Updated: Sep 28, 2023

Why do phishing attacks happen?


Phishing is a common term that often comes up when we talk about cyber attacks or hackers. Phishing attacks are one of the most common methods to acquire data and information, but what is the purpose of a phishing attack?

Why do phishing attacks happen?

A phishing attack is a type of social engineering tactic that is used by hackers to gain sensitive data such as passwords or credit card details. This is usually achieved through fraudulent communication (most commonly via email) whereby they pretend to be someone else, often an authoritative figure or well-known company. They use this persona to then manipulate users into giving up their data.

In emails, attackers may insert links which, when clicked, will install malware on your computer. Alternatively, they may add attachments, which serve the same purpose. Once the malware is installed, they are able to access your device and potentially the whole network to gain the information they want. Previously, we’ve discussed what phishing is in more detail and how to prevent social engineering attacks.

What is the purpose of a phishing attack?

The overall goal of a phishing attack is usually to gain sensitive data such as logins and passwords from their victims in order to access the targeted network or company.

One of the main purposes of doing this is to get a foothold in the device/network to find and gather the information they want. This is mainly for financial gain, so it could be credit card details, or something more sinister such as personal information for them to sell on the dark web. Sometimes they may directly try to manipulate users into providing them with their bank details, or they may go down the malware route.

Phishing attacks are one of the simpler social engineering tricks that hackers use, as less work is involved. There is no complex hacking needed and, like many other social engineering tactics, it relies on the manipulation of human nature to provide access without the user realising it. This means that your computer/device/network can have the strongest cyber security software, from antivirus and anti-malware to end-to-end security, and still be a victim of a phishing attack. This is because they target the weakest link in the chain: the users.


Why do hackers use phishing attacks over other methods?

There are many reasons why criminals would choose phishing attacks over other social engineering methods. These include:

  • Email is widespread - users with little to no cyber security awareness use email, and they’re easy to target

  • It’s an easy and simple method of targeting - as it doesn’t require technical skills, criminals don’t need to hack into systems or work out a password to succeed. Once the email has been sent, all they need to do is wait for replies, clicks and downloads of attachments - their main job is simply to send the email itself, then access networks through the malware

  • Fewer complications - they don’t need to bypass strict security protocols 

  • Potential for wide net - phishing can lend itself to targeted attacks (spear phishing) or non-targeted, wide net attacks to gain as many footholds as possible

  • Versatile technique with many variants - phishing, spear phishing and internal spear phishing, and these can be used to deliver various types of malicious code like ransomware

