What is… phishing?

Phishing is the word used when a cybercriminal sends you some sort of electronic message to trick you into doing something insecure.

The “fishing” metaphor refers to the idea of getting you on the hook and then reeling you in.

The crooks behind this sort of crime, who are known colloquially as phishers, usually use email, because it is surprisingly easy to mock up messages to look realistic.

But phishing attacks may also arrive via social media, SMS or other instant messaging platforms.

Here are some examples of the sort of treachery used by phishers:

• You receive an invoice detailing a modest purchase from a well-known online site, complete with ripped-off logos and text copied from a genuine invoice. At the bottom is a legitimate-looking link or button to [Contest this charge] or [Query this purchase]. You know you didn’t make the purchase, so your inclination is to click through and log in. But if you do, you end up on an imposter login page, and your password ends up in the hands of the crooks.
• You receive an email from someone apparently applying for a job that’s currently advertised on your company website. Attached to the email is a file that looks like a document containing a CV (résumé). Your inclination is to open it, but if you do, you inadvertently run a booby-trapped file that allows the crooks to implant malware on your computer.
• You receive a marketing email inviting you to take a realistic-looking survey in return for a chance to win a shopping voucher, or an iPhone, or a holiday. Your inclination is to fill it in, but along the way you are asked to provide personal data that you would normally keep to yourself, such as your birthday, your home address or your credit card details.

What to do?

Phishing can be hard to spot, because phishers don’t always make telltale speeling errorrs or gammatrical misteaks.

The phishers may know your real name and address, so they don’t always start with giveaways like Dear Sir/Madam, or use a vague address such as Arizona.

Here are some tips to avoid getting sucked in:

• Don’t enter passwords into login pages that show up after you click on a link in an email. Bookmark the official login pages of your favourite sites, or type the URLs into your browser from memory.
• Avoid opening attachments in emails from recipients you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
• Set up an “ask the experts” email address inside your organisation, e.g. security@example.com. That gives your users a quick way to ask for advice about unexpected emails and unsolicited attachments.
• If in doubt, don’t give it out! Your personal data simply isn’t worth the vanishingly small chance of winning an iPad from a marketing company you’ve never heard of.

Phishing gets its curious spelling from a 1970s crime known colloquially as phreaking. Hackers figured out how to make free calls using a variety of illegal tricks to “freak out” the telephone system, for example by playing special musical tones down the line. Freaking the phone system morphed into phreaking, and by analogy, fishing for user’s passwords and other personal data became known as phishing.