Phishing
Introduction to Phishing
Phishing is a cyberattack technique where attackers use deceptive communication, often via email or messages, to trick individuals into divulging sensitive information like usernames, passwords, credit card numbers, or personal data. Attackers impersonate trusted entities, such as banks, government agencies, or reputable companies, to manipulate victims into taking actions that compromise their security.
What is phishing?
Phishing Example
Sarah receives an email that appears to be from her bank. The email uses the bank’s logo, colors, and professional language. It warns her that “unusual activity” has been detected on her account and that her account will be temporarily suspended unless she verifies her information immediately. The email contains a button labeled “Verify Your Account.”
Worried, Sarah clicks the button. She is taken to a website that looks exactly like her bank’s login page. Without noticing the slightly misspelled web address in the URL, she enters her username and password.
Within minutes, the attacker uses her stolen credentials to log in to her real bank account and transfer money out of it.
Spear Phishing
Spear phishing is a targeted cyberattack technique where attackers craft highly personalized and convincing messages to trick a specific individual or organization into revealing sensitive information or performing harmful actions.
Unlike generic phishing, spear phishing uses details about the victim—such as their name, role, workplace, or recent activities—to appear legitimate and trustworthy.
Attackers often impersonate colleagues, managers, partners, or familiar services to manipulate victims into sharing credentials, transferring money, opening malicious attachments, or clicking dangerous links.
What distinguishes spear phishing from regular phishing?
Defense against Phishing
Verification
Always verify the legitimacy of the sender or source of emails, especially if they request sensitive information or actions.
Education
Train individuals to recognize phishing attempts. Emphasize the importance of not sharing sensitive information via email or untrusted websites.
Email Filters
Employ email filtering and security solutions to detect and block phishing emails before they reach recipients.
URL Inspection
Hover over links in emails to reveal the actual URL before clicking. Ensure the URL matches the expected website.
Multi-Factor Authentication (MFA)
Implement MFA wherever possible to add an extra layer of security, even if login credentials are compromised.
Software Updates
Regularly update operating systems and software to patch security vulnerabilities that attackers may exploit.
Warning Signs
Later, Sarah realizes the email was fake when she contacts her bank and learns they never sent such a message.
Warning signs Sarah missed:
- The sender’s email address was slightly different from the bank’s official domain.
- The message created a sense of urgency and fear.
- The URL of the website was misspelled.
- The bank would never ask for login details through email.
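Two of the warning signs Sarah missed, a sender domain that is slightly off and a link whose real target differs from the official site, are exactly what the "Verification" and "URL Inspection" advice above asks a reader to check by hand. The following Python script is an added example and not part of the original page: it parses a constructed phishing email, pulls the true sender domain and every link target out of it, compares them with the domain the message claims to represent (here assumed to be `example-bank.com`), and flags the urgency phrases the page describes. The sample message, the lookalike domain `examp1e-bank.com` and the list of urgency phrases are all constructed for the demo.

```python
"""Inspect a suspicious email the way the page's Verification and URL
Inspection advice describes: compare the real sender domain and the real
link targets against the domain the message claims to come from."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a small distance means a 'slightly misspelled' lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Keep the last two labels (sufficient for the .com-style names in this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(domain, expected):
    """'ok' if it is the expected domain, 'lookalike' if within 2 edits, else 'unrelated'."""
    if domain == expected:
        return "ok"
    if edit_distance(domain, expected) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed list of pressure phrases; a real deployment would tune this.
URGENCY_PHRASES = ("immediately", "suspended", "urgent", "within 24 hours", "verify your account")


def inspect_message(raw_message, expected_domain):
    """Return findings for a raw RFC 5322 message with a single HTML body part."""
    msg = message_from_string(raw_message)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender_addr.rpartition("@")[2])
    body = msg.get_payload() if not msg.is_multipart() else ""

    collector = _LinkCollector()
    collector.feed(body)
    links = []
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        links.append({"href": href, "text": text, "domain": target,
                      "verdict": classify_domain(target, expected_domain)})

    plain = re.sub(r"<[^>]+>", " ", body).lower()
    urgency = [p for p in URGENCY_PHRASES if p in plain]
    sender_verdict = classify_domain(sender_domain, expected_domain)
    suspicious = sender_verdict != "ok" or any(l["verdict"] != "ok" for l in links) or bool(urgency)
    return {"sender_domain": sender_domain, "sender_verdict": sender_verdict,
            "links": links, "urgency_phrases": urgency, "suspicious": suspicious}


# Constructed sample modelled on the Sarah scenario; not a real message.
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@examp1e-bank.com>
To: sarah@example.net
Subject: Unusual activity detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual activity has been detected on your account. Your account will be
suspended unless you verify your information immediately.</p>
<p><a href="https://secure.examp1e-bank.com/login">Verify Your Account</a></p>
<p><a href="https://www.example-bank.com/help">Help Center</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = inspect_message(SAMPLE_EMAIL, "example-bank.com")
    print("sender:", report["sender_domain"], "->", report["sender_verdict"])
    for link in report["links"]:
        print("link:", link["text"], "->", link["domain"], link["verdict"])
    print("urgency phrases:", report["urgency_phrases"])
    print("suspicious:", report["suspicious"])
```

The sender check looks at the address behind the display name, not the name itself, which is why the "Example Bank Security" label carries no weight; the link check uses the `href` target rather than the button text, which is the programmatic equivalent of hovering over the link before clicking.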
Spear Phishing Example
David works in the finance department at BlueWave Tech.
One morning, he receives an email that appears to be from his company’s CEO, Emma Roberts. The email address looks legitimate at first glance: [email protected].
The message includes Emma’s real signature, job title, and the BlueWave Tech logo. The attacker had gathered this information from the company website and LinkedIn to make the email look authentic.
Because the request appears to come directly from his CEO and references realistic business activity, David feels pressure to act quickly and discreetly. He follows the instructions in the email and transfers the money to the provided account.
Only later does he discover that the CEO never sent the email—and the money is gone.
Review
To defend against phishing, it is crucial to always verify the legitimacy of the sender or source of emails, especially if they request sensitive information or actions. Training individuals to recognize phishing attempts is also essential, emphasizing the importance of not sharing sensitive information via email or untrusted websites. Furthermore, employing email filtering and security solutions can help detect and block phishing emails before they reach recipients.
Another important measure is URL inspection; users should hover over links in emails to reveal the actual URL before clicking, ensuring the URL matches the expected website. Additionally, implementing Multi-Factor Authentication (MFA) wherever possible can add an extra layer of security, even if login credentials are compromised. Regularly updating operating systems and software is also vital to patch security vulnerabilities that attackers may exploit.