What Is Phishing?

Phishing is a common cybercrime that involves tricking people into sharing passwords, credit card numbers, or personal details that criminals then use to steal valuable data and assets, or to gain control of systems and plant malware. Scammers know the best time to phish is when victims least expect it.

Here’s how phishing works: The criminal sends an email, text message, or social media message from what appears to be a known and trusted sender, getting the target to accept it as legitimate, act quickly and often without thinking, and share critical information or run a malicious file. Once a cybercriminal breaks in, they can wreak havoc.

Losses can be massive. An intruder with access to sensitive company systems can shut down operations and steal assets, intellectual property, and valuable data. With such high stakes, coupled with the wide variety and sheer volume of phishing attempts, the need for a comprehensive approach to thwarting this insidious form of cybercrime has never been greater.

What Are Some Phishing Techniques?

Phishing takes many forms, using techniques that are always adapting. Understanding the types and techniques of these cyberattacks is the first step in developing cybersecurity best practices for dealing with them.

Email/Spam

Email is where most phishing attacks start. The target gets a message that appears to come from a source they know and trust, like a bank, online retailer, service provider, or even a co-worker. The email may contain links to fake websites that harvest credentials or other vital information, or malicious attachments that install malware when opened.

Spear Phishing

Spear phishing uses personalized messages to enhance the appearance of legitimacy. The messages may reference names, job titles, or recent events or transactions, all to increase the likelihood that the recipient will take the bait and click.

Text (Smishing)

Smishing uses short message service (SMS) texts to phish, luring targets with fake delivery notices, bank alerts, or prize notifications. These messages typically carry links to fraudulent websites, and because they feel urgent, people often respond without thinking, handing fraudsters a way onto their mobile devices.

Social Engineering

Social engineering uses manipulations that play on human nature instead of technical vulnerabilities. Attackers use phone calls, social media, or even face-to-face interactions to pose as a trusted figure with the goal of gaining access to systems, data, and financial assets.

Malware

Although some phishing attacks seek to steal data and assets directly, others are designed to install malicious software that hijacks systems, sets up long-term data theft, or spreads from one sensitive system to another. Malware comes in many forms.

Trojans

A Trojan is malware disguised as a legitimate application, document, or file. Once the victim runs or opens it, it gives the attacker a foothold: Trojans can steal data, download additional malware, install trackers, and give attackers full control of the device and sometimes the systems connected to it.

Keyloggers

These programs record every keystroke a user makes, capturing usernames, passwords, credit card numbers, security-question answers such as mothers’ maiden names, and other valuable information. Keyloggers are malware that typically arrive through downloads, email attachments, or visits to infected websites.

Cybersecurity Techniques to Thwart Phishing

Stopping phishing attacks and protecting systems and data requires a combination of technology, training, and constant vigilance. The United Kingdom’s National Cyber Security Centre prescribes four layers of mitigation:

Prevention

Stopping an attack before it starts is the best way to protect information and assets. Awareness of how attacks begin addresses the human element, and limiting the amount of personal and organizational detail published on your website gives would-be attackers less material for social engineering. Email filtering and anti-spoofing controls such as SPF, DKIM, and DMARC, together with monitoring for lookalike domains, reduce the number of malicious emails and texts that reach inboxes. Multifactor authentication at login and on sensitive data transfers does not stop the message from arriving, but it limits what an attacker can do with a phished password. Intrusion detection and anti-malware tools can spot attacks that get past these controls as they happen.
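As an added example (not part of the original article or of the NCSC guidance it cites), the following Python script applies several of the filtering checks described above to a constructed sample message: it reads the SPF/DKIM/DMARC verdicts that a receiving mail server records in the Authentication-Results header, flags a Reply-To domain that differs from the From domain, detects a sender domain that imitates a trusted one by swapping digits for letters or by a single-character edit, looks for pressure language in the subject, and catches a link whose visible URL names a different host than its real destination. The trusted-domain list, the keyword list, and both sample emails are assumptions constructed for the example.

```python
"""Heuristic phishing triage for a raw email message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "corp.example.com"}  # hypothetical allow-list
URGENCY_WORDS = ("urgent", "suspended", "immediately", "verify", "24 hours")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps

# Constructed sample messages, not captured from a real mailbox.
PHISHING_EMAIL = b"""\
Authentication-Results: mx.corp.example.com; spf=fail smtp.mailfrom=examp1e-bank.com; dmarc=fail header.from=examp1e-bank.com
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: verify@mail-secure-login.net
To: staff@corp.example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Unusual activity was detected. Verify now:</p>
<a href="http://login.mail-secure-login.net/verify">https://www.example-bank.com/login</a></body></html>
"""
BENIGN_EMAIL = b"""\
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
From: "Example Bank" <statements@example-bank.com>
To: staff@corp.example.com
Subject: Your March statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready.</p>
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: set):
    """Return the trusted domain that `domain` imitates, or None if it is not a lookalike."""
    if not domain or domain in trusted:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if normalized == t or edit_distance(domain, t) <= 1:
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw: bytes) -> dict:
    """Return the sender domain and the list of phishing indicators found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, from_domain = [], domain_of(str(msg["From"] or ""))
    # 1. Receiving MTA's SPF/DKIM/DMARC verdicts: a failed anti-spoofing check.
    auth = str(msg["Authentication-Results"] or "").lower()
    findings += [f"{m}_fail" for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=fail\b", auth)]
    # 2. Replies silently redirected to a domain other than the sender's.
    reply_domain = domain_of(str(msg["Reply-To"] or ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    # 3. Sender domain imitates a trusted one (homoglyph or one-character edit).
    if lookalike_of(from_domain, TRUSTED_DOMAINS):
        findings.append("lookalike_sender")
    # 4. Pressure language in the subject line.
    if any(w in str(msg["Subject"] or "").lower() for w in URGENCY_WORDS):
        findings.append("urgency_language")
    # 5. A link whose visible URL names a different host than its real href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        if any(text.startswith(("http://", "https://"))
               and urlparse(text).hostname != urlparse(href).hostname
               for href, text in extractor.links):
            findings.append("link_text_mismatch")
    return {"from_domain": from_domain, "findings": findings, "score": len(findings)}
```

Calling analyze() on the phishing sample returns six indicators and on the benign one returns none. In a real mail pipeline these indicators would feed a scoring threshold or quarantine decision rather than a hard block, and the lookalike check would compare registrable domains using a public-suffix list rather than the whole host string.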

Detection

The faster an attack is discovered, the sooner a response can be mounted, ideally limiting the damage caused. Employee training also plays a large role, helping users to not only keep from falling prey to cybercrime but also quickly report phishing attempts, whether failed or successful. Fostering a no-blame culture that encourages timely reporting is key.

Mitigation

It’s unrealistic to expect to prevent every cyberattack, so organizations also need a strategy for limiting the damage cybercriminals can do if the first line of defense fails. Isolating compromised devices and systems, revoking exposed credentials and active sessions, and blocking malicious websites all limit how far an attacker can get. Layered controls throughout a system, such as multifactor authentication, password managers (which will not fill a saved password into a lookalike site), and alternate forms of authentication like biometrics, can also be effective.

Response

Acting as fast as possible to protect systems and data is the first priority. Getting systems back up and running and restoring uncorrupted data keeps the organization operating. Timely detection is key: software can monitor systems for breaches, but this is where a culture of reporting pays dividends.

Detection is just the beginning, however; you must also give users an effective way to log reports, and your organization needs a well-rehearsed response plan in place to take timely action. An after-incident review helps the organization strengthen its defenses against repeat attacks.

Join the Front Lines of Cyber Defense Against Phishing

Phishing is a gateway cybercrime—the open door to most major digital exploits. Cybercriminals are growing more sophisticated, powering the need for people with cybersecurity skills. A career in technology, specifically in cybersecurity, is one that pays off in plentiful jobs, interesting roles, and increasing pay. With a cybersecurity degree, you’ll find opportunities in business, government, and nonprofits, protecting them against evolving threats.

Excelsior University has been designated a Center of Academic Excellence in Cyber Defense by the National Security Agency and the Department of Homeland Security, and it is home to the National Cybersecurity Institute. Excelsior’s Bachelor of Science in Cybersecurity provides you with the skills and practical training to thrive and lead in the field as well as take certification exams like CEH or Security+. The BS in Cybersecurity program doesn’t just prepare you to deal with the threats facing our world today, like phishing; it prepares you to protect organizations from the cyberthreats yet to emerge, helping you take your place on the front lines of cyber defense.