Phishing is a common tactic used by online scammers and attackers to trick users into sharing their login credentials or other sensitive information. It is a form of “social engineering”, usually carried out by sending a genuine-looking, trustworthy-seeming message (email, SMS, social media and so on) that contains a link to a deceptive website. Once there, users are asked to enter their authentication credentials to log in, without suspecting that they are actually handing an attacker their password.
Once the attacker has the credentials, they can be used immediately to log in to the real service and steal data or funds, damage online assets, impersonate the victim and so on. Because this “hack” never involves a technical attack against the breached system, the attacker’s login looks like an ordinary user session; it can take a while to detect, and by the time it is, irreparable damage may already have been done to the user and/or the organization.
To increase their success rate, attackers try to imitate the appearance and user experience of the real service as closely as possible. This gets harder as users become more educated about the dangers of phishing, but attack methods keep developing in response. Online scammers have a growing range of tools for imitating email addresses and web domains, and even for intercepting or spoofing the SMS messages and phone calls that are used as a second authentication factor.
In many cases it can be very hard to distinguish a phishing message from a genuine one. Moreover, scammers design and phrase these messages to prompt immediate action by the user, typically demanding a “periodic password change” or a “security audit”. It is not unusual to see fraudulent messages threatening account lockout or deletion unless action is taken at once, hurrying the user into acting without sufficient attention. The same applies to the addresses used in many attacks: both sender email addresses and destination URLs can be made very similar to the official versions, for example by registering a look-alike domain, placing the real brand name in a sub-domain of an attacker-controlled domain, or swapping in visually confusable characters, and can fool even the keenest eye.
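The look-alike addresses described above can be caught mechanically before a user ever has to judge them. The following Python check is an added example written for this article, not code from the page or from any particular product: it flags a destination hostname that embeds a trusted domain as a sub-domain (`paypal.com.verify-login.net`), that spells a trusted domain with confusable characters (`paypa1.com`, `rnicrosoft.com`, a Cyrillic “а” in place of Latin “a”), or that sits within a small edit distance of one (`amazn.com`). The trusted-domain list, the confusable table and the sample URLs are constructed for illustration, and the “last two labels” rule for the registrable domain is a simplification that ignores public suffixes such as `co.uk`.

```python
"""Heuristic look-alike domain check (added example, not from the original article).

Flags a destination hostname that imitates a trusted domain by:
  1. embedding the trusted name as a sub-domain ("paypal.com.verify-login.net"),
  2. swapping visually similar characters ("paypa1.com", "rnicrosoft.com",
     Cyrillic "a" for Latin "a"),
  3. being within edit distance 2 of a trusted name ("amazn.com").
The trusted list, confusable table and sample URLs are constructed for this example.
"""
from urllib.parse import urlsplit
import unicodedata

# Constructed allow-list; a real deployment would load the organization's own domains.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com"}

# Visually confusable substitutions commonly seen in phishing domains (not exhaustive).
# Multi-character entries ("vv", "rn") are applied after single digits, in dict order.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
    "\u0430": "a",  # Cyrillic small a
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0435": "e",  # Cyrillic small ie
    "\u0441": "c",  # Cyrillic small es
}


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; punycode (xn--) labels are decoded so that
    the Unicode look-alike characters become visible to the checks below."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid punycode: keep as-is
    return unicodedata.normalize("NFKC", host).lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Assumption: no public-suffix list is
    consulted, so 'co.uk'-style suffixes are not handled correctly."""
    return ".".join(host.split(".")[-2:])


def fold_confusables(label: str) -> str:
    """Map confusable characters and digraphs to the Latin letters they imitate.
    This is deliberately aggressive (it also rewrites innocent 'rn'), which is
    acceptable for a screening heuristic that only adds a warning."""
    out = label
    for bad, good in CONFUSABLES.items():
        out = out.replace(bad, good)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), used for typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(url: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Reasons the URL's host resembles a trusted domain; an empty list means
    either the genuine domain (or one of its sub-domains) or no resemblance."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in trusted:
        return []  # the real thing, including genuine sub-domains such as login.paypal.com
    findings = []
    for t in trusted:
        # 1. trusted name appears as a sub-domain of some other registrable domain
        if ("." + t + ".") in ("." + host + "."):
            findings.append(f"{t} embedded as sub-domain of {reg}")
        # 2. homoglyph / digit substitution in the registrable domain
        if fold_confusables(reg) == t:
            findings.append(f"{reg} is a confusable spelling of {t}")
        # 3. otherwise, a typosquat within edit distance 2 of the trusted name
        elif 0 < levenshtein(reg, t) <= 2:
            findings.append(f"{reg} is within edit distance {levenshtein(reg, t)} of {t}")
    return findings


if __name__ == "__main__":
    # Constructed sample links of the kind that appear in phishing messages.
    for sample in ["https://www.paypal.com/signin",
                   "https://paypal.com.verify-login.net/",
                   "http://paypa1.com/login",
                   "rnicrosoft.com",
                   "https://amazn.com/",
                   "https://p\u0430ypal.com/"]:
        print(sample, "->", lookalike_findings(sample) or "no look-alike indicators")
```

In practice such a check is most useful on the mail gateway or in a browser extension, where it can annotate or quarantine a link rather than silently block it, because the edit-distance and confusable rules are heuristics and will produce occasional false positives on unrelated domains.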