What is Phishing?

October 01, 2021


Phishing is a term you will see constantly when reading about cybercrime, but it is used as a catch-all for many things. That’s what makes “What is phishing?” a more complex inquiry than it looks like. At its root, phishing is a cybercrime operation in which the main goal is to acquire access, credentials, passwords, money or information through a fraudulent message. You may encounter a phishing message through email, text, direct messages, or even a phone call. Sometimes this is also called a phishing attack or phishing scam.

In a phishing scam, the perpetrator masquerades as a legitimate business or reputable person to coax the victim into taking an action that furthers the goal of the operation, like giving the bad actor their password, downloading a malware-laden attachment or clicking on a malicious link. Most phishing campaigns start with bad actors gathering information about their targets like email addresses, personally identifying information (PII) and other pertinent details from dark web markets and credential dumps. Sometimes, phishing practitioners also use pre-existing messages from reputable brands and clone them in order to seem trustworthy, a process called spoofing. Ultimately, phishing is a type of fraud. Phishing is also illegal in many countries including the United States.


How Can Phishing Impact a Business?

Phishing can impact a business in a wide variety of ways – especially your budget. Falling victim to just one phishing attack can have consequences that your business may have a hard time recovering from, if it ever does. Phishing can cost a fortune as you shell out for the additional payroll hours and expert assistance you’ll need for investigation, mitigation and recovery. Plus, you may be subject to regulatory penalties if the phishing results in a data breach. Unfortunately, an estimated 60% of all companies go out of business within six months of experiencing a cyberattack due to the high costs and lost revenue.

What is phishing’s impact on business security?

Phishing has a tremendous impact on business security. The gateway to an array of cybercrimes, phishing is the cybersecurity risk that your employees will come into contact with the most – and that can lead to disastrous consequences. An estimated 75% of organizations around the world experienced some kind of phishing attack in 2020.

Employees are notoriously overconfident in their ability to spot phishing messages. In a cybersecurity threat awareness survey, 92% of employees said that they feel at least moderately confident in their ability to sniff out a scam email. But in the same survey, only 84% felt that their colleagues could do that too.

In fact, most of the major cyberattacks that you see in the news, like the Colonial Pipeline attack, started with a phishing message that enabled cybercriminals to get their foot in the door at the victim’s business. Unfortunately, phishing risk can be hard to explain and understand, creating circumstances where many business owners don’t take threats like phishing seriously. An IBM report noted that 60% of SMB owners feel that their business will not face any kind of cybersecurity incident in the next year, a dangerously incorrect assumption.


What Is the Purpose of Phishing?

Cybercriminals undertake phishing campaigns for profit. They may be aiming for immediate profit, which is something that they can reap from phishing-related cybercrimes like BEC, CEO fraud and invoice spoofing. Or they might be searching for a point of entry into a company’s IT environment through credential theft. Bad actors will also use phishing to deploy ransomware, whether it’s through the actions of an employee who clicks on a poisonous link or directly by using a compromised credential to gain access to systems and data.

Most phishing operations are carefully designed to coax employees into taking that action based on fear, confusion, inattention and other mind games. Complex and sophisticated phishing scams will use social engineering to lure unwary victims into interacting with the messages or taking another action that will further the bad actor’s goals – more than 80% of socially engineered cyberattacks like phishing are effective.

Common Cyberattacks That Start with a Phishing Email

Almost all of today’s nastiest cybersecurity dangers come to businesses through phishing, including:

  • Ransomware
  • Business email compromise (BEC)
  • Identity theft
  • Credential compromise
  • Data breach
  • CEO fraud
  • Whaling
  • Smishing/vishing
  • Brand impersonation
  • Spoofing
  • Social engineering


What are the consequences of phishing attacks?

The consequences of a successful phishing attack are dire. There’s a reason why phishing is the weapon of choice for cybercriminals of every stripe from freelance hackers to nation-state threat actors: it works. Phishing enables them to pry open the door to businesses and undertake trickier operations that do major harm to businesses like unleashing ransomware or forcing a data breach.

The added expense and financial damage of phishing is also a substantial negative consequence. Every year, phishing costs businesses around the world a pretty penny, something no business needs in a time of economic challenges. The cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million (or $1,500 per employee) to phishing every year.


