What is phishing?
Explore IBM's phishing solution Subscribe to Security Topic Updates
Aerial view of people working in a office
What is phishing?

Phishing scams trick users into divulging sensitive data, downloading malware, and exposing themselves or their organizations to cybercrime.

Phishing attacks are fraudulent emails, text messages, phone calls or websites that are designed to trick users into actions like the following:

  • Downloading malware,
  • Sharing sensitive information or personal data (for example, Social Security and credit card numbers, bank account numbers, login credentials),
  • Other actions that expose themselves or their organizations to cybercrime.

Successful phishing attacks often lead to identity theft, credit card fraud, ransomware attacks, data breaches and huge financial losses for individuals and corporations.

Phishing is the most common type of social engineering, deceiving, pressuring or manipulating people into sending information or assets to the wrong people. Social engineering attacks rely on human error and pressure tactics for success. The attacker masquerades as a person or organization the victim trusts— like a coworker, a boss, a company the victim or victim’s employer deals with—and creates a sense of urgency to make the victim act rashly. Hackers and fraudsters use these tactics because it’s easier and cheaper to trick people than to hack into a computer or network.

According to the FBI, hackers favor phishing emails as their most popular attack method to deliver ransomware to individuals and organizations. IBM’s Cost of a Data Breach 2022 rates phishing as the second-most common cause of a data breach (up from fourth-most common last year) and the most expensive, costing victims USD 4.91 million on average.

Cost of a Data Breach

Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.

Related content

Register for the X-Force Threat Intelligence Index

What is phishing?

Phishing attacks are fraudulent emails, text messages, phone calls or websites that are designed to trick users into downloading malware, sharing sensitive information or personal data (for example, Social Security and credit card numbers, bank account numbers, login credentials), or taking other actions that expose themselves or their organizations to cybercrime.

Successful phishing attacks often lead to identity theft, credit card fraud, ransomware attacks, data breaches and huge financial losses for individuals and corporations.

Phishing is the most common type of social engineering, the practice of deceiving, pressuring or manipulating people into sending information or assets to the wrong people. Social engineering attacks rely on human error and pressure tactics for success. The attacker masquerades as a person or organization the victim trusts—for example, a coworker, a boss, a company the victim or victim’s employer deals with—and creates a sense of urgency that drives the victim to act rashly. Hackers and fraudsters use these tactics because it’s easier and less expensive to trick people than it is to hack into a computer or network.

According to the FBI, phishing emails are the most popular attack method, or vector, used by hackers to deliver ransomware to individuals and organizations. IBM’s Cost of a Data Breach 2022 found that phishing is the second most common cause of a data breach (up from fourth most common last year), and that data breaches caused by phishing were the most expensive, costing victims USD 4.91 million on average.

Types of phishing attacks
Bulk phishing emails

Bulk email phishing is the most common type of phishing attack. A scammer creates an email message that appears to come from a large, well-known legitimate business or organization, like a national or global bank, a large online retailer, the makers of a popular software application or app. They then send the message to millions of recipients as bulk email phishing is a numbers game: The larger or more popular the impersonated sender, the more recipients who are likely to be customers, subscribers or members.

Cybercriminals go to various lengths to make the phishing email appear legitimate. They typically include the impersonated sender’s logo in the email, masking the ‘from’ email address to include the impersonated sender’s domain name. Some even spoof the sender’s domain name—for example, by using ‘rnicrosoft.com’ instead of ‘microsoft.com’—to appear legit at a glance.

The subject line addresses a topic that the impersonated sender might credibly address, and that appeals to strong emotions—fear, greed, curiosity, a sense of urgency or time pressure—to get the recipient's attention. Typical subject lines include 'Please update your user profile,' 'Problem with your order,' 'Your closing documents are ready to sign', 'Your invoice is attached'. 

The body of the email instructs the recipient to take a seemingly reasonable action but one that results in the recipient divulging sensitive information or downloading a file that infects the recipient's device or network.

