Day 1 – Phishing Attack Explained


Phishing is a type of cyber attack in which attackers use deceptive tactics to trick individuals into sharing sensitive information, such as passwords, credit card numbers, or personal details.
1. Definition of Phishing
What it is: A way for criminals to trick you into giving up private data (passwords, bank details) by pretending to be someone you trust. (NIST Computer Security Resource Center)
Where it happens: Email, text messages (SMS), phone calls, social media, or fake websites. (IBM - United States)
2. How Phishing Works
Bait (Initial Contact): You receive a message that looks real—often claiming urgent action (“Your account will close!”). (Zscaler)
Hook (Deception): The message contains a link or attachment. You click because it appears from a trusted source. (Zscaler)
Catch (Data Harvest): The link goes to a fake page that captures your login info or installs malware on your device. (usecure Blog)
In simple words:
Preparation: The attacker creates fake websites, emails, or messages resembling legitimate sources.
Delivery: The victim receives an email, text, or message with enticing offers, urgent alerts, or fake claims.
Deception: The victim is prompted to click a malicious link or download a file.
Exploitation: The victim is tricked into providing sensitive information or unknowingly installing malware.
3. Types of Phishing
Email Phishing: Bulk emails with malicious links or attachments. (Zscaler)
→ Fake emails: Designed to look like they come from a legitimate organization (e.g. a bank or tech company).
Malicious Links: Links that redirect users to phishing sites or download malware.
Clone Websites: Fake websites that mimic legitimate ones to capture login credentials.
Social Media Scams: Fake accounts or messages that target users to gain their trust.
Spear Phishing: Targeted at a specific person using personal details. (Zscaler)
Smishing (SMS Phishing): Text messages that lure you to click a bad link. (Zscaler)
Vishing (Voice Phishing): Phone calls pretending to be from a bank or government agency. (Zscaler)
Whaling: Aimed at high‑level executives to gain corporate access. (Zscaler)
Phishing Kits: Pre-made tools that allow attackers to quickly set up phishing campaigns
4. Common Phishing Tools (Short)
Gophish: Open‑source framework for creating email‑phishing campaigns. (vaadata.com)
Evilginx: Reverse‑proxy kit that bypasses two‑factor authentication by stealing session tokens. (vaadata.com)
Evilgophish: Combines Evilginx and Gophish, adding SMS‑based phishing via Twilio. (vaadata.com)
5. Psychological Techniques Used in Phishing
Pretexting: Inventing a believable story (e.g. fake IT support) to gain trust. (Trellix)
Baiting: Playing on curiosity or greed (“Click to claim your reward”). (Trellix)
Urgency & Fear: Creating panic (“Your payment failed—act now!”) so you don’t think carefully. (Packetlabs)
Authority: Pretending to be a boss, bank, or government official to intimidate you. (Packetlabs)
6. How to Protect Against Phishing
Security Software: Use up‑to‑date antivirus/anti‑malware and email filters. (Microsoft Support)
→ use an anti-phishing tool
Multi‑Factor Authentication (MFA/2FA): Even if passwords leak, MFA blocks account takeover. (Microsoft Support)
Verify Links: Hover over URLs to check the real web address before clicking. (Consumer Advice)
→ check the sender's address and hover over the link before clicking
Software Updates: Keep your operating system and apps patched to close security holes. (Consumer Advice)
Training: Teach yourself and others to spot red flags (misspellings, odd sender addresses). (Consumer Advice)
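The "verify links" and "check the sender's address" advice above can be partly automated on the defender's side. The following is an added example, not code from the original post: a small Python checker that scans one message for the red flags this section lists (display name that does not match the sender's domain, link text showing a different domain than the real target, raw IP or punycode hosts, look-alike hosts). The trusted domain examplebank.com, the sender address and the links are all constructed sample data.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (enough for this demo)."""
    return ".".join(host.split(".")[-2:])


def phishing_red_flags(from_header, html_body, trusted_domain):
    """Return the red flags found in one message; empty list means none found."""
    flags, brand = [], trusted_domain.split(".")[0]
    name, addr = parseaddr(from_header)
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    if brand in name.lower() and registrable(sender_dom) != trusted_domain:
        flags.append(f"display name mentions {brand} but sender domain is {sender_dom}")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        h = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h):
            flags.append(f"link points at a raw IP address: {h}")
        if h.startswith("xn--") or ".xn--" in h:
            flags.append(f"punycode host (possible look-alike): {h}")
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != registrable(h):
            flags.append(f"link text shows {shown} but really goes to {h}")
        if brand in h and registrable(h) != trusted_domain:
            flags.append(f"look-alike host using the brand name: {h}")
    return flags


# Constructed sample message mirroring the "account locked" lure from this post.
SAMPLE_FROM = "ExampleBank Security <alerts@mail-notice.example.net>"
SAMPLE_BODY = ('<p>Your account was locked.</p>'
               '<a href="http://examplebank.com-verify.example.net/login">www.examplebank.com</a> '
               '<a href="http://203.0.113.10/unlock">click here to unlock</a>')
```

Running `phishing_red_flags(SAMPLE_FROM, SAMPLE_BODY, "examplebank.com")` on the constructed sample returns four flags; a genuine message whose sender and links both resolve to examplebank.com returns none.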
7. Simple Example of Phishing
You get an email saying, “Your bank account was locked—click here to unlock.”
The link goes to a fake login page that looks real.
You enter your username and password—and the attacker now has your credentials.
8. Real‑World Examples
Google & Facebook Invoice Scam (2013–2015): Fake Quanta invoices cost them over $100 million. (BlueVoyant)
Colonial Pipeline (2021): One phishing‑stolen password led to a ransomware shutdown of U.S. East Coast fuel supply. (BlueVoyant)
9. Emerging Trends in Phishing
AI‑Driven Phishing: Attackers use generative AI to craft error‑free, personalized messages and deepfake voices. (Zscaler)
Phishing‑as‑a‑Service: Kits like Evilproxy let low‑skill criminals run advanced attacks. (vaadata.com)
By following these nine steps in order, you’ll understand phishing end‑to‑end—from how attackers set the bait to how you can defend yourself.
Written by SURYA VARDHAN SINGH SOLANKI
