Defining phishing is simple, right? Not exactly.
With more than 18,400,000 results appearing on Google when you search for the definition, there is a lot for you to choose from. Even Wikipedia has its own version, which may be more accurate, but it still misses a few key elements. As a company, PhishLabs has watched the scope of phishing change since the term was first coined, which is why it is time to properly address the fluidity of its nature.
Phishing | Noun | Pronounced as fi·shuhng
Social engineering using digital methods for malicious purposes.
Why Phishing Has and Will Continue to Change
The above definition is how PhishLabs defines phishing. It is purposely fluid due to constantly changing technology, does not narrowly focus on any specific digital medium, does not exclude who may become a victim, and most importantly it addresses social engineering as the key component. This is because ultimately phishing attacks may include a technological component, but the attack itself is fully based on humans manipulating humans through psychological means.
Further, practically all definitions we have seen go beyond what phishing is in an effort to make a claim about its purpose, which is an inherent flaw. This isn't the right approach, because phishing can be used for many different purposes: it is used to trick the user into taking whatever action benefits the attacker, whether that is entering credentials, opening an attachment, wiring funds, or something else.
Here is a brief breakdown of where this definition comes from:
- Social engineering: fundamentally, all phishing attacks are a human tricking a human.
- Malicious purposes: not all social engineering is malicious (marketing, for example, though it is questionable at times), so the definition must highlight the malicious nature of these psychological attacks.
- Digital methods: the methods used for phishing are inextricably linked to how we use technology to communicate and do business. The digital landscape is constantly evolving, and phishing evolves with it. It happens across email, web, mobile apps, SMS or text, and the list goes on and on. Further, there are all kinds of techniques and variations of phishing, which are fluid in nature and grow based on a threat actor's success.
What’s Missing? Technology
Yes, there may be technical subterfuge involved to make the con more believable, but at its core, phishing is about exploiting people, not technology. This is why we prefer the broader phrase digital methods over naming any particular technology.
Let’s take a look at some other prominent definitions of the word phishing:
Dr. Elmer Lastdrager of SIDN Labs
In his 2014 research paper, which compiles and analyzes definitions of phishing from 113 unique sources, Dr. Elmer Lastdrager offered the following definition:
Phishing is a scalable act of deception whereby impersonation is used to obtain information from a target.
This may be one of the most efficient and logical ways to define phishing, which was the intention, but as an organization, PhishLabs posits that social engineering (in place of deception) needs to be a key element of the definition. The reason is that the word deception implies that the information being used against the target is false; however, some of the most vicious and targeted phish use well-researched facts to both increase the likelihood of action and add legitimacy to the attack. Social engineering, which goes a layer deeper, can use deception as a tactic, but the key element is the psychology involved.
Anti-Phishing Working Group’s Definition of Phishing
APWG's definition is a mouthful, perhaps even a few mouthfuls, but it does highlight a few key elements that we took into account. However, specifying that phishing impacts only consumers or uses a specific digital medium (email) narrows the scope of the definition too greatly. On the flip side, they also acknowledge the important role social engineering plays, as well as some of the technical components.
Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers' online account user names and passwords – and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers' keystrokes).
Merriam-Webster’s Definition of Phishing
Merriam-Webster comes closer to a robust definition of who is likely to be impacted, but even the term Internet user is off, because phishing doesn't just happen on the internet anymore. Vishing is phishing conducted through voice chat or the phone, and SMiShing is phishing conducted through text or SMS messages. They also leave out the use of social engineering, and narrowly focus on email rather than all digital mediums.
A scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly
Below is a growing list of modern phishing attack types:
- Fake or Spoofed Sites
- Data Leakage
- Vishing (voice-based phishing)
- SMiShing (text or SMS-based phishing)
- Rogue Mobile Apps
- Credential Theft
- Fake Profiles
- Malware Delivery
- Online Fraud
- BEC Attacks
As the list above shows, only a few of these techniques rely on technology to achieve the intended results, and for each of those, social engineering or psychological manipulation is the true threat. It is for these reasons, and the fluidity of digital mediums, that PhishLabs defines phishing with the specific scope presented in this post.