign

The lifecycle of a phishing attack is similar to that of other social engineering attacks:

  • Discovery and investigation
  • Deception and hook
  • Attack
  • Retreat

After the discovery phase, the phishing email acts as the hook that piques the curiosity of potential victims. As soon as the hook lures in the victim and the cybercriminal obtains what they are looking for, the attack has succeeded. Once the mission is complete, the scammer retreats, leaving as little evidence as possible. Most phishing websites are abandoned within days, and some vanish in less than 13 hours.

The phishing message can also be tailored to specific high-value individuals or to potential soft targets holding certain roles within an organization (spear phishing). This customization makes the attack less conspicuous and more legitimate-looking, giving it a much better chance of success. The hacker usually scopes out the online profiles of potential victims and assembles information from their digital footprints. With this information, they can craft a personalized phishing message that gets the target to lower their guard.

In some cases, the attacker gains access to contact lists or social media connections and spams the victim’s friends, family members, colleagues and acquaintances with phishing messages that appear to come from the victim. There are also long-con variants in which hackers use emails and fake social media profiles to build rapport and trust with victims over months or even years.

What is Phishing as a Service (PhaaS)?

Phishing as a service (PhaaS) is a newer menace in the world of cybercrime. Cybercriminals now sell their expertise as vendors, supplying phishing kits to anyone who can pay the fee. A phishing kit includes everything needed for an attack, and many come with one or more mechanisms for evading email filters and security scanners: hosting on legitimate cloud services, content injection, URLs hidden in attachments rather than in the message body, content encryption, blocking of automated inspection and HTML character encoding of the page or its links.
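Two of the points above, that a padlock proves nothing about who owns a domain and that kits hide links behind HTML character encoding, can be made concrete with a small link checker. The following is an added example and is not code from the original article or from any phishing kit; the email body, the hypothetical bank domain examplebank.com and the attacker domains are constructed for the demonstration, and the two-label rule in registrable_domain is a simplification (production code should consult the Public Suffix List). It decodes HTML entities before inspecting each link, reports whether the link uses HTTPS without treating that as a trust signal, and flags links whose visible text, embedded brand name or real destination do not agree.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption for this example: the organisation's own domains. A real
# deployment would load these from configuration.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample email body. The first href is entity-encoded so that a
# filter matching on the raw bytes never sees the real hostname; the second
# buries the trusted brand inside an attacker-controlled hostname; the third
# is legitimate.
SAMPLE_BODY = """
<p>Unusual sign-in detected. Your access will be suspended in 24 hours.</p>
<p><a href="&#104;ttps://account&#45;verify&#46;example&#46;net/login">https://www.examplebank.com/login</a></p>
<p><a href="https://examplebank.com.secure-login.example.org/">Review activity</a></p>
<p><a href="https://www.examplebank.com/help">Help Centre</a></p>
"""

ANCHOR_RE = re.compile(
    r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")
# Visible link text that looks like a URL or bare hostname.
URLISH_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ("www.examplebank.com" -> "examplebank.com").
    Simplification for this example; use the Public Suffix List in production
    so that "bank.co.uk" is not reduced to "co.uk"."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text: str) -> Optional[str]:
    """Registrable domain named by the visible link text, if it looks like one."""
    m = URLISH_RE.match(text.strip())
    return registrable_domain(m.group(1)) if m else None


def analyze_links(body: str) -> list:
    """Return one finding per <a> element: decoded href, visible text, whether
    the scheme is https, and a list of reasons the link is suspicious."""
    findings = []
    for raw_href, raw_text in ANCHOR_RE.findall(body):
        # Decode entities *before* inspecting: "&#104;ttps://..." is the same
        # URL to the browser, but not to a filter that matches on raw bytes.
        href = html.unescape(raw_href).strip()
        text = html.unescape(TAG_RE.sub("", raw_text)).strip()
        host = urlparse(href).hostname or ""
        href_domain = registrable_domain(host)
        reasons = []
        # Entity encoding changed the hostname a naive parser would see.
        if urlparse(raw_href).hostname != host:
            reasons.append("hostname hidden by HTML entity encoding")
        if href_domain not in TRUSTED_DOMAINS:
            reasons.append("links to untrusted domain")
        text_domain = domain_in_text(text)
        if text_domain and text_domain != href_domain:
            reasons.append("visible text names a different domain")
        # Brand name used as a subdomain or lookalike: examplebank.com.secure-login.example.org
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and href_domain != trusted:
                reasons.append("trusted brand name embedded in another hostname")
        findings.append({
            "href": href,
            "text": text,
            # Reported for information only; HTTPS is not a trust signal here.
            "https": urlparse(href).scheme == "https",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_BODY):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} https={f['https']} {f['href']}  text={f['text']!r}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

All three sample links use HTTPS, and only the decoded destination and its relationship to the visible text and the trusted domain list decide the verdict. The same normalisation step (decode, then parse) is what an email gateway must do before any URL reputation lookup, or the encoded form walks straight past it.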

These kits also come with detailed guides and instructions on how to run a phishing campaign, and even customer support. Thousands of PhaaS kits are estimated to be available on the dark web. Their widespread availability is contributing to the unabated surge in phishing, because they enable anyone, anywhere to carry out sophisticated phishing attacks regardless of skill level.

What is Phishing Prevention and How Can I Get Help?

Although email is the primary vector for phishing attacks, cybercriminals now also use apps, phone calls (vishing), text and messaging services (smishing) and social media to get victims to hand over sensitive information that can be leveraged to ransack a business. With the ever-changing nature of phishing attacks, staying on top of your IT security can feel like an uphill climb.

The best way to protect your business is to leverage the expertise of managed service providers (MSP) and managed security services. An MSP understands cybercriminals’ latest tactics and can provide the kind of security awareness training to your employees that can help them avoid falling for a phishing scam. Schedule a consultation with an expert to evaluate your IT security health and how secure your systems are.
