What Is Phishing?

Phishing is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email and text messaging. The attacker's goal is to steal money, gain access to sensitive data and login information, or to install malware on the victim's device. Phishing is a dangerous, damaging, and an increasingly common type of cyberattack.

Contact Cisco

  • Get a call from Sales
  • Call Sales:
  • 1-800-553-6387
  • US/CAN | 5am-5pm PT
  • Product / Technical Support
  • Training & Certification

Phishing and security tactics will further evolve with the global use of artificial intelligence (AI)

"Last year Cisco Security saw that 80% of ransomware attacks we observed began with a phishing email," said Tom Gillis SVP and GM Security at Cisco, RSA Conference 2023

How do phishing scams trick users?

A phishing attack relies on a social-engineering effort where hackers create a counterfeit communication that looks legitimate and appears to come from a trusted source. Attackers use seemingly benign emails or text messages to trick unsuspecting users into taking an action such as downloading malware, visiting an infected site, or divulging login credentials in order to steal money or data.

Why do hackers send phishing scams?

Motivations for phishing attacks differ, but mainly attackers are seeking valuable user data such as personally identifiable information (PII) or login credentials that can be used to commit fraud by accessing the victim's financial accounts. Once attackers have login information, personal data, access to online accounts, or credit card data, they can obtain permissions to modify or compromise more cloud-connected systems and in some cases, hijack entire computer networks until the victim pays a ransom.

Some cybercriminals aren't satisfied with merely getting your personal data and credit card information. They won't stop until they have drained your bank account. In these cases, they may go beyond emails and use "popup phishing" combined with voice phishing (vishing) and SMS text messages (SMiShing). Victims may be frightened into divulging bank account access information and other details. Often perpetrated against elderly individuals or people in targeted organizations' finance departments, vishing and SMiShing are types of cyberattacks that everyone should learn about to protect themselves and their financial security. 

How does phishing work? 

Phishing works by luring a victim with legitimate-looking (but fraudulent) emails or other communication from a trusted (or sometimes seemingly desperate) sender who coaxes victims into providing confidential information—often on what looks to be a convincingly legitimate website. Sometimes malware or ransomware is also downloaded onto the victim's computer. 

  • Phishers frequently use tactics like fear, curiosity, a sense of urgency, and greed to compel recipients to open attachments or click on links.
  • Phishing attacks are designed to appear to come from legitimate companies and individuals.
  • Cybercriminals are continuously innovating and using increasingly sophisticated techniques, including spear phishing (an attack directed at a specific person or group) and other strategies, to trick users into clicking or tapping.
  • It only takes one successful phishing attack to compromise your network and steal your data, which is why it is always important to Think Before You Click. (You can click that link, as it has important phishing stats and information.)

Who are the targets of phishing?

Anyone. Most phishing attacks target numerous email addresses with the hope that some percentage of users will be tricked. Security-awareness training is helpful in educating users on the dangers of phishing attacks and teaches strategies to identify phishing communications. 

Why are phishing attacks so effective? 

Phishing is effective because it exploits the vulnerabilities of human nature, including a tendency to trust others, act out of curiosity, or respond emotionally to urgent messages. And phishing attacks are increasingly easy to perpetrate with phishing kits readily available on the dark web. It's a relatively low-risk pursuit for attackers, with bulk email addresses easy to obtain and emails virtually free to send.

Phishing is evolving with AI

The first primitive forms of phishing attacks emerged decades ago in chat rooms. Since then, phishing has evolved in complexity to become one of the largest and most costly cybercrimes on the internet that leads to business email compromise (BEC), (email account takeover (ATO), and ransomware. More recently, AI has made it easier for attackers to carry out sophisticated and targeted attacks by correcting spelling mistakes and personalizing messaging. For example, cybercriminals collect identifying information on groups or individuals they want to target and then use that information to mount highly personalized phishing campaigns called spear phishing. Because spear phishing communications are much more personalized, they can look especially legitimate, and thus are even more dangerous. 

On the other hand, AI security solutions are enabling advanced detection and prevention techniques. Now Cisco Secure products leverage predictive and generative AI that expands our reach and interaction with security touchpoints. Cisco Secure Email Threat Defense uses unique artificial intelligence and machine learning models, including natural language processing (NLP), to identify malicious techniques used in attacks targeting your organization, derive unparalleled context for specific business risks, provide searchable threat telemetry, and categorize threats to understand which parts of your organization are most vulnerable to attack. 

Cisco's upcoming acquisition of Armorblox, which is based in Sunnyvale, Calif., develops solutions to protect organizations against data loss and targeted email attacks. The integration of its solutions will incorporate enhanced attack prediction to rapidly detect threats and efficiently enforce policy to reduce phishing response times.

Learn about mailbox remediation

Dangers of phishing - What can happen when you are phished?

See the gaps that invite phishing attacks. Read our Phishing for Dummies eBook.

