Phishing

Edit · View history

Phishing

Phishing is a form of cyberattack in which attackers masquerade as trustworthy entities to deceive individuals into disclosing sensitive data such as usernames, passwords, credit card numbers, or other personal information. The term is a play on "fishing," as the attacker "baits" a target with a seemingly legitimate message. Phishing is typically carried out through email spoofing, instant messaging, or social engineering techniques, and it remains one of the most prevalent and costly threats in cybersecurity.

Common variants include spear phishing, which targets specific individuals or organizations; whaling, which goes after high-profile executives; vishing (voice phishing) conducted over phone calls; and smishing (SMS phishing) via text messages. Attackers often design their messages to create a sense of urgency, fear, or curiosity, prompting victims to click on malicious links, open infected attachments, or directly provide login credentials.

History

The first documented use of the term "phishing" dates to the mid‑1990s on the Usenet newsgroup alt.2600, where it described the practice of stealing AOL account passwords by impersonating AOL staff. Early phishers used instant messages and fake "password recovery" pages. By the early 2000s, phishing had evolved into a broader criminal enterprise, with attackers targeting financial institutions, e‑commerce sites, and later social media platforms. The 2004 Sobig worm and subsequent phishing kits lowered the technical barrier, leading to a surge in attacks. In response, organizations such as the Anti-Phishing Working Group (APWG) were formed to track and combat the threat.

Features

Phishing attacks typically share several hallmarks:

Modern phishing may also incorporate malware, such as keyloggers or ransomware, to further compromise a victim’s device.

Defense and mitigation

Prevention of phishing relies on a combination of user awareness, technical controls, and organizational policies. Recommended practices include: