What is phishing?: The Ultimate Guide

1. What is phishing?

Understand how we define phishing, why cybercriminals use it, and the top signs to watch out for.

Defining phishing…

To put it simply: phishing is a scam email designed to trick someone.

Scammers use social engineering tactics to fool you into parting with personal information, such as log-in details, or to accidentally download malware.

Voice phishing (vishing), text message phishing (smishing), and even video phishing via deepfakes is exist too – but the most common vector by far is email.

It’s a channel used by hundreds of millions of people in both their work and social lives, it’s free and easy for criminals to use anonymously, and people make a lot of mistakes when they use it.

The goals of phishing

An attacker’s short-term goal is to get a message inside an organisation’s technical defences. It’s a lot easier to get inside an organisation’s systems via phishing than it is to hack an IT system – and anyone can do it.

Just like it’s much easier to open a safe by stealing the combination code than trying to lockpick it.

Then once the email is delivered to an employee’s inbox, they’re relying on human error. They need the employee to click on a fraudulent link, or willingly give up sensitive information.

Once inside a system, attackers’ goals can vary. They might be trying to:

• Steal data to sell
• Exfiltrate data to blackmail the business
• Impersonate an executive
• Initiate a ransomware attack
• Carry out further attacks on their supply chain

Signs of phishing to watch out for

There are some tell-tale signs of phishing to watch out for. These may seem obvious, but it can be easy to forget when we’re rushing, stressed, or tired – especially when working quickly with emails:

2. The impacts of phishing

Covered the basics of phishing? Now it’s time to understand the real-life impacts it has on both businesses and individuals.

Business costs

If cybercrime was measured as a country, it would be considered the world’s third-largest economy after the U.S. and China.

The average cost of a phishing incident is already $3.92m, but global cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025.

 The costs to a business from a phishing attack are far-reaching. They include:

• Remediation efforts
• Credit/fraud monitoring for affected clients
• Lawsuits from affected clients or consumers
• Operational inefficiency from being locked out of systems/data
• Ransom demands or rebuilding costs in the event of ransomware

Damaged reputations lead to lost clients

Reputations take years to build and minutes to lose. Clichéd, but true.

It might even seem unfair – should a business suffer because one employee innocently clicked a phishing link? Unfortunately, sentiment rarely comes into these things.

It’s not hard to see why clients get so spooked by their partners being susceptible to phishing attacks. A modern CISO considers not only the data security of their own business, but that of their supply chain too.

After all, strong data security doesn’t count for much if your sensitive data has to pass through a weak link in the supply chain.

Regulatory fines

According to Egress research, 73% of businesses have suffered at least one serious data breach from phishing during the past 12 months.

And it’s not just damaged reputations they need to worry about; they can (and often are) hit with large financial penalties from regulators for exposing private data.

These aren’t slaps on the wrist – fines for data breaches can be eye-watering.

In July 2019, Equifax agreed to pay $575 million (potentially rising to $700 million) in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s "failure to take reasonable steps to secure its network.”

The human cost of a breach

The cruel thing about phishing is the victim is always an insider – and is always someone who made an honest mistake.

They might have been rushing, or tired, or under pressure… but they were most likely just trying to get their work done. Now they have to face up to the embarrassment of causing a major breach by falling for a phishing attack.

Egress research shows that in 23% of phishing incidents, the employee in question is either fired or leaves their role voluntarily.

But who’s fault is a phishing attack really? The employee for falling for it, or the employer for not having appropriate technical controls in place to protect them?

3. The psychology behind phishing: Why it’s so effective

Why is phishing so effective? Because criminals are using our psychology against us.

A human problem

At the heart of it, phishing is all about people. It relies on exploiting human fallibility and tricking someone into doing something they didn’t intend to do.

Phishing attacks originate externally, but we still class them under the umbrella of insider threat. Because ultimately, they still need a human mistake from an insider within the business for the attack to come to fruition.

Without human error, the bait remains untaken and the phishers remain frustrated.

So why do we fall for it? The truth is that in our most security-conscious and aware states, we most likely wouldn’t. Phishing emails are carefully designed to push people into a frame of mind where they act quickly, working on impulse and emotion rather than slow rational thought.

There’s a reason so many people get the instant ‘Oh no’ realisation as soon as they’ve slowed down after falling for a phishing attack.

Emotional triggers

These are just some of the tricks that cybercriminals use to make us act quickly and emotionally, rather than slowly and logically:

• Urgency: A phishing email usually wants something done right now, as the longer you have to think, the more you may question whether it’s legitimate.
• Plausibility: Modern phishing attempts will often be based on real-life, mundane scenarios. If the scam request is close to something an employee does every day, they’re more likely to miss the signs of phishing and do it in autopilot.
• Familiarity: There’s been a marked rise in spear phishing, where the attack is at least partially tailored to an individual – often claiming to be from an authority figure such as a CEO.
• Confidentiality: The action required is specific to you and needs to be done by you alone, as getting someone else involved increases the chances of the scam being spotted.

Overcoming bias with technology

Phishing can’t be completely solved with traditional technology, as it’s not a crime that solely focuses on gaps in security systems.

However, once we’ve understood and acknowledged our own human biases, we can start to even up the odds with intelligent technology.

The most advanced solutions work with users, educating them and guiding them back towards the place where they make intelligent security decisions.

We’re already using advanced machine learning to account for the unconscious human bias that makes phishing attacks successful. If you’re interested in learning how, jump to Chapter 12 to find out how the human layer security approach works in practice.

4. Spear phishing: it's personal!

Learn the signs of these highly-targeted and effective attacks.

The tactics behind spear phishing

Basic email phishing is all about quantity over quality.

Spear phishing is different, as it’s at least partially targeted at a specific individual. It’s a more time-consuming form of attack for the cybercriminal, as they have to research their victim.

For example, they might check LinkedIn or company websites to find out who has recently joined a large organization.

New joiners can be more susceptible to a spear phishing attack as they’re less familiar with company processes, security protocols, and communication styles. They also tend to be eager to please and willing to jump on tasks quickly.

Cybercriminals can also easily find out chains of line management, whether certain people are on annual leave, and which vendors a business is working with.

Spear phishing is more difficult for traditional security to detect and therefore more likely to get in front of an employee where that all-important human error takes place.

What about whaling?

Whaling is spear phishing with a single difference – they’re going after a big fish (or whale!).

These attacks are designed to catch out members of the c-suite or other senior executives within a business.

The benefit of tricking a ‘whale’ rather than a more junior employee is that they’re likely to have wider reaching access to more sensitive data and applications within a business.

They’re also often able to approve payments or wire transfers without jumping through approval hoops.

If a cybercriminal successfully lands a ‘whale’ there’s potential for huge immediate payoff, whereas if they manage to trick a junior employee via spear phishing, they’re more likely to raise suspicion by breaking protocol to try and get payments approved or request access to sensitive data.

Tips for spotting spear phishing

The best defense against spear phishing is an intelligent anti-phishing solution. However, there is still value in educating employees about the top signs to watch out for.

As you can see from the below example, they’re not always easy to catch:

Further defense against spear phishing

On top of educating employees on the above signs of spear phishing, there are some more things security teams can do to defend a business.

1. Secure personal information: Remember, any information about you on your corporate site or social media profiles can be easily found – by anyone. Cybercriminals regularly trawl LinkedIn to tailor spear phishing attacks to new employees at a business, so encourage all employees to be careful.
2. Improve your email security: Spam filters can catch basic phishing attempts, but more sophisticated spear phishing attacks can slip through. Security teams should strongly consider intelligent human layer security solutions to keep users safe.
3. Keep security systems up to date: Regularly updating your operating system can help fight spear phishing. Software updates contain patches to plug security vulnerabilities. Without these patches, your devices are vulnerable to malware.

5. Business email compromise (BEC)

Spear phishing is sometimes only the start of a more advanced scam: business email compromise (BEC).

What is BEC?

Business email compromise is an email impersonation attack with the goal of defrauding a business.

Cybercriminals will pose as a legitimate member of an organization or a vendor in order to sanction a wire transfer or the sharing of sensitive data.

BEC relies on careful research and social engineering to trick someone into doing something via text-based emails, rather than relying on malicious links or malware.

This makes it very hard to spot for traditional email security.

How does BEC work – and can it be stopped?

All BEC is essentially a form of impersonation. It works best when a senior executive’s account is used to sidestep process and request payments to fraudulent accounts.

This impersonation can be achieved in a couple of ways – spoofing or account takeover. 

Executive impersonation is covered in more detail in Chapter 6, or jump straight to Chapter 7 for the lowdown on impersonating tactics: spoofing and account takeover.

So, how to stop it?

As BEC relies on text-based social engineering, the only real defence is intelligent anti-phishing software that analyses both the content and context of emails through machine learning

6. Executive impersonation and CEO fraud

Believable impersonation is the key to many phishing scams – and the bigger the impersonated phish, the better.

Why target the top?

Anyone can be impersonated, but a cybercriminal can accomplish much more while impersonating an executive such as a CEO.

People tend to respond faster to executive requests, either through being eager to impress or being worried about keeping a member of the C-suite waiting – or a bit of both!

The goal might be:

• Tricking a vendor firm into making a payment
• Pressuring a junior employee to share sensitive data
• Getting someone to click a link that downloads ransomware

Employees are less likely to press an executive on a strange or unexpected requests. A junior employee might not feel comfortable pushing back on a CEO’s request that breaks process or seems out of the ordinary.

An executive is more likely to get this benefit of the doubt. It hits all the emotional triggers we explored in Chapter 2, using familiarity and seniority to encourage urgency and confidentiality.

Five ways employees can spot executive impersonation

1. Bizarre requests from senior leaders: If anyone asks you to transfer money or provide confidential information, treat the email with caution.
2. Attempts to sidestep normal channels: Be wary of any attempts to bypass security procedures – even if it’s your boss
3. Confidentiality requests: Is the sender asking you to keep these messages to yourself and only communicate via email? Ask yourself why!
4. Unusual content issues: Does the sender sound like their usual self? Different sign-off to normal? Follow up with a phone call.
5. Check the 'Reply To' address: An impostor's 'Reply to' email address might give away their fake display name. Double-check, as this can be hard to spot at first glance!

Seven ways security teams can stop executive impersonation

• Intelligent anti-phishing solutions: The most effective method is prevention via intelligent tech. Other tactics can help, but there’s no real substitute.
• Use a company email domain: Free, web-based email domains are easier to impersonate.
• Secure the login process: Enable multi-factor authentication and make it harder for hackers to access accounts with stolen passwords alone.
• Protect your domain: Cybercriminals create accounts that look similar to your domain name, so it can pay to register similar domains to prevent this.
• Empower employees: Encourage employees to challenge requests if they don’t trust the authenticity of an email – even if it’s from a senior team member.
• Set up processes: Ensure employees confirm email requests internally before making wire transfers or supplying confidential information. Even C-suite employees!
• Learn client habits: If a client or senior executive suddenly change their business practices, verify this directly with the sender using a different contact method.

7. Account takeover (ATO) and email spoofing

Get the lowdown on the two most common impersonation tactics used by hackers.

Email and domain spoofing

Spoofing is a tactic cybercriminals use to give the impression they’re contacting you from a known email address or website.

Scammers are able to forge the header of an email, so it looks like it’s from a legitimate source. Technical controls can be put in place to catch this, but they can’t always be fully trusted.

Websites can be spoofed too. A cybercriminal will often try to direct a user to click a malicious link, with the goal of getting them to input login details or make a financial payment.

