Phishing Campaign

A phishing campaign is an email scam designed to steal personal information from victims. Cybercriminals use phishing, the fraudulent attempt to obtain sensitive information such as credit card details and login credentials, by disguising as a trustworthy organization or reputable person in an email communication.

Typically, a phishing campaign is carried out by email spoofing; an email directs the recipient to enter personal information at a fake website that looks identical to the legitimate site. Phishing emails are also used to distribute malware and spyware though links or attachments that can steal information and perform other malicious tasks.

Phishing is popular with cybercriminals because it enables them to steal sensitive financial and personal information without having to break through the security defenses of a computer or network. Public awareness about phishing campaigns has grown considerably in recent years, as many incidents have been covered by a variety of media sources. In addition to technical solutions, user security awareness is one of the cyber security measures being used to help counter attempted phishing incidents.

How a phishing campaign works

A phishing campaign uses social-engineering techniques to lure email recipients into revealing personal or financial information. For example, during the holidays, an email pretending to be from a well-known company tells you to go to its website and re-enter your billing information or your package won’t be shipped in time to make it your gift recipient. The only problem is that the fake email is directing you to a fake site, where the information you enter will be used to commit identity theft, fraud and other crimes.

Types of phishing campaigns

As businesses continue to deploy anti-phishing strategies and educate their users about cyber security, cybercriminals continue to improve phishing attacks and develop new scams. Here’s more information about some of the most common types of phishing campaigns.

Spear phishing attacks are targeted at an individual or small group, typically with access to sensitive information or the ability to transfer funds. Cybercriminals gather information about the intended target in advance and leverage it to personalize the attack, create a sense of familiarity and make the malicious email seem trustworthy. Spear-phishing emails typically appear to come from someone the target knows, such as a co-worker at their company or another business in their network.

Whaling is a spear-phishing attack that specifically targets senior executives at a business.

Vishing, or voice phishing, uses a telephone message to try to get potential victims to call back with their personal information. Cybercriminals often use fake caller-ID information to make the calls appear to be from a legitimate organization or business. Smishing, also known as SMS phishing, uses text messages to try to lure victims into revealing account information or installing malware.

While spam filters and other technology solutions can help prevent them from reaching inboxes, educating users about the dangers of phishing campaign emails is a critical component of cyber security for any organization. User security awareness training helps every employee recognize, avoid, and report potential threats that can compromise critical data and systems. As part of the training, mock phishing and other attack simulations are typically used to test and reinforce good behavior.