How Common is Phishing Today?

Phishing is the most common cyberattack that your business (and your employees) will face. It easily tops the list as the undisputed king of data breach risks in The Verizon/Ponemon Institute Data Breach Investigations Report 2021. Phishing was cited as the top cause of a data breach for the third year in a row in that report, even after ransomware was moved into its own category. More than 80% of reported security incidents are phishing-related.

Remote work has opened up new vistas of opportunity for phishing. Cybercriminals know that about 55% of remote workers rely on email as their primary form of communication and they did not hesitate to take advantage of the opportunity. By Q2 2020, Google estimated that it was blocking 18 million COVID-19 phishing scam emails a day through Gmail and that the pandemic was the biggest phishing topic in history.

Altogether, cybercriminals are keeping busy cooking up new scams even without the initial chaos and uncertainty of the global pandemic to work with, especially phishing with malicious links. Google had registered 2,145,013 malicious web pages that cybercriminals could use to conduct phishing campaigns as of Jan 17, 2021. This is up 27% over the 1,690,000 logged on Jan 19, 2020 – and a clear indicator that phishing will remain a common threat to businesses.

Why are phishing attacks popular?

Phishing attacks are popular because they are effective while also being very cheap to run. Even inexperienced cybercriminals can get their feet wet with phishing relatively inexpensively by buying premade phishing campaign kits that require very little skill to use. As a cybercrime, phishing has the lowest barrier to entry but still offers would-be cybercriminals an excellent opportunity to reap substantial profits.

It is also simple to farm out the phishing component of a major cyberattack. That’s commonly done by the larger ransomware and cybercrime gangs. Those groups usually subcontract work like running an initial phishing campaign out to an affiliate organization. If the affiliate is big enough, it might hire freelancers itself to run the phishing operation, like spear phishing specialists.

How much damage does phishing cause?

Phishing can also lead to a data breach, and that’s a really expensive disaster. In the IBM/Ponemon annual Cost of a Data Breach Report, the average cost of a breach in 2021 is estimated at $4.2 million per incident, the highest ever. That’s a serious risk for every business. An estimated 74% of organizations in the United States have fallen victim to a successful phishing attack that resulted in a data breach in the last 12 months. In the UK, 73% of organizations have suffered at least one data breach caused by phishing attacks since March 2020.


What is The Relationship Between Phishing and Ransomware?

Phishing and ransomware go hand in hand. The most common way that ransomware hits a business is through a phishing email. Experts estimate that 65% of active cybercriminal gangs use phishing as their favored method of delivery for ransomware. Ransomware groups turn to phishing to do their dirty work because it is an affordable and effective way for them to get the job done. Even nation-state threat actors prefer to traffic in ransomware. That means that protecting a business from ransomware starts with protecting it from phishing.

Of course, the devastation of ransomware can also be the outcome of a phishing disaster. An estimated 94% of ransomware and other nasty malware arrives at businesses through a phishing email. The risk of falling victim to a ransomware attack is a growing risk for every business no matter how big or small. Ransomware attacks are up by 150% over record-breaking numbers in 2020.

What is phishing and ransomware’s relationship to other cybercrime?

Phishing is the springboard for myriad other cybercrimes. It’s typically just the opening salvo in a much nastier attack. In the 2021 IC3 Report, the US Federal Bureau of Investigation estimated that businesses lost $4.2B to cybercrime in 2020 led by phishing.

The Verizon/Ponemon Institute Data Breach Investigations Report 2021 showed that the path from phishing to ransomware to a data breach is very clear. The number of breaches studied that included ransomware doubled, a confirmation of just how dangerous this phishing-related threat is for every organization. Ransomware is already up by more than 100% in 2021 over record numbers in 2020 and it’s still climbing, making this the top data security concern for 2021.


Can You Stop Phishing Emails?

No security solution or strategy will entirely stop phishing messages from reaching your organization. However, smart automated solutions do spot and stop 40% more phishing messages than conventional security solutions or a secure email gateway (SEG). That’s a crucial edge in reducing the number of phishing messages that land in an employee inbox.

