What is Phishing and how cyber criminals use it to hurt you and your organization?

Phishing refers to the attempt by the attacker to acquire sensitive information such as username, password, credit card information from a victim to achieve financial gains. The threats of phishing can be identity theft or giving attackers access to your systems.

The attacker usually does this by framing a story to make you panic or super excited so that it motivates you to respond. The action can be clicking on a malicious link, releasing personal information, inputting your username and password in a malicious site, or downloading a ransomware. 

Phishing can be done through several mediums such as email, instant messaging, social media, and telephone.   It’s important to understand the different types of phishing as each type is targeted to a specific group and uses different tactics 

The different types of Phishing are Email Phishing, Cat Phishing, Spear Phishing, Whaling, Vishing, Smishing and Social Media Phishing.

Email Phishing

Email Phishing is done when the attacker sends a generic email to every email address they have. Some of the most common email subject lines to watch out for consist of:  Request, Follow up, Urgent/Important, Warning, Violation, Alert, and Rejected. 

The attacker usually pretends to be from a bank or a financial institution. By nature this will only resonate with a small number of people and has a low engagement rate because the message is not personalized. That being said, there are major losses that are happening through this type of attack. The most common phishing email is the “PayPal” scam. 

To identify whether or not an email is a cyber threat, carefully inspect the domain name of the sender.  Domain name is the name after the @ symbol in the email such as Paypal@DomainName.com.   Just because you see “PayPal” in the email address does not mean that it is from Paypal.  More sophisticated domain name scams will use subdomains that look like they match the correct business they are representing after the @ symbol but have a subdomain listed before the .com.  They would look something like contact@Paypal.DomainName.com.  Always double and triple check the email address of the sender that is requesting information or asking you to click links before you take the action.  

Cat Phishing

is luring someone into a relationship by adopting a fictional online persona. This is usually done on dating sites. When interacting online, make sure you take the time and think if the information that you are getting is too good to be true. Cat Phishing is initiating a relationship under false credentials. This type of phishing often results in crimes such as fraud, blackmail, extortion, cyber bullying, and child exploitation. 

Spear Phishing and Whaling are more sophisticated types of Phishing. 

Spear Phishing

Spear Phishing is sent to a specific person or a group of people. Identity theft usually starts by a spear phishing email. Spear Phishing has a much higher success rate than mass Phishing to everyone. This is because the message is personalized to an individual or a group of individuals that share a common characteristic such as working for the same company or attending the same school. 


Whaling is even a more targeted attack to executives of an organization. Attackers usually identify executives on LinkedIn, press releases, or company websites. The message usually raises concerns on tax returns, a customer complaint, a legal subpoena, or other executive issues. Although the end goal of Whaling is the same as any other Phishing attacks, these types of attacks are more sophisticated because most executives can recognize generic scam emails. 

Phone Phishing

Smishing and Vishing replaces email with telephones as the method of communication. 


Vishing is done either by directly calling your personal cell phone or home number, or via an email that will instruct you to call a phone number. These calls usually use Voice Over IP technology and are recorded voice messages that pretend to be from the government, bank, or a credit card company. The goal of Vishing is to acquire personal information that will be used for identity theft. 


Smishing is very similar to Vishing in the nature of the attack, but the attackers use text messages instead of telephone calls.

Social media phishing

Social media phishing attacks are a relatively new type of phishing that has been on the rise. Criminals trick people to click on fake URLs, cloned websites, posts, tweets, and direct messaging can be used to acquire personal infringement or motivate someone to download malware.

At Reconfig, we offer a cybersecurity awareness training platform that is designed to educate your employees on cyber criminal tactics. Protecting your business by creating a cyber resilient culture. Find out how we help organizations reduce their cyber risk.

Get great content updates from our team to your inbox.