What is Phishing?:
Techniques, Prevention & How To Recognize

Bart Lenaerts-Bergmans - February 6, 2023

Phishing Definition

Phishing is a scam that impersonates a reputable person or organization with the intent to steal credentials or sensitive information. Although email is the most common type of phishing attack, depending on the type of phishing scam, the attack may use a text message or even a voice message.

How do Phishing Attacks Work?

A typical phishing attack starts with a threat actor sending mass amounts of emails in hopes of getting anyone to click on malicious links.

These threat actors, whether an individual criminal or a nation-state, craft such messages to appear to be legitimate. A phishing email can appear to be from your bank, employer or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.

The intent could be to deploy ransomware, to steal existing account credentials, to acquire enough information to open a new fraudulent account, or simply to compromise an endpoint. A single click on a malicious phishing link has the potential to create any of these problems.

Phishing Attack Techniques

1. Email Phishing

Spear phishing

Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.

Whale Phishing (Whaling)

Whaling, a form of business email compromise (BEC), is a type of spear-phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.

Learn More

Spear phishing is a targeted attack on a specific person or organization, whereas general phishing campaigns are sent to a large volume of people. Spear Phishing vs. Phishing

2. Voice Phishing (Vishing)

Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.

3. SMS Phishing (Smishing)

Smishing is a phishing campaign conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.

2023 CrowdStrike Global Threat Report

The 2023 Global Threat Report highlights some of the most prolific and advanced cyber threat actors around the world. These include nation-state, eCrime and hacktivist adversaries. Read about the most advanced and dangerous cybercriminals out there:

Download Now

How to Recognize Phishing: Can you spot the Scam?

Typical characteristics of phishing messages make them easy to recognize. Phishing emails usually have one or more of the following indicators:

  1. Asks for Sensitive Information
  2. Uses a Different Domain
  3. Contains Links that Don’t Match the Domain
  4. Includes Unsolicited Attachments
  5. Is Not Personalized
  6. Uses Poor Spelling and Grammar
  7. Tries to Panic the Recipient
example of a general phishing email

Example of a phishing email attack

Learn More

As cybercrime of all kinds, and phishing, in particular, reaches new heights in 2023, it’s important for every person in your organization to be able to identify a phishing attack and play an active role in keeping the business and your customers safe. Read: How to Implement Phishing Attack Awareness Training

The Most Impersonated Organizations in Phishing Scams

While the most well-known phishing attacks usually involve outlandish claims, such as a member of a royal family requesting an individual’s banking information, the modern phishing attack is far more sophisticated. In many cases, a cyber criminal may masquerade as common retailers, service providers or government agencies to extract personal information that may seem benign such as email addresses, phone numbers, the user’s date of birth, or the names of family members.

To assess exactly which organizations are being impersonated the most in phishing scams, the CrowdStrike data science team submitted an FOIA request to the Federal Trade Commission and asked for the total number of phishing scams reported as impersonating the top 50 brands and all U.S. federal agencies.

The results show the U.S. public which emails from brands and organizations they need to be the most cautious of, and which are the most lucrative to impersonate for phishing criminals. Top 10 brands/organizations include:

  1. Amazon 
  2. Apple
  3. Social Security Administration
  4. Microsoft 
  5. Bank of America
  6. Wells Fargo
  7. AT&T
  8. Facebook
  9. FedEx
  10. Comcast

Other organizations include retailers such as Costco (11), Walmart (12) and Home Depot (18); and other courier services such as UPS (14).

How To Prevent Against Phishing

Even if you think you can spot a phishing email easily, make sure you also follow these secure tips:

  • Employee awareness training: Employees must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff.
  • Use anti-virus software: Anti-malware tools scan devices to prevent, detect and remove malware that enter the system through phishing.
  • Use an anti-spam filter: Anti-spam filters use pre-defined blacklists created by expert security researchers to automatically move phishing emails to your junk folder, to protect against human error.
  • Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Companies are constantly patching and updating their solutions to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.
  • Never reply to spam: Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately.
  • Use multi-factor authentication (MFA): Even if a victim’s credentials have been compromised in a phishing attack, MFA requires a second level of verification, like an access code sent to your phone, before gaining access to a sensitive account.
  • Don’t open the email: If you believe you have a phishing email in your inbox, do not open it, and report it through the proper channels.

What Happens If You Open a Phishing Email?

Simply reading a phishing message is normally not unsafe. The user must click a link or download a file to activate malicious activity. Be cautious about all communications you receive, and remember that although phishing may most commonly happen through email, it can also occur through cell phone, SMS and social media.

Case Study: StepStone

Founded in 1996, StepStone is one of the world’s leading digital recruitment platforms and is ideally positioned to create value in an environment with dramatically increasing talent scarcity. By combining AI-powered hiring platforms and digital recruitment services, StepStone pushes the boundaries of technology to help companies hire the right talent and help people find the right job.

Learn how CrowdStrike helped StepStone protect itself against the increasing threat level and higher sophistication of phishing and malware attacks.

Download Now

How to Report a Phishing Attack?

Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov.

Protecting From Phishing Attacks With CrowdStrike

Protecting from a phishing attack starts with following the prevention tips listed above. Nevertheless, organizations find a lot of value in having a tool or service that aids protection.

Don’t wait until you are phished to find the right solution for your business. With CrowdStrike Falcon® Complete managed detection and response (MDR), you can stop breaches on endpoints, workloads, and identities with expert management, threat hunting, monitoring and remediation.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.