What is phishing?

Phishing, pronounced “fishing”, is when a malicious actor tries to trick people into giving them sensitive information such as usernames and passwords, or into installing or giving them access to something they shouldn’t.
It is a type of social engineering attack, which means that it exploits humans rather than machines by tricking us or taking advantage of our trust. High-tech fraud, essentially.
The classic version is an email pretending to be from your bank, an online service, a retailer, the local council, your electricity supplier, or anyone else who might feasibly contact you by email. The message will usually try to create a sense of urgency – an unexpectedly high bill, an expiring account, or a limited-time offer. Others are banal – a shared file or calendar event that requires you to log in to an account or service.
Regardless of how they’re delivered, most phishing attacks will direct you to a website designed to resemble something legitimate, such as a Google, Dropbox or Microsoft account, where you’ll be prompted to enter your login details. Of course, the website isn’t what it claims to be, and your details are being stored by criminals for future use or sale.
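As an added illustration of the look-alike login site described above (example code, not from the original article), the following Python checks whether a URL's hostname imitates one of the brands named here; the brand-to-domain map, the homoglyph table and the sample URLs are assumptions constructed for the example.

```python
"""Flag hostnames that imitate well-known login providers.

Added example, not from the original article. The brand list, homoglyph
table and sample URLs below are constructed for illustration only.
"""
from urllib.parse import urlsplit

# Brands the article names as common lures, with the registrable domain
# each one is assumed to use for this example.
LEGIT = {"google": "google.com", "dropbox": "dropbox.com", "microsoft": "microsoft.com"}

# Digits commonly swapped in for look-alike letters in typosquatted names.
HOMOGLYPHS = str.maketrans("01357", "olest")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand) for the hostname in url."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # crude: ignores multi-part suffixes such as co.uk
    sld = labels[-2] if len(labels) >= 2 else host  # second-level label, e.g. "google"
    plain = sld.translate(HOMOGLYPHS)  # undo digit-for-letter swaps before comparing
    for brand, real in LEGIT.items():
        if registrable == real:
            return ("legitimate", brand)
    for brand in LEGIT:
        # Brand embedded in, or one edit away from, the domain actually registered.
        if brand in plain or levenshtein(plain, brand) <= 1:
            return ("lookalike-domain", brand)
        # Brand used only as a subdomain under somebody else's registrable domain.
        if any(brand in lab.translate(HOMOGLYPHS) for lab in labels[:-2]):
            return ("brand-in-subdomain", brand)
    return ("no-brand-match", None)


if __name__ == "__main__":
    # Constructed sample URLs of the kinds described in the article.
    for sample in ("https://accounts.google.com/signin", "http://accounts.google.com.verify-login.net/",
                   "https://dropb0x.com/s/shared-file", "micros0ft-security.com", "https://example.org/"):
        print(f"{sample:50} -> {classify(sample)}")
```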

Phishing techniques and targets
You’ll mostly encounter generic phishing attacks that hope to collect your login credentials by crafting an email and website convincing enough to get you to type them in before you notice anything amiss.
Sometimes, however, phishing attacks are more specifically targeted. “Spear phishing” is when a bad actor takes aim at people with privileged access to a company’s systems, while “whaling” is the same thing, but targeting executives.
As well as email, phishing attacks can take the form of SMS messages, which at a glance are often harder to identify as untrustworthy than an email, or even phone calls – usually automated, but sometimes involving a live caller, where they cross over with technical support scams.
While the most common targets of phishing attacks are login credentials and credit card details, two-factor authentication codes can also be phished, even though they’re only valid for 30 seconds or so – these often go hand-in-hand with more elaborate banking fraud.
What to do if you get phished?
If you only notice a phishing attack after you’ve already been taken in, try not to panic. It happens to almost everyone sooner or later. If you’ve entered any information, run files, or approved any services associated with the attack, it’s time to calmly check your security.
- Immediately change the password on the affected account
- Enable two-factor authentication
- If the account can give you a list of connected devices, apps or, in the case of email, forwarding addresses, check through those and remove anything that you don’t recognise
- If you use the same username and password credentials anywhere, change them immediately – you can search your password manager for the specific password that got phished
- If you downloaded or ran a file, run a full-system malware scan
- If the account that got phished was work-related, inform your IT department immediately
- Report it to the relevant authorities; contact the police if money has been stolen from you
Identification and reporting
I’ve previously published an example of an Amazon phishing email, explaining the critical tells that show you that it’s not the real thing.
If you receive a phishing email, you can report it to both your email service provider and the relevant authorities, such as the UK’s National Fraud and Cyber Crime Reporting Centre. Follow my guide to do so.