What is a phishing attack?

Lexie

Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.

[Illustration: a scrap of paper with a username and password field on it, dangling from a fishing hook.]

Phishing is by far the most common “hack” used to steal passwords, take over accounts, and enter systems without authorization. It is mostly a social engineering attack, rather than a true hack in the technical sense. As such, it is far harder to defend against.

Phishing can occur through any channel: via telephone, email, a web page, or even in person. In short, it is an attempt to trick you into revealing a secret (such as your password or any other data).

The word phishing refers to the term fishing, as in “fishing for passwords,” and is possibly a portmanteau of phone and fishing. It’s also likely related to an early hacking term, phreaking, as phishing was already a common social engineering tactic even before the rise of the internet.

The symbol <>< was used to signify stolen or phished information on online forums, as it was hard for bots to detect or block it, thanks to its resemblance to valid HTML code.

How to defend against phishing attacks

The core of any phishing attack is usually the inability of humans to easily authenticate each other. Computer systems are also often not made with authentication problems in mind, and it takes a significant amount of effort to properly validate cryptographic signature schemes.

Telephone phishing

Verifying a caller’s identity can be difficult. Numbers that show up on caller ID are easy to spoof, so even if the phone number of the authorized person is known or saved in the phone book, there is no guarantee the person on the other side of the line is who they say they are.

Only calling the number back proves that it really belongs to the caller, and even then it is important to verify the number by looking it up on the internet or in a telephone book. You can also consider a number verified if you collected it in person, for example, from a business card.

Banks, governments, or courts will hardly ever call you to request personal information. If they do, ask for the caller’s name, title, and department, then call back with a publicly listed and available number of that institution.

Email

Phishing emails are by far the most common threat. Attackers will send legitimate-looking emails from financial institutions, governmental organizations, or generic schemes like lotteries to trick a user into visiting their website.

The attackers may set up a fake banking website, for example, that looks real enough and will prompt the user to enter personal information. Such a phishing site might ask for passwords, credit card details, or generic personal information for use in identity theft schemes.

The most robust way to verify an email’s authenticity is a PGP signature, though few individuals and sites have it set up.

As a rule, one should not click links in emails, especially not those in unexpected correspondence. Instead, users should navigate to the website directly and follow prompts there. Use the forms on the website to communicate with support staff.

Websites

Phishing sites might impersonate a site that the victim regularly visits. They might also simply be used to trick the user into calling a fake customer support number or to solicit credit card details from users, for example, by notifying them of a lottery jackpot.

Victims of phishing sites are often funneled to the sites using four distinct channels:

  • Emails: “Account verification required.”
  • Advertisements: “You’re the lucky winner!”
  • Typo-squatting: googel.com instead of google.com
  • Search engines: “You searched for your bank, here is your ‘bank’”

To avoid falling victim to a phishing site, it is a good idea to always check the URLs of the sites you visit and, ideally, only navigate to them using saved bookmarks.

Using a hardware two-factor authentication method is also a great way to protect yourself from phishing, although not all sites offer this. Some password managers can also help you identify phishing sites, as they will only auto-fill your passwords into sites they’ve previously authenticated.
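The domain check a password manager performs before auto-filling, applied to the typo-squatting case above, as an added example that is not the article's own code (the vault entries, hostnames and the 0.8 similarity threshold are constructed for illustration):

```python
"""Added example, not from the article: the origin check a password manager
makes before auto-filling, applied to the article's typo-squatting case.
The vault contents, hostnames and threshold are constructed sample values."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit
import unicodedata

# Constructed vault: registrable domain -> saved username.
SAVED_LOGINS = {
    "google.com": "alice@example.com",
    "mybank.example": "alice",
}
LOOKALIKE_RATIO = 0.8  # heuristic threshold for "one typo away" domains


def registrable_domain(url: str) -> str:
    """Lower-case, NFKC-normalise the host and keep its last two labels.

    Two labels is a simplification (real managers use the Public Suffix
    List); it is enough to show why 'google.com.evil.example' must not match.
    """
    host = unicodedata.normalize("NFKC", urlsplit(url).hostname or "")
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def autofill_decision(url: str, vault: dict = SAVED_LOGINS) -> tuple[bool, str]:
    """Fill only on https pages whose registrable domain exactly matches a
    saved entry. Every refusal carries a reason, because a manager that stays
    silent on a familiar-looking login page is itself a phishing warning."""
    if urlsplit(url).scheme != "https":
        return False, "refuse: page is not served over https"
    domain = registrable_domain(url)
    if domain in vault:
        return True, f"fill {vault[domain]} for {domain}"
    for saved in vault:  # typo-squat hint: near-identical to a saved domain
        if SequenceMatcher(None, saved, domain).ratio() >= LOOKALIKE_RATIO:
            return False, f"refuse: {domain} resembles saved {saved}"
    return False, f"refuse: no login saved for {domain}"


if __name__ == "__main__":
    for page in ("https://accounts.google.com/signin",      # genuine subdomain
                 "https://googel.com/signin",               # the article's typo-squat
                 "https://google.com.evil.example/login",   # subdomain trick
                 "http://google.com/signin"):               # downgraded scheme
        print(page, "->", autofill_decision(page)[1])
```

The manager fills only the first URL; the other three are refused with a stated reason, which is exactly the "no auto-fill" signal the paragraph describes.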

Be careful with your personal information

Emails pressuring you to “verify your account” or to “keep your account open” are almost always phishing attempts intended to stress victims into clicking links and entering information in haste.

When receiving such emails or phone calls, keep calm and wait until you are back at a device that you are comfortable with, such as your desktop computer at home or your primary smartphone.

To mitigate vulnerability to phishing attacks, use bookmarks, password managers, and hardware two-factor authentication tokens. And finally, don’t hesitate to verify information, and always mistrust emails, advertisements, and phone calls.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.