Phishing
[Figure: Typical components of phishing emails]
Phishing is a form of social engineering and a scam in which attackers deceive people into revealing sensitive information[1] or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site and to traverse any additional security boundaries together with the victim.[2] As of 2020, it is the most common type of cybercrime, with the Federal Bureau of Investigation's Internet Crime Complaint Center reporting more incidents of phishing than of any other type of cybercrime.[3]
Modern phishing campaigns increasingly target multi-factor authentication (MFA) systems, not just passwords. Attackers use spoofed login pages and real-time relay tools to capture both credentials and one-time passcodes. In some cases, phishing kits are designed to bypass 2FA by immediately forwarding stolen credentials to the attacker’s server, enabling instant access. A 2024 blog post by Microsoft Entra highlighted the rise of adversary-in-the-middle (AiTM) phishing attacks, which intercept session tokens and allow attackers to authenticate as the victim.[4]
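The token interception described above leaves a trace in sign-in logs: the session issued after a successful MFA check is replayed from a client other than the one that completed the check. The following detector, added here as an example and not taken from the article or from the Microsoft post, applies that binding rule to constructed sample events; the JSON field names and the "login_mfa_ok" / "request" event types are assumptions.

```python
"""Flag session tokens reused from a different client than the one that completed MFA."""
import json
from typing import Dict, List

# Constructed sample sign-in events (not real logs), one JSON object per line.
# "session" is the token issued when MFA succeeded; later "request" events carry it.
SAMPLE_LOG = """\
{"ts": 1000, "user": "alice", "session": "s1", "ip": "203.0.113.7", "ua": "Firefox/128", "event": "login_mfa_ok"}
{"ts": 1030, "user": "alice", "session": "s1", "ip": "203.0.113.7", "ua": "Firefox/128", "event": "request"}
{"ts": 1100, "user": "alice", "session": "s1", "ip": "198.51.100.9", "ua": "Chrome/126", "event": "request"}
{"ts": 2000, "user": "bob", "session": "s2", "ip": "192.0.2.44", "ua": "Safari/17", "event": "login_mfa_ok"}
{"ts": 2050, "user": "bob", "session": "s2", "ip": "192.0.2.44", "ua": "Safari/17", "event": "request"}
{"ts": 3000, "user": "carol", "session": "s3", "ip": "198.51.100.9", "ua": "Chrome/126", "event": "request"}
"""


def find_session_anomalies(log_text: str) -> List[Dict]:
    """Return at most one finding per session whose token is used from a client
    fingerprint (ip, user agent) other than the one recorded at MFA login, or
    that is used although no login for it appears in the log at all."""
    bound: Dict[str, Dict] = {}   # session id -> fingerprint and time recorded at login
    flagged = set()
    findings: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid, fp = ev["session"], (ev["ip"], ev["ua"])
        if ev["event"] == "login_mfa_ok":
            bound[sid] = {"fp": fp, "ts": ev["ts"]}
            continue
        if sid in flagged:
            continue
        origin = bound.get(sid)
        if origin is None:
            # Token presented that this log never saw issued: possible replay of a stolen session.
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "reason": "session used without observed login"})
            flagged.add(sid)
        elif origin["fp"] != fp:
            # Same token, different client: the pattern a relayed/intercepted session leaves behind.
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "reason": "session reused from new client",
                             "login_ip": origin["fp"][0], "request_ip": ev["ip"],
                             "login_ua": origin["fp"][1], "request_ua": ev["ua"],
                             "seconds_after_login": ev["ts"] - origin["ts"]})
            flagged.add(sid)
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(finding)
```

An IP change alone can be legitimate (mobile roaming, VPN), so in practice the IP-plus-user-agent change and the short interval after login are what make a finding worth escalating.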
The term "phishing" was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600.[5][6][7] It is a variation of fishing and refers to the use of lures to "fish" for sensitive information.[6][8][9]
Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures.[10] The importance of phishing awareness has increased in both personal and professional settings, with the share of businesses reporting phishing attacks rising from 72% in 2017 to 86% in 2020,[11] and to 94% in 2023.[12]
Phishing techniques and vectors include email spam, vishing (voice phishing), targeted phishing (spear phishing, whaling), smishing (SMS), quishing (QR code), cross-site scripting, and adversary-in-the-middle (AiTM) attacks against 2FA.
1. Jansson, K.; von Solms, R. (2011-11-09). "Phishing for phishing awareness". Behaviour & Information Technology. 32 (6): 584–593. doi:10.1080/0144929X.2011.632650. ISSN 0144-929X. S2CID 5472217.
2. Ramzan, Zulfikar (2010). "Phishing attacks and countermeasures". In Stamp, Mark; Stavroulakis, Peter (eds.). Handbook of Information and Communication Security. Springer. ISBN 978-3-642-04117-4.
3. "Internet Crime Report 2020" (PDF). FBI Internet Crime Complaint Center. U.S. Federal Bureau of Investigation. Retrieved 21 March 2021.
4. "Defeating Adversary-in-the-Middle phishing attacks". Microsoft Tech Community. Microsoft. 18 November 2024. Retrieved 14 August 2025.
5. Ollmann, Gunter. "The Phishing Guide: Understanding and Preventing Phishing Attacks". Technical Info. Archived from the original on 2012-06-29. Retrieved 2006-07-10.
6. Wright, A.; Aaron, S.; Bates, D. W. (October 2016). "The Big Phish: Cyberattacks Against U.S. Healthcare Systems". Journal of General Internal Medicine. 31 (10): 1115–8. doi:10.1007/s11606-016-3741-z. ISSN 0884-8734. PMC 5023604. PMID 27177913.
7. Stonebraker, Steve (January 2022). "AOL Underground". aolunderground.com (Podcast). Anchor.fm.
8. Mitchell, Anthony (July 12, 2005). "A Leet Primer". TechNewsWorld. Archived from the original on April 17, 2019. Retrieved 2021-03-21.
9. "Phishing". Language Log. September 22, 2004. Archived from the original on 2006-08-30. Retrieved 2021-03-21.
10. Jøsang, Audun; et al. (2007). "Security Usability Principles for Vulnerability Analysis and Risk Assessment". Proceedings of the Annual Computer Security Applications Conference 2007 (ACSAC'07). Archived from the original on 2021-03-21. Retrieved 2020-11-11.
11. Lin, Tian; Capecci, Daniel E.; Ellis, Donovan M.; Rocha, Harold A.; Dommaraju, Sandeep; Oliveira, Daniela S.; Ebner, Natalie C. (September 2019). "Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content". ACM Transactions on Computer-Human Interaction. 26 (5): 32. doi:10.1145/3336141. ISSN 1073-0516. PMC 7274040. PMID 32508486.
12. "Email Nightmare: 94% of Firms Hit by Phishing Attacks in 2023". Infosecurity Magazine. 16 January 2024. Archived from the original on 2024-11-23. Retrieved 2024-12-08.