Mimecast Logo
Get a Quote

    What Is Phishing?

    Phishing is one of the oldest forms of email attack, but it’s still prevalent in organizations of all sizes.
    Start Threat Scan
    WHAT IS PHISHING
    Start Threat Scan
    Key Points

    What you'll learn in this article

    Gain a clear understanding of phishing, its evolving tactics, and how to protect your organization from these persistent email threats:

    • Phishing is a deceptive cyberattack where attackers impersonate trusted entities to trick users into revealing sensitive information or downloading malware, with increasingly sophisticated variants like spear phishing, whaling, smishing, and vishing targeting both individuals and organizations.
    • The impact of phishing can be severe, leading to data breaches, financial loss, and reputational damage, with high-profile industries like finance, healthcare, and retail being frequent targets.
    • Defending against phishing requires a multi-layered approach, including advanced email security solutions like Mimecast, user awareness training, real-time threat analysis, and proactive measures such as multi-factor authentication and DMARC implementation.

    Phishing attacks explained

    Phishing is one of the oldest forms of email attack, but it’s still prevalent in organizations of all sizes. It happens when fraudsters spam users online with emails. These emails sometimes promise prizes or threaten an account suspension, for example, then ask them to click on a link or go to a site to sort things out. Instead of winning a gift or reactivating that frozen credit card, users instead get their identities stolen or their computers infected with viruses.

     

     

    How do phishing attacks work?

    Phishing scams rely on tricking users into taking action — for example, in URL phishing, hackers want users to access a fake website and divulge passwords and sensitive information. The site often asks the user to reset a password, reenter personal and credit information to validate an account, or download a “software update,” which is really malware in disguise.

    Phishing attacks are becoming more sophisticated

    Threats to enterprise security are constantly evolving and growing in complexity, and phishing threats are no exception.

    In a phishing email, attackers masquerade as a reputable entity or a known person to dupe users into sharing important information like login credentials or account information. In a spear phishing email, attackers often pose as an individual within the recipient’s company, while the sender of a whale phishing email might impersonate the CEO or CFO and instruct the recipient to transfer money to a fraudulent account.

    These kinds of phishing threats have been enormously successful. In fact, 91% of all hacking attacks today began with a phishing or spear phishing email. With each breach potentially costing millions in damage to business, productivity and reputation, organizations need sophisticated protection to guard against these ever-evolving attacks.

     

    Infographic explaining how phishing works

     

    Examples of phishing emails

    Phishing emails can take many forms, but all share one goal: to deceive the unsuspecting user into revealing account credentials, contact information, or other sensitive data. These emails often contain a malicious link or malicious attachment, disguised to look legitimate.

    Here are common examples:

    • An email pretending to be from your bank, warning of suspicious activity and prompting you to click a link to "verify your account." The link leads to a fake site designed to steal your account credentials.
    • A message that looks like it's from your company's IT team, asking you to download a "critical update" — which turns out to be a malicious attachment loaded with malware.
    • A seemingly friendly email from a colleague asking you to review an attached document, which is actually part of a phishing scam launched by cyber criminals.

    Each of these emails is crafted to look real, often using logos, names, or even previous email thread formats to make it more convincing.

    The Cybersecurity Awareness Kit

    Mimecast is equipping IT and business leaders with resources that make cybersecurity awareness simple, impactful, and even fun, giving you everything you need to empower your workforce.

    Get The Kit

    Different types of phishing techniques

    Phishing remains the most popular form of cyberattack, and it has endured despite all efforts to fight it off. Phishing remains the most popular form of cyberattack, and it has endured despite all efforts to fight it off. In recent years, phishing has evolved in new directions, such as:

    • Targeted spear phishing – A personalized phishing attempt that impersonates a trusted individual, such as a coworker or vendor. These emails often reference real projects or internal details to trick the unsuspecting user into downloading a malicious attachment.
    • Smsishing(via text message) – Short for SMS phishing, smishing attacks use text messages to lure victims into clicking fraudulent links or providing contact information. These messages often appear to come from banks, delivery services, or HR departments.
    • Vishing (using voicemail) – Scammers pose as tech support, HR, or financial reps in a phone call. They pressure targets to reveal login credentials, reset passwords, or authorize transactions — all under the guise of resolving suspicious activity.
    • Whaling – This form of phishing targets high-profile executives like CEOs or CFOs. Whaling emails typically request wire transfers or sensitive business data under urgent pretenses.
    • Angler phishing – Found on social media, this technique impersonates legitimate customer service accounts to intercept complaints and trick users into sharing account credentials or clicking malicious links.
    • Trap phishing – Attackers send bait emails containing fake job offers, invoices, or prize notifications. Once the user engages, they're led to phishing websites or prompted to download malicious attachments.
    • Pharming – This advanced technique redirects users from legitimate websites to fake ones without their knowledge. Even if the user types the correct URL, they’re taken to a fraudulent site to steal sensitive information like passwords or payment details.