For example, recipients might be directed to ‘click here to update your profile', but the underlying hyperlink takes them to a fake website that tricks them into entering their actual login credentials. Alternatively, they may be told to open an attachment that appears legitimate (for example, 'invoice20.xlsx') but that delivers malware or malicious code to the recipient's device or network.

Spear phishing

Spear phishing targets a specific individual—usually someone with privileged access to sensitive data or network resources, or special authority that the scammer can exploit for fraudulent purposes.

A spear phisher studies the target to gather information to pose as a person or entity the target truly trusts—a friend, boss, co-worker, colleague, trusted vendor or financial institution—or to pose as the target individual. Social media and networking sites—where people publicly congratulate coworkers, endorse colleagues and vendors and tend to overshare—are rich sources of information for spear phishing research. 

With this information, the spear phisher can send a message containing specific personal details or financial information and a credible request to the target. For example, 'I know you're leaving tonight for vacation—but can you please pay this invoice (or transfer USDXXX.XX to this account) before close of business today?'

A spear phishing attack aimed at a C-level executive, a wealthy individual or some other high-value target is often called a whale phishing or whaling attack.

Business email compromise (BEC)

BEC is a class of spear phishing attack that attempts to steal large sums of money or extremely valuable information—for example, trade secrets, customer data, financial information—from corporations or institutions.

BEC attacks can take several different forms. Two of the most common include:

  • CEO fraud: The scammer impersonates a C-level executive’s email account or hacks into it directly and sends a message to a lower-level employee instructing them to transfer funds to a fraudulent account, make a purchase from a fraudulent vendor, or send files to an unauthorized party.
     

  • Email account compromise (EAC): The scammer accesses to a lower-level employee's email account—for example, a manager in finance, sales, R&D—and uses it to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or deposits, or request access to confidential data.

As part of these attacks, scammers often gains access to company email accounts by sending an executive or employee a spear phishing message that tricks them into divulging email account credentials (username and password). For example, a message such as ‘Your password is about to expire. Click this link to update your account’ might conceal a malicious link to a fake website designed to steal account information.

Regardless of the tactics used, successful BEC attacks are among the costliest cyberattacks. In one of the best-known examples of BEC, hackers impersonating a CEO convinced his company's finance department to transfer EUR 42 million to a fraudulent bank account ( link resides outside ibm.com).

Learn more about BEC
Other phishing techniques and tactics

SMS phishing, or smishing, is phishing using mobile or smartphone text messages. The most effective smishing schemes are contextual—that is, related to smartphone account management or apps. For example, recipients may receive a text message offering a gift as 'thanks' for paying a wireless bill, or asking them to update their credit card information to continue using a streaming media service. 

Voice phishing, or vishing, is phishing by phone call. Thanks to voice over IP (VoIP) technology, scammers can make millions of automated vishing calls per day. They often use caller ID spoofing to make their calls appear to be from legitimate organizations or local phone numbers. Vishing calls typically scare recipients with warnings of credit card processing problems, overdue payments or trouble with the IRS. Recipients who respond end up providing sensitive data to the cybercriminals. Some recipients even end up granting remote control of their computers to the scammers on the call.

Social media phishing employs various capabilities of a social media platform to phish for members' sensitive information. Scammers use the platforms' own messaging capabilities—for example, Facebook Messenger, LinkedIn messaging or InMail, Twitter DMs—in much the same ways they use regular email and text messaging. They also send users phishing emails that appear to come from the social networking site, asking recipients to update login credentials or payment information. These attacks can be especially costly to victims who use the same login credentials across multiple social media sites, an all-too-common 'worst practice'.

Application or in-app messaging. Popular mobile device apps and web-based (software-as-a-service, or SaaS) applications email their users regularly. As a result, these users are ripe for phishing campaigns that spoof emails from app or software vendors. Again, playing the numbers game, scammers spoof emails from the most popular apps and web applications—for example, PayPal, Microsoft Office 365 or Teams—to get the most bang for their phishing buck. 

