What is a phishing attack?

Updated: 17 May 2024

Contributor: Matthew Kosinski

Phishing attacks use fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime. 

Phishing scams are a form of social engineering. Unlike other cyberattacks that directly target networks and resources, social engineering attacks use human error, fake stories and pressure tactics to manipulate victims into unintentionally harming themselves or their organizations. 

In a typical phishing attempt, a hacker pretends to be someone the victim trusts, like a colleague, boss, authority figure or representative of a well-known brand. The hacker sends a message directing the victim to pay an invoice, open an attachment, click a link or take some other action.

Because they trust the supposed source of the message, the user follows the instructions and falls right into the scammer's trap. That "invoice" might lead directly to a hacker's account. That attachment might install ransomware on the user's device. That link might take the user to a website that steals credit card numbers, bank account numbers, login credentials or other personal data.  

Why phishing is a major cyberthreat 

Phishing is popular among cybercriminals and highly effective. According to IBM's Cost of a Data Breach report, phishing is the most common data breach vector, accounting for 16% of all breaches. Breaches caused by phishing cost organizations an average of USD 4.76 million, which is higher than the overall average breach cost of USD 4.45 million.

Phishing is a significant threat because it exploits people rather than technological vulnerabilities. Attackers don't need to breach systems directly or outsmart cybersecurity tools. They can trick people who have authorized access to their target—be it money, sensitive information or something else—into doing their dirty work. 

Phishers can be lone scammers or sophisticated criminal gangs. They can use phishing for many malicious ends, including identity theft, credit card fraud, monetary theft, extortion, account takeovers, espionage and more. 

Phishing targets range from everyday people to major corporations and government agencies. In one of the most well-known phishing attacks, Russian hackers used a fake password-reset email to steal thousands of emails from Hillary Clinton's 2016 US presidential campaign.1

Because phishing scams manipulate human beings, standard network monitoring tools and techniques cannot always catch these attacks in progress. In fact, in the Clinton campaign attack, even the campaign's IT help desk thought the fraudulent password-reset emails were authentic. 

To combat phishing, organizations must combine advanced threat detection tools with robust employee education to ensure that users can accurately identify and safely respond to scam attempts.

Types of phishing attacks

The word "phishing" plays on the fact that scammers use attractive "lures" to trick their victims, much the same way that fishers use bait to hook actual fish. In phishing, the lures are fraudulent messages that appear credible and evoke strong emotions like fear, greed and curiosity. 

The kinds of lures phishing scammers use depend on whom and what they are after. Some common examples of phishing attacks include:  

Bulk email phishing 

In bulk email phishing, scammers send the same phishing email to as many people as possible, hoping that a small fraction of the recipients fall for the attack. 

Scammers often create emails that appear to come from large, legitimate businesses, such as banks, online retailers or the makers of popular apps. By impersonating well-known brands, scammers increase the chances that their targets are customers of those brands. If a target regularly interacts with a brand, they are more likely to open a phishing email that purports to come from that brand. 

Cybercriminals go to great lengths to make phishing emails appear genuine. They might use the impersonated sender's logo and branding. They might spoof the From address so that the message seems to come from the impersonated sender's domain; this works when that domain does not publish and enforce SPF, DKIM and DMARC records, or when the receiving mail server does not check them. Where it does not work, they fall back on a lookalike domain or a misleading display name on an unrelated address. They might even copy a genuine email from the impersonated sender and modify it for malicious ends. 
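The following is an added example, not code from the original article or from IBM. It shows how a mail gateway or triage script can surface the spoofing signals described above from a message's headers: a display name that invokes a brand while the address belongs to another domain, Reply-To and Return-Path pointing somewhere other than the claimed sender, and the SPF/DKIM/DMARC verdicts of the receiving gateway. The gateway name mx.example.com, the brand allowlist and the three sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions, not from the article: our inbound gateway stamps every message
# with an Authentication-Results header under this authserv-id, and we keep an
# allowlist of the domains each commonly impersonated brand really sends from.
TRUSTED_AUTHSERV = "mx.example.com"
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _gateway_verdicts(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts, but only from the Authentication-Results
    header written by our own gateway. Anyone can prepend a header that claims
    dmarc=pass, so the authserv-id check is what makes the verdict trustworthy."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", rest.lower()):
            verdicts[m.group(1)] = m.group(2)
    return verdicts


def spoof_signals(raw_message: str) -> list[str]:
    """Return the sender-spoofing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From"))
    signals = []

    # 1. Display name invokes a brand, but the address is not one of its domains
    #    (catches "Microsoft Account Team" <security@rnicrosoft.com>).
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_dom not in domains:
            signals.append(f"brand-mismatch:{brand}")

    # 2. Replies or bounces would go somewhere other than the claimed sender.
    reply_dom = _domain(msg.get("Reply-To"))
    bounce_dom = _domain(msg.get("Return-Path"))
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    if bounce_dom and bounce_dom != from_dom:
        signals.append("return-path-mismatch")

    # 3. Did our gateway's SPF/DKIM/DMARC evaluation vouch for the From domain?
    verdicts = _gateway_verdicts(msg)
    if not verdicts:
        signals.append("no-gateway-auth-results")
    elif verdicts.get("dmarc") != "pass":
        signals.append(f"dmarc-{verdicts.get('dmarc', 'none')}")
    return signals


# Constructed sample messages (not real mail).
LOOKALIKE = """\
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: verify@attacker.example
Return-Path: <bounce@attacker.example>
Authentication-Results: attacker.example; dmarc=pass
Subject: Problem with your account

Click here to update your profile.
"""

FORGED_FROM = """\
From: "Microsoft" <security@microsoft.com>
Return-Path: <bounce@attacker.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example;
 dkim=none; dmarc=fail header.from=microsoft.com
Subject: Your invoice is attached

See attachment.
"""

GENUINE = """\
From: "Microsoft" <no-reply@microsoft.com>
Return-Path: <bounce@microsoft.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Subject: Your monthly statement

Statement attached.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("forged-from", FORGED_FROM), ("genuine", GENUINE)]:
        print(f"{name}: {spoof_signals(raw) or 'no spoofing signals'}")
```

The third sample shows why the authserv-id check matters: the lookalike message carries its own Authentication-Results header claiming dmarc=pass, and the script ignores it because it was not written by the trusted gateway. A mismatched Return-Path on its own is common for legitimate mailing lists and bulk senders, so in practice it is one weighted signal rather than a verdict.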

Scammers write email subject lines to appeal to strong emotions or create a sense of urgency. Savvy scammers use subjects that the impersonated sender might actually address, such as "Problem with your order" or "Your invoice is attached."

The body of the email instructs the recipient to take a seemingly reasonable action that results in divulging sensitive information or downloading malware. For example, a phishing link might read, "Click here to update your profile." When the victim clicks that malicious link, it takes them to a fake website that steals their login credentials. 

Some scammers time their phishing campaigns to align with holidays and other events where people are more susceptible to pressure. For example, phishing attacks on Amazon customers often spike around Prime Day, the online retailer's annual sales event.2 Scammers send emails about fake deals and payment problems to take advantage of people's lowered guards.

Spear phishing

Spear phishing is a targeted phishing attack on a specific individual. The target is usually someone with privileged access to sensitive data or special authority that the scammer can exploit, such as a finance manager who can move money from company accounts. 

A spear phisher studies their target to gather the information they need to pose as someone the target trusts, such as a friend, boss, coworker, vendor or financial institution. Social media and professional networking sites—where people publicly congratulate coworkers, endorse vendors and tend to overshare—are rich sources of information for spear phishing research. 

Spear phishers use their research to craft messages that contain specific personal details, making them seem highly credible to the target. For example, a spear phisher might pose as the target's boss and send an email that reads: "I know you're leaving tonight for vacation, but can you please pay this invoice before the close of business today?"

A spear phishing attack aimed at a C-level executive, wealthy individual or other high-value target is called a whale phishing or whaling attack. 

Business email compromise (BEC) 

BEC is a class of spear phishing attacks that attempt to steal money or valuable information—for example, trade secrets, customer data or financial information—from a business or other organization. 

BEC attacks can take several forms. Two of the most common include:

  • CEO fraud: The scammer impersonates a C-level executive, often by hijacking the executive's email account. The scammer sends a message to a lower-level employee instructing them to transfer funds to a fraudulent account, make a purchase from a fraudulent vendor or send files to an unauthorized party.

  • Email account compromise (EAC): The scammer compromises a lower-level employee's email account, such as the account of a manager in finance, sales or research and development. The scammer uses the account to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or request access to confidential data.

BEC attacks can be among the costliest cyberattacks, with scammers often stealing millions of dollars at a time. In one notable example, a group of scammers stole more than USD 100 million from Facebook and Google by posing as a legitimate software vendor.3

Some BEC scammers are shifting away from these high-profile tactics in favor of launching small attacks against more targets. According to the Anti-Phishing Working Group (APWG), BEC attacks grew more frequent in 2023, but scammers asked for less money on average with each attack.4

Other phishing techniques

Smishing

SMS phishing, or smishing, uses fake text messages to trick targets. Scammers commonly pose as the victim's wireless provider, sending a text that offers a "free gift" or asks the user to update their credit card information.

Some smishers pose as the US Postal Service or another shipping company. They send texts that tell victims they must pay a fee to receive a package they ordered.  

Vishing

Voice phishing, or vishing, is phishing by phone call. Vishing incidents have exploded in recent years, increasing by 260% between 2022 and 2023 according to the APWG.5 The rise of vishing is partly due to the availability of voice over IP (VoIP) technology, which scammers can use to make millions of automated vishing calls per day. 

Scammers often use caller ID spoofing to make their calls appear to come from legitimate organizations or local phone numbers. Vishing calls typically scare recipients with warnings of credit card processing problems, overdue payments or trouble with the law. Recipients end up providing sensitive data or money to the cybercriminals to "resolve" their issues. 

Social media phishing

Social media phishing employs social media platforms to trick people. Scammers use the platforms' built-in messaging capabilities—for example, Facebook Messenger, LinkedIn InMail and X (formerly Twitter) DMs—the same ways they use email and text messaging. 

Scammers often pose as users who need the target's help logging in to their account or winning a contest. They use this ruse to steal the target's login credentials and take over their account on the platform. These attacks can be especially costly to victims who use the same passwords across multiple accounts, an all-too-common practice.

Recent trends in phishing 

Scammers constantly devise new phishing techniques to avoid detection. Some recent developments include: 

AI phishing

AI phishing uses generative artificial intelligence (AI) tools to create phishing messages. These tools can generate tailored emails and text messages that lack spelling errors, grammatical inconsistencies and other common red flags of phishing attempts.

Generative AI can also help scammers scale their operations. According to IBM's X-Force Threat Intelligence Index, it takes a scammer 16 hours to craft a phishing email manually. With AI, scammers can create even more convincing messages in only five minutes. 

Scammers also use image generators and voice synthesizers to add further credibility to their schemes. In one widely reported 2019 case, attackers used AI-generated audio to imitate the voice of an energy company's chief executive and talked a subordinate executive into wiring USD 243,000 to a fraudulent account.7

Quishing

Quishing uses fake QR codes embedded in emails and text messages or posted in the real world. Because the destination URL is encoded in an image rather than written as text, the malicious link can slip past filters that scan only the message text, and the victim's phone opens it without the address ever being displayed for inspection.

For example, the US Federal Trade Commission (FTC) warned in 2023 of a scam where criminals replace QR codes on public parking meters with their own codes that steal payment data.6

Hybrid vishing

Hybrid vishing attacks combine voice phishing with other methods to evade spam filters and gain victims' trust.

For example, a scammer might send an email purporting to come from the IRS. This email tells the target that there is a problem with their tax return. To resolve the issue, the target must call a phone number provided in the email, which connects them directly to the scammer.

What are the signs of a phishing attack? 

Details can vary from scam to scam, but there are some common signs that indicate a message might be a phishing attempt. These signs include:

Strong emotions and pressure tactics

Phishing scams try to make victims feel a sense of urgency so that they act quickly without thinking. Scammers often do this by invoking strong emotions like fear, greed and curiosity. They might impose time limits and threaten unrealistic consequences, such as jail time.

Common phishing ruses include:

  • "There is a problem with your account or financial information. You must update it immediately to avoid losing access."

  • "We have detected illegal activity. Pay this fine now, or else you will be arrested."

  • "You have won a free gift, but you must claim it right now."

  • "This invoice is overdue. You must pay it immediately, or we will shut off your service."

  • "We have an exciting investment opportunity for you. Deposit money now, and we can guarantee incredible returns." 

Requests for money or sensitive information

Phishing scams typically ask for one of two things: money or data. Unsolicited or unexpected requests for payment or personal information can be signs of phishing attacks. 

Scammers disguise their requests for money as overdue invoices, fines or fees for services. They disguise requests for information as notices to update payment or account information or reset a password.

Poor spelling and grammar

Many phishing gangs operate internationally, which means they often write phishing messages in languages they do not speak fluently. Therefore, many phishing attempts contain grammatical errors and inconsistencies. 

Generic messaging

Messages from legitimate brands often contain specific details. They might address customers by name, reference specific order numbers or explain precisely what the problem is. A vague message such as "There is an issue with your account" with no further details is a red flag.

Fake URLs and email addresses

Scammers often use URLs and email addresses that appear legitimate at first glance. For example, an email from "admin@rnicrosoft.com" might seem safe, but look again. The "m" in "Microsoft" is actually an "r" and an "n."

Another common tactic is using a URL like "bankingapp.scamsite.com." A user might think this links to bankingapp.com, but it actually points to a subdomain of scamsite.com. Hackers might also use link-shortening services to disguise malicious URLs.  
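The following is an added example, not code from the original article or from IBM. It classifies links using the tricks described in this section: lookalike registrable domains such as rnicrosoft.com, a brand name placed in a subdomain of an attacker-controlled domain such as bankingapp.scamsite.com, the userinfo form https://bankingapp.com@scamsite.com/ that browsers silently send to scamsite.com, and link shorteners that hide the destination. It generalizes the article's two examples to a small confusable-character table and an edit-distance check. The protected-brand list, the stub public-suffix set and the shortener list are assumptions; a production version would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumptions, not from the article: the brands we protect, a stub for the
# Public Suffix List (use the real list in production), a few URL shorteners,
# and character sequences that read as another letter at a glance.
PROTECTED_DOMAINS = {"microsoft.com", "bankingapp.com", "paypal.com"}
PUBLIC_SUFFIXES = {"com", "net", "org", "ly", "co.uk"}
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """'www.bankingapp.scamsite.com' -> 'scamsite.com' (public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                       # longest suffix first: co.uk before uk
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def fold_confusables(name: str) -> str:
    """Rewrite look-alike sequences to the letter they imitate: rnicrosoft -> microsoft."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution or dropped letter away from a brand is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain) for a link found in a message."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    sld = reg.split(".")[0]

    if reg in PROTECTED_DOMAINS:
        return "trusted", reg
    if reg in KNOWN_SHORTENERS:
        return "shortener", reg               # destination hidden; expand before judging
    if parts.username:                        # https://bankingapp.com@scamsite.com/
        return "userinfo-decoy", reg          # the browser actually goes to scamsite.com
    subdomain_labels = host[: -len(reg)].strip(".").split(".")
    for brand in PROTECTED_DOMAINS:
        brand_sld = brand.split(".")[0]
        if brand_sld in subdomain_labels:     # bankingapp.scamsite.com
            return "brand-in-subdomain", reg
        if fold_confusables(reg) == brand or levenshtein(sld, brand_sld) <= 1:
            return "lookalike", reg           # rnicrosoft.com, micros0ft.com, microsft.com
    return "unknown", reg


if __name__ == "__main__":
    # Constructed sample links, including the article's two examples.
    for link in ["https://www.microsoft.com/account", "http://rnicrosoft.com/login",
                 "bankingapp.scamsite.com", "https://bankingapp.com@scamsite.com/login",
                 "https://bit.ly/3abc", "https://micros0ft.com", "https://example.org/"]:
        print(f"{link:45} -> {classify_url(link)}")
```

The edit-distance threshold is deliberately aggressive for short brand names and will flag some legitimate domains, so treat "lookalike" as a reason to block or rewrite the link for review rather than as proof of fraud. Internationalized domain names (Cyrillic or Greek letters that render identically to Latin ones) need a separate Unicode confusables check that this ASCII table does not cover.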

Other signs

Scammers might send files and attachments that the target did not request and does not expect. They might use images of text instead of actual text in messages and web pages to avoid spam filters that inspect message content.

Some scammers reference hot-button issues to get victims riled up. For example, IBM® X-Force® found that scammers commonly use the conflict in Ukraine to stoke targets' emotions.  

Phishing prevention and mitigation 

Security awareness training and organizational policies 

Because phishing scams target people, employees are often an organization's first and last line of defense against these attacks. Organizations can teach users how to recognize the signs of phishing attempts and respond to suspicious emails and text messages. This can include giving employees easy ways to report phishing attempts to the IT or security team.

Organizations can also establish policies and practices that make it harder for phishers to succeed. 

For example, organizations can forbid people from initiating monetary transfers over email. They can require employees to verify requests for money or information by contacting the requester through means other than those provided in the message. For example, employees can type a URL directly into their browser instead of clicking a link or call a colleague's office line instead of replying to a text from an unknown number.  

Antiphishing tools and technology

Organizations can supplement employee training and company policies with security tools that help detect phishing messages and thwart hackers who use phishing to break into networks. 

  • Spam filters and email security software use data on known phishing campaigns and machine learning models to identify phishing emails and other spam. Suspected messages are quarantined or moved to a separate folder, and their links and attachments are disabled or rewritten so that they cannot be opened directly.

  • Antivirus and antimalware software can detect and neutralize malicious files or code carried by phishing emails.

  • Multifactor authentication (MFA) makes account takeover harder because a stolen password alone is not enough to log in. Not all second factors resist phishing equally, though. One-time passcodes and push approvals can be relayed in real time by adversary-in-the-middle phishing kits that proxy the victim's session to the real login page. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind the login to the genuine site's origin, so a credential captured on a lookalike site cannot be replayed.

  • Endpoint security tools like endpoint detection and response (EDR) and unified endpoint management (UEM) solutions can use artificial intelligence (AI) and advanced analytics to intercept phishing attempts and block malware. 

  • Web filters prevent users from visiting known malicious websites and display alerts whenever users visit suspicious pages. These tools can help mitigate damage if a user clicks a phishing link.
     
  • Enterprise cybersecurity solutions, such as security orchestration, automation and response (SOAR) and security information and event management (SIEM) platforms, use AI and automation to detect and respond to anomalous activity. These solutions can help stop phishers who are attempting to install malware or take over accounts.  
Footnotes

1 How Russian hackers pried into Clinton campaign emails. Associated Press. 4 November 2017.

2 How cybercriminals are targeting Amazon Prime Day shoppers. TechRepublic. 6 July 2022.

3 How this scammer used phishing emails to steal over USD 100 million from Google and Facebook. CNBC. 27 March 2019.

4, 5 Phishing Activity Trends Report (PDF, 3.6 MB). Anti-Phishing Working Group. 13 February 2024.

6 Quishing is the new phishing. ZDNET. 11 December 2023.

7 That panicky call from a relative? It could be a thief using a voice clone, FTC warns. NPR. 22 March 2023.