Phishing is a type of cybercrime in which an attacker poses as a trusted source to obtain sensitive information from the victim, such as passwords, data, or credit card numbers.

There are several ways in which a hacker can attempt to phish someone. Some examples are: via email, over the phone (vishing = voice), or through text message (smishing = SMS).

This information is used for identity theft, spam, fraud, or corporate espionage.

Phishing includes all attempts made by a hacker to steal sensitive data by posing as a trusted source.

When we talk about phishing, we use it as a general term and specifically refer to email phishing.

When we use the term smishing, we refer to text message phishing. It derives from the abbreviation for SMS phishing.

Vishing is used to refer to phone phishing. It derives from voice phishing.

Spear phishing is targeted at a specific person or group, as opposed to mass phishing campaigns. For example, when someone tries to trick employees of a specific company with an email that impersonates a colleague.

"Whaling" is spear phishing targeted at high-level decision makers in a company.

CEO fraud is phishing disguised as a message from one's boss. Due to the apparent authority of the sender, people are more likely to fall for it.

Phishing is one of the most dangerous forms of cybercrime because it cannot be detected by regular antivirus software. Phishing scammers don't need to infect your computer system with a virus to obtain sensitive information. All they need is a trusting employee to unwittingly reveal the data.

If your organization suffers a phishing incident and that information reaches the media, the company's brand image is immediately affected. Customers become concerned about the security of their personal data handled by the company and lose trust in the brand.

It's no longer as easy to recognize phishing as it used to be. Here are some general tips:

Check the sender's email address: Are there any typos or irregularities? Only trust addresses that are 100% correct. Otherwise, it's likely to be a typosquatting attempt.

Check hyperlinks by hovering over them: Do they lead to the expected website? If not, don't click on it.

Does the content or request go beyond what you would expect from this sender? Don't engage with it, but alert your IT department.

Not sure? Always contact your IT department.

General measures

Try to stay calm and report the attack to your internal IT department. If the attack was a phishing email, you should report it as spam and send it to the relevant authority. Have your computer, tablet or smartphone checked by your internal (or external) IT service.

For data

This step is applicable if you have entered data during the attack: scan your system, change the password of the affected accounts, and stay alert for possible misuse of the data involved. For downloads.

Downloads

This step is applicable if you have downloaded a file during the attack: do not open the installed file and delete it immediately, disconnect your computer from any network (turn off your WIFI or unplug your Ethernet cable) and scan your entire system.