
The Essential Guide to Phishing: How it Works and How to Defend Against it

Phishing is a cybercrime technique that uses fraud, trickery, or deception to manipulate you into disclosing sensitive personal information. Learn how it works so that you can detect and block phishing scams and keep your data safe from attackers. Stay protected against phishing attacks — and other online threats like viruses and malware — with the award-winning Avast One.

Written by Ivan Belcic
Published on February 5, 2020

What exactly is phishing?

Phishing is one of the internet’s oldest and most well-known scams. We can define phishing as any type of telecommunications fraud that uses social engineering tricks to obtain private data from victims.


    There are three components to a phishing attack:

    1. The attack is conducted via electronic communications, such as email or a phone call.

    2. The attacker pretends to be an individual or organization you can trust.

    3. The goal is to obtain sensitive personal information, such as login credentials or credit card numbers.

    This deception is where phishing gets its name: The cybercriminal goes “fishing” with an attractive “bait” in order to hook victims from the vast “ocean” of internet users. The ph in “phishing” comes from the mid-1900s hobby of “phone phreaking,” in which enthusiast “phreaks” would experiment with telecommunications networks to figure out how they worked. Phreaking + fishing = phishing.

    Spam vs. phishing

    Spam or phish — in this case, order the spam. The one key difference between spam and phishing is that spammers aren’t out to hurt you. Spam is junk mail: just a bunch of unwanted ads. Phishing attackers want to steal your data and use it against you. Later in this piece, we examine exactly how they do it and what they’re looking to achieve.

    Regardless of whether or not real-life Spam is one of your favorite foods, remember the following fun rhyme: Spam is delicious, but phish is malicious.

    How does phishing work?

    Whether conducted over email, social media, SMS, or another vector, all phishing attacks follow the same basic principles. The attacker sends a targeted pitch aimed at persuading the victim to click a link, download an attachment, send requested information, or even complete an actual payment.

    As for what phishing can do, that’s left up to the imagination and skill of the phisher. The ubiquity of social media means that phishers have access to more personal info on their targets than ever before. Armed with all this data, phishers can precisely tailor their attacks to the needs, wants, and life circumstances of their targets, resulting in a much more attractive proposition. Social media, in these cases, fuels more powerful social engineering.

    What are the effects of phishing?

    Most phishing can lead to identity or financial theft, and it’s also an effective technique for corporate espionage or data theft. Some hackers will go so far as to create fake social media profiles and invest time into building a rapport with potential victims, only springing the trap after establishing trust.

    What’s the cost of phishing? Not just financial damages, but in these cases, a loss of trust. It hurts to get scammed by someone you thought you could count on, and recovery can take a long time.

    What are the different types of phishing scams?

    Let’s dig a bit deeper and get our hands dirty: what is phishing all about? Where might a phishing attack come from, and what could it look like? Time to get some answers.

    Phishing vectors: more than email

    • Email phishing: Far and away the most common method, email phishing uses email to deliver the phishing bait. These emails will often contain links leading to malicious websites, or attachments containing malware. We'll show you later in this piece what a phishing email might look like, so you’ll know which emails to avoid.

    • Website phishing: Phishing websites, also known as spoofed sites, are fake copies of real websites that you know and trust. Hackers make these spoofed sites in order to fool you into entering your login credentials, which they can then use to log into your actual accounts. Pop-ups are also a common source of website phishing.

    • Vishing: Short for “voice phishing,” vishing is the audio version of internet phishing. The attacker will attempt to convince victims over the phone to disclose personal information that can later be used for identity theft. Many robocalls are vishing attempts.

    • Smishing: Smishing is phishing via SMS. You’ll receive a text message asking you to click a link or download an app. But when you do, you’ll be tricked into downloading malware onto your phone, which can hijack your personal info and send it to the attacker.

    • Social media phishing: Some attackers can hack social media accounts and force people to send malicious links to their friends. Others create fake profiles and phish others using these personas — often as part of a romance scam.

    Common phishing strategies

    Through the primary phishing vectors listed above, hackers can conduct a wide range of attacks ranging from technical wizardry to good, old-fashioned con jobs. Don’t let any of these happen to you:

    • Deceptive phishing: Wait a second — haven’t we been saying the whole time that all phishing is deceptive? Well, yes. Phishing is all about fooling you. But “deceptive phishing” as a term specifically refers to when hackers masquerade as legitimate companies or individuals in order to gain your trust.

    • Spear phishing: Large-scale phishing campaigns are like industrial fishing boats trawling the ocean with massive nets, trying to ensnare anyone and everyone. In contrast, spear phishing is when phishers personalize their attacks to target specific individuals. Professional social networks like LinkedIn have popularized spear phishing for corporate cybercrime, as hackers can easily find all your employment info in one place.

    • Whaling: Completing the set of nautical metaphors is whaling, which is a phishing attack that targets a certain high-value individual. It’s the same as spear phishing, but with much more ambitious targets. Even C-suite execs aren’t immune to whaling attacks.

    • CEO fraud: Phishers will impersonate a company’s CEO or other high-ranking executive to extract either payment or insider info from employees. CEO fraud campaigns are frequent follow-ups to whaling attacks, since the attacker has already obtained the CEO’s login credentials.

    • Pharming: Pharming attacks — phishing and farming — use technological tricks that replace the need to fool you with bait. For example, DNS cache poisoning is a pharming technique that can automatically redirect you away from a legitimate website and instead to the attacker’s spoofed version. If you’re not paying attention, you won’t notice the scam until it’s too late.

    • Dropbox phishing & Google Docs phishing: Popular cloud services are attractive phishing targets. Attackers will whip up spoofed versions of the login screens, harvest your credentials when you enter them, then help themselves to all your files and data.

    • Clone phishing: Attackers can take a legitimate email and then “clone” it, sending the exact same email to all the previous recipients with one crucial twist: the links are malicious now.

    • Link manipulation: Phishers will send links that appear as though they’re leading to one URL, but when clicked go somewhere else. Common tricks include deliberate misspellings (e.g. “only” vs “onIy”; the second one has a capital i) or writing the name of a trusted website as the link’s display text. These are also known as homograph attacks.

    • Cross-site scripting: Sophisticated phishers can exploit weaknesses in a website’s scripts to hijack the site for their own ends. Cross-site scripting is hard to detect because everything on the website appears to be legitimate, from the URL to the security certificates.

    Attackers often pose as employees of popular websites and services to confuse their victims. These kinds of phishing scams include:

    Protect against phishing with Avast One

    Avast One does a lot more than protect you against viruses and other malware. Our intelligent threat detection can spot and warn you against the malicious links and infected attachments phishers love to use against you. If phishers can’t fool you, they can’t steal your data — and we’re dedicated to ensuring that doesn’t happen.

    Get the comprehensive security tool awarded five stars by TechRadar and recognized with an Editors’ Choice award from PCMag.

    What are some examples of phishing attacks?

    The answer to this question could fill a multiple-volume book series, even if we just focused on the highlights. Here’s a sampler platter of phishing’s greatest hits:

    2018 World Cup phishing phrenzy

    During the leadup to the 2018 FIFA World Cup in Moscow, the international football/soccer scene was awash in phishing scams. Victims were tempted with free tickets, last-minute hotel deals, and team merchandise.

    By hacking into the databases of partner hotels associated with Booking.com, one group of attackers was able to smish the site’s users via WhatsApp and SMS. The phishing surrounding the event grew so intense, the FTC was forced to issue an official advisory.

    Operation Phish Phry

    Beginning in 2007, Operation Phish Phry grew over two years to become the FBI’s largest-ever international cybercrime investigation at the time. The operation aimed to disrupt a phishing ring that tricked victims into providing their account numbers, passwords, and PINs using emails and spoofed websites.

    By the end of the investigation, the cybercriminals had managed to transfer approximately $1.5 million from victims to accounts held in the US — but the FBI and Egyptian authorities were able to charge over 100 suspects across the US and Egypt.

    2013 Target data breach (brought to you by phishing)

    Target faced global backlash after a 2013 data breach that compromised 110 million of their customers. While the retail giant has yet to release the full details of the attack, it’s since been concluded that things began with a phishing email sent to one of Target’s third-party vendors.

    Beginning two days before Black Friday, the hackers tapped into Target’s point-of-sale card readers to glean a whopping 11 GB of customer credit and debit card info. As a result, Target paid out a record-smashing settlement of $18.5 million.

    Email phishing 101

    The vast majority of phishing attacks are conducted via email. Want to find out how phishing emails work? Let’s get to it.

    What are the most common phishing emails?

    Most phishing emails can be sorted into one of several categories. Here’s a look at some of the ones you’re most likely to see:

    • Billing/Invoice problem: You’ll be told that something you recently bought online can’t be shipped due to a billing issue. If you click through, you’ll be taken to a spoofed landing page that prompts you to enter your financial info, at which point the phishers have it.

    • The government is out to get you: These emails appeal to your willingness to believe (and submit to) requests from authority figures. Usually threatening in nature, this phishing email will typically promise some sort of scary penalty unless you provide the requested personal data.

    • The government wants to give you money: Consider this the inverse of the above example. Seen around tax time, these emails offer you a tax refund, if you’ll just quickly confirm your financial details.

    • A plea for help: Phishers will impersonate a friend or relative, explaining that they are in some sort of dire circumstances and begging for your financial assistance. These scams are often, and sadly, perpetrated against the elderly via vishing calls.

    • The bank alert: Many banks will alert customers if they detect any suspicious activity, or if the account is about to be overdrawn. Phishers take advantage of these helpful services to try and convince marks to “confirm” their bank account information.

    • You’re the big winner: As luck would have it, you are the very special winner of an incredible prize. All you need to do is enter your details. See the World Cup scam above for further reference.

    • Urgent business: Phishers love to use urgency to rush you through bad decisions. Whether they’re offering a temporary deal that’s too good to be true, or threatening to close your account unless you act now, their aim is to scare you into disclosing your personal info ASAP.

    What does a phishing email look like?

    Though they come in many shapes and sizes, it is possible to learn how to recognize phishing emails. Next, we provide an overview of their most commonly shared traits. Dependable cybersecurity solutions will carry most of the load when it comes to protecting against phishing, but by looking out for the following warning signs, you can serve as your own first line of phishing defense.

    • The email isn’t addressed to you: Many types of phishing, including the standard “deceptive phishing” mode, cast a wide net. As such, the email won’t be personalized with the recipient’s name, but instead will greet you with something vague, such as “Dear Customer,” or maybe even your email username. Official correspondence from legitimate companies will address you by name.

    • An offer you can’t refuse: You can, and you should. If an offer or deal comes your way that seems too good to be true, that’s probably because it is. Don’t let these swindlers get under your skin with tempting offers. Whatever it is that they’re promising, you will get by absolutely fine without it — because either way, you’d have to. Phishing offers aren’t real, ever.

    • Immediate action required: As mentioned above, phishers are big on urgency. Don’t fall for the FOMO, don’t believe the threats, and most importantly, don’t get rattled. No legitimate entity, whether government or corporate or otherwise, will give you just one sliver of a chance to act before closing the door.

    • Shortened links: Look out for malicious links hiding behind link-shortening services. As a rule, hover over all links before clicking through. Since most mobile interfaces don’t provide this functionality, be doubly suspicious of links while checking emails on the go.

    • Misspelled links: Hackers host spoofed versions of legitimate sites with URLs that are almost the same, and they’ll encourage you to click these links in their phishing emails. Watch for typosquatting — when hackers deceive you by using a slightly incorrect version of the legitimate URL — or deliberate misspellings that make use of similar-looking letters and characters. Read links carefully before clicking!

    • Written poorly: Your bank isn’t going to send you an email that’s riddled with typos and grammatical mistakes. A phisher, on the other hand, can and often will. Careless errors like these are dead giveaways of a phishing email.

    • Attachments: There’s nothing wrong with attachments in general — if you’re expecting them, and if they’re coming from someone you trust. Outside of this context, steer clear of unknown attachments. Scammers can even hide malware in rich-content files like PDFs.

    • Personal info requested: Phishers are after your data. If you’ve received an email asking you to confirm your account info, login credentials or other personal information, you’re likely being phished.

    • You don’t use this company or service: Phishers don’t usually have access to the user databases of the companies they impersonate, and so they blast their phishing emails out to anyone they can find. If you’ve received an email from Content Streaming Service A, but you’re a diehard loyalist to Content Streaming Services B and C, that’s phishing.
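    As an added illustration (not part of the Avast article), the following Python script checks an HTML email body for several of the warning signs listed above and for the link-manipulation tricks described earlier (look-alike hostnames built from similar-looking characters, shortened links, and display text that differs from the real destination). The sample message, the keyword lists, the shortener list and the trusted-domain list are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
SAMPLE_EMAIL = """\
<p>Dear Customer,</p>
<p>Your account will be suspended unless you act now. Please visit
<a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a>
to confirm your account information.</p>
<p><a href="http://bit.ly/3xyzabc">View invoice</a></p>
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours", "will be suspended")
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# ASCII glyphs commonly substituted for the letters they resemble in spoofed hostnames.
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}
# Matches <a href="...">text</a>; enough for the plain anchors found in mail bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize_host(host):
    """Fold look-alike glyphs so 'paypa1' compares equal to 'paypal'."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def check_link(href, shown, trusted_domains):
    """Warning signs for one link: its real destination versus what it displays."""
    found = []
    host = (urlparse(href).hostname or "").lower()
    if host in SHORTENER_HOSTS:
        found.append(f"shortened link: {host}")
    if any(ord(c) > 127 for c in host):
        found.append(f"non-ASCII characters in host: {host}")  # IDN homograph risk
    shown_host = urlparse(shown.strip()).hostname if shown.strip().startswith("http") else None
    if shown_host and shown_host.lower() != host:
        found.append(f"link text shows {shown_host} but goes to {host}")
    for trusted in trusted_domains:
        if host == trusted or host.endswith("." + trusted):
            continue  # the genuine domain or a subdomain of it
        if trusted.split(".")[0] in normalize_host(host):
            found.append(f"look-alike domain: {host} resembles {trusted}")
    return found


def analyze_email(html_body, trusted_domains):
    """Return all warning signs found in the body; an empty list means none fired."""
    warnings = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        warnings.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        warnings.append("urgency language")
    for href, shown in ANCHOR_RE.findall(html_body):
        warnings.extend(check_link(href, re.sub(r"<[^>]+>", "", shown), trusted_domains))
    return warnings


if __name__ == "__main__":
    for warning in analyze_email(SAMPLE_EMAIL, ["paypal.com"]):
        print("WARNING:", warning)
```

The heuristics are deliberately simple; a mail filter would add sender-domain checks and a much larger keyword set, but the structure is the same: inspect the real link target, not the text the sender chose to show you.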

    Example of phishing email

    The above email is one that I actually received in my personal inbox. I imagine that if I’d fallen for this ruse and replied to the email, I would have been asked to provide my Google account login credentials. Note how it contains many of the warning signs discussed here:

    1. Informally written subject

    2. Sent from a suspicious email address

    3. Recipient is not your actual email address

    4. Email not addressed to the recipient

    5. Grammatical and other language errors in the email content

    6. Immediate action requested

    7. Missing the typical signature content you'd expect in an official email

    What the experts say

    “We recommend anyone receiving these emails to delete them. If you have doubts about whether a message is real or fake, do not click on any links or attachments. Instead, reach out to the company from which the message appears to be, directly, by visiting their website and using the contact information listed on the site.”

    Pavel Novák, Junior Threat Operations Analyst

    Avast Threat Labs

    How do you deal with phishing emails?

    It’s simple: report and delete! Your email provider of choice should have an option that allows you to report phishing scams directly to them.

    Then, forward the emails to the FTC at spam@uce.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. Also report your phishing experience at the FTC’s complaint website.

    Lastly, contact the company being spoofed to let them know that a phisher is using their brand to try and rip people off.

    Top tips to prevent phishing

    Comprehensive user education and anti-phishing software make for a strong two-pronged defense against phishing at the organizational level. Companies should invest in thorough educational programs to teach their employees how to recognize phishing and why they should be wary of it. Security teams can bolster these guidelines with effective software countermeasures to block phishing scams, regardless of whether or not a target falls for the ruse.

    On a personal level, here’s what you can do to help ward off phishing scams:

    • Educate yourself: The good news is that, by reading this piece, you’ve already covered this step. Stay one step ahead of phishers by continuing to educate yourself about the latest scams.

    • Be a skeptic: Err on the side of caution with any suspicious email. Before clicking on any links or downloading any attachments, run through the phishing warning signs mentioned earlier in this article. If any of them apply to the email at hand, report and delete it.

    • Confirm before you act: Authentic companies will never contact you to request personal details via email or over the phone. If this does happen, call the company yourself, using the contact information provided on their legitimate website, to confirm anything being said in an email or call. Don’t reply directly to suspicious emails. Always begin a new communication via the company’s official service channels.

    • Verify security certificates: Don’t submit any personal info that you wouldn’t want a hacker to have unless you are sure that a website is secure. Verify that the URL begins with HTTPS, and look for a padlock icon near the URL.

    • Change passwords regularly: Phishers can’t do much with a password of yours if it’s no longer valid. Update your passwords from time to time, using a password manager to create hard-to-crack passwords and store them securely.

    • Check your accounts: Be that person who scrutinizes all their financial statements. Otherwise, you may miss a fraudulent charge. Banks and credit cards are usually pretty good about detecting fraud, but you should be paying close attention to your accounts and statements as well.

    • Use an ad blocker: This tip could read “don’t click pop-ups,” but if you use an ad blocker, it’ll stop most pop-ups before you see them. Pop-ups are common phishing vectors, and if you do see one, never click anywhere in the ad, even if there’s a big “close” button. Always use the little X in the corner.

    • Read emails as plain text: This is a nifty trick to help you detect phishing email scams. Convert an email to plain text, and you’ll be able to spot hidden image URLs that wouldn’t be visible in HTML mode.

    • Use security software: A good antivirus tool and a secure web browser will automatically detect phishing attacks and prevent you from engaging with them.

    • Stop spam: Unsolicited emails and texts are mostly just annoying junk, but they can be used by attackers to deliver phishing emails. Learn how to change your privacy settings to stop spam emails and block spam texts.

    Prevent phishing with cybersecurity software

    You’ll have a lot less work on your plate if you let a dependable anti-phishing tool shoulder the brunt of the responsibility. Avast One detects phishing attempts and blocks them before they have a chance to reach you. Plus, it’s automatically updated any time a new attack is discovered, protecting you in real time against the internet’s ever-evolving threat landscape.

    Get industry-leading antivirus that defends against phishing attacks, malware, and other online threats.
