What in God’s name is PHISHING?

Smells phishy...

Phishing.

We hear that word all the time.

It sounds like a made-up word. Something the kids use these days.

Like “No Cap”. Or “Finsta”.

Or “Clout”.

But phishing is not a trendy slang term - it’s a term that describes one of the most devastating, widespread, and successful forms of cyberattack in the history of the internet.

It means “fishing”, but the F was replaced with PH because that was the trend in the hacking community back in the ’90s, when the term was coined. They said “phile” instead of “file”, “phat” instead of “fat”, and so on.

Do you feel like a phish? Because you are a phish.

The goal of phishing is to “phish” for information or to deliver malware. You get tossed bait, and if you take it - you lose your data, or you get served a virus. It’s so successful because it’s cheap, relatively easy to pull off, and can be scaled to target hundreds of thousands of people very quickly.

Phishing usually happens via email, but it can also happen on social media, through instant messaging platforms like WhatsApp, on Teams, and basically on any conceivable communications platform. That’s what makes it cheap and scalable, because sending thousands of messages through these platforms usually doesn’t cost much and can be automated. 

Criminals send you an email. They make it as if the email is coming from DHL, Instagram, Apple, or anyone else.

They make it sound urgent: “You have a pending parcel and we’ll destroy it if you don’t do XY in 2 hours,” or “Your Instagram account violated our terms of service, download this or we’ll delete all your stuff by the end of the day”. 

This is what makes it successful and devastating. The sense of urgency makes people act impulsively, without thinking about the consequences, or considering if the email is legitimate. It puts people under psychological pressure (fight or flight, essentially), pushing them to make a quick (and rash) decision. It makes them put their guard down and exploits the fear of loss (or missing out).

Here are a few examples:

I pulled these screenshots from a Usecure blog. I highly recommend reading it, since it has great phishing examples which could save you one day.

What’s the point?

Hackers use phishing for two things: 

  • To get you to share login credentials, credit card information, or other sensitive data

  • To get you to install malware (to add your computer to a DDoS network, to move further into a corporate network, to use you as a proxy, etc.)

There are a couple of easy methods to spot, and prevent, phishing attacks:

  1. Are you expecting the email? If not, be careful.

  2. If the email claims to come from DHL, Amazon, Apple, or any other company - are you actually a customer? If not, delete the email.

  3. If you are expecting such an email, still double-check the sender address. Hackers often break into people’s email accounts and use them to send lures.

  4. If the sender address is okay, there’s one more thing to double-check - the links in the email. Phishing lures usually come with a “click here” button (or similar). If you hover your mouse over the button, it will show you where it leads. If the link looks unfamiliar, don’t click it (for example, if an email claims to come from Amazon.com but the link doesn’t lead to amazon.com/xyz).

  5. Finally - reach out to the sender via other means. A phone call usually works.

Pro tip #1: 

Hackers will sometimes use URL shorteners to hide malicious links, so you might see Bit.ly, Ow.ly, or TinyURL links. 

  1. Reputable companies will not use these services in their emails.

  2. Use a link checker to analyze the URL and make sure it’s safe. NordVPN has a great option.
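As an added illustration (not code from the newsletter), here is a small Python check that applies the cues above to a raw email: whether links lead to the sender’s own domain, whether the visible link text names a different host than the real target, whether a known URL shortener is used, and whether the message carries a deadline. The sample lure, its sender address and its short link are constructed, and the anchor regex is a toy parser rather than what a real mail client would use.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "ow.ly", "tinyurl.com"}  # shorteners the newsletter names (not exhaustive)
URGENCY = re.compile(r"\b(in|within) \d+ (hours?|minutes?)\b|\burgent|immediately", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # toy parser, not for real mail

def registrable(host):
    # Crude "brand" part of a hostname: its last two labels (assumption: ccTLDs such as co.uk not handled).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shown_host(text):
    # If the visible link text looks like a URL or a domain, return the host it appears to name.
    text = re.sub(r"<[^>]+>", "", text).strip()
    if "." not in text or " " in text:
        return None
    return urlparse("http://" + text.split("://")[-1]).hostname

def check_email(raw):
    # One warning per cue from the newsletter: urgency, shortener, sender/link mismatch, misleading text.
    msg = message_from_string(raw)
    sender = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    body = msg.get_payload(decode=True).decode(errors="replace")
    warnings = []
    if URGENCY.search(body):
        warnings.append("urgency language present")
    for href, text in ANCHOR.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            warnings.append(f"link uses URL shortener {host}")
        elif registrable(host) != sender:
            warnings.append(f"link host {host} does not match sender domain {sender}")
        shown = shown_host(text)
        if shown and registrable(shown) != registrable(host):
            warnings.append(f"link text shows {shown} but points to {host}")
    return warnings

# Constructed sample lure modelled on the parcel example above; the address and short link are made up.
LURE = """From: Parcel Service <notice@dhl.com>
Content-Type: text/html

<p>Your parcel will be destroyed in 2 hours unless you confirm.</p>
<a href="https://bit.ly/CONSTRUCTED-EXAMPLE">dhl.com/track</a>
"""
```

Running `check_email(LURE)` flags all three cues on the constructed lure; a message whose links stay on the sender’s own domain and that sets no deadline produces no warnings.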

Pro tip #2

Some security pros will tell you that you can spot phishing emails by hunting for spelling and grammar errors, inconsistent wording, logical gaps, and the like. Let me tell you - that worked five years ago, but it doesn’t work today.

ChatGPT and other generative AI tools have completely changed the game. Russian, Korean, Iranian, or Nigerian hackers with even rudimentary English can create phishing emails SO CONVINCING you’ll never spot the difference.

Pay attention to the sender address. 

Pay attention to the link they want you to click.

Pay attention to the sense of urgency in the email - a legitimate company will never demand urgent things via email.

That’s how you defend against phishing.

Until next time!

  • Sead from SmallBiz CyberWiz

P.S.

If you enjoyed this newsletter and appreciate these tips, please share this newsletter with your friends and colleagues, it would help a lot!

Image credit: Pxhere.com