What is phishing?
Phishing scams trick victims into divulging sensitive data, downloading malware, and exposing themselves or their organizations to cybercrime.
aerial view of people working in a office
What is phishing?

Phishing attacks are fraudulent emails, text messages, phone calls or web sites designed  to manipulate people into downloading malware, sharing sensitive information (e.g., Social Security and credit card numbers, bank account numbers, login credentials), or taking other actions that expose themselves or their organizations to cybercrime.

Successful phishing attacks often lead to identity theft, credit card fraud, ransomware attacks, data breaches, and huge financial losses for individuals and corporations.

Phishing is the most common form of social engineering, the practice of deceiving, pressuring or manipulating people into sending information or assets to the wrong people. Social engineering attacks rely on human error and pressure tactics for success. The attacker typically masquerades as a person or organization the victim trusts—e.g., a coworker, a boss, a company the victim or victim’s employer does business with—and creates a sense of urgency that drives the victim to act rashly. Hackers use these tactics because it’s easier and less expensive to trick people than it is to hack into a computer or network.

According to the FBI, phishing emails are the most popular attack method, or vector, used by hackers to deliver ransomware to individuals and organizations. And according to IBM’s Cost of a Data Breach Report 2021, phishing is fourth most common and second most expensive cause of data breaches, costing businesses an average of USD 4.65 million per breach.

Types of phishing attacks
Bulk phishing emails

 Bulk email phishing is the most common type of phishing attack. A scammer creates an email message that appears to come from a large, well-known legitimate business or organization—a national or global bank, a large online retailer, the makers of a popular software application or app—and sends the message to millions of recipients. Bulk email phishing is a numbers game: The larger or more popular the impersonated sender, the more recipients who are likely to customers, subscribers or members.

The phishing email addresses a topic that the impersonated sender might credibly address, and that appeals to strong emotions—fear, greed, curiosity, a sense of urgency or time pressure—to get the recipient's attention. Typical subject lines include 'Please update your user profile,' 'Problem with your order,' 'Your closing documents are ready to sign,' Your invoice is attached.' 

The body of the email instructs the recipient to take an action that seems perfectly reasonable and consistent with the topic, but will result in the recipient divulging sensitive information—social security numbers, bank account numbers, credit card numbers, login credentials— or downloading a file that infects the recipient's device or network. For example, recipients might be directed to 'click this link to update your profile', but the link takes them to a fake website, where they enter their actual login credentials while ostensibly updating their profile. Or they may be told to open an attachment that appears to be legitimate (e.g., 'invoice20.xlsx') but that delivers malware or malicious code to the recipient's device or network.

Spear phishing

Spear phishing is a phishing attack that targets a specific individual - usually a person who has privileged access to sensitive data or network resources, or special authority that the scammer can exploit for fraudulent or nefarious purposes.

A spear phisher studies the target to gather information needed to pose as a person or entity the target truly trusts—a friend, boss, co-worker, colleague, trusted vendor or financial institution—or to pose as the target individual. Social media and social networking sites—where people publicly congratulate coworkers, endorse colleagues and vendors, and tend to overshare about meetings or events or travel plans - have become rich sources of information for spear phishing research. 

Armed with this information, the spear phisher can send a message containing specific personal details or financial information and a credible request to the target—as in, 'I know you're leaving tonight for vacation—can you please pay this invoice (or transfer USDXXX.XX to this account) before close of business today?'

Business email compromise (BEC)

Some spear phishing emails attempt to gather even more information, in preparation for a larger-scale attack. For example, a spear phishing message might ask a CEO to update their email account credentials lost during a brief outage, but provide a link to a malicious fake website designed to steal those credentials instead. With those credentials in hand the attacker has full access to the CEO’s mailbox—they can study the CEO's email messages for even more information, and send a convincing, fraudulent message directly from the CEO's email account, using the CEO's actual email address. 

This is an example of business email compromise (BEC), a particularly dangerous type of spear phishing attack designed to trick company employees into sending very large sums of money or valuable assets to an attacker. BEC emails are sent or appear to be sent from the email accounts of the highest-ranking members of the business —or from high-level associates of the business, such as attorneys, key business partners or large vendors—and contain enough detail to appear highly credible.

Spear phishing isn't the only tactic for getting the information needed to stage successful BEC attack. Hackers can also deploy malware or exploit system vulnerabilities to gain access to email account data. Or, if they can't gain access to account data, hackers can try spoofing the sender's address—using an email address so similar to the sender's actual address that the recipient doesn't notice the difference. 

Regardless of tactics, successful BEC attacks are among the costliest cyberattacks. In one of the best—known examples of BEC, hackers impersonating a CEO convinced his company's finance department to transfer nearly 50 million euros to a fradulent bank account.

Other phishing techniques and tactics

SMS phishing, or smishing, is phishing using mobile or smartphone text messages. The most effective smishing schemes are contextual—that is, related to smartphone account management or apps. For example, recipients may receive a text message offering a gift as 'thanks' for paying a wireless bill, or asking them to update their credit card information in order to continue using a streaming media service. 

