Sophos report that 41% of IT professionals see phishing attacks daily and that 30% of phishing emails are opened by the people who receive them, so education and prevention against phishing are as necessary as ever.
The content on this page and accompanying articles will give you a comprehensive overview of what phishing is, different types of attack, how to spot an attempt at phishing, technical and human ways to prevent phishing, and a handy Phishing Flowchart to help you turn the tide on scammers.
What is Phishing?
Phishing is an attempt by a cyber-criminal to obtain sensitive information (login credentials, card or bank details, personal data) from a user, usually by sending an email or message that directs them to click a link and enter the information on the website the link leads to.
The emails (and websites) are typically designed and stylised to look like a genuine email from a legitimate sender.
Phishing is a type of ‘social engineering’: attempting to manipulate someone into performing actions they otherwise wouldn’t.
Is the email I just received a phishing email?
It’s Monday. You check your email, as you normally do, and there’s an email from your bank, as there sometimes is. But this one threatens that your account will be closed in 48 hours if you don’t verify your details. All you need to do is click the link in the email and your account will be fine.
This is an example of ‘phishing’, a type of online identity theft that usually uses email to trick the user into doing something.
Of course, the email isn’t actually from your bank, and your account isn’t going to be closed in 48 hours, and you haven’t won a prize in a competition you knew nothing about, and there isn’t an order waiting for you at a depot. Sorry.
Phishing is devious and deceptive, playing on some of our base emotions and manipulating us when we're vulnerable.
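The bank scenario above carries three signals that can be checked mechanically rather than on gut feeling: deadline pressure in the wording, a sender address that does not belong to the organisation the email claims to be from, and a link whose visible text names a different site than the one it actually goes to. The following Python script is an added example, not code from the original page or from Sophos; the sample messages, the domain names and the list of urgency phrases are all constructed for illustration.

```python
"""Flag the phishing signals described in the bank scenario in a raw email.
Added example; sample messages, domains and phrase list are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# "Act now or lose your account" wording (assumed, illustrative phrase list).
URGENCY = re.compile(
    r"\b(within \d+ hours?|immediately|suspended|will be closed|"
    r"verify your (?:details|account)|act now)\b", re.I)
# Something that reads as a URL or bare domain, e.g. "www.bank.example/login".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


def _host(s):
    """Lowercase host if s reads as a URL or bare domain, otherwise None."""
    s = (s or "").strip()
    if not DOMAIN_LIKE.match(s):
        return None
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a>, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def link_mismatches(links):
    """Links whose visible text names one host while the href goes to another."""
    return [(text, href) for text, href in links
            if _host(text) and _host(href) and _host(text) != _host(href)]


def header_signals(msg):
    """Reply-To pointing elsewhere, or a display name dressed up as a domain."""
    signals = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = reply.rsplit("@", 1)[-1].lower() if "@" in reply else ""
    if reply_dom and reply_dom != from_dom:
        signals.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    shown = _host(name)
    if shown and shown != from_dom and not shown.endswith("." + from_dom):
        signals.append(f"display name claims {shown} but address is @{from_dom}")
    return signals


def analyse(raw):
    """Return the signals found in one raw RFC 5322 message and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    text = str(msg.get("Subject", "")) + " " + " ".join(collector.text)
    urgency = list(dict.fromkeys(m.group(0).lower() for m in URGENCY.finditer(text)))
    mismatches, headers = link_mismatches(collector.links), header_signals(msg)
    score = len(urgency) + len(mismatches) + len(headers)
    return {"urgency": urgency, "link_mismatches": mismatches, "header_signals": headers,
            "score": score, "verdict": "suspicious" if score >= 2 else "no strong signals"}


# Constructed sample messages (not real mail); all domains are fictional.
PHISHING_SAMPLE = """\
From: "www.examplebank.example" <security@examp1e-bank-alerts.example>
Reply-To: recovery@mail-drop.example
Subject: Action required: verify your details within 48 hours
Content-Type: text/html; charset="utf-8"

<p>Your account will be closed within 48 hours unless you verify your details.</p>
<p><a href="http://examp1e-bank-alerts.example/verify">https://www.examplebank.example/login</a></p>
"""

BENIGN_SAMPLE = """\
From: "Example Bank" <alerts@examplebank.example>
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready. Sign in at <a href="https://www.examplebank.example/statements">www.examplebank.example</a>.</p>
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(analyse(sample))
```

The link check only fires when the visible text itself looks like an address; "Click here" pointing at an odd host is left to the header and wording checks, since that is how most legitimate marketing mail is written too. The score threshold is deliberately low: one signal on its own is common in honest mail, two together is what a reviewer should look at.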
Use our Knowledgebase Articles below to explore ways you can spot and stop phishing.
Email Phishing Explained
The ins and outs of phishing - answering who, what, why, how, where, and when
What is Social Engineering?
Social engineering is when someone attempts to manipulate someone else into performing actions they otherwise wouldn’t, like opening an email, clicking a link in an email or text message, or downloading an attachment.
Much of the thinking about social engineering draws on Robert Cialdini’s work on ‘influence’, which sets out six key principles. Each is described below with the way phishing uses it:
Reciprocity
A user is more likely to perform an act (e.g. provide sensitive information) if the attacker claims they will, or need to, perform a related act in return (e.g. deliver goods).
Commitment & Consistency
A user, having committed to something (e.g. clicking a link in an email) is likely to continue (e.g. enter the information requested).
Authority
A user is more likely to trust something (e.g. an email making a request) when it appears to come from a person or organisation they trust (e.g. their bank).
Social Proof
A user is more likely to perform an act (e.g. open an attachment) if it appears that others, who are generally trustworthy or knowledgeable, are doing the same.
Liking
A user is more likely to perform an act if it appears to come from a person or organisation they like (e.g. a contact on LinkedIn).
Scarcity
A user is more likely to perform an act if it appears to be exclusive or time-limited (e.g. an email needing action now to avoid consequences).