What is a Phishing Attack?
Phishing attacks are malicious in nature, with the intent of luring victims into submitting personal data without suspecting any wrongdoing. Oftentimes, the acquired sensitive data is used to achieve the threat actor’s ultimate goal: financial gain. However, there are various tactics that can be employed.
Phishing attacks are one of the most common attacks performed by cyber criminals to gain access to personal information or sensitive data, including credit card numbers and login credentials. Threat actors trick victims into voluntarily sharing their data by impersonating trusted brands or people. According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, nearly 150,000 unique phishing websites were detected in Q2 2020. In the same period, over 125,000 unique phishing emails were reported. This means that at least 5% of the total number of newly registered domains were used for phishing. Keep in mind that these figures only represent “detected” phishing attacks. In reality, the figures could be much larger.
How do Hackers Use Phishing?
While phishing attacks rely on various tactics, their general anatomy follows a similar pattern:
- Purchased Domain. While not necessary in phishing attacks, a look-alike domain can be purchased to fool users into trusting the sender. Nearly 70% of domains used in phishing attacks come from legacy generic Top Level Domains (TLDs) such as .com.
- Spoofed Sender. Email spoofing involves the creation of an email message with a forged address. With access to an SMTP server or various online tools, the “mail from” field can be replaced with any email address. Although this won’t pass SPF, DKIM, or DMARC checks, an untrained email user could fall victim to the phishing attempt. To check if the sender is legitimate on Gmail, users can click on the “show original” option on the email message and check the headers. Verify that the sending address passed SPF, DKIM, and DMARC.
- Look-alike Webpage. As the threat landscape evolves, it’s not necessary for cyber criminals to be tech-savvy. A phishing kit can be purchased online, providing hackers with a ready-to-use phishing campaign. Phishing kits clone legitimate business websites, add malicious software, and are packaged for sale. The forms on the cloned website typically capture credentials or sensitive data for later exploitation. Today, nearly 80% of phishing websites have SSL encryption enabled, which creates a sense of security in victims. Seeing ‘https’ and a small lock next to the URL makes the website seem safe. However, over 90% of these certificates were domain-validated. This is the weakest method of certificate validation: it only requires proof of control over the domain, such as an email sent to a specified contact address that could easily belong to the threat actor.
- Message to Target Victim(s) With Call to Action. A message can be transmitted via email, text messages or common instant messaging platforms. Victims believe that the message came from a known sender. Example senders could be your company’s CEO or your bank. In the message, the phisher will create a sense of urgency causing the victim to click a link leading them to a fake webpage or prompting to download a file.
Types of Phishing
While phishing is a common tactic performed, there are several different methods of phishing. Each method generally contains the same components but often has different targets:
- Spoofed Emails. With victims spending hours a day sifting through emails, it’s easy to mistakenly click on an email that is received from a spoofed email address. While these often direct victims to a web page, many request funds in the form of a wire transfer or gift cards.
- Spear Phishing. Spear-phishing targets a specific person or enterprise instead of a wide group. Phishers may perform research on the user to make the attack more effective. Unsurprisingly, tons of data can be found on social media platforms such as LinkedIn. Phishers can understand your network, contact information, and experience to draft a highly personalized phishing message.
- Clone Phishing. Clone phishing is a phishing attack that leverages a user’s familiarity with the sender. A previously sent email with a link or attachment is intercepted and cloned. However, the original link or attachment has been replaced with a malicious link or attachment. It may be sent from a spoofed email address to appear like the original sender. By referencing the earlier message, the phisher may build trust with the recipient.
- Whaling. Whaling has all the same characteristics as a typical phishing attack, only the phish are much bigger. In this attack, cyber criminals will target key or senior figures at an organization. If a key member in the finance department receives a spoofed message that they believe to be from the CEO requesting a wire transfer, they may not think twice. Similar to spear phishing, these attacks are highly targeted.
Phishing attacks are common among cyber criminals because they work and require relatively little effort. There are several steps that individuals and organizations can take to avoid falling victim to phishing attempts:
- Verify Email Links. Individuals should always be wary when viewing emails that contain links or attachments. By hovering over a link, your mail client or browser will show the actual destination of the link. If it doesn’t look like a website you are familiar with or recognize, don’t click it.
- Verify Email Senders. If the email appears to be from someone you know, but it’s unexpected or contains information that is too good to be true, there is a good chance it’s a phish. By viewing the email message headers and verifying that the DKIM, SPF, and DMARC checks passed, you can confirm the sender is legitimate. If the message still seems suspicious, reach out to the sender directly over the phone or instant message to verify they actually sent it.
- Don’t Trust the SSL Padlock. If the site is not served over HTTPS with an SSL certificate, your data is being transmitted in plain text to the hosting server, so you shouldn’t be entering sensitive data. However, having an SSL certificate alone isn’t enough to verify safety. Check which Certificate Authority issued the certificate and whether it was only domain-validated. Remember, roughly 80% of domains have domain-validated SSL certificates and appear to be secure. To verify the certificate issuer: click on the SSL padlock, then click the certificate and view its details.
- Monitor Newly Registered Domains. Business organizations should use anti-phishing software to monitor newly registered domains to see if they mention their brand or trademark. If that is the case and the domain doesn’t belong to your organization, that’s a red flag. It’s imperative to continuously monitor these domains as they evolve because if they aren’t a threat today, tomorrow could be different.
- Monitor Incoming Email Traffic. Business Email Compromise (BEC) is a prime candidate for cyber criminals to trick victims into wiring money or navigating to a malicious domain to input credentials. By using anti-phishing tools that monitor incoming emails for authentication checks, members of your organization can be warned of malicious messages sent from spoofed email addresses.
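The header check described above under “Spoofed Sender” and “Verify Email Senders” can be automated. The following is an added example, not code from ZeroFOX or from the original post: it parses the Authentication-Results header that a receiving mail server (such as Gmail, as shown by “show original”) adds, extracts the SPF, DKIM and DMARC verdicts, and reports the message as suspicious unless all three passed. The two sample messages are constructed for this example; the mail server name and addresses in them are placeholders.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: a spoofed message whose From: claims to be the CEO. The
# receiving server recorded SPF, DKIM and DMARC failures in Authentication-Results.
SPOOFED_MESSAGE = b"""\
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.net;
       dkim=fail header.i=@example.com;
       spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Date: Mon, 01 Jun 2020 09:00:00 +0000

Please wire the funds today.
"""

# Constructed sample: the same kind of message sent by the real domain owner.
LEGITIMATE_MESSAGE = b"""\
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Quarterly review
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.com;
       spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Date: Mon, 01 Jun 2020 09:05:00 +0000

Slides attached for Thursday.
"""

# Matches "spf=pass", "dkim=fail", "dmarc=none" and similar tokens in the header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)


def parse_auth_results(header_value):
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from one Authentication-Results value."""
    results = {}
    for method, result in AUTH_RESULT_RE.findall(str(header_value)):
        # Keep the first verdict recorded for each method.
        results.setdefault(method.lower(), result.lower())
    return results


def assess_message(raw_message: bytes):
    """Parse a raw RFC 5322 message and summarise its authentication status.

    A missing Authentication-Results header is reported as 'none' for every
    method, which is treated as suspicious rather than as a pass.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in parse_auth_results(header).items():
            if method in verdicts and verdicts[method] == "none":
                verdicts[method] = result
    from_header = msg["From"]
    sender = ""
    if from_header is not None and from_header.addresses:
        sender = from_header.addresses[0].addr_spec
    all_pass = all(v == "pass" for v in verdicts.values())
    return {"sender": sender, **verdicts, "verdict": "pass" if all_pass else "suspicious"}


if __name__ == "__main__":
    for raw in (SPOOFED_MESSAGE, LEGITIMATE_MESSAGE):
        summary = assess_message(raw)
        print(f"{summary['sender']:<20} spf={summary['spf']:<5} dkim={summary['dkim']:<5} "
              f"dmarc={summary['dmarc']:<5} -> {summary['verdict']}")
```

Note that the header is only trustworthy when it was added by your own receiving server; a sender can include a forged Authentication-Results header of its own, so production mail filters strip any copy that did not originate from a trusted authserv-id before relying on it.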
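The certificate check under “Don’t Trust the SSL Padlock” can also be done from a script rather than by clicking the padlock. This is an added example, not ZeroFOX code: it works on the certificate dictionary that Python’s standard-library `ssl` module returns from `getpeercert()`, reports the issuer, and classifies the certificate as domain-validated when the subject carries no organizationName field. That classification is a heuristic assumed for this example (organization- and extended-validation certificates identify the organization in the subject; domain-validated ones only name the host), and the sample certificate dictionaries below are constructed, not captured from a real site.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a domain-validated certificate names only the host in its subject.
DV_CERT = {
    "subject": ((("commonName", "login-examplebank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example DV Authority"),),
        (("commonName", "Example DV Authority R1"),),
    ),
    "notAfter": "Sep  1 00:00:00 2020 GMT",
}

# Constructed sample of an organization-validated certificate: the subject
# identifies the legal entity that the CA verified.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank Inc"),),
        (("commonName", "www.examplebank.test"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example OV Authority"),),
        (("commonName", "Example OV Authority G2"),),
    ),
    "notAfter": "Sep  1 00:00:00 2020 GMT",
}


def flatten_name(rdns):
    """Turn getpeercert()'s nested RDN tuples into a flat {attribute: value} dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def describe_certificate(cert: dict):
    """Summarise who issued the certificate and how much validation it implies."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    # Heuristic (assumption for this example): no organizationName in the
    # subject means the CA only checked control of the domain name.
    validation = "domain-validated" if "organizationName" not in subject \
        else "organization-validated or extended-validation"
    return {
        "common_name": subject.get("commonName", ""),
        "organization": subject.get("organizationName", ""),
        "issuer": issuer.get("organizationName", issuer.get("commonName", "")),
        "validation": validation,
        "not_after": cert.get("notAfter", ""),
    }


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect to a host and return its certificate dict (network access required).

    create_default_context() verifies the chain against the system trust store,
    so a site with an untrusted or mismatched certificate raises ssl.SSLError.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        info = describe_certificate(fetch_peer_cert(sys.argv[1]))
    else:
        info = describe_certificate(DV_CERT)
    for key, value in info.items():
        print(f"{key:<14} {value}")
```

A domain-validated result is not proof of a phishing site, as the post notes: most legitimate sites use them too. It is proof that the padlock tells you nothing about who operates the site, which is why the issuer and the subject, not the lock icon, are what deserve a look.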
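The domain-monitoring step above comes down to a screening rule: for each newly registered domain, does any label mention the brand, or sit within a keystroke of it? The following is an added example written for this post, not a ZeroFOX tool. It assumes the feed is a plain list of hostnames, treats the second-to-last label as the registrable name (a real monitor would consult the public suffix list), and applies three checks: the brand embedded in a label, the brand embedded after normalising common look-alike characters (such as a digit zero for the letter o, or “rn” for “m”), and a Levenshtein distance of at most one from the brand. The brand, owned domains and feed entries are all constructed placeholders.

```python
# Look-alike character substitutions to undo before comparing against the brand.
# Multi-character sequences are listed first so they are replaced before single ones.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Lower-case a DNS label, drop hyphens and fold look-alike characters."""
    label = label.lower().replace("-", "")
    for lookalike, letter in HOMOGLYPHS:
        label = label.replace(lookalike, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_domain(domain: str, brand: str, owned: set):
    """Return a reason string if the domain looks like a brand impersonation, else None."""
    domain = domain.lower().strip(".")
    if domain in owned or any(domain.endswith("." + o) for o in owned):
        return None  # registered by the organisation itself
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    candidate_labels = labels[:-1]  # every label except the TLD
    registrable = labels[-2]        # assumption: no public suffix list in use
    brand = normalize(brand)
    for label in candidate_labels:
        if brand in label.lower().replace("-", ""):
            return f"brand embedded in label '{label}'"
    for label in candidate_labels:
        if brand in normalize(label):
            return f"brand embedded in label '{label}' after look-alike folding"
    distance = levenshtein(normalize(registrable), brand)
    if distance <= 1:
        return f"registrable name within edit distance {distance} of brand"
    return None


def screen_feed(feed, brand: str, owned: set):
    """Run flag_domain over a feed and return [(domain, reason), ...] for the hits."""
    hits = []
    for domain in feed:
        reason = flag_domain(domain, brand, owned)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample feed of "newly registered" names; none of these are real observations.
SAMPLE_FEED = [
    "examplebank.com",                 # owned, should be ignored
    "examplebank-login.com",           # brand with an extra word
    "exarnplebank.net",                # rn in place of m
    "examplebnk.com",                  # one character dropped
    "examplebank.hosting-provider.test",  # brand as a subdomain of someone else's host
    "bankexample.com",                 # words reversed: not caught by these rules
    "weather-report.org",              # unrelated
]

if __name__ == "__main__":
    for domain, reason in screen_feed(SAMPLE_FEED, "examplebank", {"examplebank.com"}):
        print(f"{domain:<36} {reason}")
```

Hits from such a screen are leads, not verdicts: the post’s advice to keep watching a flagged domain applies, since a parked look-alike today can be serving a cloned login page tomorrow.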
Protect Today. Predict Tomorrow. Get started with ZeroFOX and secure your digital-first world with protection, intelligence and disruption.