Cyber Attacks Explained – Phishing

Understanding one of cyber security’s most dangerous threats

Introduction

When many people think of cyber attacks, they often imagine sophisticated hackers exploiting technical vulnerabilities in computer systems. Whilst these attacks certainly do occur, some of the most successful cyber attacks don’t target technology first – they target people.

This is where phishing comes in.

Phishing remains one of the most common and effective cyber attack techniques used today. It is responsible for countless data breaches, financial losses, ransomware infections, and account compromises across organisations of all sizes.

What makes phishing particularly dangerous is that it relies on human psychology rather than technical weaknesses. Attackers exploit trust, curiosity, fear, urgency, and authority to persuade victims to take actions they normally wouldn’t.

What is phishing?

Phishing is a type of cyber attack in which an attacker attempts to deceive a victim into revealing sensitive information, downloading malware, transferring money, or performing another action that benefits the attacker.

Typically, attackers impersonate a trusted individual, organisation, or service.

Examples include:

  • Banks
  • Government agencies
  • Technology companies
  • Delivery services
  • Employers
  • Colleagues
  • Senior executives

The goal is to convince the victim that the communication is legitimate.

Common targets include:

  • Usernames and passwords
  • Credit card details
  • Banking information
  • Personal information
  • Multi-factor authentication (MFA) codes
  • Corporate data
  • Financial transactions

Why is it called “Phishing”?

The world of IT is full of alternative words and phrases, many of which come from pop culture or are in-jokes. The use of “ph” instead of “f” is quite common and comes from the term phreaking, used in the 1970s by the subculture of people who explored and manipulated telephone networks.

The word “phreak” is generally understood as a blend of:

  • phone + freak = phreak
  • The “ph-” spelling comes from phone, while freak reflects the counterculture slang of the era for someone intensely obsessed with a subject.

As such, the term “phishing” is derived from the word “fishing”. Just as a fisherman casts a line into the water hoping to catch a fish, cybercriminals send out large volumes of spam messages hoping that some recipients will take the bait.

In many cases this is purely a volume-based attack – if an attacker sends 100,000 messages, only a very small percentage of recipients need to take the bait for the campaign to be very lucrative for the attacker.

How phishing works

Most phishing attacks follow a similar process.

Step 1: Preparation – The attacker creates a fraudulent message.

This may include:

  • Fake branding
  • Spoofed email addresses
  • Malicious links
  • Malicious attachments

Step 2: Delivery – The message is delivered through:

  • Email
  • SMS
  • Social media
  • Messaging applications
  • Voice calls
  • QR codes

Step 3: Deception – The attacker attempts to create a sense of:

  • Urgency
  • Fear
  • Opportunity
  • Curiosity
  • Authority

Examples include:

  • Your account has been suspended.
  • A payment has failed.
  • You have received a package.
  • Immediate action is required.

Step 4: Action – The victim is encouraged to:

  • Click a link
  • Open an attachment
  • Enter credentials
  • Approve a login request
  • Transfer funds
  • Share sensitive information

Step 5: Exploitation – The attacker uses the information or access obtained to achieve their objective.

This may include:

  • Identity theft
  • Financial fraud
  • Data theft
  • Ransomware deployment
  • Business compromise

Why phishing is so effective

Phishing succeeds because it exploits human behaviour.

Attackers often leverage psychological triggers such as:

  • Urgency – Victims feel pressured to act quickly.
    • E.G. – Your account will be closed within 24 hours if you do not respond to this message by clicking this link.
  • Fear – The attacker creates anxiety or concern.
    • E.G. – Suspicious activity has been detected on your account.
  • Authority – The attacker impersonates someone in a position of power.
    • E.G. – A message appearing to come from the CEO.
  • Curiosity – The victim wants to know more.
    • E.G. – Confidential salary review attached.
  • Greed or Opportunity – The victim believes they may gain something valuable.
    • E.G. – You’ve won a prize.

Common Forms of Phishing

Phishing has evolved significantly over the years, and modern attacks use a variety of techniques depending on their objectives.

Email phishing

This is the most widely recognised form of phishing.

Attackers send emails to large numbers of recipients.

Example subjects:

  • Account Security Alert
  • Payment Failed
  • Package Delivery Notice
  • Password Expiration Warning

The emails often contain:

  • Malicious links
  • Fake login pages
  • Malicious attachments

Because these campaigns target many people simultaneously, they are often less personalised.

Spear Phishing

Spear phishing is a more targeted form of phishing.

Instead of sending generic messages to thousands of people, attackers research specific individuals or organisations.

The message may include:

  • The victim’s name
  • Job title
  • Employer
  • Department
  • Recent projects

Example:

Hi Sarah,

Please review the attached project proposal before tomorrow’s meeting.

Because the message appears relevant and personalised, victims are more likely to trust it.

Whaling

Whaling is a specialised form of spear phishing that targets senior executives and high-value individuals.

Common targets include:

  • CEOs
  • CFOs
  • Directors
  • Board members
  • Senior managers

These individuals often have access to:

  • Sensitive information
  • Financial systems
  • Strategic data

A successful compromise can have severe consequences for an organisation.

Business Email Compromise (BEC)

BEC attacks are among the most financially damaging forms of phishing.

Rather than stealing credentials directly, attackers manipulate employees into transferring money or sharing sensitive information.

A typical example could be where an accounts payable employee receives an email that appears to come from the CFO with the message – “Please process this urgent payment today.”

The request may appear entirely legitimate, and so the junior staff member acts accordingly.

In reality, the funds are being transferred to a criminal-controlled account.

BEC attacks often involve extensive research and social engineering.

Smishing (SMS Phishing)

Smishing combines:

  • SMS
  • Phishing

Attackers use text messages rather than email.

Examples include:

Your parcel could not be delivered. Click here to reschedule.

Your bank account has been locked. Verify your details immediately.

Because people often trust text messages more than emails, smishing can be highly effective.

Vishing (Voice Phishing)

Vishing uses voice communication.

Attackers may call victims while pretending to be:

  • Bank representatives
  • Technical support staff
  • Government officials
  • Law enforcement officers

The attacker attempts to persuade the victim to:

  • Reveal sensitive information
  • Transfer funds
  • Install remote access software

Modern attackers increasingly use caller ID spoofing to make calls appear legitimate.

Quishing (QR Code Phishing)

Quishing is a relatively new phishing technique involving QR codes.

The attacker provides a QR code that directs victims to a malicious website.

Examples include:

  • Fake parking payment notices
  • Fraudulent invoices
  • Fake event registrations
  • Public posters containing malicious QR codes

The challenge with quishing is that users often cannot easily see the destination URL before scanning.

This removes one of the traditional methods used to identify suspicious links.

Clone Phishing

In a clone phishing attack, a legitimate email is copied and modified.

The attacker:

  1. Obtains a genuine email.
  2. Creates a near-identical version.
  3. Replaces legitimate links or attachments with malicious ones.
  4. Resends the email.

Because the message resembles a known communication, victims may trust it.

Social media Phishing

Attackers increasingly use social media platforms to contact victims.

Examples include:

  • Fake customer support accounts
  • Direct messages
  • Fraudulent job offers
  • Investment scams

These attacks often attempt to move the conversation to another platform where further manipulation occurs.

Angler Phishing

Angler phishing targets users seeking customer support online.

Attackers create fake support accounts on social media and respond to users requesting help.

Example:

A customer posts – I’m having trouble accessing my bank account.

A fake support representative responds and requests login information.

The victim believes they are speaking with the organisation’s support team and provides the relevant information.

MFA Phishing

Many organisations now use multi-factor authentication (MFA), and attackers have adapted accordingly.

Modern phishing sites can:

  • Capture usernames
  • Capture passwords
  • Capture MFA codes

Some advanced phishing frameworks even relay authentication sessions in real time.

This allows attackers to bypass certain MFA implementations.

Signs of a phishing attempt

While phishing attacks continue to evolve, several warning signs remain common.

Look for:

  • Unexpected requests
  • Urgent language
  • Poor grammar or spelling
  • Unusual sender addresses
  • Requests for credentials
  • Requests for financial transfers
  • Suspicious links
  • Unexpected attachments
  • QR codes from unknown sources

When in doubt, verify the request using an independent communication channel.
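The warning signs above can be turned into simple detection logic. The following is an added example, not code from the original article: it parses one constructed message and reports which of the listed signs (an unusual sender address, urgent language, a request for credentials, link text that does not match its destination) are present. `corp.example` is an assumed trusted domain and the sample message is constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email) that shows several warning signs.
SAMPLE = """\
From: "IT Support" <helpdesk@secure-login-portal.example>
To: sarah@corp.example
Subject: Immediate action required: your account will be suspended
Content-Type: text/html

<p>Your password expires today. Sign in here:
<a href="http://corp.example.verify-now.example/login">https://sso.corp.example</a></p>
"""
URGENCY = re.compile(r"\b(immediate(ly)?|urgent|within 24 hours|suspended|act now)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|sign in|log ?in|verify your (details|account)|mfa code)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Last two DNS labels; a public-suffix list would be needed for names like co.uk.
    return ".".join(host.lower().split(".")[-2:])

def body_text(msg):
    # Concatenate the readable body parts, skipping attachments.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw_message, trusted_domains):
    # Return the warning signs from the list above that are present in one message.
    msg = message_from_string(raw_message)
    found = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and sender_domain not in trusted_domains:
        found.append(f"unusual sender address: {sender_domain}")
    body = body_text(msg)
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        found.append("urgent language")
    if CREDENTIALS.search(body):
        found.append("request for credentials")
    for href, label in ANCHOR.findall(body):
        dest, shown = urlparse(href).hostname or "", urlparse(label.strip()).hostname or ""
        if shown and registrable(dest) != registrable(shown):
            found.append(f"suspicious link: text shows {shown} but points to {dest}")
    return found
```

Running `phishing_indicators(SAMPLE, {"corp.example"})` flags all four signs for the constructed message; a plain internal message from a trusted domain produces an empty list.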

The impact of phishing attacks

Successful phishing attacks can lead to:

  • Financial loss – Fraudulent payments and theft.
  • Data breaches – Sensitive information is exposed or stolen.
  • Ransomware infections – Phishing remains one of the leading causes of ransomware incidents.
  • Identity theft – Personal information may be used for fraud.
  • Reputational damage – Organisations may lose customer trust following an incident.

How organisations defend against phishing

Effective phishing defence requires multiple layers of protection.

  • Security awareness training – Employees learn how to recognise phishing attempts.
  • Email security solutions – Advanced filtering helps block malicious emails.
  • Multi-Factor Authentication – MFA reduces the impact of stolen passwords.
  • Domain protection – Technologies such as SPF, DKIM, and DMARC help reduce email spoofing.
  • Reporting mechanisms – Employees should be encouraged to report suspicious messages.
  • Verification procedures – Financial and sensitive requests should always be verified through separate communication channels.

How Individuals Can Protect Themselves

Practical steps include:

  • Think before you click – Do not automatically trust emails, texts, or messages.
  • Verify requests – Contact organisations directly using trusted contact details.
  • Check links carefully – Hover over links where possible before clicking.
  • Be cautious with QR codes – Treat unknown QR codes as you would suspicious links.
  • Use Multi-Factor Authentication – Enable MFA on important accounts.
  • Keep devices updated – Security updates help protect against malware delivered through phishing campaigns.

The future of phishing

Phishing continues to evolve alongside technology – AI is becoming a major tool for attackers to use in their phishing campaigns.

Attackers are increasingly using:

  • Artificial intelligence
  • Deepfake audio
  • Automated reconnaissance
  • Highly personalised targeting
  • Multi-channel attacks

As a result, phishing emails and messages are becoming more convincing and harder to identify.

While technology can help reduce risk, human awareness remains one of the most important defences.

Conclusion

Phishing is one of the most common and effective cyber attack techniques because it targets people rather than technology. By exploiting trust, urgency, fear, and authority, attackers can persuade victims to reveal sensitive information, transfer money, or compromise their own systems.

Modern phishing attacks come in many forms, including email phishing, spear phishing, whaling, business email compromise, smishing, vishing, quishing, clone phishing, and social media phishing. Although the delivery methods vary, the objective remains the same: manipulating individuals into taking actions that benefit the attacker.

Understanding how phishing works and recognising its many forms is a critical cyber security skill. Whether you’re an individual protecting personal accounts or an organisation safeguarding sensitive data, awareness and vigilance remain your strongest defence against this ever-evolving threat.