What Is Phishing?

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually performed through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine. Phishing is a common type of cyber attack that everyone should learn about in order to protect against email threats.

Contact Cisco

  • Get a call from Sales
  • Call Sales:
  • 1-800-553-6387
  • US/CAN | 5am-5pm PT
  • Product / Technical Support
  • Training & Certification

What is phishing?

Phishing attacks are counterfeit communications that appear to come from a trustworthy source but which can compromise all types of data sources. Attacks can facilitate access to your online accounts and personal data, obtain permissions to modify and compromise connected systems--such as point of sale terminals and order processing systems--and in some cases hijack entire computer networks until a ransom fee is delivered.

Sometimes hackers are satisfied with getting your personal data and credit card information for financial gain. In other cases, phishing emails are sent to gather employee login information or other details for use in more malicious attacks against a few individuals or a specific company. Phishing is a type of cyber attack that everyone should learn about in order to protect themselves and ensure email security throughout an organization.

How has phishing evolved?

It has been a few decades since this type of scam was first referenced and the first primitive forms of phishing attacks started in chatrooms. Phishing has evolved to become one of the largest cybercrimes on the internet that leads to BEC and ransomware. Read about the phishing history, evolution, and predictions for the future in The Evolution of Phishing.

How does phishing work?

Phishing starts with a fraudulent email or other communication designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information--often on a scam website. Sometimes malware is also downloaded onto the target's computer.

Cybercriminals start by identifying a group of individuals they want to target. Then they create email and text messages that appear to be legitimate but actually contain dangerous links, attachments, or lures that trick their targets into taking an unknown, risky action. In brief:

  • Phishers frequently use emotions like fear, curiosity, urgency, and greed to compel recipients to open attachments or click on links.
  • Phishing attacks are designed to appear to come from legitimate companies and individuals.
  • Cybercriminals are continuously innovating and becoming more and more sophisticated.
  • It only takes one successful phishing attack to compromise your network and steal your data, which is why it is always important to Think Before You Click.

Dangers of phishing

Personal phishing risks include:

  • Money being stolen from your bank account
  • Fraudulent charges on credit cards
  • Lost access to photos, videos, and files
  • Fake social media posts made in your accounts
  • Cybercriminals impersonating you to a friend or family member, putting them at risk

At work the phishing risks include:

  • Loss of corporate funds
  • Exposing the personal information of customers and coworkers
  • Files becoming locked and inaccessible
  • Damage to your company's reputation

How can my company increase its phishing awareness?

No single cybersecurity solution can avert all phishing attacks. Your company should consider a tiered security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur. This multilayered approach includes employee awareness training. When an attack makes it through your security, employees are typically the last line of defense.

Learn how to account for phishing attacks, how to recognize them, and what to do if you ever discern that you may have accidentally succumb to a phishing attack. Test your phishing knowledge by taking our Phishing Awareness Quiz.

How can I detect phishing?

On any email client: You can examine hypertext links, which is one of the best ways to recognize a phishing attack.

When checking for hyperlinks: The destination URL will show in a hover pop-up window near the hyperlink. Ensure that the destination URL link equals what is in the email. Additionally, be cautious about clicking on links that have strange characters in them or are abbreviated.

On mobile devices: You can observe the destination URL by briefly hovering your mouse over the hyperlink. As a result, the URL will materialize in a small pop-up window.

On web pages: The destination URL will be revealed in the bottom-left corner of the browser window, when hovering over the anchor text.

Anti-phishing tactics to help prevent phishing attacks:

  • Take our phishing quiz as part of your phishing education
  • Monitor your online accounts regularly
  • Keep your browser updated
  • Don't click on email links from unknown sources
  • Be aware of pop-up windows
  • Never give out personal information over email
  • Be wary of social, emotion lures
  • Track the latest phishing attacks with advanced phishing protection
  • Deploy malicious URL detection and content filtering

What should I do if I receive a phishing email?

If you receive a suspicious email, the first step is to not open the email. Instead, report the email to your company or organization as suspected phishing. Most importantly, you never want to assume that a coworker has already reported a phishing attack. The sooner your IT and security teams are forewarned to the potential threat, the sooner your company can take actions to prevent it from damaging your network.