    The impact of phishing attacks on businesses

    The impact of phishing on businesses is harsh. According to annual reports by the Ponemon Institute, the average total cost of a data breach to a business, inclusive of damages like lost sales due to downtime, runs about $3.86 million. And as breaches get larger, so do the costs.

    Industries most targeted by phishing emails

    Phishing affects nearly every industry. Some are more frequently targeted due to the nature of the data they handle or their reliance on digital communication.

    • Financial Services: Banks and credit unions are top targets due to the sensitive financial data they store. A single phishing message can lead to massive fraud.
    • Healthcare: Hospitals and clinics often store vast amounts of personal data, making them vulnerable to attacks involving stolen contact information and account credentials.
    • Retail and E-commerce: These businesses often fall victim to phishing scams that mimic customer support emails or shipping notifications containing malicious links.
    • Education: Universities and schools may experience phishing attempts targeting staff or students, especially during enrollment or financial aid periods.

    Defending against a phishing virus

    A phishing virus typically starts with an email that seems to be from a legitimate source like a bank, a credit card company, a social website, an online payment processor or an IT administrator. The email directs the recipient to click on a link for a website that turns out to be malicious, and where the user is asked for some personal information like a passcode, credit card number, or account information. That info is then used to gain access to the user's accounts and to commit identity theft.

    A spear-phishing virus is a more targeted phishing directed against a specific individual or role at the organization. This type of phishing virus attack uses social engineering techniques and information gathered about the individual to make the email more believable and increase the likelihood that the recipient will act on it.

    Preventing phishing virus attacks requires sophisticated solutions that combine powerful email security technology with dynamic user awareness training. That's where Mimecast can help. 

    How Mimecast technology prevents a phishing email attack

    Mimecast's AI-powered Advanced Email Security defends against every type of phishing email threat.

    Mimecast's impersonation protection capabilities a whaling attack that uses social engineering to trick employees into divulging confidential data or wiring funds to a fraudulent account.. Mimecast scans all inbound emails in real-time, searching for specific signs of fraud in the header, domain and content of the message.

    Mimecast's URL protection capabilities prevent a phishing email attack by scanning all URLs within incoming and archived emails on every click and opening websites only if they have been determined to be safe.

    Mimecast's attachment protection capabilities defend weaponized attachments by sandboxing attachments and allowing only safe documents to be sent to the user.

    Benefits of Mimecast’s human-centric security solution for phishing attacks

    With Mimecast's AI-powered Advanced Email Security, organizations can:

    • Prevent a phishing attack, spear phishing attack or whale phishing threat without the need for additional infrastructure or IT overhead.
    • Add instant protection for all devices with no disruption to end-users.
    • Activate the service quickly through Mimecast’s cloud platform.
    • Improve insight with end-to-end, real-time threat analysis and granular reporting.

    Learn more about stopping a phishing attack or CEO Fraud and about Mimecast’s solution for spam email protection and ransomware detection.

    Phishing FAQs

    A phishing email is an email that pretends to be from a trusted organization and attempts to trick the recipient into divulging sensitive information like passwords, bank account numbers or credit card details. Phishing emails may also attempt to get users to click on a link that will download malware to their computer.

    Spotting a phishing email requires a keen eye for details that don’t add up. Here are a few signs to look out for:


    • Suspicious sender email addresses : Phishing emails often come from addresses that closely mimic legitimate ones but have slight variations, such as an extra letter or different domain.
    • Generic greetings : Phishing emails often use generic greetings like "Dear Customer" instead of addressing the recipient by name.
    • Urgent or threatening language : Emails that create a sense of urgency, warning you about an account problem or security breach, are often designed to make you act quickly without thinking.
    • Poor grammar and spelling mistakes : Many phishing emails contain obvious spelling and grammatical errors that legitimate organizations wouldn’t have in their communications.
    • Suspicious links or attachments : Always hover over links before clicking to see where they actually lead, and avoid downloading unexpected attachments.