They tend to have accurately designed logos and portals with slightly altered web addresses, so they seem normal at a glance e.g. ‘www.paypaI.com.’ Notice the capital I in place of an l?

Account takeover (ATO)

An account takeover (ATO) attack differs from impersonation via spoofing, as in this case a criminal has genuine control over a legitimate account. ATO starts with compromised credentials.

Someone within an organization will have entered their credentials into a spoofed website, responded to a spear phishing attack, or simply written their password down somewhere they shouldn’t have.

An attack from a compromised account is harder to detect because it comes from a trusted and legitimate domain. That means a hacker now has free reign to email people within a business.

At this point, security teams without intelligent anti-phishing are relying on someone within the business to catch the criminal out.

ATO and traditional technology

Social graphs, sometimes known as relationship graphs, map the communication patterns between people.

They’re touted by some as the answer to sophisticated attacks like account takeover – and they are indeed useful as part of a wider defence against phishing and preventing outbound email data breaches.

However, to stop ATO you need to be able to detect the subtle signs of advanced inbound attacks that social graphs cannot pick up. 

Traditional security methods might catch a spoofed email during an impersonation attack, but only intelligent solutions supported by machine learning and natural language processing (NLP) can detect a highly context-driven attack such as account takeover.

8. Crime-as-a-service: The business behind phishing

Crime-as-a-Service model

Phishing is a lucrative business and cybercriminals are cashing in.

In fact, it’s become so commodified that a whole new industry has been named after it: Crime-as-a-Service.

You don’t need advanced IT skills to mastermind a ransomware attack via a phishing email – anyone can do it, from anywhere in the world. It’s frighteningly easy to buy ransomware or website spoofing software online.

Organizations need to understand that there is a whole online store of software designed to break their defenses and seriously damage them.

Targeting law firms

Targeting law firms

Law firms offer a treasure trove of valuable data for cybercriminals.

They can blackmail a business with the threat of a data breach, sell personally-identifiable information on the dark web, and even offer IP to international competitors.

Or, they can lock an entire system with ransomware and demand a huge sum to unlock it – knowing full well top law firms can afford the ransom.

They’re also aware of the fact that many law firms have taken out cyber insurance policies (sometimes by hacking the actual insurer). One tactic is to set a ransom limit just below the upper limit of what the firm would be able to claim.

Law is a high-pressure environment, where people send a lot of emails and deal with hundreds of documents a day. Cybercriminals hope for one tired slip of the finger.

Targeting financial services

Cybercriminals are ramping up their attacks on financial institutions, and diversifying the tactics they use to carry out successful breaches.

Financial services organizations are targets ripe for phishing, holding reams of data regarding high-net-worth individuals and their financial transactions.

They’re transferring financial information every day, and access to their client supply chain is highly valuable from an attacker’s point of view.

And again, ransomware is a major concern to IT leaders working in the FS industry. In fact, it’s fast becoming the threat that keeps people up at night – with good reason.

9. Ransomware a rising epidemic

We’ve talked about a few phishing tactics, but there’s one that really terrifies security teams: ransomware.

How ransomware works

The premise is simple.

Firstly, ransomware needs to be downloaded into an organisation’s system, creating an initial point of infection.

In over 90% of cases, this comes from email phishing and an unwitting employee clicking on a link or opening an attachment that begins the download process.

From there, the ransomware spreads, silently infecting the entirety of a corporate system.

Once it’s made its way through the network, people within the business will notice there is a serious problem. The ransomware will lock down the organisation’s systems, which can now only be unlocked by an encryption key in the hands of the attackers.

They will demand a (sometimes huge) sum of money to share the encryption key and unlock the system.

Stop email phishing – stop ransomware

Once ransomware has struck, you’re left in a terrible catch-22.

Pay a ransom to criminals (with no guarantee they don’t keep hold of some data to blackmail you further) or rebuild your entire IT system from scratch, often at a higher cost than the price of the ransom.

Stopping the delivery of ransomware in the first place is the key to breaking the kill chain and stopping it for good.

