Legal Definitions - phishing

Phishing is a type of online fraud where criminals attempt to trick individuals into revealing sensitive personal information, such as usernames, passwords, bank account numbers, or credit card details. They achieve this by impersonating a trustworthy entity, like a bank, a government agency, a well-known company, or even a colleague, through deceptive digital communications.

The core method involves creating fake websites, emails, text messages, or phone calls that look and sound legitimate. These fraudulent communications often create a sense of urgency, fear, or curiosity to prompt the victim to take immediate action, such as clicking a malicious link, downloading an infected file, or directly providing their confidential information.

Variations of phishing include:

• Smishing: Phishing attempts conducted specifically through text messages (SMS).
• Vishing: Phishing attempts carried out via phone calls, often using technology to make the caller ID appear to be from a legitimate organization.
• Spear Phishing: Highly targeted phishing attacks aimed at specific individuals or organizations, often after extensive research to make the deception particularly convincing and personal.

Here are some examples of how phishing can occur:

• Example 1: Fake Package Delivery Notification

  You receive an email that appears to be from a major shipping company, informing you that there's an issue with the delivery of a package and asking you to click a link to update your delivery preferences or pay a small re-delivery fee. The email uses the company's logo and branding, and the link looks similar to the legitimate company's website address.

  How it illustrates phishing: This is a phishing attempt because the email is designed to impersonate a legitimate shipping company to trick you into clicking a malicious link. The link would likely lead to a fake website designed to steal your personal information (like login credentials or credit card details) or install malware on your device under the guise of resolving a delivery problem.

• Example 2: Vishing for Financial Details

  Your phone rings, and the caller claims to be from your bank's fraud department. The caller ID even displays your bank's official phone number. They state that suspicious activity has been detected on your account and, to prevent further unauthorized transactions, you need to immediately verify your account number, online banking password, and the security code from the back of your debit card over the phone.

  How it illustrates phishing: This is an example of vishing. The criminals are using a phone call and spoofing the caller ID to impersonate your bank. Their goal is to create a sense of urgency and fear (about fraud on your account) to trick you into divulging sensitive financial information that they can then use to access your actual bank account.

• Example 3: Spear Phishing Targeting a Company Executive

  The Chief Financial Officer (CFO) of a technology firm receives an email that appears to be from the company's CEO, who is known to be attending an industry conference overseas. The email urgently requests the CFO to review and approve an attached "confidential acquisition document" and transfer a large sum of money to a new vendor account by the end of the day, citing a critical, time-sensitive opportunity that cannot wait for the CEO's return.

  How it illustrates phishing: This is spear phishing because it's a highly targeted attack. The criminals have likely researched the company and the CEO's travel schedule to make the email seem credible. By impersonating a specific, high-authority individual (the CEO) and creating a strong sense of urgency, they aim to trick the CFO into either opening a malicious attachment (which could install malware) or performing an unauthorized financial transaction, directly benefiting the fraudsters.