Phishing
Phishing
Phishing is a form of cyberattack in which attackers masquerade as trustworthy entities to deceive individuals into disclosing sensitive data such as usernames, passwords, credit card numbers, or other personal information. The term is a play on "fishing," as the attacker "baits" a target with a seemingly legitimate message. Phishing is typically carried out through email spoofing, instant messaging, or social engineering techniques, and it remains one of the most prevalent and costly threats in cybersecurity.
Common variants include spear phishing, which targets specific individuals or organizations; whaling, which goes after high-profile executives; vishing (voice phishing) conducted over phone calls; and smishing (SMS phishing) via text messages. Attackers often design their messages to create a sense of urgency, fear, or curiosity, prompting victims to click on malicious links, open infected attachments, or directly provide login credentials.
History
The first documented use of the term "phishing" dates to the mid‑1990s on the Usenet newsgroup alt.2600, where it described the practice of stealing AOL account passwords by impersonating AOL staff. Early phishers used instant messages and fake "password recovery" pages. By the early 2000s, phishing had evolved into a broader criminal enterprise, with attackers targeting financial institutions, e‑commerce sites, and later social media platforms. The 2004 Sobig worm and subsequent phishing kits lowered the technical barrier, leading to a surge in attacks. In response, organizations such as the Anti-Phishing Working Group (APWG) were formed to track and combat the threat.
Features
Phishing attacks typically share several hallmarks:
- Deceptive sender addresses that mimic legitimate domains, often using subtle misspellings or look‑alike characters.
- Urgent or threatening language, such as warnings of account suspension or unauthorized login attempts.
- Requests for sensitive information, including passwords, Social Security numbers, or payment details.
- Links to fraudulent websites that closely resemble the real service’s login pages.
- Malicious attachments, often disguised as invoices, shipping notices, or security updates.
Modern phishing may also incorporate malware, such as keyloggers or ransomware, to further compromise a victim’s device.
Defense and mitigation
Prevention of phishing relies on a combination of user awareness, technical controls, and organizational policies. Recommended practices include:
- Using multi-factor authentication (MFA) to add an extra layer of security.
- Scrutinizing sender addresses and avoiding unsolicited links or attachments.
- Deploying email filtering and anti‑phishing software.
- Conducting regular security training and simulated phishing exercises.
- Encouraging reporting of suspicious messages to internal security teams.