The 3 Stages of a Phishing Attack

Think of a standard phishing attack occurring in three stages: bait, hook and catch.

1) Bait

In this first stage, attackers prepare the "bait" for their attack.

Most phishing attempts are "quantity over quality" attacks: attackers simply scrape the internet for email addresses and compile bulk target lists.

More targeted phishers go further, researching a victim's behaviors, hobbies, and known associates, or working out where the victim works or lives.

For a quick financial scam, an attacker may need nothing more than your email address alongside thousands of others. For a social engineering scheme, attackers can spend weeks on research so that they can convincingly imitate a trusted contact. The more believable the impersonation, the better the chance the scheme works.

For example, let's assume you operate a B2B business that ships medical equipment to urgent care centers. While preparing the bait, an attacker discovers a list of suppliers you frequently work with and then imitates one of them.

The phisher will send from an email address that closely resembles the supplier's (a lookalike domain with one character swapped, for instance), and copy the supplier's branding header or footer, email signature, and so on.


2) Hook

Once the bait is prepared, the attacker prepares the hook.

Phishing attempts usually require the target to perform a specific action: click a link, download a file, reply to the email, and so on. To get an immediate response, attackers create a false sense of urgency. The intent is to manipulate victims into acting quickly without thinking.

Most phishing attacks are broadly targeted at thousands of people, so the hook is often as simple as "you have a payment past due" or "you have yet to claim your refund." These emails are made to look like they come from vendors you recognize and use often.

Continuing the supplier scenario above, assume the attackers successfully imitate one of your suppliers and send an email saying there is a problem processing the payment on file.

To get the shipment out the door for on-time delivery, they need you to re-enter your billing information on a "secure page" that they also built, using their background research, to mimic your real supplier's website.
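The bait and the hook in this scenario rest on three things a mail filter or a careful reader can check: a sender domain that merely resembles the supplier's, a link whose visible text names the real supplier's site while its actual target does not, and urgency language. The Python script below runs those three checks over a raw email. It is an added example written for this page, not the article's or Commprise's own tooling; the supplier allowlist, all domain names and the sample message are constructed for the demo, and the homoglyph table and edit-distance threshold are rough heuristics, not a replacement for SPF, DKIM and DMARC validation of the sending domain.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for the supplier scenario in the article (not a real email).
# The sender domain swaps "l" for "1", and the link text shows the supplier's real site
# while the href points somewhere else entirely.
SAMPLE_EMAIL = """\
From: "MedSupply Billing" <billing@medsupp1y.com>
To: purchasing@example-shipper.com
Subject: URGENT: payment failed - shipment on hold
Content-Type: text/html; charset=utf-8

<html><body>
<p>We could not process the payment on file. To release today's shipment,
please re-enter your billing details within 2 hours on our secure page:</p>
<a href="http://secure-medsupply-billing.example.net/login">https://medsupply.com/billing</a>
</body></html>
"""

# Assumed allowlist of domains your real suppliers send from (hypothetical names).
KNOWN_SUPPLIER_DOMAINS = {"medsupply.com", "acme-medical.com"}

# Crude homoglyph folding: characters phishers commonly swap for look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within \d+ hours?|on hold|past due|suspended)\b", re.I
)


def normalize_domain(domain):
    """Fold common look-alike tricks so 'medsupp1y.com' and 'rnedsupply.com'
    compare equal to 'medsupply.com'. Applied to both sides, so it is symmetric."""
    return domain.lower().strip().replace("rn", "m").translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, known_domains, max_distance=2):
    """Return the known supplier domain that sender_domain imitates, or None.
    An exact match is treated as legitimate here; in practice confirm it with
    SPF/DKIM/DMARC, since the From header alone can be forged."""
    sender_domain = sender_domain.lower()
    if sender_domain in known_domains:
        return None
    norm = normalize_domain(sender_domain)
    for known in known_domains:
        known_norm = normalize_domain(known)
        if norm == known_norm or edit_distance(norm, known_norm) <= max_distance:
            return known
    return None


def mismatched_links(html):
    """Return (real_host, displayed_host) pairs where the visible link text names a
    different host than the href actually points to."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        match = URLISH_RE.match(shown)
        if not match:  # link text like "click here" carries no host to compare
            continue
        shown_host = match.group(1).lower()
        if shown_host != real_host:
            findings.append((real_host, shown_host))
    return findings


def triage(raw_message):
    """Run the three checks over one raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = str(msg["Subject"] or "") + " " + body
    return {
        "sender_domain": sender_domain,
        "imitates": lookalike_of(sender_domain, KNOWN_SUPPLIER_DOMAINS),
        "mismatched_links": mismatched_links(body),
        "urgency_terms": [t.lower() for t in URGENCY_RE.findall(text)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run as a script, it reports that medsupp1y.com imitates medsupply.com, that the link displays medsupply.com but leads to secure-medsupply-billing.example.net, and three urgency cues. The same three signals are what a reader should look for by hand: hover the link, read the sender's domain character by character, and treat "act now" pressure as a reason to slow down and call the supplier on a known number.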


3) Catch

After the attackers have done their research and baited their hook, they wait for targets to bite. What happens next depends on the nature of the phishing attempt.

Most of the time this means simply waiting for a few thousand targets to click the link in the email.

The attackers either collect credit card numbers or banking details directly on their fake page, or quietly install malware on the target's computer that captures personal information when the victim later enters it into a legitimate site.

Some phish for access to email inboxes or company databases; others want banking information in order to commit financial fraud.

To conclude our supplier phishing scam example, say you receive the email from the fake vendor. Skimming it quickly, you recall that the urgent care location mentioned in the email recently placed an order.

Without thinking about it, you click the link and enter your credit card information to ensure on-time delivery. With that information captured, the attacker can now make fraudulent purchases on your corporate credit line.

While it may seem overly simplistic, almost all phishing attacks follow the "bait, hook, and catch" pattern. This basic approach is all it takes for an attacker to gain access to sensitive information.

Need help identifying gaps in your company's security? Commprise offers IT security and compliance auditing, including phishing tests. Book a call.