Personal phishing risks include:

  • Money stolen from your bank account
  • Fraudulent charges on credit cards
  • Lost access to photos, videos, and files
  • Fake social media posts made in your accounts
  • Cybercriminals impersonating you, putting friends or family members at risk

At work, phishing risks include:

  • Loss of corporate funds
  • Exposing personal information of partners, coworkers, and customers
  • Files becoming locked and inaccessible
  • Damage to your organization's reputation

How your organization can increase phishing awareness

It's important to adopt a multilayered approach that includes email filters and employee awareness training. If an attack makes it through your security defenses, employees are typically the last line of defense.

Build security resilience by learning how to recognize phishing attacks, prevent them, and remediate them if you ever accidentally succumb to a phishing attack. Start by testing your phishing knowledge with our Phishing Awareness Quiz.

Phishing prevention - What is the best defense against phishing?

No single cybersecurity solution can avert all phishing attacks. Your organization should deploy cybersecurity technology and take a tiered security approach to reduce the number of phishing attacks and the impact when attacks do occur. 

To learn about the latest phishing attack methods, including spear phishing, typosquatting, steganography, and how to combat them with advanced cybersecurity methods, download our new e-book, Phishing for Dummies, and see Chapter 1: Phishing 101.

Deploy tiered security solutions

Your organization can deploy Cisco Umbrella for phishing protection and Cisco Secure Email Threat Defense to safeguard inboxes. Organizations may also consider Cisco Secure Access, a cloud-delivered security service edge (SSE) solution, grounded in zero trust, that provides secure access from anything to anywhere, including phishing protection. 

  

Conduct regular training

Phishing training and anti-phishing strategies will help enlist employees in efforts to defend your organization. Include Cisco Secure Awareness Training as part of this approach. Phishing simulations and awareness training help you educate users on how to spot and report phishing attempts.

  

Avoid posting contact information online

Some attackers collect info by scraping information from these social media and websites. They collect mobile numbers for key stakeholders from email signatures and use that information for spear phishing and SMiShing campaigns.

  

Develop unique email address conventions

Common email address naming conventions are shared on the open internet and most patterns are easy to guess. Consider developing an email naming convention that doesn't follow the standard first name (dot) last name or the first-initial, last-name pattern. Randomizing email names across the organization will make them impossible to guess on a mass scale.

  

Deploy secure messaging platforms

With email remaining the number one vector for phishing attacks, many organizations are turning to the security of messaging platforms, including Cisco Webex Messaging for internal communication. Messaging platforms reduce the overall dependency on email for communication and in turn reduces email volume.

When combined with anti-phishing training, this approach gives employees more time and ability to detect fraudulent emails.

 

  

Sorry, no results matched your search criteria(s). Please try again.

How to detect phishing

You can learn how to detect phishing emails on desktop and mobile devices. Some basic steps for detecting phishing emails follow below.

On any email client

You can examine hypertext links, which is one of the best ways to recognize a phishing attack. Look for misspellings and grammatical errors in the body of the email. Check that the domain the email was sent from is spelled correctly. For example, in phishing emails you'll often find a number used instead of a letter. 

  

Check hyperlinks in emails

In a browser,the destination URL will show in a hover-popup window for the hyperlink. Ensure that the destination URL link equals what is in the email. Additionally, be cautious about clicking links that have strange characters in them or are abbreviated.

  

On mobile devices

You can observe the destination URL by briefly holding your finger over the hyperlink. The URL preview will materialize in a small popup window.

  

On web pages

Hover over the anchor text to find the destination URL revealed in the bottom-left corner of the browser window. Check your phish spotting skills.

  

Sorry, no results matched your search criteria(s). Please try again.

Individuals can follow additional phishing safety steps:

  • Don't click email links from unknown sources
  • Keep your browser updated
  
  • Monitor your online accounts regularly
  • Be aware of popup windows
  
  • Never give out personal information over email
  • Be aware of text messages and phone calls from unknown persons
  
  • Be wary of social, emotion lures
  • Deploy malicious URL detection and content filtering
  
  • Take our phishing quiz as part of your phishing education
  • Track the latest phishing attacks with advanced phishing protection
  

Sorry, no results matched your search criteria(s). Please try again.

Most common types of phishing attacks

Business email compromise (BEC)

BEC attacks are carefully planned and researched attacks that impersonate an organizational executive vendor or supplier. 

Watch Phish and Learn to see why BEC is difficult to detect.

View business email compromise (BEC) infographic

Top phishing threats related to BEC

Email account compromise. This is a common type of BEC scam in which an employee's email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.

Employee impersonation. This type of BEC takes the form of an email scam, in which a bad actor impersonates a trusted internal employee or vendor to steal money or sensitive information through email.

VIP impersonation. This type of attack occurs when a malicious actor sends an email to an unsuspecting victim, using a compromised email of a legitimate company, individual or VIP, asking for payment or funds transfer.

External payment fraud. An email attack is sent to an unsuspecting victim impersonating trusted vendors for invoice payment requests. It is also known as Vendor Email Compromise (VEC).

Internal payment fraud. Using stolen credentials an attacker can gain access to internal payment systems such as payment platforms and set up fraudulent vendors, change payment recipients, or redirect payments to their accounts.

Payroll diversion fraud. Using stolen email credentials, an attacker emails an organization's payroll or finance department requesting a change to direct-deposit information.

