Phishing: Why It Happens and How It Can Be Avoided

March 28, 2024 - 14 min read

Phishing is a fraudulent practice that lures people into giving up sensitive information. It's most commonly executed via email but can also be carried out through SMS messages, voice calls (vishing), WhatsApp, Slack, social media, and more. For the purposes of this article, we’ll focus on email phishing as the primary example.

There are many types of phishing bait, depending on the type of “fish” the attacker is trying to catch. Here are some common examples:

  • Love bait → Targets people looking for romance.
  • Bank bait → Poses as a legitimate bank to extract personal information.
  • "You’re a winner!" bait → Promises a prize in exchange for registration.
  • Pleading bait → Claims someone is in trouble and needs your help.
  • Boss bait → Appears to come from your boss or a senior executive.
  • Package bait → Claims a delivery is pending and asks you to confirm your details.
  • Virus warning bait → Pretends your machine is infected and offers a fake fix.
  • Whale bait → Targets high-level individuals like CEOs or other executives.
  • Social media bait → Tricks users into revealing login credentials.
  • Validation bait → Asks you to validate your account urgently.

What do these have in common? Each one tries either to trick you into revealing sensitive information or to get you to click a malicious link that downloads malware. Victims may unwittingly give attackers access to their machines, bank accounts, or corporate networks, or have their devices enrolled in a botnet that is used in future attacks.

Phishing can target individuals or corporate employees alike.


Phishing vs. Spear Phishing

Although phishing comes in many forms, it generally falls into two main categories:

Phishing

This type is broad and generic. The attacker sends the same bait to a large number of recipients, hoping that a few will take the bait. While the success rate is relatively low, the volume makes it effective. These attacks typically require minimal effort and rely on the fact that there are plenty of "fish in the sea."

Phishing attacks have become more sophisticated in recent years. For example:

  • After a news story breaks about a bank breach, you receive a fake email asking you to verify your bank account.
  • You see news about millions of passwords leaked on the dark web. Later, you receive an email asking you to "check" if your credentials were among them—just click a link and enter your login details.

Spear Phishing

Unlike broad phishing, spear phishing targets specific individuals or organizations. These attacks are tailored using detailed information the attacker has already gathered, such as:

  • Names of coworkers or managers
  • Details of ongoing internal projects
  • Customary business practices (e.g., seasonal donations)
  • Organizational structure and reporting relationships

Because these emails appear to come from trusted sources and contain details that only an insider would be expected to know, they are highly effective: by some industry estimates, up to 30% of recipients fall for spear phishing attacks.


Why Is Phishing So Effective?

Because it works, and it's simple. It is easier to get someone to hand over their credentials than to break into a properly secured system.

Creating and sending a phishing email takes minutes and can yield dozens of passwords or credit card numbers. Attacking a hardened system directly takes time and effort, and may still fail.

Common Tactics Used in Phishing

Attachments

Today's mail gateways block many malicious attachments, but not all attachments that get through are safe. Always verify the sender and the origin of the file. Ask yourself:

  • Was I expecting this document?
  • Does it seem unusual or suspicious?

Be especially cautious with files that have extensions such as .exe, .vbs, .bat, .docm, .xlsm, or .zip. Archives can hide an executable that the gateway never inspected, the "m" in .docm and .xlsm means the document can carry macros, and a double extension such as Invoice.pdf.exe shows up as Invoice.pdf on a Windows system that hides known extensions. Scan files with antivirus tools before opening them, and never enable macros or content in a document you were not expecting.

What to Do If You Suspect a Phishing Email

  • Look for red flags (poor grammar, unusual links, urgent language).
  • Do not click on any links or download attachments.
  • Never share your username or password.
  • Take a screenshot and report it immediately to your IT or security team.
  • If asked by your CISO or security team, forward the email as an attachment rather than inline: an attached .eml keeps the original headers (Received, Authentication-Results, Reply-To) that investigators need and that an inline forward strips.
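To make the attachment rules and the red flags above concrete, here is an added example (not code from the original article) that triages a raw email for four of them: a Reply-To domain that differs from the From domain, attachments with risky or double extensions, links whose visible text names a different domain than the real target, and urgency language in the subject or body. The sample message, the extension list, the phrase list and the "last two labels" domain approximation are all constructed assumptions for illustration.

```python
"""Triage a raw RFC 5322 email for common phishing red flags.
Added example with a constructed message; not the article's own code."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative lists (assumptions): extend them for your own environment.
RISKY_EXTENSIONS = {".exe", ".vbs", ".bat", ".docm", ".xlsm", ".zip", ".js", ".scr", ".iso", ".lnk"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
HOST_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: single-label public suffixes only (it would mis-handle co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _header_domain(header):
    """Domain of the first address in a parsed From/Reply-To header ('' if absent)."""
    addrs = getattr(header, "addresses", ())
    return addrs[0].domain if addrs else ""


def triage_email(raw):
    msg = message_from_string(raw, policy=default)
    findings = {"headers": [], "attachments": [], "links": [], "urgency": []}

    sender, reply_to = _header_domain(msg["From"]), _header_domain(msg["Reply-To"])
    if reply_to and registrable_domain(reply_to) != registrable_domain(sender):
        findings["headers"].append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = ["." + e for e in name.lower().split(".")[1:]]
        if len(exts) > 1:  # "Invoice.pdf.zip": the inner name is the lure, the outer one counts
            findings["attachments"].append(f"double extension: {name}")
        if exts and exts[-1] in RISKY_EXTENSIONS:
            findings["attachments"].append(f"risky extension {exts[-1]}: {name}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        if not HOST_LIKE.match(text):
            continue  # "Click here" names no domain, so there is nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(real):
            findings["links"].append(f"link text shows {shown} but points to {real}")

    haystack = (str(msg["Subject"] or "") + " " + html).lower()
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in haystack]
    return findings


# Constructed sample: a fake payroll notice with a lookalike link and a .pdf.zip lure.
SAMPLE_EMAIL = """\
From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll-helpdesk@mail-example-corp.net
To: alice@example-corp.com
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Log in at
<a href="http://login.example-corp.com.verify-portal.net/x">https://login.example-corp.com</a></p>
--b1
Content-Type: application/zip; name="Invoice_March.pdf.zip"
Content-Disposition: attachment; filename="Invoice_March.pdf.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for category, items in triage_email(SAMPLE_EMAIL).items():
        print(category, items)
```

Run against the constructed message, every category fires: the Reply-To points at mail-example-corp.net, the attachment is both double-extension and a .zip, the link text claims login.example-corp.com while the href lands on verify-portal.net, and the subject carries three urgency phrases. A plain text/plain note from a coworker with no links or attachments produces an empty report. The domain comparison is deliberately simple; a production filter would use a public suffix list and would also check the Authentication-Results header that an attached (not inline) forward preserves.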

Conclusion

Phishing is one of the most common and dangerous cyber threats. By some industry estimates, almost 90% of successful cyberattacks begin with a phishing attempt.

The best defense is awareness. Learn how to spot phishing emails, educate your team, and build a culture of cybersecurity.

DON’T CLICK THAT BAIT.