Over 90% of ransomware attacks come from email phishing, targeting the human layer within an organisation.

Unfortunately, the problem has not been solved effectively to date by traditional solutions. Advanced technology is needed to mitigate the threat of ransomware by stopping it at the most common source of origin: email. 

Ransomware in the news

We’ve described ransomware as an epidemic – because it really is spreading fast.

It’s quickly becoming ones of the most common forms of cybercrime, and is now viewed by the US government with the same priority as terrorist attacks.

When you consider how easily major infrastructure can be shut down by an attack, this is hardly surprising.

Below are just a few recent examples from the past year alone. Sadly, we can say with confidence that this list of headlines will be updated very soon.

10. Fighting phishing: Immediate actions

What to do if disaster strikes? Prevention is always best, but here are the steps to take if you fall victim to phishing.

What to do right away if you’ve been phished

Falling for a phishing scam means serious consequences for both the individual and organization concerned.

However, there are some immediate steps you can take that might help to mitigate any fallout:

Step 1: Disconnect your device from the internet. This could help stop your device being controlled remotely, malware spreading, or data being transferred.

Step 2: Call your Security team and give them full details. It might be embarrassing to fall for a scam, but staying quiet and hoping for the best is a bad move.

Step 3: Change your passwords. If you’ve entered login details into a spoofed website or email, change them immediately from a safe device.

Step 4: Alert your bank or finance team if you’ve shared financial information. They may be able to cancel cards or block accounts in time to stop malicious transactions.

Step 5: Backup your files, as they may be erased when recovering from a phishing attack. It’s also good practice to regularly back up to an external hard drive.

Step 6: Flag the email as malicious, so your email provider will send any future emails from the scammer to your junk/spam folder.

Step 7: Run a malware scan. If you don’t have a malware scanner – now’s a good time to get one. It may be able to quarantine or remove affected files.

Step 8: If you were contacted by a spoofed company, contact the real one so they can alert people to the scam and limit the amount of future victims.

Step 9: Keep an eye out for signs of identity theft. Just because nothing happens immediately, that doesn’t mean you’re out of the woods.

Step 10: Protect yourself against future scams. You can educate yourself on the risks and signs of phishing (this guide is a good place to start!) but it might also be time to protect your business with human layer security.

Empowering employees to report phishing

In an ideal world, Security leaders want employees to spot phishing attempts and report to the Security team, so they can alert other users.

But if the worst does happen, they also want people to feel empowered to come forward and alert the Security team that they’ve fallen for a phishing scam.

It’s important to create a culture where employees feel like they can come forward and report phishing (and other data breaches or security incidents).

If someone feels like they’re going to be punished or chastised for making a mistake, they’re more likely to sweep it under the carpet and hope it goes away.

Except it won’t – and the repercussions will be more severe due to early inaction.

Training and educating colleagues

Cybersecurity training and awareness is a key component of most organisation’s phishing defences.

Unfortunately, research from the UK’s National Cyber Security Centre (NCSC) shows that after two years of cyber training people are at the same level of awareness as when they first started.

Spotting spear phishing emails is hard, and people cannot be expected to be 100% vigilant all the time. A lot of training also has a natural ceiling to it; people forget it or weren’t paying attention in the first place.

And honestly, do you want employees to waste hours every day poring over each link and email that arrives into their inbox? There is a better way: human layer security.

11. Traditional anti-phishing vs future attacks

Fighting a losing battle

Traditional technology simply can’t keep up with the growing sophistication of phishing.

Especially advanced forms of spear phishing, business email compromise, and account takeover.

Nor can they detect zero day attacks (an advanced email scam that is 'new' and not yet reported, so it hasn’t been added to blacklists). 

Traditional anti-phishing tech wasn’t designed to work against modern phishing scams such as business email compromise (BEC), which rely on text-based social engineering rather than malicious links.

It needs support from more intelligent solutions to deal with sophisticated phishing attacks.

