Phishing is a scam or cybercrime in which criminals attempt to trick an unsuspecting user into interacting with a malicious website, URL or piece of software. It is a form of social engineering: the message is crafted to appear to come from a trusted source so that the user enters valid credentials into an attacker-controlled page, or is lured into revealing their username, password and other personally identifying information.
The major source of phishing is spam email. These are well-crafted, manipulative messages designed to evade the spam filter of your email account and land in your inbox.
A phishing email may carry a malicious attachment, such as a PDF or Word document, which once opened harms the user's computer by installing malware. Another form of phishing attempt places a malicious URL in the body of the email; when clicked, it takes the user to a site that appears legitimate but is in fact used to collect confidential information such as usernames and passwords, or to install malware on the device.
This is the most common type of phishing scam: criminals impersonate a legitimate company or domain and attempt to steal personal information or login credentials. The criminal uses an email address similar to that of the authentic website or business, with just a slight variation (a swapped, added or dropped character, or a different domain suffix) that regular internet users often fail to notice. The email asks the recipient to click a link, which leads to a fake web page or installs malicious software.
Spear phishing is a targeted phishing strategy that attacks a specific person or organization. Unlike generic phishing emails, spear phishing emails contain an abundance of personalization: the sender customizes the attack email to include the target's name, company or title, or to mention the recipient's colleagues and business connections.
This type of phishing targets a business' leadership team, with the goal of spear phishing a "whale" (an executive) and collecting their login credentials. The attackers do intensive research before sending the emails, which are written in a personalized tone and mention essential details of the organization.
The first and most important line of defense against phishing is to stay vigilant and think critically about the communication you receive. Were you expecting an email from this sender about the subject in question? Look out for common phishing language such as "Verify your account": legitimate businesses will not email you to ask for your login information or sensitive personal data. Be wary of emails that try to convey a sense of urgency; warnings that your account has been compromised are a common lure. If in doubt, contact the sender through a different channel, using a phone number or address you already have rather than one given in the email.
If the email contains a link, don't click on it. Deceptive links that imitate legitimate URLs are a common tool in phishing scams. Check URLs closely for misspellings, unusual characters and other irregularities, and check where a link actually points (hover over it or copy the address) rather than trusting the text it displays.
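The URL checks described above, and the lookalike sender domains mentioned under deceptive phishing, can be mechanised. The following is an added example written for this article, not code from the original page: a small Python checker that flags the common tricks (credentials before an "@", a raw IP address, non-ASCII or punycode host names, a trusted brand used as a subdomain of an unrelated domain, the right name with the wrong suffix, and one- or two-character typosquats). The trusted-domain list is a constructed example, and the "registrable domain is the last two labels" rule is a simplifying assumption that does not handle suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit

# Constructed list of domains the reader actually does business with (assumption
# for this example; in practice it would come from a bookmark list or a policy).
TRUSTED_DOMAINS = ["paypal.com", "microsoft.com", "google.com", "example-bank.com"]


def normalise(label):
    """Undo the usual digit-for-letter and 'rn'-for-'m' substitutions so that
    'paypa1' and 'rnicrosoft' compare equal to the brand they imitate."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("01357", "olest"))


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Simplification (assumption): the registrable domain is the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(url):
    """Return a list of (tag, detail) pairs describing why the URL looks deceptive.
    An empty list means none of the checks fired."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")

    # http://paypal.com@evil.net/ : everything before '@' is user info, not the host.
    if parts.username is not None:
        reasons.append(("userinfo", "text before '@' hides the real host %s" % host))
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append(("ip-host", "raw IP address instead of a domain name"))
    if any(ord(c) > 127 for c in host):
        reasons.append(("non-ascii", "non-ASCII characters in host (possible homograph)"))
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(("punycode", "internationalised domain encoded as punycode"))
        try:
            host = host.encode("ascii").decode("idna")  # compare the rendered form
        except UnicodeError:
            pass

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return reasons  # genuine domain; earlier checks may still have fired
    labels = host.split(".")
    reg_label, _, reg_suffix = reg.partition(".")
    for trusted in TRUSTED_DOMAINS:
        brand, _, suffix = trusted.partition(".")
        if brand in labels[:-2]:  # paypal.com.secure-login.net
            reasons.append(("brand-subdomain", "'%s' is a subdomain of %s" % (brand, reg)))
        elif normalise(reg_label) == brand and reg_suffix != suffix:  # paypal.net
            reasons.append(("wrong-tld", "%s imitates %s with another suffix" % (reg, trusted)))
        elif reg_label != brand and edit_distance(normalise(reg_label), brand) <= 2:
            reasons.append(("lookalike", "%s is within two edits of %s" % (reg, trusted)))
    return reasons


def indicator_tags(url):
    """Just the tags, for quick triage or for a mail-gateway rule."""
    return [tag for tag, _ in phishing_indicators(url)]


def is_suspicious(url):
    return bool(phishing_indicators(url))


if __name__ == "__main__":
    for sample in ["https://www.paypal.com/signin", "http://paypa1.com/verify",
                   "https://paypal.com.secure-login.net/", "http://paypal.com@evil.net/"]:
        print(sample, "->", indicator_tags(sample))
```

The checks are deliberately cheap so they can run on every link in an inbox; a real deployment would pair them with a public-suffix list for the registrable-domain step and a brand list maintained by the organisation rather than the constructed one above.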
Most services today allow you to set up a second layer of security at login, known as two-factor or multi-factor authentication (MFA). MFA makes it harder for scammers to log in to your accounts if they do obtain your username and password. Note that a phishing page can relay a one-time code to the real site while the victim is still typing it, so code-based MFA limits but does not eliminate the risk; phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's origin, do not have this weakness.