If you discern that you have accidently engaged with a phishing attack and gave out any internal information, you must report the occurrence immediately. If you don't report a phishing attack immediately, you could put your data and your company at risk.

Types of phishing attacks

Spear phishing

Spear phishing targets specific individuals instead of a wide group of people. That way, the attackers can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company's defenses and carry out a targeted attack. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.

Tips to stop phishing (PDF) Blog: How to Identify a Spear Phish

Microsoft 365 phishing

The methods used by attackers to gain access to a Microsoft 365 email account are fairly simple and becoming the most common. These phishing campaigns usually take the form of a fake email from Microsoft. The email contains a request to log in, stating the user needs to reset their password, hasn't logged in recently, or that there's a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue.

Blog: Spotting fake Office 365 emails >

Business email compromise (BEC)

BEC is carefully planned and researched attacks that impersonate a company executive vendor or supplier.

View business email compromise (BEC) infographic >

Whaling

When attackers go after a "big fish" like a CEO, it's called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.

Social media phish

Attackers often research their victims on social media and other sites to collect detailed information, and then plan their attack accordingly.

Voice phishing

Voice phishing, or "vishing," is a form of social engineering. It is a fraudulent phone call designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your company. New employees are often vulnerable to these types of scams, but they can happen to anyone--and are becoming more common.

Phishing Awareness Quiz

What should you do as an employee if you suspect a phishing attack?

  1. Report it so the organization can investigate.
  2. Ignore it.
  3. Open the email and see whether it looks legitimate.
  4. Show your coworkers to see what they think.

What are the most common signs of a phishing scams?

  1. Nice graphics and layout
  2. Contains personal information
  3. Proper spelling and grammar
  4. Unknown sender, sense of urgency, unexpected attachment, or too good to be true

How many phishing emails are sent each day worldwide?

  1. 100 million
  2. 250 million
  3. 1.5 billion
  4. 3.4 billion

What is spear fishing?

  1. A type of phishing that involves vacation offers
  2. A type of phishing that promises a large reward
  3. A type of phishing that targets specific groups of people in an organization .
  4. A type of phishing that lures the recipient in with a fun offer and then spreads a virus

What can happen if you click on a phishing email link or attachment?

  1. The email sender could gain access to company systems.
  2. The email sender could steal your personal information or company information.
  3. The email sender could distribute malware into the company network.
  4. All of the above

Why is it important for me to watch out for phishing emails if my organization has email controls and security in place?

  1. Phishing emails grow more sophisticated all the time. Each one of us needs to be vigilant.
  2. IT has several security precautions in place, but they don't control individual users' non-corporate devices.
  3. You most likely receive phishing emails on your personal email accounts as well, so it pays to be aware.
  4. All of the above

How can a person executing a phishing attack steal someone's identity?

  1. They pretend they are someone else when emailing phishing messages, so that's like stealing an identity.
  2. They ask for personal information on a webpage or pop-up window linked from the phishing email, and they use the information entered to make illegal purchases or commit fraud.
  3. They send a request for the recipient's driver's license and credit cards.
  4. They ask for money to purchase your ID on the black market.

Why would people who send phishing emails be excited about a natural disaster or health scare?

  1. If people are distracted by a hurricane or a flu pandemic, they might be less likely to read emails carefully.
  2. Phishers often take advantage of current events, such as natural disasters, health scares, or political elections, and send messages with those themes to play on people's fears.
  3. Phishing emails reach more people if they are worried about the weather.
  4. If people go without power due to a storm or other natural disaster, they will be excited about communication being restored and they will respond to the emails they receive once power is back.

Unsure whether an email is real or phishing? Which of the following should you do?

  1. An unknown email sender sound vague or generic, and is threatening something about one of your online accounts? Report it as phishing.
  2. An alert email comes from PayPal or your bank. Open a new browser window and go to your account to see if anything is happening with your account.
  3. An offer appears to be from Amazon, but upon closer inspection it's actually from Amzon.co. You should report and delete the email.
  4. All of the above

Get started

Connect with us

Related email security topics