As indicated by the headlines below, phishing – the activity of defrauding an online account holder of financial and/or personal information by posing as a legitimate company or institution – and its criminal sidekicks spearphishing (targeted phishing) and whaling (targeted phishing at high-profile individuals) is one of the most popular forms of malware. 

Phishing involves sending out fake emails or directing respondents to a fake website where they are tricked into entering account information, which can result in loss of personal or corporate data, breaches or worse. You may recall some of these stories in 2016:

GoDaddy customers target of phishing scam

Brutally efficient phishing scam takes advantage of PayPal's awfulness

Dropbox breach may be fueling phishing campaigns

American Express customers phished using phishing prevention scam

Yahoo breach leaves more than 1 billion accounts compromised

According to a recent report from the Anti-Phishing Working Group (APWG), phishing surged by 250 percent in the first quarter of 2016. The anti-cybercrime coalition observed more phishing attacks in Q1, including detecting a record 289,371 unique phishing websites, than in any other three-month span since it began tracking data in 2004. “Globally, attackers using phishing techniques have become more aggressive in 2016," said Chairman Dave Jevans in the APWG release, "with keyloggers that have sophisticated tracking components to target specific information, and organizations such as retailers and financial institutions that top the list."

The US continued to be the nation hosting the top number of phishing sites, while China was the most malware-infected country. The retail industry was the most targeted sector.

In addition to its growing popularity, phishing is also changing into a much more dangerous threat. As of the end of March, 93 percent of all phishing emails contained encryption ransomware, which represented a huge spike, up from 56 percent in December 2015. The number of phishing emails hit 6.3 million in Q1, a 789 percent jump over the fourth quarter.

An integral component of phishing is social engineering. Humans are the weakest links in any security chain and it is generally much easier to fool someone into revealing their password than it is to hack it. Phishers appeal to people’s vanity, greed, curiosity, altruism, or respect for or fear of authority in order to steal information or allow access to an IT system.

We have met the enemy and he is us

People are the weakest link in security, and that’s especially true when it comes to phishing. According to a recent German study, almost 50 percent of the 1,700 test subjects clicked on links from strangers in emails and Facebook messages – even though 78 percent of them claimed to be aware of the risks. “It is commonly recognized that normal, everyday users just trying to get their work done can be the weakest links in the digital security chain,” said Khushbu Pratap, principal research analyst at Gartner.

Phishing can be very complex, but defeating it need not be. The secret is simple: practice safe computing and you won’t have to worry about becoming another phishing victim.

How to prevent phishing

• Have good habits and don't respond to links in unsolicited emails or on Facebook.
• Don't open attachments from unsolicited emails.
• Protect your passwords and don't reveal them to anyone.
• Don't give sensitive information to anyone – on the phone, in person, or through email.
• Look at a website's URL (web address). In many phishing cases, the web address may look legitimate, but the URL may be misspelled or the domain may be different (.com when it should be .gov).
• Keep your browser up to date and apply security patches.