{"id":28772,"date":"2022-08-23T10:05:06","date_gmt":"2022-08-23T17:05:06","guid":{"rendered":"https:\/\/tpx2025.wpenginepowered.com\/?page_id=28772"},"modified":"2026-01-29T10:16:53","modified_gmt":"2026-01-29T15:16:53","slug":"phishing-101","status":"publish","type":"page","link":"https:\/\/www.tpx.com\/learn\/phishing-101\/","title":{"rendered":"Phishing 101"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Phishing 101 - What is Phishing?<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Phishing 101 Topics<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"what\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

What is Phishing?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Phishing is a type of social engineering where cybercriminals send fraudulent email or text messages designed to trick the user into exposing sensitive personal information or data. According to Avanan\u2019s Global Phish Report, one out of every 99 emails is a phishing attack, and research further indicates that 25% of phishing emails bypass standard email security. Phishing is the most common and prevalent cyber threat, and as more and more sensitive data is stored and accessed online, cybercriminals see more opportunities in phishing. Roughly 90% of data breaches are the result of phishing according to CISCO\u2019s 2021 Cybersecurity Threat Trends report. Cybercrime and phishing attacks costs are expected \u00a0to rise to $10.5 trillion by 2025<\/a>.<\/p>

Phishing rose to prominence in the mid-1990s with the rapid popularity of the internet, and since then, phishing techniques have gotten more sophisticated and realistic. Now, cybercriminals can employ tactics that utilize deep fakes and artificial intelligence, making phishing even harder to detect. Even fake virtual meetings, fake world health organizations\u2019 announcements regarding COVID-19, and fake COVID-19 relief and stimulus packages are new tactics being introduced every day.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Types of Email Phishing<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

By better understanding the types of email phishing being used, businesses can better protect their business against these ever-evolving tactics. There are many different types of phishing, but the most common tactics are<\/a>:<\/p>

Email phishing<\/h3>

Email phishing is phishing in its most recognizable form. The cybercriminal will masquerade as an entity or person and attempt to trick a person into revealing sensitive information or data. Email phishing can also include malicious links with the goal to deploy software on the victim\u2019s infrastructure like ransomware. A common type of email phishing is business compromise email (BEC), typically attacking an employee or someone in the finance department to gain financial information. BEC rose by 14% in 2020<\/a> and alarmingly, increased by 80% in some sectors.<\/p>

Spear phishing<\/h3>

Spear phishing is another more sophisticated type of fishing where a cybercriminal has more detailed info about a specific person such as their name, job title, employer name, email address, or specific info about their job role. Spear phishing is typically more convincing and realistic.<\/p>

Smishing and vishing<\/h3>

In smishing, the attack involves criminals sending text messages, and vishing happens over the phone. A common smishing attack is a fake text message from your bank or a popular retailer like Amazon alerting you to suspicious activity. According to ProofPoint\u2019s State of the Phish, less than 35% of people claim to know what smashing is, which is the main reason it\u2019s causing millions of dollars in losses. The research further goes on to say that smishing has risen 328% in 2020 alone, and COVID-19 was a culprit in this uptick. Also, fake two-factor authentication messages are common in smishing, exposing data for platforms like Amazon, Walmart, banks, social platforms, and more.<\/p>

Mass campaigns<\/h3>

Mass phishing campaigns cast a wider net. Emails are sent to the masses from a knock-off corporate entity insisting a password needs to be updated or credit card information is outdated.<\/p>

Whaling<\/h3>

In whaling, a malicious attacker goes after a senior executive. Criminals are attempting to imitate senior staff, and they commonly look like a senior leadership officer asking an employee for a favor. These scams can be very convincing because they play on the need to immediately and effectively please your boss. Sometimes, whaling actually attacks the senior leadership themselves.<\/p>

Angler phishing<\/h3>

A relatively new phishing style, angler phishing involves social media with fake URLs, blog posts, cloned websites, or messages. Attackers are attempting to trick social media users into exposing sensitive information or downloading malicious software.<\/p>

Other types of phishing attacks include pop-up phishing, pharming, evil twin phishing, watering hole phishing, HTTPS phishing, clone phishing, deceptive phishing, man-in-the-middle attacks, and more.<\/p>

Ambulance chasing phishing<\/h3>

Attackers use a current crisis to drive urgency for victims to take action that will lead to compromising data or information. For example, targets may receive a fraudulent email encouraging them to donate to relief funds for recent natural disasters or the COVID-19 global pandemic. According to Google, it has been reported that cybercriminals have sent an estimated 18 million hoax emails about COVID-19 to Gmail users every day.<\/p>

