Phishing 101: How Phishing Attacks and Scam Emails Work


Phishing is a form of cybercrime in which an attacker poses as a legitimate institution and uses that borrowed authority to lure information out of the target. In this article, we go through some of the most common phishing schemes and attack methods and give you advice on how to detect phishing attempts.

How Does Phishing Work?

The most common form of phishing is an attacker approaching the target, usually by email, while posing as a legitimate company, and using that pretext to pry personal or login information out of the target. The emails often rely on invoking a sense of alarm or, ironically, a loss of security. The phishing message might pretend to come from your “bank” or from a service where you keep your data, such as Google Drive. The phishers may tell you there has been a data breach and ask you to log in through their website to confirm “you are you”, or to change your password. That site is a fake, built only to capture the target’s login details for the service in question, such as the bank or their Google account.

The phishing email can also be disguised as a routine password change or a request to update your details. For example, you could receive an email that appears to come from software you use, telling you that your subscription is running out and asking you to renew it by entering your credit card details. The party asking for those details is a scammer, who will then use your credit card information.

The phishing email could also “warn” you that your password for a piece of software or an application is about to expire and ask you to create a new one. As you enter your old and new passwords, the phishers capture your old (that is, real) password, log in to the actual service with it and help themselves to your private information.

Most phishing attacks still arrive by email, but email is no longer the only medium. They also occur via instant messages, social media and even search engine ads, such as Google Ads. What all of these scams have in common is that they include a link to a website that tries to get you to give away your login credentials for a specific service, or to surrender private data such as social security details or a bank card number.

Phishing Scams to Avoid

Spear Phishing Attacks

Spear phishing is a more personalized form of phishing. In a spear-phishing attack, the hacker seeks to find out as much as they can about you – your name, company, position, phone number, anything they can find. They then use this information to pretend to be someone you know and trust, so that you carry out the requests the attacker makes.

Phishing and Whaling

Whaling is a type of phishing attack aimed specifically at people in positions of power in a company, usually a CEO, a CFO or another senior manager who has access to or knowledge of sensitive company data. The term “whaling” refers to the targets being the “big fish” in the phishing pool. Whaling attacks are usually especially well thought out, with the objective of obtaining sensitive company data for the phisher’s financial gain. They have typically been planned over a long period and are highly personalized and very elaborate.

Phishing vs Pharming

Phishing and pharming are different ways of manipulating targets on the internet. The object of phishing is to get the target to hand their information to a fake website. Pharming involves modifying DNS entries, so that when the user enters a web address they are directed to the wrong website. In other words, the DNS server responsible for translating the website address into the real IP address is tampered with, and the website’s traffic is redirected to another site. Pharming attacks exploit vulnerabilities in DNS server software, and a pharming attack can be difficult to detect. The best way to spot a possible pharming attack is to raise the alarm if a site you use regularly looks significantly different from how it did before. Pharming attacks can affect many people at once, so if you encounter one, always report it. Even major companies such as Snapchat have fallen victim to pharming attacks.

Phishing vs Spoofing

Spoofing refers to a scammer posing as someone else in order to get the target to perform a specific action. Many phishing attacks therefore use spoofing – a phisher may pose as someone from your IT department, asking you to visit a website and re-confirm the login details for your computer. That site is a fake, and the phisher obtains your login details without you noticing that anything was wrong. Many phishers thus use spoofing as a method of manipulation, but not all spoofing attacks are phishing. A spoofing attack could, for example, be a hacker posing as your coworker and asking you to download a file that is actually a trojan or a piece of ransomware meant to harm you or your company. Since the aim is not to get you to give away your private details, that is not a phishing attack but another type of cybercrime.

Phishing and Vishing

Vishing is the phone counterpart of phishing: scammers call their targets to solicit information. Vishers pose as a legitimate entity and ask for your personal information, using various methods of manipulation, or “social engineering”. Be very wary of giving away any private information over the phone, especially if the caller’s number is blocked or you don’t recognize the area code or number. If possible, ask for a number you can call back, and verify it against the organization the caller claims to represent, or call that party’s customer service and ask whether they need to contact you. If you have received an email that provides a specific number and asks you to call it, you can search for the name online or forward the email to the organization the sender claims to be from and ask whether it is legitimate.

Phishing Attacks: Warning Signs

A phishing website (or a spoofed website) usually tries to appear at least somewhat legitimate. It may be built to look like an existing legitimate website, mimicking for example your bank’s or health care center’s site, so that you give away your login credentials or other private information. You are most likely to receive a link to such a site via email or an instant message, but you could also land on the page by mistyping a URL or clicking the wrong result in your search bar. The first step is therefore to be wary of the sender of the email or instant message, and to make sure you know the sender and that the sender is who they claim to be.

Email from Unfamiliar Sender

When you receive an email, there are several details you can go over to determine whether you might be the target of a phishing attack. First, look at the sender's email details. The phishing attack could come from an address you've never seen before and which doesn't seem legitimate. Fortunately, if you have doubts, there are forums and online resources that can help you determine whether the source is reliable. Simply copy the sender's address and search for it together with a keyword such as "phishing attempt", "hacking" or "scam". If other people have flagged the address, you will likely see that the email is indeed from a cyber-criminal. This technique has its limits, however, since phishers are well aware of these forums and change their addresses often and easily. They can also use the same forums to support their own scam, by giving themselves good reviews and claiming the offer in the email was legitimate.

Sender’s Email Seems Off

The phishing attempt can also appear to come from a real, entirely reputable company while in fact not coming from that company at all. For example, you might see an email from "susan.hills@logo.dn", look up Susan Hills, confirm that she does indeed work at Logo, and assume the email is genuine, without realizing that either Susan's account has been hacked or an address has been created to resemble hers without being the correct one. The company name could be misspelled, or the address could have the wrong ending (such as logo.dn instead of logo.com).

Writing Tone Is Odd

If the email address looks familiar but the content or style seems odd, that is another big red flag. If the email is full of grammatical or spelling errors that your contact is unlikely to make, it is possible the sender is in fact a phisher. As phishing scams become more sophisticated, their language and layout may be very well thought out and look entirely credible. However, people usually have a distinct style of communication, and you are likely to notice it, consciously or subconsciously. If an email feels "fishy", it could be that you have subconsciously noticed the sender using a style and choice of words unusual for them. Trust your instincts, and if something feels off, investigate the email before responding.

Greeting Oddly Generic

Phishing scammers send thousands of emails, so you are likely to be greeted generically, for example with "Dear Customer", or to see references to "Your Company" or "Your Bank". This is especially alarming if the email appears to come from someone who should know more about you, such as a colleague or a partner you have met before.

How to Spot a Phishing Website

If you do click a link in a phishing email, do not enter your credentials anywhere if you have any doubts. Phishing scams and scammers are becoming very sophisticated, and phishing websites may bear a very close resemblance to the site they mimic, using the correct colors, typefaces and fonts so that targets are not alarmed. The email you received may even include hyperlinks to the real website to make you believe it came from an authoritative source. There are a few things you can do to find out whether you are on a phishing website.

The web address is misspelled

Make sure the company name is spelled correctly and that the address follows the company's official format. Especially with more complex brand names, phishers may deliberately use a spelling error to create a website that looks real but isn't. They may also mix letters and numbers, using "1" instead of the letter "l", or swap similar-looking letters such as "g" and "q". If in doubt, copy the name from the address bar and paste it into a search engine, which will show you the correct spelling of the company's address.

Unsecure Connection

All legitimate web pages that take your security seriously should use “https://”, signaling an encrypted connection. If the company’s other pages use “https://” but the page you were directed to from an email uses “http://”, you are likely on a phishing website.
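As an added example (not code from the Hoxhunt article), a small Python checker that applies the address-level warning signs from the sections above: a sender domain with the wrong ending (logo.dn instead of logo.com), a lookalike spelling such as "1" for "l", and a link that is not https. The expected domain, the sample addresses and the extended swap table are assumptions; https only shows the connection is encrypted, not who runs the site, so the scheme is treated as one signal among several.

```python
from urllib.parse import urlparse

# Swaps used to build lookalike names; the article names "1" for "l" and "g"/"q",
# the remaining entries are an assumed extension of that idea.
LOOKALIKES = {"1": "l", "0": "o", "q": "g", "vv": "w", "rn": "m", "3": "e", "5": "s"}

def normalize(label):
    """Map lookalike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in LOOKALIKES.items():
        label = label.replace(fake, real)
    return label

def registrable(host):
    """Naive split of 'mail.logo.com' into ('logo', 'com'): last label is the TLD."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def check_host(host, expected_host):
    """Warning signs for a domain that claims to belong to expected_host, e.g. 'logo.com'."""
    name, tld = registrable(host)
    exp_name, exp_tld = registrable(expected_host)
    if (name, tld) == (exp_name, exp_tld):
        return []                                   # genuine domain or a subdomain of it
    if name == exp_name and tld != exp_tld:
        return [f"wrong ending: .{tld} instead of .{exp_tld}"]
    if normalize(name) == exp_name:
        return [f"lookalike spelling: {name!r} imitates {exp_name!r}"]
    if exp_name in host.lower():                    # brand buried in someone else's domain
        return [f"brand name used inside unrelated domain {name}.{tld}"]
    return [f"unrelated domain {name}.{tld}"]

def check_url(url, expected_host):
    """Checks for a link in an email: scheme first, then the domain checks above."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return ["no hostname found in link"]
    findings = [] if parsed.scheme == "https" else ["not https"]
    return findings + check_host(host, expected_host)

def check_sender(address, expected_host):
    """Applies the domain checks to the part of a sender address after '@'."""
    domain = address.rsplit("@", 1)[-1].strip(">")
    return check_host(domain, expected_host)

if __name__ == "__main__":
    # Constructed samples built on the article's example domain, logo.com
    print(check_sender("susan.hills@logo.dn", "logo.com"))
    print(check_url("http://1ogo.com/reset-password", "logo.com"))
    print(check_url("https://logo.com.account-verify.net/login", "logo.com"))
```

An empty result only means none of these address-level signs were found; the tone, greeting and visual checks from the rest of the article still apply.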

Unprofessional Visuals and Tone

A legitimate website is unlikely to use garish visuals and an unprofessional tone, such as proclaiming “YOU ARE IN DANGER” in red capital letters. That is only meant to scare you into giving away your details without thinking. Legitimate pages are also unlikely to throw up pop-ups, sudden audio, or several new windows alongside the page you opened.

Phishing Protection Is About Continuous Training

Accidentally opening a phishing email or a phishing website is not the end of the world. Unless you give the website your login credentials or other private information, there isn’t much the scammers can do. If you accidentally download an attachment from an email or a file from a webpage, there is a chance your computer may be infected with malware, such as a virus or spyware that tracks your activity on your computer.

Your antivirus software should protect you against that kind of malware; it is the human-assisted malware that is much harder to protect against. Phishing attempts rely on people being unaware of these social engineering techniques, and they succeed when people willingly hand over their information. That is why the best protection for you and your company is training: teaching yourself, your coworkers and your employees what phishing attacks are, what they look like and what the warning signs are. Phishers count on people being uneducated and inattentive, so constant attention and training against their evolving methods is the best defense against the attacks your antivirus software cannot stop, namely those that exploit human vulnerabilities.
