Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Talk to an expert

What Is Phishing?

Phishing attacks are a category of cyberattacks that use deceptive “social engineering” techniques to trick users into divulging sensitive information, transferring sums of money, and more. Phishing attempts are usually disguised as harmless interactions that lure victims into trusting the attacker, and they may serve various ends, from simple profit to corporate espionage.

Get the 2023 ThreatLabz Phishing Report

How Does Phishing Work?

The easiest way to commit a robbery is probably to convince the victims they aren’t being robbed at all. That’s the phishing scammer’s basic model.

Phishing attacks begin with an email, phone call, SMS message, social media post, or the like that seems to be from a reputable source. From here, the attacker may have all sorts of end goals, such as tricking the victim into offering up account information, making a PayPal transfer, downloading disguised malware, and so on.

Let’s look at a common example. An attacker gets ahold of a victim’s email address or phone number. Then, the victim gets an email or text message from what appears to be their bank. The phishing message mentions an expiring special offer, suspected identity theft, or similar, and asks the victim to log in to their bank account. It links to a mock login webpage, and the victim unwittingly gives the attacker their login credentials.

The attack in this example, like most phishing attacks, carefully creates a sense of urgency that fools the victim into lowering their guard instead of taking time to consider whether the message is suspicious. That may be more easily said than done, however, as there are quite a few tricks in the attacker’s playbook.

Types of Phishing Attacks

Attackers have invented a wide variety of phishing techniques to exploit different technologies, trends, industries, and users. Here’s a glance at some common types:

  • Email phishing: An email from a seemingly legitimate sender tries to trick the recipient into following a malicious link and/or downloading an infected file. The email address and any URL in a phishing email may use spoofing to appear legitimate.
  • Smishing/SMS phishing: Via text messages sent to mobile devices, attackers try to trick victims into giving out personal information, such as credit card numbers or other account numbers.
  • Vishing/Voice phishing: Essentially the same as smishing but carried out over a phone call, these attacks are after credit card information or other sensitive details.
  • Angler phishing: Posing as legitimate organizations on social media, attackers solicit personal information from victims, often by offering gift cards, discounts, etc.
  • Pop-up phishing: A common attack on Apple, Android, or other smartphones, an offer or warning message appears in a pop-up, generally containing a malicious link to trick victims into divulging personal data.
  • Spear phishing: While many phishing scams seek out victims at random, spear phishing attacks target specific individuals whose personal details the attacker already knows to some extent. This extra detail can greatly increase the odds of successful phishing.
  • Whaling attacks: Attackers phish executives or other important members of an organization in an attempt to obtain information that will give them privileged access to the target environment.
  • Clone phishing: Phishers send victims spoofed emails that seem to be from senders the victim trusts, such as financial institutions or accredited businesses like Amazon. This is closely related to spear phishing and a common tactic of business email compromise (BEC) attacks.
  • Evil twin phishing: Attackers lure victims with a trustworthy-looking Wi-Fi hotspot, and then carry out “man in the middle” attacks, intercepting data victims transfer over the connection.
  • Pharming: Attackers hijack the functionality of a Domain Name System (DNS) server so that it will redirect users to a malicious fake website even if they type a benign URL.

How Dangerous Are Phishing Attacks?

Phishing attacks can be extremely dangerous. Large phishing campaigns can affect millions of people, stealing sensitive data, planting ransomware and other malware as well as gaining access to the most sensitive areas of a company’s systems.

Loss of sensitive data such as financial information, reputational damage, and regulatory issues are among the many possible consequences of a successful phishing attack at the organizational level, Risks for any phishing victim can include loss or compromise of sensitive data, and organizations also face possible reputational damage and regulatory issues.

How Does Phishing Affect Businesses?

At the organizational level, the consequences of a successful phishing attack can be far-reaching and serious. Financial losses can stem from a compromised corporate bank account. Data loss can stem from phishing that leads to a ransomware attack. An organization can sustain major reputational damage from any breach of sensitive data that necessitates public disclosure.

Furthermore, any of these can have even more serious consequences in turn. Cybercriminals may sell stolen data on the dark web, including to unscrupulous competitors. On top of that, many breaches will need to be disclosed to industry or government regulatory bodies that may levy fines or other sanctions. It may even involve the organization in cybercrime investigations, which can be time-consuming and attract negative attention.

How Do I Protect My Organization Against Phishing Attacks?

Fortunately, most types of phishing can be stopped if you take the right precautions. That means:

  • Use effective cybersecurity countermeasures. Modern antivirus and anti-phishing solutions, alongside effective spam filters, will screen out many phishing attempts.
  • Keep operating systems and browsers up to date. Software providers regularly address newfound vulnerabilities in their products, without which your system will be left exposed.
  • Protect data with automatic backups. Implement a regular process of system data backup so that you can recover in the event of a breach.
  • Use advanced multifactor authentication (MFA). Zero trust strategies such as MFA create additional layers of defense between attackers and your internal systems.
  • Ensure your users are educated. Cybercriminals constantly invent new strategies, and email security won’t catch everything. Your users and your organization at large will be safer if all users understand how to identify suspicious email messages and report phishing.

