What Is Phishing? 6 Common Cyber Security Exploits Explained
By Kelly Petersen on 05/24/2021
Picture this: Simone is the head of an acquisition team that is in the final round of competing for a huge deal. The morning of the big presentation, she gets up early and sees a Dropbox link from a team member with the subject “Urgent updates for today’s meeting.”
Simone is puzzled, as she isn’t expecting further changes, but clicks the link anyway and signs in to open the document. She realizes her mistake immediately. There is nothing to view, just a blank error page. Simone had accidentally fallen for a phishing attack, putting her personal information—and the company’s security—at risk.
If you’ve spent any significant amount of time on the internet, you can probably sympathize with Simone’s story. Phishing scams are ubiquitous in our hyper-connected online society. Anyone with an active email account has likely received a phishing email, since millions of fraudulent messages are pumped out daily.
But there’s more to phishing than just simple bait-and-switch scenarios. Read on to learn more about phishing, common types of phishing attacks and the steps you can take to help avoid getting hooked by email scams.
What is phishing?
Phishing is an umbrella term for various fraudulent methods of obtaining data and/or sensitive information via electronic communication. Most phishing attacks arrive by email and are sent by cyberattackers who disguise themselves as another entity in order to access your information.
If you think you’re too savvy to fall for a scam, think again. According to a McAfee® and Center for Strategic and International Studies report, nearly two-thirds of the two billion people who use online services have had their data stolen or compromised.[1] Anyone with an email account or online presence can be targeted by phishing scams. The negative effects for companies and organizations can be severe. The most common consequences of a successful phishing attack are loss of data, compromised credentials and accounts, installation of ransomware and malware, and financial losses. Those losses can be substantial—IBM® reports the global average cost of a data breach in 2020 was $3.86 million.[2]
What do cyberattackers gain by phishing?
Unsurprisingly, access to information and money are nearly always the end goals of phishing attacks. Perpetrators of phishing crimes can make ill-gotten financial gains in a myriad of ways. A few examples include selling passwords, personal information and data; threatening disclosure of private or sensitive materials in exchange for a ransom; hacking into bank accounts; stealing credentials and identities; and installing malware.
Types of phishing attacks
The people behind these cybercrimes are constantly evolving their tactics and finding new ways to exploit people and organizations. Read on to learn more about the different types of phishing attacks being used on a regular basis.
Spoofing, or intentionally misrepresenting the source or identity of a communication to appear as though it is from a trusted source, is the bread and butter of phishing scams. Criminals most commonly spoof email addresses, domains and IP addresses to trick people into engaging with their malicious links or software. This works to great effect because people are much more likely to open an email from an entity they know or use.
Spear phishing is a highly targeted scam designed to trick a person or small group of people. In contrast to broad-based phishing attempts, the emails or other electronic communications used are much more customized for the intended recipient. To spear phish successfully, criminals use publicly available information about their targets to make the scam as convincing as possible. Even something simple, like knowing where a target lives or the online accounts a target uses, can help scammers craft their attacks.
Whaling uses the same tactics as spear phishing but with a hyper-specific focus on prominent, high-value targets. To land a successful whaling attack, cybercriminals will carefully select a senior or high-level leader at an organization and pretend to be a friend or trusted colleague. This tactic is a type of business email compromise (BEC) and is sometimes known as CEO fraud. Phishers are experts in forging emails, websites and credentials to make it seem like a legitimate message from a coworker.
Executives and other high-profile individuals should take extra care in curating their online presence. Sharing personal information—even everyday things, like birthdays, job titles, vacations or relationships—can be used by criminals to tailor attacks.
Clone phishing, as the word “clone” implies, takes a real, previously sent email and sends it again—but with dangerous additions. Scammers replace the legitimate links or attachments with malware, viruses or ransomware, so that the receiver believes they came from a trusted source. This kind of scam is particularly insidious because a busy employee with lots of emails in their inbox is likely to click without hesitation.
How to stay off the phishing hook
Your cybersecurity will have to be layered and multi-pronged to be effective. Some helpful tips for combating phishing scams are:
- Adopt a risk-aware mindset about phishing scams. Simple training and repetition can help build good habits.
- Watch out for classic tell-tale signs of a scam, like misspellings and grammatical errors, or discrepancies in names, URLs, sender information and websites.
- Utilize a password manager to reduce the hassle of having complex and unique passwords.
- Use email signing certificates for highly visible employees, like CEOs and leadership, who may be targeted.
- Be cautious about using public Wi-Fi. Never download an app or give personal information in exchange for free internet.
- Maintain robust cybersecurity programs. Use email filters, antivirus software and VPNs.
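As an added example that is not part of the original article, the following Python script checks a message for two of the tell-tale signs listed above: a sender display name that claims a trusted brand while the address domain is something else, and link text that shows one domain while the link actually points to another (the situation Simone ran into). The sample message, its domains and the TRUSTED_DOMAINS list are constructed assumptions, not data from a real attack.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message with hypothetical domains (not taken from any real attack).
SAMPLE = """From: "Dropbox Team" <alerts@dropbox-share-login.example>
To: simone@example.com
Subject: Urgent updates for today's meeting
Content-Type: text/html

<p>A team member shared a file with you.</p>
<a href="http://dropbox-share-login.example/login">https://www.dropbox.com/s/updates</a>
"""
TRUSTED_DOMAINS = {"dropbox.com"}  # assumed: brands the organisation really deals with
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple anchors only

def registered_domain(url_or_host):
    # Reduce a URL or host name to its last two labels: www.dropbox.com -> dropbox.com
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def find_red_flags(raw_message):
    """Warnings for two tell-tale signs: a sender name that claims a trusted brand while
    the address domain is something else, and link text that shows a different domain
    than the one the link actually targets."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    flags = []
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in display_name.lower() and sender_domain != brand:
            flags.append(f"display name mentions {brand} but sender domain is {sender_domain}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        text = text.strip()
        if "." in text and " " not in text and registered_domain(text) != registered_domain(href):
            flags.append(f"link text shows {registered_domain(text)} but points to {registered_domain(href)}")
    return flags

if __name__ == "__main__":
    for warning in find_red_flags(SAMPLE):
        print("WARNING:", warning)
```

A mail filter would run the same two comparisons before the message reaches the inbox; the check is deliberately conservative and only reports mismatches it can see in the headers and anchors.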
Combat scammers with a career in cybersecurity
Scammers never sleep, and organizations are under more pressure than ever to keep their data and information secure. While the negative effects of phishing and other malicious internet activities are certainly substantial, there’s a silver lining for tech professionals. Organizations need highly skilled help to keep their networks secure and the damage from security failures minimal. Could earning a Cyber Security degree be the right move for you? Our article “Is a Cyber Security Degree Worth It? Analyzing the Facts” can help you decide.
[1] James Lewis, “The Economic Impact of Cybercrime – No Slowing Down,” McAfee and the Center for Strategic and International Studies, February 2018 [accessed April 2021] https://www.csis.org/analysis/economic-impact-cybercrime
[2] IBM, “Cost of a Data Breach Report 2020 Highlights” [accessed April 2021] https://www.ibm.com/downloads/cas/QMXVZX6R
McAfee is a registered trademark of McAfee, LLC.
IBM is a registered trademark of International Business Machines