Pretexting<\/h3>

Pretexting involves an attacker doing something via a non-email channel, for example voicemail, to set an expectation that they\u2019ll be sending something seemingly legitimate in the near future only to send an email that contains malicious links.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Recommended Reading<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tCheck out this article on The Best Defense Against Phishing Emails<\/a>.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The Rise of Email Phishing Attacks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

As you can see, phishing is incredibly prevalent as the number one attack vector for cybercriminals. Cybercriminals have developed several sophisticated, realistic ways to trick users into revealing sensitive information. The financial impact of phishing attacks has quadrupled over the last six years with enterprise organizations losing roughly $1,500 per employee<\/a>. Additionally, the rise of remote work has allowed even more data to be transmitted over email, offering criminals even more chances to trick and infiltrate emails.<\/p>

Phishing consequences are severe, too; the cost to contain malware, productivity losses, and the cost to contain credentials all cause a flurry of expenses that contribute to damages for the average business. Also, the main reason phishing is so relevant is simple \u2014 it works.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Phishing vs. Spear Phishing<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The two most popular methods of phishing are email phishing and spear phishing. These two types of attacks have a lot in common (like coercive language or a sense of urgency), they\u2019re delivered via email, hackers are after some type of sensitive information, and they rely on impersonation.<\/p>

However, a key difference between the two resides in how targeted the message is. Email phishing is often low-effort and not tailored to every victim. Hackers are casting a wide net in hopes of landing a handful of victims. On the other hand, spear phishing is highly targeted and only sent to one person or organization. This type of attack requires much more effort but is more rewarding when it\u2019s successful.<\/p>

Additionally, spear phishing can target something more sensitive than simple login information. Cybercriminals might be after trade secrets or customer data they could sell for a large sum of money. According to Symantec\u2019s Internet Security Threat Report, 65% of targeted attacks are spear phishing, and intelligence gathering was the main goal in 95% of those cases.<\/p>

To protect your organization from spear phishing, email scanning and detection help prevent and block attacks. However, as Stanford Research reported, 88% of data breaches are caused by human error, and the best tool is employee security awareness training<\/a>. Educating team members to be the first line of defense is the most effective technique, helping them expand their awareness to reduce threats. Empower employees to be a part of the solution instead of the problem.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Implement a Security Awareness Program<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tCheck out our guide on Seven Ways to Enable a Successful Security Awareness Program<\/a>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Phishing Email Examples<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The best way to protect against phishing emails is through education and familiarizing yourself and your staff about how to identify phishing email tactics. Below are a few phishing email examples:<\/p>

Email Phishing Example:<\/h3>

Typically found in high-volume spam emails to hundreds or thousands of people, email phishing generally includes malicious links or attachments.<\/p>

Sender:<\/strong> HR Department<\/p>

Subject Line:<\/strong> Sign Updated Employee Handbook<\/p>

\u201cEffective today there is a new employee handbook that requires your signature. 20% of employees have acknowledged the handbook, and we\u2019re looking to get to 100% by Friday! Please click the link below to sign.<\/em><\/p>

(malicious link)\u201d<\/em><\/p>

Often, an email like this will appear like it\u2019s from a trusted entity like the HR department, but the actual email address does not match the domain. The attacker will claim the target needs to sign a new employee handbook, and the link will be a malicious link that will lead them to a screen to input sensitive information, or it will download malicious software onto their device.<\/p>

Spear Phishing Example:<\/h3>

In these targeted attacks, cybercriminals play on the authority of trusted organizations like Microsoft Teams, Google Business Suite, Slack, Amazon, or your bank to trick you into revealing sensitive information.<\/p>

Sender:<\/strong> Google Business<\/p>

Subject Line:<\/strong> Your Boss Requested Information<\/p>

\u201cHi FIRST NAME,<\/em><\/p>

Your boss, NAME, is requesting you update your information in your organization\u2019s directory.<\/em><\/p>

Click here to update your credentials.\u201d<\/em><\/p>

In this spear phishing example, the cybercriminal has a wide depth of knowledge about the employee and the organization, which unfortunately makes it quite effective. Often playing on the authority of a boss or leadership, an employee might feel a sense of urgency and duty to quickly complete the request.<\/p>

Other common phishing tactics include hyperlinks with a malicious site when you hover over the link, fake credit card websites, malicious attachments, and more.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Learn More<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tRead this article to learn more on how to improve email security<\/a>.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Common Indicators of a Phishing Attempt<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What should employees look for when staying proactively alert about phishing scams? With ineffective security awareness training, employees can search for these common indicators of a phishing attempt.<\/p>