Phishing (pronounced as “fishing”) is a type of attack that cybercriminals carry out to get your valuable personal and financial information. Phishing is different from malware or virus attacks, which primarily use technology to get this kind of valuable information. Phishing instead tries to fool you into handing over this information yourself. Because phishing relies more on targeting people than technology, it’s sometimes referred to as a type of “social engineering” attack. Since phishing generally doesn’t try to install malware like Trojan horses or keyloggers, regular antivirus and anti-malware software may not help protect against it. But more advanced security suites do include “phishing filters” and web reputation services that can help protect you from phishing attempts. Phishing emails are often sent out to thousands or millions of people as part of a spam campaign, very often from zombie computers that are part of large botnets.
Phishing is called phishing because a hacker puts “bait” in front of you hoping that you’ll “bite” so they can “hook” you. People in security spell it with a “ph” to distinguish it from real-world fishing and because there’s a tradition of using “ph” rather than “f” when describing hacker activity. In phishing, the bait is something that is meant to convince you to give up important information. The most common way cybercriminals try to bait you is to send you an email that looks real and typically tries to scare you. For instance, you might get an email that looks like it comes from your bank saying that there’s a problem with your account and you need to go to their site and confirm your information with them. When you click on the links in the fake email, it will take you to the criminal’s site, not your bank’s site. And when you enter your information and send it to them, you’ve taken the bait and they’ve hooked you. Now, the information you entered is in the hands of the bad guys and they can sell it or use it however they want.
Phishing is a huge problem and even sophisticated users can fall victim; it can be hard to tell if an email is really from who it says it’s from. This is why security software is so important; it can identify known phishing emails for you and also recognize dangerous websites that aren’t who they say they are.
But because phishing focuses on people rather than technology, you have to be part of the solution too. In addition to running up-to-date anti-phishing and web reputation security software, you should be wary. Don’t assume that an email is from whom it says it’s from when it tells you that you have to go enter information on a website. Don’t click on links in emails; go to your bank or other site directly by typing the address yourself or using a bookmark you saved earlier. And if you’re still not sure, ask their customer service team for help. Phishing is ultimately a problem for banks, so they won’t mind helping you verify whether there’s a real problem or not.
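The warning signs described above (a link in a "bank" email that actually points at the criminal’s site, or displayed text that doesn’t match the real destination) are the same signals a phishing filter checks mechanically. The following is an added example, not code from this page or from any security product: a small Python checker that pulls the links out of an email body and flags ones whose real host isn’t under the purported sender’s domain, whose visible text names a different domain than the link goes to, or that use a raw IP address or a non-HTTP scheme. The sample email, the sender domain `examplebank.example`, and all hosts in it are constructed for the example.

```python
"""Heuristic link checks of the kind a phishing filter applies to an email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Crude 'registered domain' (last two labels); enough for example.com-style hosts."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_links(html, sender_domain):
    """Return [(href, visible_text, [reasons])] for every suspicious link in the body."""
    findings = []
    for href, text in extract_links(html):
        host = host_of(href)
        reasons = []
        if urlparse(href).scheme not in ("http", "https"):
            reasons.append("non-http scheme")
        elif registered_domain(host) != registered_domain(sender_domain):
            reasons.append("link host %s is not under %s" % (host, sender_domain))
        if re.fullmatch(r"\d+(\.\d+){3}", host):
            reasons.append("raw IP address instead of a hostname")
        # Visible text that looks like a domain but differs from the real destination:
        # the classic "www.yourbank.example" label hiding a link to somewhere else.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append("displayed %s but points to %s" % (shown.group(1), host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email body; every host and address here is made up for the example.
SAMPLE_EMAIL = """
<p>Dear customer, we detected a problem with your account.</p>
<p>Please <a href="http://examplebank-secure.example.net/login">confirm your details</a> now.</p>
<p>Or visit <a href="https://203.0.113.5/verify">www.examplebank.example</a>.</p>
<p>Help: <a href="https://help.examplebank.example/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL, "examplebank.example"):
        print("SUSPICIOUS:", href, "(shown as: %r)" % text)
        for reason in reasons:
            print("   -", reason)
```

Only the help-desk link survives the check, because it sits under the sender’s own domain and its label makes no claim about where it goes. The two-label "registered domain" heuristic is deliberately simple; a real filter would use the public suffix list and a reputation feed, which is exactly the "web reputation service" the text mentions.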