What Are the Signs of Phishing?

When it comes to phishing, the safest users are the ones who know how to avoid getting hooked. While a short summary no substitute for focused security awareness training, here are a few key warning signs of attempted phishing:

  • Discrepancies in domain names: Email addresses and web domains may have inconsistencies. For example, if you receive an email claiming to be from a well-known brand, the email address may not match it.
  • Spelling errors: Although phishing attacks have become much more effective, the messages still often contain spelling or grammatical mistakes.
  • Unfamiliar greetings: Sometimes, the style of a greeting or signoff can be a clue that something isn’t right. Take note of someone who always opens messages with “Hi!” suddenly says “Dear friend” instead.
  • Short and sweet: Phishing emails often keep information sparse, relying on ambiguity to throw off victims’ judgment. If too many important details are missing, it may be a sign of a phishing attempt.
  • Unusual requests: An email asking you to do something unusual, especially without explanation, is a big red flag. For example, a phishing attempt could claim to be from your IT team, asking you to download a file without specifying a reason.

Phishing and Remote Working

In a 2021 survey of enterprise IT security leaders, 80% believe remote workers are at greater risk of falling victim to phishing attacks. Even so, many organizations are still relying on weak security protocols. With most expected to continue facilitating remote or hybrid work for at least some of their workforce after the COVID-19 pandemic subsides, this could expose them to vulnerabilities.

Remote workers often rely on less sophisticated security software at home than they do in the office. They also may be using personal emails or other accounts not under the control of their organization’s IT team. Moreover, because they are away from internal business controls, remote employees aren’t always forced to practice good security hygiene, and it can be difficult, if not practically impossible, for IT managers to monitor or enforce.

To stay safe in the age of remote work, you need security that can account for the needs of your more mobile, distributed workforce.

Phishing Protection with Zscaler

Because it relies on exploiting human nature to succeed, user compromise is one of the most difficult security challenges to overcome. To detect active breaches and minimize the damage successful breaches can cause, you need to implement effective phishing prevention controls as part of a broader zero trust strategy.

The Zscaler Zero Trust Exchange™ platform, built on a holistic zero trust architecture to minimize the attack surface, prevent compromise, eliminate lateral movement, and stop data loss, helps stop phishing by:

  • Preventing attacks: Features like full TLS/SSL inspection, browser isolation, and policy-driven access control prevent access from malicious websites.
  • Preventing lateral movement: Once in your system, malware can spread, causing even more damage. With the Zero Trust Exchange, users connect directly to apps, not your network, so malware can’t spread from them.
  • Stopping insider threats: Our cloud proxy architecture stops private app exploit attempts and detects even the most sophisticated attack techniques with full inline inspection.
  • Stopping data loss: The Zero Trust Exchange inspects data in motion and at rest to prevent potential data theft from an active attacker.

Learn more about the Zero Trust Exchange to see how a complete zero trust architecture can help protect your organization against phishing attacks.

Suggested Resources


How Do You Recognize a Phishing Email?

Phishing emails may have spelling errors, mismatched email or web domains, or slightly odd or clunky language. They may also include unusual requests.

How Do You Report Phishing Emails?

Internally, it’s a good idea to have a reporting mechanism through which staff can notify IT and security teams of new threats. These teams can then determine the next appropriate action, which can include reporting to service providers who may be able to patch the vulnerability, and in serious cases can even warrant reporting to an agency such as the US Federal Trade Commission.

How Common Is Phishing?

Phishing is extremely common. With the rise of remote working phishing attacks have reached an all time high. Around a quarter of all incidents of cyber crime come from some form of hacking.

Which Brands Do Hackers Most Often Use?

According to a recent report, top brands such as Microsoft, DHL, LinedIn and WhatsApp are the most likely to be used in phishing attacks.

Who Are the Victims of Phishing?

Victims can be anyone from individuals to large scale organizations. Cybercriminals may also target senior executives in order to access financial details such as company credit cards.

What Are the Common Reasons for Phishing Attacks?

Most of the time, the ultimate reason for a threat actor to launch a phishing attack is to steal money and/or data (e.g., PHI, intellectual property, or other proprietary information). Theft of login credentials, account numbers, credit card information, and so on is a means to gain the elevated access they need to reach these things.

What Is Spear Phishing?

Spear phishing attacks target specific individuals whose personal details the attacker already knows to some extent, unlike untargeted phishing scams that seek out victims at random. The extra details typically included in a spear phishing effort can greatly increase the odds that the phishing attempt succeeds.

What Is Clone Phishing?

In clone phishing attacks, victims receive messages (e.g., via text, email, or social media message) that seem to be from senders they trust, such as financial institutions or business services. This is closely related to spear phishing and a common tactic of business email compromise (BEC) attacks.

What Is Whaling?

Whaling is a specific type of phishing in which attackers phish targets who have elevated privileges, such as executives or other important members of an organization, in an attempt to obtain information that will give them privileged access to the target environment.