Phishing

More About Phishing

Phishing is the attempt to obtain personal information, such as sign-in credentials, addresses and financial information, through methods that give the appearance of originating from a trusted source. Phishing is a general term usually used to refer to emails that attempt to obtain personal information about an individual. There is more than one type of phishing, and some do not involve email.

Phishing

Phishing is typically carried out by email or instant messaging (see Smishing below). The message often directs individuals to fake websites via links, or has the look of an email from a legitimate source with which you have, or may have, some association, and asks you to respond to the message.

The purpose of these mailings is to obtain sensitive or personal information such as sign-in credentials for various accounts or online sites, credit card numbers and financial information, to name a few. Once obtained, this information is used for malicious purposes.

In addition to attempting to gain information, any links included in these messages may also direct you to sites that are infected with malware (viruses), which is then downloaded to your device once the site is accessed. This malware is designed to run on the device without your knowledge and, depending on how it is coded, may do anything from simply causing your device to fail, up to recording all activity that occurs on the device, including every website you visit and every account you access. As this information is obtained it is automatically sent to other individuals, who can then use it to their own ends.


Spear Phishing

This form of phishing is directed at specific individuals or companies. Attackers may gather personal and/or professional information about their target from social media sites, or even a company's own website, to increase their probability of success. The purpose of this is to make the mail appear as if it originated from an individual who is associated, either personally or professionally, with the recipient.

The general format of these messages is one of urgency, usually requiring immediate action on the recipient's part. An example of this type of phishing is the administrative assistant to the president of a company receiving an email, which appears to have originated from the president, requesting that the assistant send the W2 information for all employees back to the president immediately because of an audit that is occurring.
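The two traits described above, links whose visible text points one way while the real target points another, and urgency wording pressing for immediate action, are both mechanical enough to check for. The following is an added example, not code from the original page: it parses an HTML email body, flags anchors whose displayed URL and actual `href` resolve to different domains, flags links that leave the domain the sender claims to be, and scans the body for urgency phrases. The sample message, the `example-bank.com` sender, the attacker host under the reserved `.invalid` TLD, and the `URGENCY_PHRASES` list are all constructed for the example; `registered_domain` is a deliberately naive last-two-labels helper rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure wording typical of the messages described above (constructed list, not exhaustive).
URGENCY_PHRASES = (
    "immediately",
    "urgent",
    "within 24 hours",
    "account will be suspended",
    "verify your account",
    "confirm your password",
)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, None when outside one
        self._text = []     # text fragments seen inside the open <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def registered_domain(host):
    """Last two DNS labels of a hostname. Assumption: no public-suffix list is
    consulted, so names like example.co.uk are handled imperfectly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(html, claimed_sender_domain):
    """Return a list of (kind, detail, href) findings for an HTML email body.

    kinds: 'mismatched_link' - visible text shows a URL on one domain, href goes to another
           'offsite_link'    - link leaves the domain the sender claims to be
           'urgency'         - pressure wording found in the body text
    """
    findings = []
    claimed = registered_domain(claimed_sender_domain)

    for href, text in extract_links(html):
        target_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and registered_domain(shown.group(1)) != registered_domain(target_host):
            findings.append(("mismatched_link", text, href))
        elif target_host and registered_domain(target_host) != claimed:
            findings.append(("offsite_link", text, href))

    # Strip tags and look for urgency wording in the remaining text.
    body_text = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in body_text:
            findings.append(("urgency", phrase, ""))
    return findings


# Constructed sample: a message pretending to come from "example-bank.com".
# The .invalid TLD is reserved and never resolves, so the attacker host is fictional.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify your account immediately.</p>
<p>Sign in at <a href="http://example-bank.secure-login.invalid/signin">https://www.example-bank.com/signin</a></p>
<p>Questions? See our <a href="https://www.example-bank.com/help">Help Center</a>.</p>
"""

if __name__ == "__main__":
    for kind, detail, href in analyze_email(SAMPLE_EMAIL, "example-bank.com"):
        print(f"{kind:16} {detail!r} {href}")
```

Run against the sample, the sign-in link is reported as a mismatched link (the text shows the bank's domain, the `href` goes elsewhere) and three urgency phrases are reported, while the genuine Help Center link produces nothing. A real mail gateway would add sender-authentication results (SPF, DKIM, DMARC) and a proper public-suffix list on top of this kind of content check.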


Smishing

This form of phishing involves your phone or mobile device in an attempt to obtain personal information. It is similar to a phishing attack except that the recipient receives a Short Message Service (SMS) text message on their phone or mobile device, from what appears to be a legitimate source, that usually asks the recipient to reply with personal information. The text message may also include a link that redirects the individual to a legitimate-looking site where they are asked to enter the information the scammers are after.

If you ever receive such a text message, the best defense is to simply delete the message and not to respond or select any links.  

Vishing

This form of phishing involves the use of a telephone and is referred to as Voice Phishing, or Vishing for short. Voice phishing is intended to exploit an individual's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company and associated with a bill-payer. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

Some fraudsters use features available to them via Voice over IP (VoIP) such as the ability to display a number of their choosing, usually a legitimate number, on the recipient's phone. 

The spammers and scammers use this form in an attempt to obtain a person's credit card number, or other personal information such as a bank account number, SSN, etc. They may also attempt to convince the recipient to send a pre-paid card to a specific address.

These calls usually rely on some form of fear: for example, that you are being audited by the IRS and must pay a certain amount immediately to avoid being arrested; that someone is attempting to access your bank account and you must provide the account information to verify who you are; or something as simple as being behind on your electric bill and needing to pay a certain amount via pre-paid cards to avoid having your electricity turned off. They may also attempt to get the recipient to log on to their computer and grant access for various reasons, such as to "correct an issue" supposedly detected by Microsoft; in this case the caller may claim to represent Microsoft or the company that made the computer.

When in doubt, calling the company's telephone number listed on billing statements or other official sources is recommended. However, sometimes hanging up and redialing is insufficient: if the caller has not hung up, the victim may still be connected, and the fraudster plays a fake dial tone down the line to entice the victim to dial. The fraudster's accomplice then answers and impersonates whomever the victim is trying to call. This is known as a 'no hang-up' scam. When possible, use a different phone to contact the company, or wait a few minutes to ensure the scammers are not keeping the line "alive".

The best defense against this type of attack is to not answer calls from numbers you are not familiar with and let them leave a voice mail message, or simply hang up.