Phishing is a form of attack that attempts to trick you into giving up certain sensitive information - username / password, social security number, financial info. Gaining access to credentials (username and password), account for about 3/4 of all phishing attacks. The primary account targets are SaaS (hosted software programs) accounts.
Phishing is a massively common form of attack and, due to the scale of it, accounts for 80% or more of all security incidents. This is an incredible statistic and speaks to the reason phishing is a category of threat to which all people need to be educated.
Software packages, sold and distributed on the dark web, are used by malicious groups to automate and scale these attacks. Email blasts of millions of phishing messages can be sent at once. These messages will typically have a link to a bogus website that appears to be legitimate or an attachment. Statistics show that roughly 1/4 of recipients will open a phishing email and roughly 1/10 will open a phishing attachment. These are staggering statistics given the fact that phishing campaigns often send thousands or even millions of messages. And, the recent trend is towards email targeting employees at small to medium size companies.
And phishing attacks are getting more and more targeted. As more information is available about people online through social networks or other public places, this is being combined with public information about companies to launch highly customized phishing attacks, often called spear-phishing attacks.
Phishing attacks are by and large email attacks. They can take other forms, including messages through SMS and even Slack, but these are much, much less common. It is imperative that you be suspicious of emails you get, regardless of how "real" they look. Phishing attacks can look like legitimate emails from services like Netflix of Salesforce.
Some email warning signs to look for are below.
Some of the most common phishing email subjects are below. Look out for emails with these subjects.
Phishing is prevalent. You will get phishing emails. You have likely gotten phishing emails in the past. When suspicious, to any degree, ask questions of the sender. But, do not ask by replying to the suspicious message. Ask the sender on a different channel such as phone or chat.
Be suspicious of all emails you get, especially those that request some form of action (clicking a link or opening an attachment).