Phishing ranks low on the list of cyberattacks in terms of technological sophistication. Even more sophisticated phishing variants like spear phishing (focused and often personalized phishing attacks) and whaling (phishing attacks focused on high-profile or high-dollar targets) are focused more on social engineering than on technology.
Yet phishing remains one of the most effective types of attacks because it bypasses many network and endpoint protections. End-user training helps, but so can tools that detect and prevent phishing attacks.
Why phishing is successful
Phishing and its variants are ultimately social engineering attacks, intended to convince end users of either the requestor’s trustworthiness, the request’s urgency, or both. Trustworthiness is established through things like official-looking emails, login pages or even contact names the user will recognize and trust. Phishing attempts often try to influence the victim’s judgement by manipulating their emotional state, making claims about accounts that are already compromised or suggesting that business or financial disaster is imminent if timely action is not taken.
A 2019 FBI public service announcement calls out business email compromise (BEC) as the source of over $26 billion in losses over a three-year span. Phishing attacks frequently result in compromised system credentials, which can then become a significant attack vector against a range of business systems. Financial information (or even money transfers) are also a target of many phishing attacks.