What Is Phishing? A Guide to Understanding Online Scams
Explore the complete landscape of phishing attacks, and discover the prevention strategies that can safeguard your business from these evolving threats.

Samantha DeGoey
Customer Success Manager
Published: May 30, 2025
Picture this: An employee in the finance department receives an urgent email that appears to be from the company’s CEO. The email reads:
Subject: Urgent Payment Request
Hi [Employee’s Name],
I need you to process a wire transfer of $50,000 to a new vendor immediately. This is a time-sensitive deal, and I’m currently in a meeting, so I can’t take calls. The payment details are attached. Let me know once it’s done.
Best,
[CEO’s Name]
At first glance there are no obvious signs of phishing: the employee works in the finance department, and the email looks legitimate - it uses the CEO's name and a near-identical email address (ceo@company.com vs. ceo@c0mpany.com, with a zero in place of the letter o). The employee, feeling pressured by the urgency and by a request from leadership, processes the payment - only to realize later that it was a phishing attack.
Unfortunately, advances in techniques and technology have made it easier for scammers to craft convincing impersonation emails for financial gain. The scenario above is a classic example of phishing.
What is Phishing?
Phishing is a type of social engineering attack in which attackers trick individuals into handing over personal, business, and financial information. The impact on businesses can be severe: direct financial loss, reputational damage, operational disruption, and even regulatory fines. It comes in various forms, including email phishing, spear phishing (a more targeted approach), smishing (SMS messages), vishing (voice phishing), and whaling (aimed at high-level executives).
Let's Dive into the Different Forms
Email Phishing
Email phishing has historically been the most common type of phishing and has been around since the 1990s. The attacker writes an email under false pretenses, using a sense of urgency or threat so that the user complies quickly without verifying the sender or the source of the email. The attacker's ultimate goal is to have the user either reply with personal data or click a malicious link that installs malware on the user's device or harvests sensitive personal data, with consequences for personal or business finances.
Spear Phishing
Spear phishing is similar to email phishing, but rather than sending emails to a large group, this attack targets specific individuals. Scammers thoroughly research their potential targets and use that information to kick-start the attack. Using the data they collected, the scammer pretends to be a legitimate source and manipulates the recipient into sharing sensitive details, such as login credentials and credit card information. Attackers may embed an attachment or a link to a fake website impersonating the victim's bank or an e-commerce site, where they can easily obtain the victim's information.
Smishing
Smishing is when an attacker uses SMS (short message service) texts instead of conducting the attack over email. Scammers send a deceptive text that looks legitimate (such as a fake notification from a bank, carrier service, or government agency) and directs the victim to click an illegitimate link. A recent example is the "Pay Your Toll" scam, in which scammers use fraudulent text messages to trick people into thinking they are late on an "unpaid toll." The links in these texts send victims to a page that prompts them to enter their account number, payment information, or passwords, which are then sent to the attacker.
Vishing
As generative AI becomes more sophisticated, vishing attacks are becoming more prevalent. Vishing refers to voice phishing, in which attackers impersonate trusted organizations or even family members over the phone and prompt victims into sharing personal information. For example, scammers can make their phone number appear to come from a legitimate source (such as the IRS); once the victim answers, they claim that there is a problem with the victim's tax return and that they need additional account details to help resolve the "issue."
Whaling
Whaling is a form of spear phishing that targets high-ranking individuals such as executives or CEOs. These attacks can take place through emails, texts, or even phone calls, and are designed to manipulate the recipient into authorizing large payments. Scammers will even go so far as to monitor conversations between a target and a legitimate sender. Ubiquiti Networks, a Silicon Valley computer networking company, was the target of a well-known whaling attack. In 2015, scammers pretended to be the CEO and Chief Counsel in order to convince the Chief Accounting Officer to make a series of wire transfers, which they claimed were meant to finance a quiet acquisition. This resulted in major financial losses for the company - within the span of 17 days, the company lost nearly $47 million.
How Phishing Works
Each of these tactics exploits human vulnerabilities to compromise security. They also leave a smaller digital footprint, making it harder for organizations to detect or prevent these attacks. So how does it work? Let's look at another example:
Subject: Urgent: Your Email Password Expires Today
Hi [Employee’s Name],
We’ve detected unusual login attempts on your company email. To secure your account, please reset your password immediately by clicking the link below:
[Reset Your Password]
If you don’t update your password within 24 hours, your access may be restricted.
— IT Security Team
Baiting the Victim: With traditional email phishing, scammers start by sending fake but legitimate-looking emails to targets. These emails mimic trusted companies such as parcel carriers, trusted vendors, or even another department at your company.
Creating Urgency: Attackers use language that pushes you to act quickly, so you don't have time to think critically. Words and phrases such as "immediately" and "if you don't update within 24 hours, your access may be restricted" are two perfect examples. Rather than double-checking whether the source of the email is legitimate, the recipient panics and clicks the link to resolve the issue as soon as possible.
Harvesting Credentials: Once the employee clicks on the provided link, they are led to a fake login page that looks identical (or nearly identical) to the real one. As the employee enters their credentials, the scammer steals that information in real time.
Executing the Attack: Once the scammer has their credentials, they can do a multitude of things, including but not limited to:
Putting a ransom on the company’s internal systems
Using the login information to steal money or more sensitive information, or even
Installing malware on the victim's computer to track their every move.
How to Prevent Phishing Attacks
It used to be much easier to spot phishing attacks - in the not-too-distant past, phishing emails were filled with noticeable grammatical and punctuation errors. Nowadays, generative AI tools such as ChatGPT can churn out flawless text at rapid speeds, enabling more sophisticated and personalized attacks. As these tools are used more widely, they become more effective at producing deceptive content.
While it's still important to pay attention to the content of your emails and texts, there are other ways to be proactive:
Always verify the sender: contact the sender through a separate channel to confirm they are who they claim to be. If you get an email from the CEO, ask them (or their EA) about it via Slack.
Double-check links: before clicking a suspicious link, hover over it to reveal the actual destination URL, and compare that with the address the link text shows.
Enable multi-factor authentication (MFA) on accounts: this provides an extra layer of security and reduces the risk of a breach even if a password is stolen.
Implement security software such as anti-phishing tools and spam filters: this can help detect and block suspicious emails before they reach employees.
Most importantly, phishing exploits human error, so providing the right security awareness training is crucial to ensuring employees can recognize and respond to these evolving threats.
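The two technical checks in the list above (is the sender's domain really ours, and does a link go where its text says it goes) can be automated, which is how mail gateways and anti-phishing tools flag messages like the CEO example at the top of this post. The script below is an added illustration written for this article, not Herd Security's product or any code from the original post. It assumes `company.com` as the organization's trusted mail domain and uses two constructed sample messages: the look-alike CEO request (with a zero in place of the letter o and a disguised payment link) and a legitimate internal message that should produce no findings.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's real mail domain (stand-in for the post's "company.com").
TRUSTED_DOMAIN = "company.com"

# Digit-for-letter swaps commonly used in look-alike domains (the post's example swaps o for 0).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Pressure language taken from the two sample emails in the post.
URGENCY_CUES = ("immediately", "urgent", "time-sensitive", "within 24 hours", "restricted")

# Constructed sample 1: the look-alike CEO request, as HTML with a disguised link.
PHISHING_EMAIL = """\
From: "Chief Executive Officer" <ceo@c0mpany.com>
To: finance@company.com
Subject: Urgent Payment Request
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I need you to process a wire transfer immediately. Payment details:
<a href="http://c0mpany-payments.example/login">https://portal.company.com/payments</a></p>
<p>Best,<br>CEO</p>
</body></html>
"""

# Constructed sample 2: a legitimate internal message that should produce no findings.
LEGIT_EMAIL = """\
From: "Chief Executive Officer" <ceo@company.com>
To: finance@company.com
Subject: Q2 figures
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The Q2 figures are posted at
<a href="https://portal.company.com/reports">https://portal.company.com/reports</a>.</p>
</body></html>
"""


def normalize_domain(domain):
    """Lower-case a domain and undo the common digit-for-letter substitutions."""
    return domain.lower().translate(HOMOGLYPHS)


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when `domain` is neither the trusted domain nor one of its subdomains, but after
    confusable substitution it equals the trusted domain or embeds its main label as a
    hyphen- or dot-separated word (heuristic: "c0mpany.com" and "c0mpany-payments.example")."""
    domain = domain.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return False
    normalized = normalize_domain(domain)
    main_label = trusted.split(".")[0]
    return normalized == trusted or main_label in normalized.replace("-", ".").split(".")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def analyze_message(raw, trusted=TRUSTED_DOMAIN):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender check: look at the address domain, not the display name.
    _, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rpartition("@")[2].lower()
    if is_lookalike(sender_domain, trusted):
        findings.append(f"look-alike sender domain: {sender_domain} resembles {trusted}")

    # 2. Link check: does the visible URL match where the link really goes?
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if href_host and text_host and href_host != text_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and is_lookalike(href_host, trusted):
            findings.append(f"link destination {href_host} impersonates {trusted}")

    # 3. Urgency check: pressure language in the subject and body.
    haystack = (str(msg["Subject"] or "") + " " + body).lower()
    cues = [cue for cue in URGENCY_CUES if cue in haystack]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(f"{label}: {analyze_message(sample) or ['no findings']}")
```

Run against the phishing sample, the script reports the look-alike sender domain, the link whose text shows `portal.company.com` while it points to `c0mpany-payments.example`, the impersonating destination, and the urgency cues; the legitimate sample produces no findings. The homoglyph table and the "main label embedded in the host" rule are deliberately simple heuristics and will not catch every look-alike (for example, lettter transpositions), which is why the post's advice to verify through a separate channel still applies even with tooling in place.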
Training the Herd: Our Approach to Prevention
At Herd Security, we believe effective phishing prevention starts with understanding that cybersecurity is fundamentally a human challenge. Our training approach goes beyond traditional "click-or-don't-click" simulations to focus on building genuine security instincts. We create realistic scenarios that mirror the sophisticated attacks your employees actually face, then guide them through the decision-making process in real time. Rather than punishing mistakes, we use them as learning opportunities to strengthen your team's collective security awareness. Our programs are designed to evolve with the threat landscape, ensuring your employees stay ahead of increasingly sophisticated attacks while building the confidence to trust their instincts when something feels off.
To learn more about our security training platform, contact us here to book a demo.