Protecting against phishing scams
Security awareness training and best practices

Organizations are encouraged to teach users how to recognize phishing scams, and to develop best-practices for dealing with any suspicious emails and text messages. For example, users can be taught to recognize these and other characteristic features of phishing emails:

  • Requests for sensitive or personal information, or to update profile or payment information,

  • Requests to send or move money,

  • File attachments the recipient did not request or expect,

  • A sense of urgency, whether blatant ('Your account will be closed today...') or subtle (e.g., a request from a colleague to pay an invoice immediately) threats of jail time or other unrealistic consequences,

  • Threats of jail time or other unrealistic consequences,

  • Poor spelling or grammar,

  • Inconsistent or spoofed sender address,

  • Links shortened by using Bit.Ly or some other link-shortening service,

  • Images of text used in place of text (in messages or on linked web pages).

This is only a partial list; unfortunately, hackers are always devising new phishing techniques to better avoid detection. Publications such as the Anti-Phishing Working Group's quarterly Phishing Trends Activity Report (link resides outside ibm.com) can help organizations keep pace. 

Organizations can also encourage or enforce best practices that put less pressure on employees to be phishing sleuths. For example, organizations can establish and communicate clarifying policies - for example, a superior or colleague will never email a request to transfer funds. They can require employees to verify any request for personal or sensitive information by contacting the sender or visiting the sender's legitimate site directly, by using means other than those provided in the message. And they can insist that employees report phishing attempts and suspicious emails to the IT or Security group.

Security technologies that fight phishing

Despite the best user training and rigorous best practices, users still make mistakes. Fortunately, several established and emerging endpoint and network security technologies can help security teams pick up the battle against phishing where training and policy leave off.

  • Spam filters and email security software use data on existing phishing scams and machine learning algorithms to identify suspected phishing emails (and other spam). The scams and spam are then moved to a separate folder and any links they contain are disabled.
     

  • Antivirus and anti-malware software detects and neutralizes malicious files or code in phishing emails.
     

  • Multi-factor authentication requires at least one login credential in addition to a username and a password—for example, a one-time code sent to the users' cell phone. By providing an extra last line of defense against phishing scams or other attacks that successfully compromise passwords, multi-factor authentication can undermine spear phishing attacks and prevent BEC.
     

  • Web filters prevent users from visiting known malicious websites ('blacklisted' sites) and display alerts whenever users visit suspected malicious or fake websites.

Enterprise cybersecurity solutions include the following technologies:

These technologies can be combined with continually updated threat intelligence and automated incidence response capabilities. These solutions can help organizations prevent phishing scams before they reach users and limit the impact of phishing attacks that get past traditional endpoint or network defenses.

Related solutions
IBM Security® QRadar® SIEM

Catch advanced threats that others simply miss. QRadar SIEM leverages analytics and AI to monitor threat intel, network and user behavior anomalies and to prioritize where immediate attention and remediation are needed.

Explore QRadar SIEM solutions
IBM Security Trusteer Rapport®

IBM Trusteer Rapport helps financial institutions detect and prevent malware infections and phishing attacks by protecting their retail and business customers.

Explore Trusteer Rapport
IBM Security QRadar EDR

Secure endpoints from cyberattacks, detect anomalous behavior and remediate in near real time with this sophisticated yet easy-to-use endpoint detection and response (EDR) solution.

Explore QRadar EDR
Resources Keep current on phishing

Keep current on phishing news, trends and prevention techniques at Security Intelligence, the thought leadership blog hosted by IBM Security.

What is ransomware?

Ransomware is a form of malware that threatens to destroy or withhold the victim’s data or files unless a ransom is paid to the attacker to unencrypt and restore access to the data.

Cost of a Data Breach

Now in its 17th year, this report shares the latest insights into the expanding threat landscape and offers recommendations for saving time and limiting losses.

Take the next step

Cybersecurity threats are becoming more advanced and more persistent, and demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM helps you remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others simply miss.

Explore QRadar SIEM Book a live demo