This definition is part of our Essential Guide: Secure email servers on Exchange, Office 365 or both
Contributor(s): Mike Cobb

Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.

Typically a victim receives a message that appears to have been sent by a known contact or organization. An attachment or links in the message may install malware on the user’s device or direct them to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details. Phishing is a homophone of fishing, which involves using lures to catch fish.

Phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a seemingly legitimate email than trying to break through a computer’s defenses. Although some phishing emails are poorly written and clearly fake, sophisticated cybercriminals employ the techniques of professional marketers to identify the most effective types of messages --  the phishing "hooks" that get the highest "open" or click through rate and the Facebook posts that generate the most likes. Phishing campaigns are often built around the year's major events, holidays and anniversaries, or take advantage of breaking news stories, both true and fictitious.

To make phishing messages look like they are genuinely from a well-known company, they include logos and other identifying information taken directly from that company’s website. The malicious links within the body of the message are designed to make it appear that they go to the spoofed organization. The use of subdomains and misspelled URLs (typosquatting) are common tricks, as is homograph spoofing -- URLs created using different logical characters to read exactly like a trusted domain. Some phishing scams use JavaScript to place a picture of a legitimate URL over a browser’s address bar. The URL revealed by hovering over an embedded link can also be changed by using JavaScript.

Spear phishing attacks are directed at specific individuals or companies, while incidents that specifically target senior executives within an organization are termed whaling attacks. Those preparing a spear phishing campaign research their victims in detail in order to create a more genuine message, as using information relevant or specific to a target increases the chances of the attack being successful. Phishers use social networking and other sources of information to gather background information about the victim’s personal history, their interests and activities. Names, job titles and email addresses of colleagues and key company employees are verified, as are vacations. This information is then used to craft a believable email. Targeted attacks and advanced persistent threats (APTs) typically start with a spear phishing email containing a malicious link or attachment.

A gateway email filter can trap a lot of mass targeted phishing emails, reducing the number of phishing emails that reach users’ inboxes. Ensure your own mail servers make use of one of the main authentication standards; Sender ID or DomainKeys will help cut out spoofed email too. A Web security gateway can also provide another layer of defense by preventing users from reaching the target of a malicious link. They work by checking requested URLs against a constantly updated database of sites suspected of distributing malware.

There are plenty of resources on the Internet that provide help in combating phishing. The Anti-Phishing Working Group Inc. and the federal government’s  website both provide advice on how to spot, avoid and report phishing attacks. Interactive training aids such as Wombat Security Technologies' Anti-Phishing Training Suite or PhishMe can help teach employees how to avoid phishing traps, while sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines that are circulating the Internet.

This was first published in October 2015

Continue Reading About phishing



Find more PRO+ content and other member only offers, here.

Related Discussions

Margaret Rouse asks:

What do you think is the best defense against phishing attacks?

1  Response So Far

Join the Discussion

1 comment


Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:


File Extensions and File Formats

Powered by: