Phishing Protection in the Digital Age — Understanding Phishing and How to Protect Against It

5 min. read

When most of the world is spending time online, cybersecurity is more important than ever, and one of most incidents that end in a data breach start with a phishing email.. It is a favorite among cybercriminals because of its versatility and effectiveness, and it is the premier delivery system for most malware like ransomware.

What Is Phishing?

Phishing attacks are a form of social engineering delivered via direct message, often email. Disguised as legitimate communication, the fraudulent message tricks the recipient into responding by enticing them to click a link, open an attachment, or directly provide sensitive information.

Phishing attacks are all variants on a common theme: getting the target to take action. They’re typically classified by the type of target or type of delivery system. The enticement proposition is called a bait or lure. This could be a wide range of things, such as the promise of a prize or a fake call for help hoping to exploit a kind heart.

The most common type of phishing is spear phishing, which accounts for 65% of phishing attacks. Spear phishing is specifically targeted and uses information tailored to its victim, often pulled from social media or other public sources, to appear more like a legitimate message. Other common phishing methods include whaling (high-profile targets), angler phishing (fake replies to social media posts), smishing (SMS phishing), vishing (voice phishing), brand impersonation and business email compromise. Different phishing methods are detailed further below.

Why Is Phishing a Problem?

Phishing attacks have become one of the most prevalent and effective methods of cybercrime because they are able to bypass detection methods and are low-risk for attackers, as there is little chance of capture or retribution. A phishing message is simple to deploy, making it easy to send large quantities of messages in a single attempt. Adding to the ease of deployment is the availability­ of low-cost phishing kits that include website development software, coding, spamming, ­software and content, which can be utilized to create convincing websites and emails.

The image shown above depicts the basic steps an attacker goes through to collect personal information from their victim in a standard phishing attack.

With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.

Cybercriminals go after high-value data that includes personally identifiable information (PII) – like financial account data, credit card numbers, and tax and medical records – and sensitive business data, such as customer names and contact information, proprietary product secrets, and confidential communications.

Many of the most significant data breaches – like the headline-grabbing 2013 Target breach – start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it. Cybercriminals also use phishing attacks to gain direct access to email, social media and other accounts or obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems.

Experts estimate that more than half of companies go out of business after a cyberattack. The expense of incident response, investigation, remediation and recovery can be catastrophic. Plus, the cost of an incident, like ransomware, doesn’t end when it happens. It can take years to pay the bills and determine the full extent of the damage, which goes beyond monetary.

Companies impacted by a cyberattack lose productivity, take a hit to their reputation and could even face legal troubles. Phishing is particularly devastating when companies lose valuable information like trade secrets or highly sensitive records – especially when that loss also incurs hefty regulatory penalties under legislation like HIPAA or GDPR.

How Phishing Works

In its broadest sense, phishing is intended to trick the target into taking an action that allows an attacker to progress an attack. This could include tricking a target into providing information, including credentials, or installing malware. Cybercriminals make use of social engineering, psychology, stress, and disruption to create powerfully tempting lures.

One of the most tempting lures is the impression of familiarity. Bad actors can obtain specific information about their targets from the dark web to make phishing attempts appear legitimate. Billions of records filled with information about people and businesses are available in dark web data markets and dumps, with more added daily – 22 million more in 2020 alone.

You don’t even need tech skills to run a phishing operation. It is possible to fully outsource a phishing operation to freelance operators or simply purchase a complete plug-and-play ‘phishing kits’.

All backend components of a phishing campaign are included in a kit, such as the web server, elements of the website (e.g., images and layout of the official website), and storage used to collect user credentials. Another component is registered domains. Criminals register dozens of domains for campaigns, so when spam filters detect one as malicious, they can quickly change the domain in the phishing URL and resend messages to additional targets.

A phishing kit is also designed to avoid detection. Domains used in phishing will look like legitimate harmless sites to security researchers, but they will display phishing content to a targeted user. The backend scripts will block large ranges of IP addresses belonging to security researchers and organizations offering antivirus, such as McAfee, Google, Symantec and Kaspersky, so that they cannot find phishing domains.

What Happens During a Phishing Attack?

Take a look at a basic overview of a standard phishing attack in figure 2.

The image shown above describes the various steps an attacker or bad actor will take to accomplish their specific phishing goals and objectives.

How Sophisticated Is the Attack?

The combination of content, context, and emotional motivators drives the success of a phishing attack. The attacker composes messages of varying levels of sophistication, and if the recipient takes the desired action, the attacker will gain access to their personal information or the ability to penetrate the network and access vital information.