Secure email gateways (SEGs)

SEGs are commonly used security software that monitor both sent and received emails.

They’re designed to filter out unwanted incoming content such as spam and phishing attacks, as well as preventing sensitive data from leaving organisations.

They work by analysing emails against flagged keywords and backlisted URLs, which is fine for bulk phishing emails and well-known attacks – but organisations need more.

Cleverly designed text-based spear phishing emails can easily slip through the defences of SEGs. And once an attacker is inside a system and taken over a legitimate email account, SEGs are largely redundant.

Solutions need to be able to analyse the content of text-based emails in order to catch attacks such as business email compromise (BEC).

Social graphing

In real life, not everyone you can know can be trusted, and every stranger is not a threat. It’s the same with email security.

Social graphing is software that maps the relationship patterns of how people within an organisation communicate via email with both colleagues and outsiders. It produces connection rankings, in a similar way to how LinkedIn classes people as first, second and third degree contacts.

The limitation with social graphing comes when a scammer has managed to take over a legitimate account and commit BEC that way – as the tech believes the account to be legit.

For sophisticated attacks like account takeover, only human layer security will do.

Future of phishing

Cybercriminals never sit still for long. They’re always finding new ways to outsmart and outmanoeuvre traditional anti-phishing defences.

Take deepfakes for example – images or videos manipulated with AI. Easy-to-access software can synthesise a fabricated voice or face that looks seriously convincing.

Adding a video or voice deepfake to the mix can make email phishing attacks far more effective. A cybercriminal might start by gaining access to an email account, then use a WhatsApp voice message, a voicemail, or a quick video call over Teams to follow up.

An employee might have questions marks over the initial email, but the follow up would leave them with little doubt the request is genuine (assuming the deepfake is convincing enough).

12. Human layer security: Prevent phishing for good

It’s not all doom and gloom! Intelligent technology exists that can fight back against phishing. Meet human layer security. 

The human layer – your last line of defence against phishing

Some phishing attempts will always slip through the net, even with prevention technology in place.

At this point, it’s all about whether an employee falls for the attack or not – making them literally your last line of defence.

Businesses have a choice: rely on the employee’s cybersecurity instincts and awareness training, or equip them with tools that can help.

If they choose the former, they need every employee to make the right decision every time. The cybercriminal simply needs one split-second mistake, once.

We can’t stay vigilant all the time, and anyone can slip up when they’re stressed or tired. Besides, do we really want employees forensically checking every single email that comes their way? That’s not productive – and it’s a game that’s fixed in favour of the cybercriminals.

Human layer security offers an alternative, by turning people from a security risk into your greatest security asset.

How human layer security can beat phishing

Some people will always fall for phishing attacks.

Insiders can generally be trusted to do the right thing – it’s just that they can’t be expected to do the right thing on every single occasion.

The goal of human layer security is to use intelligent technology to keep people in the mindset where they make smart security decisions (or block actions that will cause a security incident).

It’s not about policing their actions; it’s about stopping them pre-emptively and saying, “Hang on, you wouldn’t normally click on this. Are you sure you want to interact with this suspicious email?”

And that’s often all they need.

True human layer security acts more like a real-life security expert, who’s there to help and educate, rather than simply notify users that an attack has been discovered or hide it altogether.

Introducing Egress Defend

Egress Defend is the part of our human layer security platform that focuses specifically on the threat of phishing.

It’s the only anti-phishing solution globally that takes a zero-trust approach to all inbound emails, and uses machine learning and natural language processing capabilities to analyse both the content and context of emails.

Defend builds up an intelligent understanding of what constitutes a phishing attack, which allows it to detect phishing in real time, rather than simply trying to chase and block the most recent threats.

We can help you turn the tables and make cybercriminals the ones to feel frustration. Take the burden of security off your employees’ shoulder and empower them to work productively without risk.

If you’d like to learn more about Defend, or even book a no-strings-attached demo, you can head to our product page here. You might be surprised to learn just how many phishing emails are slipping through your current defenses.