Phishing
Phishing exploits the target's lack of knowledge or gullibility and is mostly carried out by email. It is commonly used for various scams, such as the famed “Nigerian Prince”, and for infecting devices with malware or gaining access to sensitive information, such as financial data or login credentials. Potential targets are sent a fraudulent message that is made to look authentic, as if it came from someone in a position of authority, such as a bank or the police. The email then asks the recipient to open the attached file or click on a link in order to do something supposedly very important, e.g. to update bank account information or review a received payment.
Types of phishing emails
Phishing attacks are a cybersecurity threat that can arrive not only by email but also through phone calls or text messages. Attackers pose as a legitimate institution or a trusted person to deceptively extract sensitive information from their potential target. This could include identity information, banking and credit card data, or passwords for accessing protected resources through which the attacker can compromise devices and entire information systems. Phishing is often the first step in various types of cyber attacks, such as ransomware attacks or the installation of spyware (malicious programs for device espionage).
There are different types of malicious emails, broadly classified into two groups: targeted phishing emails and phishing campaigns. Targeted phishing involves emails crafted specifically for particular employees of a particular organisation in order to obtain desired information. Phishing campaigns rely on mass distribution, with emails composed to be sent randomly to a larger number of people. Targeted phishing messages are more challenging to detect because they are carefully crafted to appear authentic, while mass-sent emails are easier to recognize because of their typical characteristics. However, in both cases, email forensics is a valuable skill.
Common characteristics of a phishing email:
- Typically demands urgent action.
- Contains either a link or an attachment.
- The sender's email address is inconsistent with the email address of the person or organisation the attacker is impersonating.
- Inconsistencies in website URLs and domains.
- Inconsistencies in the file extensions of attached documents.
- Requests disclosure of credentials, sensitive data, personal information, credit card information, etc.
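The characteristics above can be checked mechanically during email triage. The following is an added example, not part of the original page: it parses a constructed sample message with Python's standard `email` module and reports which of the listed indicators it finds. The sample message, the placeholder domains, the keyword and extension lists, and the names `check` and `host` are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; example.com / example.net are placeholder domains.
SAMPLE = """\
From: "Example Bank Support" <support@example.net>
Subject: Urgent: verify your account immediately
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Enter your password here:
<a href="http://login.example.net/verify">https://www.example.com/login</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""

# Illustrative keyword and extension lists (assumptions, tune for real mail).
URGENT = re.compile(r"\b(urgent|immediately|suspended)\b", re.I)
SENSITIVE = re.compile(r"\b(password|credit card|credentials)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RISKY_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|txt)\.(exe|scr|js|vbs|bat)$", re.I)

def host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def check(raw, claimed_domain):
    """Return the phishing indicators found; claimed_domain is the lowercase domain of the impersonated organisation."""
    msg = message_from_string(raw, policy=policy.default)
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_maintype() == "text")
    text = f"{msg['Subject']} {body}"
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    links = LINK.findall(body)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    checks = {
        "urgent-action": bool(URGENT.search(text)),
        "asks-for-sensitive-data": bool(SENSITIVE.search(text)),
        "sender-domain-mismatch": sender != claimed_domain,
        # visible link text is itself a URL, but points somewhere other than the href
        "link-text-url-mismatch": any("://" in t and host(t) != host(h) for h, t in links),
        "misleading-attachment-extension": any(RISKY_EXT.search(n) for n in names),
    }
    return [name for name, hit in checks.items() if hit]
```

Calling `check(SAMPLE, "example.com")` flags all five indicators for the constructed message; a targeted phishing email may trigger none of them, which is why these checks support manual email forensics rather than replace it.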