The levels of sophistication in a phishing message are:

  • Low: These emails are untargeted and deployed in bulk, casting a wide net in an effort to successfully victimize at least one recipient. These emails contain several “tells” that indicate an attack, such as improper grammar, plain text, poor formatting or design, or they are sent from an unknown or improbable source.
  • Moderate: More believable, these emails contain real branding from real websites. They have legitimate formatting and proper grammar but remain impersonal.
  • Complex: These types of phishing attacks are the most difficult to identify. They are realistic and highly personal, coming from (apparently) known or trusted sources. The ­attackers utilize specific, known details about the recipient gathered from internal and ­public sources to trick the recipient into taking the desired action. The email will also contain a malicious element necessary to execute the attack and compromise­ the user.

Some examples of phishing messages include:

  • Click-only: This is a one-step process in which the email urges the recipient to click an embedded link.
  • Data entry: This email includes a link to a customized landing page that requires the user to enter sensitive information.
  • Attachment-based: This message type contains a seemingly legitimate attachment that could be in varying formats (Word, Excel, PDF, etc.).
  • Double-barrel: This utilizes two messages: One is benign and doesn’t contain anything­ malicious, nor does it require a response; the second is a follow-up that contains the malicious element in either of the above forms. The purpose of the first email is to make the follow-up look like it’s from a familiar source.

What Are Different Types of Phishing Attacks?

The image shown above lists the ever-growing types of phishing attacks available to cybercriminals today.

Phishing has grown beyond simple credential and data theft. The type of phishing attack utilized defines the way an attacker carries out the attack campaign. The different types of phishing attacks include:

  • Email phishing: These messages impersonate legitimate companies and attempt to steal private and personal information.
  • Spear phishing: Personalized messages are sent to specific people within an organization, usually highly privileged account holders.
  • Clone phishing or link manipulation: A message of this sort contains a link to a malicious site that looks like official business, often replicating a commonly received email.
  • Whaling or CxO fraud: This is a type of spear-phishing attack directed at high-level executives, in which attackers masquerade as legitimate, known and trusted entities.
  • Pop-up phishing content injection: An attacker injects malicious content into an official site to show users a malicious pop-up or redirect them to a phishing website.
  • Malware: A phishing link or an attachment leads to a download of malware.
  • Smishing: A phishing attempt is sent via SMS messages.
  • Vishing: Attackers scam users by calling or leaving a message on the victim’s phone, telling them they must call the given number where they can be scammed.
  • “Evil twin” Wi-Fi: Disguised as free Wi-Fi, attackers trick users into connecting to a malicious hotspot to perform meddler-in-the-middle exploits.

Phishing Protection 101

Primary Phishing Mechanisms

Cybercriminals have evolved significantly over the years. They are capable of producing fraudulent messages and attachments that can convince anyone, and even the most seasoned cybersecurity professionals find these hard to detect. However, potential targets can look for some common signs to spot a potential phishing message.

Cybercriminals use three primary mechanisms in phishing emails to steal information: malicious web links, malicious attachments, and fraudulent data-entry forms.

The best way to protect yourself against phishing is by being able to quickly identify and spot when a phishing email lands in your inbox, using the top 3 identifiers shown above.

Malicious Web Links

Most phishing emails have links or URLs that are malicious and take the user to an imposter website or sites infected with malware. Malicious links are created to look like trusted links, often using a spoofed address or a look-alike domain, and may be hidden by being embedded in logos and other images in an email.

Malicious Attachments

Malware can find its way into computers and files through file attachments that look legitimate. In the case of ransomware, all files on a PC could become locked and inaccessible. Malicious attachments can install a keystroke logger that tracks everything a user types, including passwords. Additionally, ransomware and malware infections can spread from PC to other network devices, including cloud systems, servers and external hard drives.

Fraudulent Data Entry Forms

These emails look like legitimate forms, or link to landing pages that look like legitimate forms, and prompt users to fill in sensitive information, such as login credentials and email account access. Cybercriminals convince users to submit user IDs, passwords, multifactor codes, credit card data, and phone numbers. Once that information is submitted, it can be used by cybercriminals for their personal gain.

How to Spot The Common Signs of a Phishing Email

The best protection against phishing attacks is to understand and identify the common giveaways of a phishing email that may or may not look suspicious. For example, the subject of an email determines if a user will open the message, so a subject line will often play on user emotions or impart a sense of urgency. Attackers use messages detailing problems with accounts, bank details, financial transactions, and shipments. This last type of phishing message is especially prevalent during the holidays, when most people are expecting a delivery.

A major indication of phishing is the sender’s email address or username, in the case of social media attacks. In most cases, users may not pay attention to the domain in the sender address, so they won’t notice if it is legitimate or not.

Here are a few other telltale signs that a message is probably a phishing attack:

  • The language is off or the message doesn't seem like it was created by someone who is a native speaker of the target's language, including misspellings and poor grammar or usage.
  • The message looks like it is from a trusted brand, but it contains things that look unfamiliar, like not-quite-right colors, formats, or fonts.
  • The message seems very unprofessional, but it is being presented as communication from an executive or other powerful person.
  • It's a U.S. federal government agency asking you to provide personally identifiable information (PII) via email or follow a link to a URL that does not end in .gov.
  • The sender asks for your Social Security or tax identification number out of the blue.
  • The sender's address, name or email address looks strange.
  • It's a message from someone you don't know well asking for gift cards, money transfers, banking, or credit card information.
  • There's a link for you to click or an attachment to download, but the address or filename seems unusual.

How Do I Know if a Link Is Malicious

With the growing awareness that most users have about malicious attachments, cybercriminals have moved on to malicious links. A bogus link can be just as bad as an infectious attachment – and sometimes worse. Faux links may have odd spellings, substituted characters, unexpected suffixes, strange mashups of a company's name, and similar details that aren't quite right.

For protection against this kind of phishing, always check a link before you click on it to see if it actually goes where it says it is going. One way to check if a link is malicious is to use a tool such as a link scanner, which can be a website or plugin that lets you enter the URL of a suspicious link and check it for safety.

How Can I Identify a Malicious Attachment?

Phishing emails use malicious file attachments as the payload or infection source for the attack. Malicious attachments can be in various formats, like Word docs or PDFs, or they might be malicious scripts made to look like a familiar format. Unexpected attachments or files with unusual or unfamiliar names are telltale signs they are malicious.

Employee Training

Robust training in security awareness can help employees look for signs of an attack before it happens. By preventing phishing attacks from the get-go, companies can prevent a significant amount of damage to their employees and organization.

Real-world examples and exercises will help users identify phishing. Organizations can work with experts to send simulated phishing emails to employees and track which ones open the email and click the link. These employees can be trained further so that they do not make the same mistake in future attacks.

It's also important for organizations to always communicate with employees and educate them on the latest phishing and social engineering techniques. Keeping employees aware of the latest threats reduces risk and generates a culture of cybersecurity within the organization.

Even so, since user behavior is unpredictable, training alone is not enough. Whether it's having up-to-date email security settings or anti-phishing protection protocols in place, investing in a phishing detection solution is critical.

Minimize Risk with a Strong Defensive Posture

Successful phishing attacks can be minimized with a comprehensive security platform that focuses on people, processes, and technology.

In the case of technology, using security tools like sandboxing will analyze the unknown link or file and implement a policy to prevent access if it is determined to be malicious. Other processes like URL filtering will block known malicious websites and unknown websites to prevent attacks early on. Access to a threat intelligence cloud provides the combined knowledge of the global community, enabling protections if a similar attack has been seen before.

Email gateway reputation-based solutions have the ability to catch and classify phishing emails based on the known bad reputation of the embedded URLs. However, well-crafted phishing messages with URLs from compromised legitimate websites will not have a bad reputation at the time of delivery of email and will be missed by these tools.

The most effective systems identify suspicious emails based on analytics, such as unusual patterns in traffic. It then rewrites the embedded URL and maintains a constant watch on the URL for in-page exploits and downloads. These monitoring tools quarantine suspicious email messages so that administrators can research ongoing phishing attacks. If a high number of phishing emails are detected, administrators can alert employees and reduce the chance of a successful targeted phishing campaign.

Why Protecting and Responding to Phishing Is Hard

Common problems related to phishing attack response

At the end of the day, phishing protection and response is hard, which is why phishing attacks are as much of a problem today as they were decades ago:

  • Phishing attacks account for a large proportion of alerts SOCs see daily because they are frequent, easy to execute, and act as the entry vector for further attacks.
  • Security teams can’t follow set processes while responding to phishing alerts because this requires coordination across multiple products, whether these are email inboxes, email security gateways, threat intel feeds, firewalls, ticketing, or other tools needed for phishing response.
  • Security teams must open multiple tool consoles, often in parallel, to enrich these phishing alerts. For example, they check indicator reputation through threat intel feeds, collect context from the SIEM if there's an attachment, detonate files in malware analysis tools, quarantine endpoint, block the firewall, open and close tickets, etc. Each tool has different consoles, data conventions and contexts, making it difficult for security teams to fill in the gaps while minimizing errors.
  • The triage is often manual. After deciding whether the email is malicious, the analysts have to then perform manual response actions to raise the severity, and this is all done on multiple siloed tools that analysts have to constantly pivot across. These actions mentioned are all high-quantity, repetitive and don't require human nuance.
  • Spear phishing attacks are sophisticated and sometimes indistinguishable from real email messages, and a recent industry study showed that 95% of all attacks on enterprise networks are a result of spear phishing.

Automate Your Phishing Response with Cortex XSOAR

With phishing attacks being one of the most common security threats bombarding security teams today, organizations must implement tools that can automatically investigate and respond to an email-based phishing incident without adding more tedious, manual work.

With Cortex XSOAR, you can use automated scripts and commands to create a customized, structured and automated incident response to access, and manipulate context data within an incident. With automation, a process that would typically take hours, sometimes days, can be cut down to mere minutes.

Learn how to deploy XSOAR with our hands-on self-paced Security Orchestration and Automation Use Case workshop

The image shown above captures what a phishing incident looks like in the Cortex XSOAR platform.

The image shown above shows a phishing incident playbook work plan within the Cortex XSOAR platform.

Automating Phishing Investigation and Response with Cortex XSOAR

In this scenario, your SecOps team has set up a phishing mailbox that is monitored using Cortex XSOAR. They request that users forward all suspected phishing messages to that mailbox.

A user has forwarded one such email.

When the new email arrives, Cortex XSOAR retrieves it as an event and creates an incident. Cortex XSOAR then automatically executes a playbook to analyze the email and, optionally, to respond if the email contains phishing or malware content.

Cortex XSOAR starts the basic analysis by retrieving the original message that the end user forwarded.

In addition to extracting the email headers, which include domain and IP address indicators, the analysis extracts URL indicators, Cortex XSOAR submits unknown URL indicators to WildFire to determine they are malicious.When the analysis completes, the assigned SecOps analyst can review the attack information automatically gathered by Cortex XSOAR.

If instead you want Cortex XSOAR to take actions based on the results, this automation scenario includes some advanced options. The first option is to search the email system for all recipients of the original message, and if the analysis determines that the message contained a malicious phishing URL, remove the message from all mailboxes system-wide.

The second option assumes that users at your organization connect to the network through Prisma Access. Cortex XSOAR searches the Prisma Access logs stored in Cortex Data Lake to determine if any users tried to access the malicious URL in the original message. If the logs confirm that users did try to connect, then you can notify the users.

Although it is beyond the scope of this guide, you could use this information to create new incidents to interact with users who might need further attention, such as attending a training session focused on phishing awareness or initiating a forensic examination of their computer system.

To learn more about how Cortex XSOAR automates phishing investigation, download the Cortex XSOAR Phishing Investigation: Operations Guide here.

Why Should I Automate My Phishing Response?

Automating your phishing response wields instant benefits, as seen above.

When considering any automation scenario, you should ask the following questions:

  • Automating mundane tasks: How cumbersome is the current manual process? How important is manual intervention? How much can be automated? Are current staffing levels sufficient for completing tasks in a reasonable time frame? Are security analysts using their time efficiently? Are security analysts able to use their advanced skills, or are they just performing rudimentary data collection?
  • Responding rapidly: How critical is it that the organization can respond quickly? How much time can you save through automation? Are responses currently delayed due to a lack of resources? Does the current manual process meet the required service-level agreement?
  • Integrating across multiple components: How many different systems are involved? What level of expertise do you require to master individual systems? Do security analysts have the appropriate permissions to access the required systems? Is the data properly formatted and compatible across systems?
  • Reducing errors: Is the current manual process error-prone? Are processes followed consistently? Is all data accessible within a single system?


With an automated response tool like Cortex XSOAR, the entire phishing enrichment and response process can be coordinated and automated through out-of-the-box playbooks. These playbooks codify processes across security products and teams while automating high-quantity actions that usually waste time, including the following:

  • Cortex XSOAR can ingest phishing alerts from email inboxes and phishing detection tools through integrations.
  • Once an alert is ingested, a playbook is triggered and can have any combination of automated or manual actions that users desire, including automated indicator reputation checks from threat intel, context collection from SIEMs and malware analysis from sandboxes.
  • The playbooks can have filters and conditions that execute different branches depending on certain values. For example, if the phishing alert is malicious, the playbook can automate ticket creation, setting severity and sending an email to the analyst to come in and investigate.

To learn more about the Cortex XSOAR platform and test it out for yourself, download the Cortex XSOAR Free Community Edition here.