Solutions that enable your employees to report suspected phishing messages to a network administrator for deeper analysis can be a company’s saving grace. Cybersecurity researchers studied over 200,000 emails that were flagged as potential phishing messages by employees from organizations of an array of sizes and industries worldwide in the first half of 2021. In the end, they found that 33% of the suspicious message reports that employees made could be classified as phishing. The employees submitted an average of 2.14 emails each during the period of the research. Researchers also estimate that employees at organizations with 1,000 seats report an estimated 116 emails per month.

How do I protect my business from phishing attacks?

Using a combination of strong solutions and employee education, you can dramatically reduce the chance that your business will become the victim of a phishing attack. Security awareness training is effective in reducing your company’s chance of suffering a damaging phishing-related incident. Companies that conducted regular security awareness training that included phishing resistance reduced their risk of falling victim to a phishing disaster by up to 70%.

Choosing an innovative, modern email security solution to defend a business from phishing attacks is the other half of the equation. That sounds daunting, but the process of migrating to a solution that offers every business cutting-edge functionality and puts powerful, multi-layered protection in place isn’t nearly as long and stressful (or as expensive) as it used to be.

In the past, email security was often a complicated proposition. Overburdened tech staffers had to spend precious hours configuring the new software, deploying it across the organization, integrating it with the company’s email client, feeding it threat reports, adjusting the safe sender list or whitelist and ensuring that everything was just right before they could even turn it on. Today’s smart solutions don’t require all of that fuss, with a setup that takes minutes and AI that gathers its own threat intelligence, drastically reducing the amount of time that techs have to spend tending to it.

Why build a strong defense against phishing?

Building a strong defense against phishing is a vital component of any defensive strategy because phishing can lead to so many cybersecurity nightmares. Phishing threats haven’t shown signs of slowing down in 2021 either – risk was up almost 300% over 2020’s record-breaking numbers in May and June, and ransomware risk is also climbing. That means that phishing is on track to notch record-breaking growth numbers again in 2021, creating a cybersecurity crisis that no business can afford to overlook.


What is The Best Protection Against Phishing?

Deploying a high-quality email security solution is your best bet for first-line defense against phishing. Those solutions generally hew to one of three types.

Conventional Security

Conventional email security is the protection that’s available with O365 or GSuite for Business, or even a specialty solution that operates in the same way. These solutions rely on traditional tools like filters, safe sender lists and human-provided threat reports. However, conventional email security solutions for businesses can be ineffective – 25% of phishing email still reaches employees in companies that use traditional email security.

A Secure Email Gateway (SEG)

A Secure Email Gateway (SEG) is a complex beast that requires expert setup and maintenance. It can take weeks or even months to get a SEG set up. It also depends on humans for continued maintenance and to feed it threat reports. Even then, SEGs are generally only sorting incoming mail into two categories: safe and suspicious. SEGs are not very good at that either – 90% of the phishing messages discovered in penetration testing by phishing experts made it through a SEG.

Automated Solution

Automated solutions are today’s answer for email security, offering companies a number of advantages at a surprisingly affordable price. Smart, AI-powered solutions read the whole message, not just the sender and subject line, to weed out sophisticated phishing messages. Automated security also gathers its own threat intelligence and uses that data to refine your protection.


Why Choose Graphus?

Graphus reliably defends your business from cybersecurity risks like phishing 24/7/365. Powered by an AI that never stops learning, Graphus learns your communication patterns to tailor your protection perfectly, defending your business from trouble by putting three strong shields between you and the bad guys.

  • TrustGraph uses more than 50 separate data points to analyze incoming messages completely before allowing them to pass into employee inboxes. TrustGraph also learns from each analysis it completes, adding that information to its knowledge base to continually refine your protection and keep learning without human intervention.
  • EmployeeShield adds a bright, noticeable box to messages that could be dangerous, notifying staffers of unexpected communications that may be undesirable and empowering staffers to report that message with one click for administrator inspection.
  • Phish911 enables employees to instantly report any suspicious message that they receive. When an employee reports a problem, the email in question isn’t just removed from that employee’s inbox — it is removed from everyone’s inbox and automatically quarantined for administrator review.

Schedule a demo

Stop phishing immediately with Graphus – the most simple, automated and affordable phishing defense available today. You’ll be pleasantly surprised by the performance and the price. Schedule a demo with one of our solutions experts today. SCHEDULE YOUR DEMO>>
