How do you define phishing?
The word “phishing” – despite its ubiquity – doesn’t really have a set definition. There is little to consensus on a phishing definition, either. It means many different things to many different organizations.
We know this because we asked dozens of organizations how they define phishing. And we got a diversity of responses that really underscored one of the biggest problems currently facing the cybersecurity industry: not everyone is on the same page about THE biggest threat every organization faces.
91% of cyber attacks start with an email. But the percentage of those emails that would be classified as “phishing” varies by organization. Again, there is no consensus on one singular phishing definition.
Now, that’s not to say that any of these phishing definitions are necessarily wrong. Instead this is a discussion about whether those definitions go far enough, or whether they might even go too far. Obviously, we’re not going to be able to nail down a consensus right now, but it’s still worth asking: how do you define phishing?
Let’s hash it out.
The Definition of Definition
Before we get into the various definitions we received (and decided to highlight), let’s talk a little bit about definitions themselves. Hopefully this will inform our critiques. And don’t worry, we’re not going to stray too far into the weeds on this.
Generally, there were two types of phishing definitions that we saw with high frequency. The first, is more of a real definition of the essence of phishing. This originates from classical thought and Aristotle, who believed that a word’s essential attributes accounted for its “essential nature” and that any definition of said word must necessarily contain them.
Here’s an example, this phishing definition comes from Garry Brownrigg, the CEO of QuickSilk, a cloud-based SaaS company:
In simple terms, phishing can be defined as an attempt by a bad actor to gain access to sensitive information such as usernames, credit card details and passwords. The hacker typically attempts to do this by acting as the legitimate sender of an email or instant message.
This definition sticks to the basic attributes of phishing:
- Perpetrated by bad actor
- Looking to compromise information
- Done by impersonating a legitimate sender
This isn’t necessarily a broad phishing definition, but it sticks more to the specific attributes that make it phishing rather than worrying about the various permutations of it.
Personally, I think this style of definition is better-suited to our needs.
The other types of definition we saw with frequency is what’s called an extensional definition. An extensional definition does worry about the various permutations. In fact, it defines phishing by listing every type of attack that comprises phishing.
Here’s an example of an extensional phishing definition from The United States Computer Emergency Readiness Team (US-CERT):
[Phishing is] a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity. Phishing attacks often use email as a vehicle, sending email messages to users that appear to be from an institution or company that the individual conducts business with, such as a banking or financial institution, or a web service through which the individual has an account.
While this definition also contains some of phishing’s essential attributes, it’s more concerned with covering the various ways the crime can be executed, stopping just short of naming the various types of phishing by name – likely for length purposes.
That’s really the problem with defining phishing, do you focus more on the essential attributes of the crime – its quiddity, or as medieval logicians called it, the “what-ness” of phishing – or should the focus be on more broadly encompassing all the disparate methods that comprise the umbrella term, phishing.
Here are how some of the other organizations and experts in the cybersecurity community define phishing. It’s worth noting that many of these definitions have been truncated. We received a lot of excellent responses, some of which we’ll quote from in the future. But for now we’ve tried to distill each phishing definition down to its… essence?
Anyway, first up is…
Justin Lavelle, the CCO of BeenVerified, a leading online background check platform:
The term “phishing” is a broad term that describes any effort that a scammer makes to manipulate a group of people into sharing their personal information, such as their passwords, usernames or credit card information for mischievous reasons. The victims can be anyone, as the initial contact is sent out to large groups of people at once. The scammer may present themselves as someone the victims can trust. They will contact their victims by email, social media, or by phone. The objective of these attacks is to send a fake correspondence, which seems as if it was generated from a real organization, to a large group in hopes that one of these contacts will follow the link provided for them and reveal their personal information to the scammer.
This phishing definition manages to check both boxes. It’s actually impressive for how much territory it covers. The only question we’d ask is how BeenVerified defines email-based attacks where the intent is to distribute a malicious payload? Does that constitute phishing or should we be defining that as something else?
Patricia Vercillo, Vice-President of Operations at The Smith Investigation Agency and Smith Training Centre
Internet fraud. A scammer who emails people impersonating businesses, financial institutions or credit card companies. The goal is to trick people into giving up their private information such as date of birth, account numbers etc.
This phishing definition is concise, and somewhat narrow, focusing on the more classical methods of phishing. Again, there’s no mention of other types of email-based attacks – but, that could actually be a strength. If you reside in the “phishing definitions are too broad” camp, this is perfect.
Ray Walsh, ProPrivacy, Privacy Advocacy Group
Phishing is the act of extracting sensitive information from an internet user by tricking them. This is usually achieved by fooling the user into entering their personal details into fake online forms and websites. Phishing may sometimes involve deliberate personal manipulation of a victim. This kind of attack uses social engineering and is technically referred to as spear-phishing.
This is another phishing definition with a fairly narrow scope, limiting itself to just the harvesting of information. Again, this is closer to the classic definition, but doesn’t address other iterations. And as we stated a minute ago, maybe that level of specificity is actually the right approach. But it does require some additional definitions that cover other kinds of email attacks.
Ana Bera from safeatlast.co, a website specializing in cyber security
…we define phishing as any acquiring private and sensitive information without the person understanding how that information will be used. Whether those who’re acquiring the information are openly lying about why they need that information or they are just vague in their explanation on purpose, we call it phishing.
This phishing definition goes in a different direction because it also covers email that is deceptive, if not necessarily malicious. This would definitely be a GDPR violation. But it’s interesting to see it defined as phishing.
Eric Williams, Founder & CEO, Ijura
Phishing is the practice of impersonating a trusted or legitimate source via email/text/SMS to trick targets into revealing privileged information for malicious purposes, or to install malware on the victim’s computer.
This is one of the more all-encompassing phishing definitions we got, and it’s all the more remarkable for its brevity. Unlike most of the other phishing definitions, this one includes malicious payloads.
Social Catfish, Online Identity Verification Service
Our organizations’ working definition of phishing is when someone sends you a malicious email with the intent to steal the recipients private or sensitive information. These scammers usually pretend to be from a legitimate company to leverage the trust of these organizations. The email itself will vary based on their intent; whether that be to get the intended recipients’ credit card information, their login credentials to a particular website, or another type of data that may be of value to the scammer.
This ones sticks to the exfiltration of information. It covers it quite well, but it ignores other types of email attacks. Again, this could very well be by design. Social Catfish may identify other types of email attacks differently. And that underscores our whole point, once again, that there’s really no consensus on the definition of phishing despite the fact it would be exceedingly useful to have one.
G2, Digital Business Solutions Provider
At G2, we define phishing as the method of obtaining user information through fraudulent communications targeted directly at people. This is usually done through emails disguised as coming from a legitimate source but delivers the target’s information back to the hacker’s actual source. It’s basically when the goal of a hacker is to scam you, usually via email, into providing them with the information they want. It’s easy to fall victim and take the bait, especially if you’re moving too fast to see that the email address is just one character off, or the URL provided in the email is just slightly misspelled.
This was the only phishing definition that got into WHY phishing works. Many explore why it’s done. This one points out why it’s successful. Smart, given that this definition is going to appeal to the average business owner and IT admin a little differently than some of the more surgical definitions.
Atif Mushtaq, CEO and founder of SlashNext
“Basic phishing tries to get someone to do something – from downloading an attachment, to clicking through to a website, to completing a form. Human nature is a key vulnerability and attackers know how to exploit it. Spear phishing differs in that it usually targets a smaller group or a specific department in an organization and is more difficult to detect as it appears to come from a sender closely aligned with the recipient. Whaling attacks are spear phishing threats that specifically target high-profile individuals. This could be C-level executives within an organization, or celebrities and politicians that have a lot to lose, that being reputation or money.”
This phishing definition comes the closest to completely encompassing all potential email attacks that could constitute phishing. It’s definitely the most extensional definition that was submitted. Still, I think it’s biggest strength is the first sentence:
Don’t laugh. Because as simply stated as that may be – in 2019, it’s entirely accurate. Phishing is no longer just about exfiltrating information. It’s also the most commonly exploited attack vector for other, more dangerous attacks.
Keep that in mind as we (foolishly) try to cobble together our own best definition…
What is the best way to define phishing?
As we’ve just covered, phishing’s definition varies by organization and industry. It varies person to person. There is no consensus on how to define phishing beyond the fact that it’s about deception, and has historically involved theft of data.
But anytime you use the word “historically” to refer to cybercrime you’re already way behind the curve. Phishing has evolved substantially since its invention – back when email was still a novelty and children could still communicate effectively without the use of emojis.
Nowadays phishing commonly involves malicious payloads. Malware posing as resumes or invoices. Phishing is commonly a vehicle for ransomware. It’s fair to say it’s become less of an exploit in and of itself and more of a conduit to greater threats.
That’s why we appreciated the way Atif started his definition, which we’ll paraphrase to start our own:
Phishing is an attempt to get a target to take an intended action…
At The SSL Store, we take a broader view on phishing, one that extends beyond simply stealing personal information or login credentials. We view any attack that’s triggered by a duplicitous communication, and that fools its intended target into taking the intended action as phishing.
Let’s try to put it a bit more concisely though. Here’s our phishing definition:
Phishing is an attempt to get a target to take an intended action via deceptive communication where the attacker impersonates a trusted entity.
I think Aristotle would be pleased with that definition as it sticks to just the essential attributes of phishing:
- It’s deception
- It takes advantage of social trust dynamics
- It’s designed to persuade the target to take an intended action
Beyond that, what other common threads do all the other variants of phishing share? It can play out across different mediums. It can target different individuals, divisions or companies. It can imitate just about anyone. The end goals vary.
And everyone defines phishing differently. Our definition may not satisfy other organizations. Just like theirs may not satisfy us.
The biggest question we can take away from all of this is: do we define phishing too broadly? Or not broadly enough?
As always, leave any comments or questions below…