Defining phishing sounds simple, until you try to do it.
A quick Google search returns more than 18 million results, each offering a slightly different take. Even Wikipedia’s definition, while helpful, still misses a few critical elements. As a company, we’ve seen firsthand how phishing has evolved since the term was first coined, which is why it’s time to acknowledge — and properly define — the fluid nature of phishing today.
Definition: Phishing
Phishing | Noun | Pronounced as fi·shuhng
Social engineering using digital methods for malicious purposes.
Why Phishing Has and Will Continue to Change
The definition above reflects how we view phishing. It is intentionally flexible to account for constantly evolving technology, avoids limiting phishing to a specific digital medium, and recognizes that anyone can be a victim. Most importantly, it emphasizes social engineering as the core element. While phishing attacks may involve technology, they ultimately rely on people manipulating people through psychological tactics.
Many existing definitions go a step further by trying to define phishing based on its purpose, which is a fundamental flaw. Phishing can serve many different ends—it is simply a means of tricking users into taking actions that benefit the attacker, whether that’s entering credentials, opening a malicious attachment, or transferring funds.
Following is a brief explanation of how this definition was developed:
Social Engineering
Fundamentally, all phishing attacks are a human tricking a human.
Malicious
Not all social engineering is malicious; marketing, for example, is not (though it is still questionable at times). Including the word is necessary to highlight the intent behind these psychological attacks.
Digital Methods
The methods used for phishing are inextricably linked to how we use technology to communicate and do business. The digital landscape is constantly evolving, and phishing evolves with it. It happens across email, the web, mobile apps, SMS or text messages, and the list goes on. Further, there are countless techniques and variations of phishing; the set is fluid by nature and grows with whatever threat actors find successful.
What's Missing? Technology
Yes, there may be technical subterfuge involved to make the con more believable, but at its core, phishing is about exploiting people, not technology. This is why we prefer the term digital methods over technology.
Let's take a look at some other prominent definitions of the word phishing:
Dr. Elmer Lastdrager of SIDN Labs
In his 2014 research paper, which compiles and analyzes definitions of phishing from 113 unique sources, Dr. Elmer Lastdrager offered the following definition:
Phishing is a scalable act of deception whereby impersonation is used to obtain information from a target.
This may be one of the most efficient and logical ways to define phishing, which was the intention, but as an organization, PhishLabs posits that social engineering (in place of deception) needs to be a key element of the definition. The reason is that the word deception implies that the information used against the target is false; however, some of the most vicious and targeted phish use well-researched facts to both increase the likelihood of action and add legitimacy to the attack. Social engineering goes a layer deeper: it can use deception as a tactic, but the key element is the psychology involved.
Anti-Phishing Working Group's Definition of Phishing
APWG's definition is a mouthful, perhaps even a few mouthfuls, but it does highlight a few key elements that we took into account. However, specifying that phishing impacts only consumers, or that it uses a specific digital medium (email), narrows the scope of the definition too greatly. On the flip side, they also acknowledge the important role social engineering plays, as well as some of the technical components.
Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers' online account usernames and passwords - and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers' keystrokes).
Merriam-Webster's Definition of Phishing
Merriam-Webster comes closer to a robust definition of who is likely to be impacted, but even the term Internet user is off, because phishing no longer happens only on the internet. Vishing is phishing conducted through voice chat or the phone, and SMiShing is phishing conducted through text or SMS messages. The definition also leaves out social engineering and narrowly focuses on email rather than all digital mediums.
A scam by which an Internet user is duped (as by a deceptive email message) into revealing personal or confidential information which the scammer can use illicitly
Phishing Examples
Following is a growing list of modern phishing attack types:
- Fake or Spoofed Sites
- Data Leakage
- Vishing (voice-based phishing)
- SMiShing (text or SMS-based phishing)
- Rogue Mobile Apps
- Whaling
- Credential Theft
- Fake Profiles
- Malware Delivery
- Online Fraud
- BEC Attacks
Only a few of these techniques rely on technology to achieve the intended result, and even for those, social engineering, or psychological manipulation, is the true threat. It is for these reasons, and because of the fluidity of digital mediums, that we define phishing in this specific scope.