Voice phishing, or vishing, is phishing via phone call. Thanks to voice over IP (VoIP) technology, scammers can make millions of automated vishing calls per day; they often use caller ID spoofing to make their calls appear as if they're made from legitimate organizations or local phone numbers. Vishing calls typically scare recipients with warnings of credit card processing problems, overdue payments or trouble with the IRS. Callers who respond end up providing sensitive data to people working for the scammers; some even end up granting remote control of their computers to the scammers on the other end of the phone call.

Social media phishing employs various capabilities of a social media platform to phish for members' sensitive information. Scammers use the platforms' own messaging capabilities—e.g., Facebook Messenger, LinkedIn messaging or InMail, Twitter DMs—in much the same ways they use regular email and text messaging. They also send users phishing emails that appear to come from the social networking site, asking recipients to update login credentials or payment information. These attacks can be especially costly to victims who use the same login credentials across multiple social media sites, an all-too-common 'worst practice.'

Application or in-app messaging. Popular smartphone apps and web-based (software-as-a-service, or SaaS) applications email their users regularly. As a result, these users are ripe for phishing campaigns that spoof emails from app or software vendors. Again playing the numbers game, scammers will typically spoof emails from the most popular apps and web applications—e.g. PayPal, Microsoft Office 365 or Teams—to get the most bang for their phishing buck. 

Protecting against phishing scams
User training and best practices

Organizations are encouraged to teach users how to recognize phishing scams, and to develop best-practices for dealing with any suspicious emails and text messages. For example, users can be taught to recognize these and other characteristic features of phishing emails:

- Requests for sensitive or personal information, or to update profile or payment information
- Requests to send or move money
- File attachment(s) the recipient did not request or expect
- A sense of urgency, whether blatant ('Your account will be closed today...') or subtle (e.g., a request from a colleague to pay an invoice immediately) threats of jail time or other unrealistic consequences
- Threats of jail time or other unrealistic consequences
- Poor spelling or grammar
- Inconsistent or spoofed sender address
- Links shortened using Bit.Ly or some other link-shortening service
- Images of text used in place of text (in messages, or on web pages linked to in messages)

This is only a partial list; unfortunately, hackers are always devising new phishing techniques to better avoid detection. Publications such as the Anti-Phishing Working Group's quarterly Phishing Trends Activity Report (link resides outside of ibm.com) can help organizations keep pace. 

Organizations can also encourage or enforce best practices that put less pressure on employees to be phishing sleuths. For example, organizations can establish and communicate clarifying policies - e.g., a superior or colleague will never email a request to transfer funds. They can require employees to verify any request for personal or sensitive information by contacting the sender or visiting the sender's legitimate site directly, using means other than those provided in the message. And they can insist that employees report phishing attempts and suspicious emails to the IT or Security group.

Security technologies that fight phishing

Despite the best user training and rigorous best practices, users still make mistakes. Fortunately, several established and emerging endpoint and network security technologies can help security teams pick up the battle against phishing where training and policy leave off.

- Spam filters combine data on existing phishing scams and machine learning algorithms to identify suspected phishing emails (and other spam), then move them to a separate folder and disable any links they contain.
- Antivirus and anti-malware software detects and neutralizes malicious files or code in phishing emails.
- Multi-factor authentication requires at least one login credential in addition to a username and a password—for example, a one-time code sent to the users' cell phone. By providing and additional last line of defense against phishing scams or other attacks that successfully compromise passwords, multi-factor authentication can undermine spear phishing attacks and prevent BEC. 
- Web filters prevent users from visiting known malicious web sites ('blacklisted' sites) and display alerts whenever users visit suspected malicious or fake web sites.

Centralized cybersecurity platforms - e.g. security information and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR) and extended detection and response (XDR) - combine these and other technologies with continually updated threat intelligence and automated incidence response capabilities that can help organizations to prevent phishing scams before they reach users, and to limit the impact of phishing attacks that get past endpoint or network defenses.

Related solutions

IBM Security QRadar XDR Connect

The industry’s first comprehensive extended detection and response (XDR) solution built with open standards and automation. XDR Connect provides deep visibility, automation and contextual insight across endpoints, network, cloud and applications.

IBM Incident Response

IBM Incident Response solutions help security teams proactively manage and response to phishing and other threats with intelligent orchestration, a full range of services, and the tools, expertise and people of IBM Security X-Force.

Phishing Attack Solutions

Protect your employees from phishing attacks that can compromise your organization’s security.

Ransomware Protection Solutions

Protect your organization’s sensitive data from ransomware threats that can hold it hostage with IBM Security solutions.

Zero trust security solutions

Get security wrapped around every user, every device and every connection-every time with IBM zero trust security solutions.

Data security and protection solutions

Protect enterprise data across multiple environments, meet privacy regulations and simplify operational complexity with data security solutions.

IBM Security Trusteer Rapport

IBM Trusteer Rapport helps financial institutions detect and prevent malware infections and phishing attacks by protecting their retail and business customers.

Incident response solutions

Intelligent orchestration bolsters incident response by defining repeatable processes, empowering skilled analysts and leveraging integrated technologies.

Insider threat security solutions

Learn how to protect your organization from malicious or unintentional threats from insiders with access to your network.