    Even with a third-party email security service in place, users must remain proactive to block phishing emails effectively. Here’s how:


    • Stay vigilant: Always be cautious when dealing with unexpected emails, especially those asking for personal or financial information. Check for red flags such as unusual language, suspicious links, or requests for urgent action.
    • Verify sender details: If an email seems suspicious, don’t rely solely on its display name. Check the full email address, and if in doubt, contact the sender through another channel to verify the message’s legitimacy.
    • Urgent or threatening language: Emails that create a sense of urgency, warning you about an account problem or security breach, are often designed to make you act quickly without thinking.
    • Avoid clicking on links or downloading attachments: Never click on links or download attachments from unfamiliar or unexpected emails, even if they seem legitimate. Hover over links to preview the URL and ensure they lead to trusted sites.
    • Mark suspicious emails as spam: If a suspicious email makes it through your filters, mark it as spam to prevent future messages from that sender. This can also help your email security service learn to better detect such emails.
    • Leverage your email security service’s advanced features: Your email security service likely scans for phishing threats in real time, analyzing incoming messages for dangerous links, malicious attachments, or spoofed domains. Ensure that features like URL protection and attachment scanning are enabled to provide comprehensive protection.
    • Enable multi-factor authentication (MFA): If you or your organization hasn't implemented MFA, it's a crucial step to protect against phishing. Even if credentials are compromised, MFA adds an additional layer of defense, preventing unauthorized access to accounts.
    • Keep software updated: Ensure your security software, browsers, and email clients are up to date. Many phishing attempts exploit vulnerabilities in outdated software, so regular updates help close those security gaps.
    • Implement DMARC (Domain-based Message Authentication, Reporting & Conformance): If your business handles email, setting up DMARC policies will help prevent email spoofing and phishing attempts by ensuring only legitimate emails are sent from your domain.

    Phishing attacks can target anyone, but there are specific groups that are more vulnerable:


    • Individuals: Everyday users are common targets, especially those who may be less familiar with recognizing phishing attempts.
    • Businesses: Companies, particularly those handling sensitive information or financial transactions, are frequently targeted by spear phishing and whale phishing attacks.
    • Executives: High-level executives, especially CEOs and CFOs, are prime targets for "whaling" attacks due to their access to large financial assets and sensitive information.
    • Employees in sensitive departments: Employees working in HR, finance, or IT are often targeted because they handle critical information like payroll, personal data, or access credentials.
    • Customers of financial institutions: Banks and payment platforms are commonly impersonated in phishing emails targeting individuals to steal their account information.

    A phishing virus is a form of malware that is installed on a user’s computer as part of a phishing attack. Phishing is a type of cybercrime where attackers pose as a trusted or legitimate business to dupe an individual into sharing information such as bank account numbers, credit card details, login credentials and other sensitive data, and/or to download a phishing virus onto the user’s computer.

    Successful phishing attacks generally play on several factors:


    • Trust: By appearing to originate from a source that the user knows and trusts, phishing attacks bypass any suspicion about incoming email.
    • Fear: Many successful phishing attacks trick users into clicking a link by making them think there’s a problem that needs to be resolved quickly or that there will be consequences from a higher authority or a superior if they don’t respond quickly.
    • Lack of time: Attackers know that most users are short on time and that they want to read and respond to an email as quickly as possible – which makes it more likely they won’t look closely at its content.
    • Volume: It’s very inexpensive to mount phishing attacks by sending large volumes of email, and attackers only need a few people to “take the bait” to make it worth their while.
    • Phishing attacks are increasingly sophisticated and more difficult to spot: Advanced attacks such as spear-phishing and whaling use social engineering techniques to convince recipients that an email is legitimate.

    Preventing phishing attacks requires a multi-layered approach to cybersecurity.


    • Implement security awareness training for users to defend against human error – one of the leading causes of security breaches – by helping users spot the signs of phishing
    • Implement DMARC authentication to block emails that use domain spoofing and brand hijacking, which are common in phishing
    • Deploy anti-phishing and anti-malware programs on endpoint devices and networks.
    • Encourage users to require multi-factor authentication when logging into accounts.

    If you believe you have received a phishing email, you can forward it to the Federal Trade Commission (FTC) at spam@uce.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. You may also report the attack to the FTC at ftc.gov/complaint, to your email provider (e.g., Outlook or Gmail) and to the actual company that the email is impersonating.

    Related Phishing Resources

    Resources_34.jpg
    Email & Collaboration Threat Protection

    Email Security: Mimecast & Microsoft

    Whitepaper
    Resources_49.jpg
    Email & Collaboration Threat Protection

    The Cost and Risk of Email Attacks: Mimecast vs. Competition

    Infographic
    Resources_05.jpg
    Email & Collaboration Threat Protection

    Unlocking ROI with Mimecast: A Forrester Total Economic Impact™

    Infographic
    Back to Top