What is phishing and how dangerous is it?

What is phishing?
(Image credit: wk1003mike / Shutterstock)

Phishing is the act of placing a piece of bait in front of an unsuspecting computer user and hoping that they will bite - it's been the bane of antivirus companies for a long time now.

Like someone fishing uses bait on a hook to try to land a salmon, a malicious actor will use virtual bait in the form of an email (usually) with a link to entice the user to click on that link. Unfortunately, once the unsuspecting victim gets "hooked," their device is most likely infected with malware - and a whole world of pain and expense.

A Techradar Choice for Best Identity Theft Protection

<a href="https://aurainc.sjv.io/c/221109/899264/12398?subId1=hawk-custom-tracking&sharedId=hawk&u=https%3A%2F%2Fbuy.aura.com%2Fsave-50" data-link-merchant="buy.aura.com"">A Techradar Choice for Best Identity Theft Protection Aura is an excellent choice thanks to its user friendly interface, antivirus service and detailed reporting dashboard. <a href="https://aurainc.sjv.io/c/221109/899264/12398?subId1=hawk-custom-tracking&sharedId=hawk&u=https%3A%2F%2Fbuy.aura.com%2Fsave-50" data-link-merchant="buy.aura.com"" data-link-merchant="buy.aura.com"">Save up to 50% with a special Techradar discount. 

You’ve got unwanted mail

The most common delivery method for a phishing attempt is email. Still, this kind of attack can be aimed at the unwary via text messages on a phone, on social media sites, or other online avenues.

The common theme is that whatever the chosen channel for delivery, the message will look like it’s coming from a legitimate entity. And if the attacker is well-armed with some knowledge about you – such as the services you subscribe to – it may seem all the more believable because it appears to be from a company you use.

Because the communication is seemingly from a legitimate entity, this might make you less likely to think about the actual message content, mainly when the phishing email combines this with the suggestion that something needs to be done urgently, which is another common tactic.

Phishing message

(Image credit: Shutterstock / DRogatnev)

So how does phishing work exactly?

Often the phishing scammer will make it seem like you must take immediate action, hoping that this may prompt you to act swiftly out of fear rather than considering the content of the email.

So let’s take an example: you might receive a message about an unpaid bill marked as urgent with a warning that your account is about to be canceled if payment isn’t made immediately. The invoice will be attached, and if you open it, curious as to what you owe and why the dummy file (it’s not an actual invoice) will infect your PC with malware.

A second example is an email that says something like: ‘Follow this link to log in and reset your password NOW because your account has been compromised, and your payment details are at risk.’

The irony is that if you do indeed click on that link and fall for the phishing attempt, you’ll be presented with a false (probably quite convincing) login portal. When you do enter your password and other personal details, they’ll be stolen, and your account really will be compromised.

How bad is it if you get phished?

Sticking with our above examples, if phishing tricks you into opening a malware-laden attachment, your system will be infected, and all manner of bad things could happen. For instance, you might fall victim to ransomware, which locks all your files away and demands a large payment to get them back (with no guarantee that will happen, even if you do pay out).

With our second example, the malicious party will have your username and password - possibly even your bank details - and will then be able to log in to your account, perhaps changing the password to lock you out when you next try to log in.

Depending on what service or subscription has been compromised, the fraudster may be able to take any number of actions. If it’s an online shopping site, for example, they could be able to order goods from it under your account.

A further danger is present for folks who engage in the poor security practice of using the same password for different accounts. The attacker may try the pilfered password with other services  – using your email as the username – and be able to log into those as well.

This is why you should never reuse the same password across multiple accounts (and if you’re stuck in terms of thinking up and remembering different passwords, try using one of the best password managers).

Two-factor authentication

(Image credit: Shutterstock / Askobol)

Two factors are better than one

Phishing is dangerous. So, what can you do to protect yourself? 

The most important thing is to exercise common sense and a good deal of caution about any message you receive that looks faintly suspicious. Tell-tale signs include spelling mistakes or odd phrasing, messages saying you must do something "right now," or a link or attachment which seems even remotely dodgy.

Even if a message apparently comes from your boss, or a close friend, don't trust the content more because of this – their email address or details could easily have been spoofed. Indeed, one of the best steps you can take if you're not sure about a message is to contact the email's sender directly and check if it's genuine. Similarly, if you get a message purporting to be from, say, Amazon, you can log in to your account and contact the company directly to check the validity of any communication.

Not only is double-checking your friend when it comes to defeating phishing but so is doubling up on authentication. This means using two-factor authentication or 2FA, which many major services and companies use these days. With 2FA, you set up not just a password but also a second form of verification, so when a login attempt comes from a new device or location, you also have to enter, say, a code that is texted to your mobile phone.

In this case, an attacker may have phished your password, but when they try to log in with it, they don't have your phone (hopefully!) – and so won't be able to get into your account successfully. So 2FA is most definitely a big ally in the battle against phishing.

Finally, it doesn't hurt to have one of the best antivirus software installed on your PC (or phone) to help catch any threats and offer protection to block known phishing sites.

What is phishing and how dangerous is it?

Phishing is one of the most dangerous threats to your online accounts and data because these kinds of exploits hide behind the guise of being from a reputable company or person and use elements of social engineering to make victims far more likely to fall for the scam.

Because of this, you should be extra cautious of anything remotely suspicious in a message you receive and make good use of the security practices we discussed above, including two-factor authentication.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).