What is Phishing?

Phishing is a cyberattack in which scammers use fake emails, websites and other media to trick victims into revealing sensitive information, such as passwords or financial data.

Learn how CDW’s threat and vulnerability management solutions can protect your organization from phishing attacks.

How Phishing Works

Phishing is a form of social engineering which uses human psychology to manipulate recipients into taking actions that let cybercriminals access sensitive information. For example, messages appear to be from a sender that the recipient knows and trusts, such as a boss or a well-known company. Attackers try to create a sense of urgency and fear that will lead victims to act quickly instead of taking time to determine whether a message is authentic. For instance, a message might say, “If we cannot verify your account within 24 hours, your payment may be delayed.” 

Phishing messages often include a malicious attachment that, if opened, will install malware on the victim’s device. They may also direct the recipient to enter their information into a website that looks genuine but is controlled by the attacker. Once the hacker gains access to the victim’s credentials, they can access the victim’s accounts, potentially gain access to other company systems or sell the information on the dark web. 

What is Malware?

Malware is software that attackers install on victims’ devices. Some types of malware capture screenshots or a user’s keystrokes so the attacker can steal passwords and other information. Other types let an attacker hijack a device’s camera or microphone to spy on a victim remotely. Malware sometimes targets specific data types, such as online banking credentials. One of the most dangerous types of malware is ransomware, which lets attackers lock down data files until the victim pays a ransom.

Dangers and Effects of Phishing Attacks

Phishing attacks can have serious consequences, including theft of data and intellectual property, financial loss, ransomware infection, business disruption and reputational damage. If attackers install malware on victims’ devices, they could obtain credentials that enable them to steal sensitive information and infiltrate additional systems, where they can cause further damage.

Malware can spread to other IT or operational technology (OT) devices on the network, infecting an entire organization. Ransomware malware can lock down a company’s data and make it inaccessible until the company pays the hacker’s ransom demand. In addition, organizations that are subject to regulatory compliance, such as hospitals that must comply with HIPAA, may have to pay fines after a data breach.

Common Types of Phishing Attacks

Email Phishing

Phishing emails are widespread. Attackers send fraudulent messages designed to look genuine and trick recipients into revealing sensitive information. While some phishing emails have obvious red flags, such as misspellings, many are sophisticated and, at first glance, look authentic.

Spear Phishing

In spear phishing, attackers target specific individuals or organizations, often using personal details to appear credible and lower victims’ defenses. Attackers may use social media accounts, organizational websites and other sources to glean details that allow them to craft personalized, convincing messages.

Whaling

Whaling attacks focus on high-profile targets, such as executives, who often have greater access to sensitive information. Attackers gather information to carefully tailor these messages to their recipients, hoping to steal sensitive data or gain unauthorized access to systems.

Business Email Compromise

In a business email compromise (BEC), attackers impersonate an executive to convince recipients to send money to an account or share credentials that enable a further attack. For example, an employee may receive an email that looks like it comes from her CEO, asking her to pay an attached “invoice” using an unfamiliar bank account. In BEC attacks, the criminals hope recipients will feel compelled to follow the instructions because they appear to be coming from an executive and the request appears important.

Clone Phishing

In clone phishing, attackers create a replica of a legitimate message and resend it with malicious links or attachments. The sender’s email address may look slightly off, but attackers may also spoof the address so that it matches the legitimate domain.

Vishing and Smishing

Vishing and smishing use phone calls and text messages, respectively, to deceive victims into providing personal information. Attackers can spoof their caller IDs so that calls appear to come from a legitimate source, such as a local bank or the IRS.

How to Identify Phishing Attempts

Hackers employ multiple tactics to convince phishing recipients to share information or click a malicious link. The best ways to identify phishing attempts are to:

  • Be wary of urgent requests for personal information or the promise of a reward.
  • Check for unusual email addresses or phone numbers.
  • Look for spelling and grammatical errors.
  • Verify links before clicking by hovering over them.
  • Call the sender to verify a request using a known phone number (not the one in the email).
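Several of the checks in this list can be automated. The following Python script is an added example, not code from the original page or from CDW’s products; it parses a constructed sample message and reports an unfamiliar sender domain, urgent wording, and a link whose visible text points to a different host than its real href (the mismatch that hovering over a link would reveal). The trusted domain and every address in the sample are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email). It shows three of the red flags
# listed above: an unfamiliar sender domain, an urgent deadline, and a link whose
# visible text differs from where the href actually points.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank-alerts.test>
Subject: Action required: verify your account within 24 hours
Content-Type: text/html

<p>We could not verify your account. Confirm now to avoid a payment delay:</p>
<a href="http://login.examp1e-bank-alerts.test/verify">https://www.example-bank.test/verify</a>
"""

URGENCY_PHRASES = ("within 24 hours", "action required", "immediately")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def phishing_indicators(raw_message: str, trusted_domain: str) -> list:
    """Return readable red flags found in an RFC 822 message. trusted_domain is
    the domain the sender claims to represent (supplied by the caller)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []
    # Check 1: does the sender's real address domain match the claimed brand?
    _display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain != trusted_domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    # Check 2: urgent wording in the subject line or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    flags.extend(f"urgency phrase {p!r}" for p in URGENCY_PHRASES if p in text)
    # Check 3: the "hover" test done programmatically: the host shown in the
    # link text must match the host of the href the mail client would open.
    for href, visible in ANCHOR_RE.findall(body):
        shown = urlparse(visible.strip()).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            flags.append(f"link text shows {shown!r} but href goes to {real!r}")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL, "example-bank.test"):
        print("RED FLAG:", flag)
```

A clean message from the trusted domain with no urgent wording and no mismatched links returns an empty list.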

Prevention and Protection Against Phishing

The volume of phishing attacks shows no sign of slowing down, especially as artificial intelligence (AI) makes it faster, easier and cheaper for cybercriminals to launch attacks. The best defense is multilayered, incorporating several strategies to thwart criminals. That means organizations must take steps to prevent attackers from gaining access, minimize the damage if they do gain access and empower IT staffers with the visibility to detect and identify threats.

Several best practices help organizations defend against phishing:

  • Educate users about how phishing works and teach them how to recognize it.
  • Encourage or require strong password hygiene and regular password updates.
  • Implement proper email security to reduce the likelihood of malicious emails reaching employees. Protections include spam filters, anti-phishing software, advanced email filtering and domain authentication protocols that verify the legitimacy of incoming emails.
  • Implement multifactor authentication (MFA), which requires multiple verifications — a password and a code sent to a trusted device — before a user can access sensitive information. MFA provides an additional layer of protection so that even if a criminal obtains login credentials for a system or an account, they cannot gain access.
  • Limit employees’ access to only those systems and accounts they need to perform their jobs. 
  • Deploy security solutions that strengthen identity and access management capabilities and detect phishing and other malicious activity. For example, security information and event management (SIEM) tools collect and analyze data from servers, firewalls and applications, which IT departments can use to detect threats.
  • Establish an incident response plan that outlines what needs to happen after an attack. By acting quickly and following recommended protocols, an organization has a better chance of limiting the impact of a data breach.

What to Do If You Are a Victim of a Phishing Attack

If someone falls victim to a phishing attack using a personal device, they should take these steps to minimize the potential damage:

  • Immediately change passwords for the compromised account and others using the same login credentials.
  • Run an antivirus scan on the affected device to check for malware.
  • Review recent transactions, logins and changes to the account settings. For example, a criminal could circumvent MFA by changing contact information to a device they control.
  • Notify financial institutions if sensitive information was shared.
  • Report the incident to the Federal Trade Commission, the Anti-Phishing Working Group and the organization spoofed in the attack.

If the attack happened on a work device or involved work accounts, the employee should take additional steps, including:

  • Alerting IT immediately.
  • Disconnecting from the organization’s network to prevent the spread of malware.
  • Following any other steps outlined by the organization.

Organizations should have clear protocols to follow in the wake of an attack, including:

  • Involving the incident response team and, if applicable, the security operations center.
  • Containing the attack by disconnecting affected devices from the network, isolating affected accounts and identifying any other compromised accounts or systems.
  • Strengthening cybersecurity protections to address any gaps and vulnerabilities that the incident exposed.
  • Monitoring systems for data theft and additional attacks that the cybercriminals might launch using the stolen information.
  • Notifying stakeholders, which may include affected customers and regulatory bodies.
  • Alerting employees about the incident to prevent them from falling for a similar attack, and modifying cybersecurity training if the attack revealed gaps in employees’ phishing knowledge.

Emerging Phishing Trends: AI, Deepfakes and Advanced Social Engineering

Cybercriminals constantly refine their tactics to take advantage of advanced technologies. For example, criminals use AI to automate the phishing process to scale their attacks dramatically without spending more money or requiring more people. Attackers can also use generative AI to research targets and craft customized emails.

Deepfakes

AI also lets criminals create deepfakes: manipulated images, videos and audio recordings that appear genuine. These pose a significant risk because they can be extremely convincing. For example, a phishing attempt could come as a voicemail, ostensibly from an executive, asking an employee to make a financial transaction. In addition, the massive amount of content that is available online makes it easy for criminals to obtain audio, video and photo samples that they can use to create deepfakes.

Advanced Social Engineering

Advanced social engineering is a highly sophisticated attack focusing on high-value targets — those who, if successfully breached, could provide access to financial assets, valuable intellectual property or other assets that attackers could use to make money or disrupt operations. 

Targets may be senior executives, finance team members or IT professionals with administrative access to key infrastructure. Attackers put considerable effort into advanced social engineering and may combine multiple tactics to gain a victim’s trust. It’s important to note that attackers may target lower-level employees, such as executive assistants, in an effort to reach senior executives. That’s another reason why it is essential for all employees to receive anti-phishing education and training.

Phishing Trends by Industry and Looking Ahead

Phishing has steadily increased over the past several years. In 2023, nearly 5 million attacks occurred, according to the Anti-Phishing Working Group, a nonprofit, international consortium. Attacks that employ voice phishing are also on the rise, aided by easily accessible voice samples online and technologies that facilitate deepfakes.

In addition to adapting their strategies to new technologies, cybercriminals also tailor their attacks to specific industries:

  • Financial institutions: Banks and other institutions are among the most frequently targeted sectors because they manage significant amounts of money and frequently transfer funds. Criminals may use BEC attacks to impersonate bank executives and convince employees to authorize fraudulent transactions. The expansion of online banking and mobile payment apps has created additional vulnerability because consumers are accustomed to sending and receiving money digitally, which may make them more susceptible to phishing.
  • Healthcare institutions: Hospitals and other healthcare organizations maintain significant amounts of sensitive information that is extremely valuable on the dark web. This includes confidential patient information, financial information and intellectual property. Small and rural hospitals may be especially vulnerable to phishing attacks if they lack the resources to adequately defend against them.
  • Government agencies: Federal, state and local agencies house vast troves of data and provide essential services. That makes them favored targets for phishing attacks aimed at stealing information or disrupting services. Criminals may target small municipalities that lack sophisticated cybersecurity protections or government-owned utilities that provide water and electricity. Attacks in this sector continue to grow in frequency, with ransomware and BEC attacks being common tactics.
  • Educational institutions: Phishing attacks on K–12 districts and colleges are common. Schools maintain personal, financial and healthcare data, while colleges may house valuable research data and other proprietary assets. The expansion of online learning has exacerbated the risks by increasing the potential attack surface, giving criminals more possible entry points to reach victims.
  • Small businesses: Small businesses can be especially vulnerable to phishing because they often lack robust security and may not have a dedicated cybersecurity team. In addition, many small businesses are managed on home networks that are not as well-protected as enterprise networks. Criminals may try to take advantage of these weaknesses through spear phishing — for example, using personalized messages to convince an employee that they are a legitimate supplier submitting an invoice.

Phishing is a prevalent threat in the digital world. It remains challenging for individuals and organizations because cybercriminals continually refine their strategies, using AI and other new tools to launch more sophisticated, convincing attacks. By staying informed and vigilant, individuals and organizations can protect themselves from phishing and limit the damage that attackers can cause.
