Why phishing works and how to avoid it

Phishing is the most developed form of Internet scamming. Let’s explore the topic in order to better understand why it became so prominent and what measures one can take to avoid a phishing attack.

Phishing attacks are by far the most popular form of cybercrime in the 21st century. The media regularly reports lists of organizations whose customers fell victim to phishing attacks. Phishing scams increase in quality and quantity every day. Whereas spam tends to be merely an annoying distraction, phishing frequently leads to real financial losses. If the threat is so real, why don’t people learn to avoid it?

Why phishing works

There are many ways to take advantage of a user’s trust

There are numerous reasons why phishing works so well, starting with the ability of the scammers to play mind tricks on victims, in order to lure them into trouble. Phishers can use tempting offers, like complimentary giveaways, in order to bait users. This is a very efficient method, as many people would likely take advantage of a free offer.

A complimentary offer is the best way to lure a victim into a phishing scam.

A scammer can also use the buzz around a certain topic or event – take, for example, the large-scale scam that occurred after the FIFA World Cup. In the summer of 2014, a phishing site imitating the official FIFA web page prompted users to sign a petition in defense of Luis Alberto Suárez, the star forward on the Uruguay national team. In order to sign the petition, a user had to fill out an online form that asked for one’s name, country, mobile phone number, and email.

Another scam website offered its visitors an opportunity to download an e-ticket to the championship. Clicking the link would then download a Trojan, which would hijack critical personal and financial data.


In order to reach those users who are wise to phishers’ tricks, cybercriminals use another efficient tool with immense reach: messages that originate from the accounts of the victim’s friends – for instance, on social networks.

According to Kaspersky Lab, over 35% of the anti-phishing module alerts in 2013 were triggered by phishing websites faking social media pages. Out of over 600 million attempts to access a phishing site that we were able to detect, 22% of cases dealt with fake Facebook pages.

Another extremely fruitful method that is used to fool a victim into clicking on a phishing link is creating a sense of urgency and panic. This could be done in a scenario where a scammer threatens his victim with blocking their user profile or even a bank account. To enhance the efficiency of such an approach, the criminals also resort to so-called ‘vishing’ (or voice phishing, performed over the phone). Not everyone is so cautious in such a ‘critical’ situation that they will think to decline the requests of an extra-assertive ‘bank security officer’ asking for credit card data in order to prevent an account from being blocked.

Phishing is constantly evolving

One of the main reasons why phishing has been so successful is because of the constant technical evolution of phishing instruments, which are becoming increasingly sophisticated.

Visually, fake websites are hardly distinguishable from legitimate pages; moreover, many of them have convincing domain names and, in some cases, even employ a secure HTTPS connection with genuine certificates.

Mobile phishing has also become more and more prominent. Due to the technical peculiarities of smartphones and tablets (smaller screen size, for instance), it can be even harder to tell a phishing site apart from a legitimate one.

One should always bear in mind that when performing a phishing attack, a cybercriminal does not necessarily need to break into your system. This is why no existing platforms are capable of fully protecting you from phishing, making it a truly universal threat.

It is extremely profitable for cybercriminals

The overall popularity of phishing will not fade away as it is a highly profitable form of cybercrime. Phishing tools are easily accessible, and their reach is tremendous thanks to highly populated social networks (600 million, remember?). Also, the act of phishing requires little effort from the criminal, as the majority of actions performed by phishers are automated.

With all of that in mind, a cybercriminal can get a very decent paycheck. In the majority of cases, phishers hunt financial data. There is no need for sophisticated schemes to monetize the harvest.

Furthermore, phishing tends to be used alongside other criminal methods, creating efficient synergies for the culprits. Say a phishing email reaches you via spam; as soon as the criminals are in possession of your contacts, the same phishing email is forwarded on to them. With the creation of an extensive database of live contacts, hackers can send out malware in bulk and use the resulting botnet as they deem appropriate.


Ultimately, do not assume that the only thing scammers seek is your credit card or financial data. Many phishers would be perfectly happy with getting access to your user credentials in an email service or social network.

How to avoid phishing?

So what tips and tricks can users arm themselves with? First of all, use common sense.


Keep calm and do not give in to provocations, which are the instrument of online scams and ‘vishing’. Take a thorough look at the links and websites they direct you to. If you receive a suspicious link from a friend or colleague, make sure that they are indeed the ones on the other side of the connection before clicking on the link. When facing a ‘vishing’ attack, remember that no bank employee would ever urgently require your credit card details.

Ideally, do not go to a website through links; input the address manually. It goes without saying that all websites should be accessed with robust protections and networks in place. Do not forget to regularly update your antivirus software, especially if it offers antiphishing capabilities. For instance, the built-in antiphishing module in Kaspersky Internet Security can check websites against a list of known scam websites, and can also detect potentially dangerous pages by evaluating them against a list of over 200 criteria.