Social engineering. Persuasion through psychology is used to gain a target's trust, causing them to lower their guard and take unsafe action such as divulging personal information.

Extortion. Threatening or intimidating action is used to obtain monetary or other financial gain, commonly used in vishing scams.

Malicious recon emails. This looks like legitimate email communication but is actually an email sent by an attacker with the purpose of eliciting a response prior to extracting sensitive user or organizational data.

Credential phishing. A bad actor steals login credentials by posing as a legitimate entity using emails and fake login pages. The bad actor then uses the victim's stolen credentials to carry out a secondary attack or extract data.

Account takeover (ATO)

The methods used by attackers to gain access to cloud email, such as a Microsoft 365 email account, are fairly simple and increasingly common. These phishing campaigns usually take the form of a fake email from Microsoft. The email contains a request to log in, stating the user needs to reset their password, hasn't logged in recently, or that there's a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue. 

Watch Phish and Learn to understand how ATO occurs.

Blog: Spotting fake Office 365 emails

Spear phishing

Spear phishing targets specific individuals instead of a wide group of people. That way, the attackers can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company's defenses and carry out a targeted attack. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.

Tips to stop phishing (PDF)

Blog: How to identify a spear phish

Whaling

When attackers go after a "big fish" like a CEO, it's called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives have access to a great deal of sensitive organizational information.

Voice phishing (vishing)

Voice phishing, or vishing, is a form of social engineering. It is a fraudulent phone call or voice message designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your organization or a subscription service. New employees are often vulnerable to these types of scams, but they can happen to anyone—and are becoming more common. Deploying spam call-blocking software is a common tactic to prevent these types of calls.

SMS phishing (SMiShing)

Text message, or SMS phishing, can come through random broadcast text messages or portray a known coworker in your organization. Sometimes SMIShing messages contain a link or can request you to take immediate action. Either way, if you don't recognize the mobile number, delete the message. If you are ever unsure, call the individual using a valid phone number to make sure the task is legitimate.

Angler phishing

Angler phishing is similar to vishing, but instead of a phone call, attackers reach out by direct messaging on social media platforms. Victims are targeted by fake customer service agents. These attacks have even tricked professional anti-scammers, so don't underestimate the efficacy of this method.

As phishing has evolved, it has taken on a variety of names—including spear phishing, smishing—and phishing attacks come through a variety of channels, including compromised websites, social media, fake ads, QR codes, attachments and text messages.

Phishing Awareness Quiz

What should you do as an employee if you suspect a phishing attack?

  1. Report it so the organization can investigate.
  2. Ignore it.
  3. Open the email and see whether it looks legitimate.
  4. Show your coworkers to see what they think.

What are the most common signs of a phishing scams?

  1. Nice graphics and layout
  2. Contains personal information
  3. Proper spelling and grammar
  4. Unknown sender, sense of urgency, unexpected attachment, or too good to be true

How many phishing emails are sent each day worldwide?

  1. 100 million
  2. 250 million
  3. 1.5 billion
  4. 3.4 billion

What is spear fishing?

  1. A type of phishing that involves vacation offers
  2. A type of phishing that promises a large reward
  3. A type of phishing that targets specific groups of people in an organization .
  4. A type of phishing that lures the recipient in with a fun offer and then spreads a virus

What can happen if you click on a phishing email link or attachment?

  1. The email sender could gain access to company systems.
  2. The email sender could steal your personal information or company information.
  3. The email sender could distribute malware into the company network.
  4. All of the above

Why is it important for me to watch out for phishing emails if my organization has email controls and security in place?

  1. Phishing emails grow more sophisticated all the time. Each one of us needs to be vigilant.
  2. IT has several security precautions in place, but they don't control individual users' non-corporate devices.
  3. You most likely receive phishing emails on your personal email accounts as well, so it pays to be aware.
  4. All of the above

How can a person executing a phishing attack steal someone's identity?

  1. They pretend they are someone else when emailing phishing messages, so that's like stealing an identity.
  2. They ask for personal information on a webpage or pop-up window linked from the phishing email, and they use the information entered to make illegal purchases or commit fraud.
  3. They send a request for the recipient's driver's license and credit cards.
  4. They ask for money to purchase your ID on the black market.

Why would people who send phishing emails be excited about a natural disaster or health scare?

  1. If people are distracted by a hurricane or a flu pandemic, they might be less likely to read emails carefully.
  2. Phishers often take advantage of current events, such as natural disasters, health scares, or political elections, and send messages with those themes to play on people's fears.
  3. Phishing emails reach more people if they are worried about the weather.
  4. If people go without power due to a storm or other natural disaster, they will be excited about communication being restored and they will respond to the emails they receive once power is back.

Unsure whether an email is real or phishing? Which of the following should you do?

  1. An unknown email sender sound vague or generic, and is threatening something about one of your online accounts? Report it as phishing.
  2. An alert email comes from PayPal or your bank. Open a new browser window and go to your account to see if anything is happening with your account.
  3. An offer appears to be from Amazon, but upon closer inspection it's actually from Amzon.co. You should report and delete the email.
  4. All of the above

Get started

Connect with us

Related email security topics

Cisco blogs