
The Essential Guide to Phishing: How It Works and How to Defend Against It

Phishing is a cybercrime technique that uses fraud and deception to manipulate victims into clicking malicious links or disclosing sensitive personal information. Learn how it works so that you can detect and block phishing scams and keep your data safe. Then, stay protected against phishing attacks and other online threats with industry-leading online security like Avast One.

Written by Ivan Belcic
Updated on October 06, 2023

What exactly is phishing?

Phishing is when an attacker uses social engineering tricks to deceive victims into revealing private data or clicking a malicious link.


    There are three components to a phishing attack:

    1. The attack is conducted via electronic communications, like an email or phone call.

    2. The attacker disguises themselves as an individual or organization you trust.

    3. The goal is to obtain sensitive personal information, like login credentials or credit card numbers.

    Phishing is one of the internet’s oldest and most well-known scams. The term phishing is derived from cybercriminals going fishing with an attractive bait in order to hook victims from the vast ocean of internet users. The ph in “phishing” comes from the mid-1900s hobby of “phone phreaking,” in which enthusiast “phreaks” would experiment with telecommunications networks to figure out how they worked. Phreaking + fishing = phishing.

    Spam vs. phishing

    The key difference between spam and phishing is that spammers aren’t always out to hurt you. Spam is often just junk mail: a bunch of unwanted ads. Phishing, by contrast, is nefarious because phishers want to steal your data and use it against you. Of course, phishing attacks can also be carried out using spam messages, so you still want to avoid spam.

    Phishing isn’t the only threat capable of data theft either. You have to watch out for spyware too. Learn how to remove spyware from Android devices, iPhones, or PCs.

    How does phishing work?

    Phishing works by sending a targeted pitch aimed at persuading victims to click a link, download an attachment, send requested information, or even complete an actual payment. Whether conducted over email, social media, SMS, or another vector, all phishing attacks follow the same basic principles.

    Phishing attacks can take place on any electronic device.

    As for what phishing can do, that’s defined by the imagination and skill of the phisher. The ubiquity of social media means that phishers have access to more personal info on their targets than ever before. Armed with all this data, phishers can tailor their attacks to the specific needs, wants, and life circumstances of their targets, resulting in a much more attractive proposition. Social media, in these cases, fuels more effective use of social engineering to carry out phishing attacks.

    Now that we’ve explained how phishing scams work, let’s explore their impact on you and your data.

    What are the effects of phishing?

    Most phishing attacks can lead to identity theft or financial loss, and phishing is also an effective technique for corporate espionage or data theft. Some hackers will go so far as to create fake social media profiles and invest time into building a rapport with potential victims, only springing the trap after establishing trust.

    What’s the cost of phishing? Not just financial damages, but in these cases, a loss of trust. It hurts to get scammed by someone you thought you could count on, and recovery can take a long time.

    Email phishing 101

    Many phishing attacks are conducted via email. Phishing is one of the most prevalent types of email fraud, so you’ve probably seen some kind of phishing email in your inbox. Let’s find out what email phishing is and examine some of the most common scams.

    What is a phishing email?

    A phishing email is a fraudulent email that’s designed to deceive you into revealing sensitive information, or infect you via links to malicious websites or malware-ridden attachments. To appear legitimate, phishing emails often mimic the specific language, logos, graphics, and format of genuine email sources.

    What is the purpose of a phishing email? Like other types of phishing, phishing emails use deceptive social engineering tricks to get you to reveal sensitive data.

    What are the most common phishing emails?

    Most phishing emails can be sorted into one of several categories. Here’s a look at some of the ones you’re most likely to see:

    • Billing/Invoice problem: You’ll be told that something you recently bought online can’t be shipped due to a billing issue. If you click through, you’ll be taken to a spoofed landing page that prompts you to enter your financial info, at which point the phishers have it.

    • The government is out to get you: These emails appeal to your willingness to believe (and submit to) requests from authority figures. Usually threatening in nature, this phishing email will typically promise some sort of scary penalty unless you provide the requested personal data.

    • The government wants to give you money: Consider this the inverse of the above example. Seen around tax time, these emails offer you a tax refund if you’ll just quickly confirm your financial details.

    • A plea for help: Phishers will impersonate a friend or relative, explaining that they are in some sort of dire circumstances and begging for your financial assistance. These schemes are often perpetrated against the elderly via phishing phone calls.

    • The bank alert: Many banks will alert customers if they detect any suspicious activity or if their account is about to be overdrawn. Phishers take advantage of these helpful services to try and convince targets to “confirm” their bank account information.

    • You’re the big winner: Phishing emails often promise that you are the very special winner of an incredible prize. All you need to do to claim your prize is enter your details.

    • Urgent business: Phishers love to use urgency to rush you through bad decisions. Whether they’re offering a temporary deal that’s too good to be true, or threatening to close your account unless you act now, their aim is to scare you into disclosing your personal info ASAP.

    An example of a phishing email purporting to be from Amazon.

    What does a phishing email look like?

    Though they come in many shapes and sizes, you can learn how to recognize phishing emails. Look out for the following warning signs to serve as your first line of phishing defense:

    • The email isn’t addressed to you: Many types of phishing, including the standard “deceptive phishing” mode, cast a wide net. As such, the email won’t be personalized with the recipient’s name, but instead will greet you with something vague, such as “Dear Customer,” or maybe even your email username. Official correspondence from legitimate companies will address you by name.

    • An offer you can’t refuse: If an offer or deal comes your way that seems too good to be true, it probably is. Don’t let these swindlers dupe you with tempting offers. Whatever it is they’re promising, don’t fall for it.

    • Immediate action required: As mentioned above, phishers are big on urgency. Don’t cave in to FOMO, don’t believe the threats, and most importantly, don’t get rattled. No legitimate entity, whether government or corporate or otherwise, will give you just one sliver of a chance to act before closing the door.

    • Shortened links: Look out for malicious links hiding behind link-shortening services. As a rule, hover over all links before clicking. Since most mobile interfaces don’t provide this functionality, be doubly suspicious of links while checking emails on the go.

    • Misspelled links: Hackers host spoofed versions of legitimate sites with URLs that are almost the same, and they’ll encourage you to click these links in their phishing emails. Watch for typosquatting — when hackers deceive you by using a slightly incorrect version of the legitimate URL — or deliberate misspellings that make use of similar-looking letters and characters. Read links carefully before clicking!

    • Written poorly: Your bank isn’t going to send you an email that’s riddled with typos and grammatical mistakes. A phisher, on the other hand, can and often will. Careless errors like these are dead giveaways of a phishing email.

    • Attachments: There’s nothing wrong with attachments in general — if you’re expecting them, and if they’re coming from someone you trust. Outside of this context, steer clear of unknown attachments. Scammers can even hide malware in rich-content files like PDFs.

    • Personal info requested: Phishers are after your data. If you’ve received an email asking you to confirm your account info, login credentials, or other personal information, you’re likely being phished.

    • You don’t use this company or service: Phishers don’t usually have access to the user databases of the companies they impersonate, so they blast their phishing emails out to anyone they can find. If you’ve received an email from Content Streaming Service A, but you’re a diehard loyalist to Content Streaming Services B and C, that’s likely phishing.

    A phishing email that is attempting to convince victims that their Google account has been breached

    The above email is one that I actually received in my personal inbox. I imagine that if I’d fallen for this ruse and replied to the email, I would have been asked to provide my Google account login credentials. Note how it contains many of the warning signs discussed here:

    1. Informally written subject line

    2. Sent from a suspicious email address

    3. Recipient is not your actual email address

    4. Email not addressed to the recipient

    5. Grammatical and other language errors in the email content

    6. Immediate action requested

    7. Missing the typical signature content you'd expect in an official email
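    Several of these signs (2, 3, 4 and 6) can be checked mechanically from the raw message headers and body. The following is an added example, not code from the article or from Avast: it uses Python's standard email library on a constructed message whose addresses and brand-to-domain mapping are made up for the illustration.

```python
"""Score a raw email against several of the warning signs listed above.
Added example, not the article's code. The message is constructed; its
addresses are made up and use the reserved example.com/.net domains."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample shaped like the "your account was breached" lure shown above.
SAMPLE_EMAIL = b"""\
From: "Google Security Team" <security-alert@mail-updates.example.net>
Reply-To: recovery-desk@freemail.example.net
To: undisclosed-recipients:;
Subject: urgent!!! your account was breach
Content-Type: text/plain; charset=utf-8

Dear Customer, your account are compromised. Reply within 24 hours with
your password to keep it from being close.
"""
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "dear account holder")


def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw, my_address, brand_domains):
    """Return the warning signs found in a raw RFC 5322 message (bytes).
    brand_domains maps a brand word in the display name ("google") to its real sending domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    signs = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    # Sign 2: the display name claims a brand, but the address domain does not match.
    for brand, real_domain in brand_domains.items():
        if brand in display_name.lower() and from_domain != real_domain \
                and not from_domain.endswith("." + real_domain):
            signs.append(f"display name mentions {brand!r} but sender domain is {from_domain!r}")
    # A Reply-To on another domain silently routes your answer somewhere else.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        signs.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    # Sign 3: your own address is not among the visible recipients.
    recipients = set()
    for field in ("To", "Cc"):
        if msg[field] is not None:
            recipients.update(a.addr_spec.lower() for a in msg[field].addresses)
    if my_address.lower() not in recipients:
        signs.append("your address is not among the visible recipients")
    # Sign 4: generic greeting instead of your name.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if body.lstrip().lower().startswith(GENERIC_GREETINGS):
        signs.append("generic greeting; the email is not addressed to you")
    # Sign 6: urgency language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        signs.append("subject demands immediate action")
    return signs


if __name__ == "__main__":
    print(check_message(SAMPLE_EMAIL, "me@example.com", {"google": "google.com"}))
```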

    What the experts say

    “We recommend anyone receiving these emails to delete them. If you have doubts about whether a message is real or fake, do not click on any links or attachments. Instead, reach out to the company from which the message appears to be, directly, by visiting their website and using the contact information listed on the site.”

    Pavel Novák, Junior Threat Operations Analyst

    Avast Threat Labs

    What are the different types of phishing scams?

    Let’s dig a bit deeper to find out what exactly phishing is all about. Where might a phishing attack come from, and what could it look like? Time to get some answers.

    Phishing vectors: more than email

    You can be phished on any communications platform, meaning that email, websites, phone calls, and text messages are all viable and active phishing vectors.

    • Email phishing: The most common method, email phishing uses email to deliver the phishing bait. These emails will often contain links leading to malicious websites, or attachments containing malware.

    • Website phishing: Phishing websites, also known as spoofed sites, are fake copies of real websites that you know and trust. Hackers make these spoofed sites to fool you into entering your login credentials, which they can then use to log into your actual accounts. Pop-ups are also a common source of website phishing.

    • Vishing: Short for “voice phishing,” vishing is the audio version of internet phishing. The attacker will attempt to convince targeted individuals over the phone to disclose personal information that can later be used for identity theft. Many robocalls are vishing attempts. Along with vishing, learn how to stop phone spoofing.

    • Smishing: Smishing is phishing via SMS. You’ll receive a text message asking you to click a link or download an app. But when you do, you’ll be tricked into downloading malware onto your phone, which can hijack your personal info and send it to the attacker.

    • Social media phishing: Some attackers can hack social media accounts and force people to send malicious links to their friends, followers, or other social groups. Other attackers create fake profiles and phish using these personas — often as part of a romance scam.

    If you end up with malware on your device, learn how to remove a virus from iPhone, Mac, and PC.

    An example of a smishing attack.

    Common phishing strategies

    Through the primary phishing vectors listed above, hackers can carry out a wide array of attacks. Here are some common phishing strategies used to get to your data or hijack your devices:

    • Deceptive phishing: Yes, phishing is all about tricking you — but there are several ways to do so. “Deceptive phishing” may seem redundant, but the term specifically refers to when hackers masquerade as legitimate companies or individuals in order to gain your trust.

    • Spear phishing: Unlike large-scale phishing campaigns, which are like industrial fishing boats trawling the ocean with massive nets, spear phishing happens when an attacker personalizes their attack to target a specific individual. Professional social networks like LinkedIn have popularized spear phishing for corporate cybercrime, as hackers can easily find all your employment info in one place.

    • Whaling: Whaling is a phishing attack that targets high-value individuals. Even C-suite execs are at risk of whaling attacks.

    • CEO fraud: Phishers will impersonate a company’s CEO or other high-ranking executive to extract either payment or insider info from employees. CEO fraud campaigns are frequent follow-ups to whaling attacks, especially if the attacker has already obtained the CEO’s login credentials.

    • Pharming: Pharming attacks — phishing and farming — use technological tricks that replace the need to fool you with bait. For example, DNS cache poisoning is a pharming technique that can automatically redirect you from a legitimate website to an attacker’s spoofed version. If you’re not paying attention, you won’t notice the scam until it’s too late.

    • Dropbox phishing & Google Docs phishing: Popular cloud services are attractive phishing targets. Attackers will whip up spoofed versions of the login screens, harvest your credentials when you enter them, then help themselves to all your files and data.

    • Clone phishing: Attackers can take a legitimate email and then clone it, sending the exact same email to all the previous recipients with one crucial difference: the links are malicious now.

    • Link manipulation: Phishers will send links that appear as though they’re leading to one URL, but when clicked go somewhere else. Common tricks include deliberate misspellings (e.g., “only” vs “onIy”; the second uses a capital I in place of the l) or writing the name of a trusted website as the link’s display text. Misspellings built from look-alike characters are also known as homograph attacks.

    • Cross-site scripting: Sophisticated phishers can exploit weaknesses in a website’s scripts to hijack the site for their own ends. Cross-site scripting is hard to detect because everything on the website appears to be legitimate, from the URL to the security certificates.
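    The link tricks described above (shortened links, display text that names a trusted site while the link goes elsewhere, and look-alike hostnames such as the capital-I substitution or a Cyrillic letter standing in for a Latin one) can be checked mechanically. The following is an added example, not code from the article or from Avast: it parses a constructed HTML email with Python's standard library and reports each link that trips one of those signs; example.com stands in for the trusted brand and the shortener path is made up.

```python
"""Flag suspicious links in an HTML email: shortened links, display text naming one site while
the href goes to another, and hosts that are look-alikes (homographs) of a trusted domain.
Added example, not the article's code; the HTML below is constructed."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure: link 4 uses a Cyrillic "а" (U+0430) for Latin "a", link 5 a capital "I" for "l".
SAMPLE_HTML = """
<p>Please <a href="http://examp1e.com/login">https://www.example.com/signin</a> to restore access.</p>
<p>Or use <a href="https://bit.ly/3abc">this short link</a>.</p>
<p>Questions? Visit <a href="https://www.example.com/help">our help center</a>.</p>
<p><a href="http://ex\u0430mple.com/">example.com</a></p>
<p><a href="http://exampIe.com/verify">exampIe.com</a></p>
"""
TRUSTED_DOMAINS = {"example.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # well-known link shorteners
# Characters attackers swap for look-alikes (a small subset of Unicode TR39 confusables).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "\u0430": "a",
                             "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})


class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> elements
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Host of a URL or bare host string with its case preserved ('' if none)."""
    netloc = urlsplit(text if "://" in text else "//" + text).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]

def registered(host):
    return ".".join(host.split(".")[-2:])  # naive: last two labels (ignores co.uk-style suffixes)

def skeleton(host):
    """Collapse look-alike characters so homograph variants compare equal."""
    if "xn--" in host.lower():
        host = host.encode("ascii").decode("idna")  # punycode -> Unicode form
    folded = unicodedata.normalize("NFKD", host.translate(CONFUSABLES))
    return "".join(c for c in folded if not unicodedata.combining(c)).lower()

def analyze_links(html):
    """Return one (href, reasons) tuple per link that trips a warning sign."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons, host = [], host_of(href)
        reg = registered(host)
        if reg.lower() in SHORTENERS:
            reasons.append("link shortener hides the real destination")
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registered(text_host).lower() != reg.lower():
            reasons.append(f"text shows {text_host} but the link goes to {host}")
        if reg.lower() not in TRUSTED_DOMAINS and skeleton(reg) in {skeleton(d) for d in TRUSTED_DOMAINS}:
            reasons.append(f"{host} is a look-alike of a trusted domain")
        if reasons:
            findings.append((href, reasons))
    return findings
```

    The legitimate help-center link is the only one that produces no finding; hovering over a link in a mail client shows you the same href this code inspects.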

    Attackers often pose as employees of popular websites and services to confuse their victims. These kinds of phishing scams include:

    Protect against phishing with Avast

    Avast One does a lot more than protect you against viruses and other malware. Our intelligent threat detection can spot and warn you against the malicious links and infected attachments phishers love to use against you. If phishers can’t fool you, they can’t steal your data — and we’re dedicated to ensuring that doesn’t happen.

    What are some examples of phishing attacks?

    Ever since the 1990s, there have been plenty of notable phishing attack examples. Here are some historic and recent examples of phishing attacks:

    AOL (the first notable attack)

    The first recorded example of a phishing attack happened in 1994, targeting America Online (AOL) users. This scam used a hacking toolkit called AOHell, which enabled hackers to send direct messages to users in the guise of AOL representatives. These messages requested users to verify their accounts by revealing their passwords or other details.

    Facebook and Google invoice scam (one of the most costly)

    Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas was able to dupe both Facebook and Google to the tune of over $120 million using a phishing scheme that forged email accounts of the Taiwan-based company Quanta, which does business with both companies.

    Rimasauskas and his associates would send the tech giants meticulously crafted phishing emails containing fake invoices and contracts, billing them for many millions of dollars.

    Twitter VIP breach (one of the most high-profile)

    The 2020 Twitter (now known as X) breach was notable for the high-profile nature of its victims. Hackers used social engineering to get credentials from certain employees. The hackers were then able to gain control of several high-profile Twitter accounts, including those of Barack Obama, Elon Musk, and Joe Biden.

    Activision data breach (a recent example)

    In early 2023, the video game publishing company Activision announced that it suffered a data breach in late 2022, caused by a smishing attack on an Activision employee. Attackers gained access to employee data, including emails, phone numbers, and work locations. Activision claims that they quickly quashed the breach, but the information gained could still be used in future social engineering attacks.

    How do you deal with phishing emails?

    It’s simple: report and delete! Your email provider of choice should have an option that allows you to report phishing scams directly to them.

    Then, forward the emails to the FTC at spam@uce.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. Also report your phishing experience at the FTC’s complaint website.

    Lastly, contact the company being spoofed to help raise awareness that a phisher is using their brand to try and rip people off.

    The data stolen from phishing scams can lead to identity theft. If you’ve fallen victim, learn how to report identity theft to reduce the potential damages and how to prevent identity theft in the future.

    If you receive a phishing email, report it and delete it.

    Top tips to prevent phishing

    Comprehensive internet security education and anti-phishing software make for a strong two-pronged defense against phishing at the organizational level. Companies should invest in teaching their employees how to spot phishing attacks. Security teams can bolster these guidelines with effective software countermeasures to block phishing scams.

    On a personal level, here’s what you can do to help ward off phishing scams:

    • Educate yourself: The good news is that, by reading this piece, you’ve already covered this step. Stay one step ahead of phishers by continuing to educate yourself about the latest scams and schemes. Also raise awareness to employees, co-workers, and others close to you.

    • Be a skeptic: Err on the side of caution with any suspicious email. Before clicking any links or downloading any attachments, run through the phishing warning signs mentioned earlier in this article. If any of them apply to the email at hand, report and delete it.

    • Confirm before you act: Authentic companies will never contact you to request personal details via email or over the phone. If this does happen, call the company yourself, using the contact information provided on their legitimate website, to confirm anything said in an email or call. Don’t reply directly to suspicious emails. Always begin a new communication via the company’s official service channels.

    • Verify websites: Don’t submit any personal info that you wouldn’t want a hacker to have unless you are sure that a website is secure. Web tracking and data brokers can leech your data. Nearly three-quarters of phishing attacks involve a URL beginning with HTTPS, so this is no longer a safety guarantee — use the best encryption software to help protect your online data.

    • Change passwords regularly: Phishers can’t do much with your password if it’s no longer valid. Update your passwords periodically, using a password manager to create strong passwords and store them securely.

    • Use two-factor authentication: 2FA strengthens the security of your accounts by requiring a second method of verification to log into your account.

    • Check your accounts: Scrutinize your financial statements; otherwise you may miss a fraudulent charge. Banks and credit card companies are usually pretty good at detecting fraud, but you should pay close attention to your accounts and statements as well.

    • Use an ad blocker: This tip could read “don’t click pop-ups,” but if you use one of the best ad blockers, it’ll stop most pop-ups before you see them. Pop-ups are common phishing vectors, and if you do see one, never click anywhere in the ad, even if there’s a big “close” button. Always use the little X in the corner.

    • Read emails as plain text: This is a nifty trick to help you detect phishing email schemes. Convert an email to plain text, and you’ll be able to spot hidden image URLs that wouldn’t be visible in HTML mode.

    • Use security software: The best internet security software will have a good antivirus tool and a secure web browser to automatically detect phishing attacks and prevent you from engaging with them. Just using Windows Defender isn’t enough. And even iPhones are at risk, so keep safe with the best privacy and security iPhone apps.

    • Stop spam: Unsolicited emails and texts are mostly just annoying junk, but they can be used by scammers to deliver phishing emails. Learn how to change your privacy settings to stop spam emails and block spam texts.

    • Watch what you post: Limit what you reveal online and remove personal information that can potentially be used for attacks.

    Get industry-leading protection to help avoid phishing attacks

    You’ll have a lot less work to do if you let a dependable anti-phishing tool shoulder the brunt of the responsibility. Avast One detects phishing attempts and blocks them before they have a chance to reach you. Plus, it’s automatically updated any time a new attack is discovered, protecting you in real time against the internet’s ever-evolving threat landscape.

    Get ironclad online security that defends against phishing attacks, malware, and other online threats.
