Sienna Arellano, Ian Kilty – February 17, 2025
As of 2025, phishing is the most common form of cyber crime, with over 3.4 billion spam emails sent daily. Gen-Z internet users are the most likely to fall victim to phishing attacks, and one wrong click can have disastrous consequences: an attacker gaining access to your personal information and credentials, and compromising your devices.
Source: https://www.cisa.gov/sites/default/files/2023-02/phishing-infographic-508c.pdf
What is Phishing? Why is it so effective?
Phishing is a type of social engineering attack in which threat actors pose as ordinary users and lure a victim into providing sensitive information.
But why do attackers use this method? It comes down to human psychology: attackers exploit human emotion and use deception techniques to trick users into clicking malicious links. The phishing method does not require advanced technical skills to launch, reaches a wide range of users at once, and typically has a high success rate.
What is the Phishing Business Model?
The phishing business model is based on the “Phishing-as-a-Service” (PhaaS) platform, a pay-as-you-go service, or “Software-as-a-Service”, that allows attackers to perform phishing attacks. People can subscribe to this phishing attack package, purchase phishing kits, and perform attacks. Vendors advertise their services on the dark web, opening the growing business to anyone willing to pay and deploy a phishing campaign.
The Phishing-as-a-Service model includes a complete kit with everything required to launch a successful phishing attack. The kit may include email templates and lookalike copies of legitimate company emails. The PhaaS vendors advertise these kits as a product that attackers with little technical knowledge can run.
Why is Phishing so effective?
You might think that phishing is an ineffective method for compromising users, but because of the scale of modern-day communications such as email, it’s easy for a malicious attacker to find thousands of email addresses of potential victims.
Let’s say that a phishing attacker creates a phishing email with a success rate of 0.7%, not very high, right? Now let’s say the attacker found a list of 10,000 email addresses, the size of a company or a medium-sized college. Statistically, 70 people are going to be compromised, allowing the attacker to potentially infiltrate the network and gain further unauthorized access to the organization’s resources.
Phishing only needs to work once for a whole organization to be in danger.
Why is my data a target?
You might think that if someone had your username and password, that would not be too bad; you might think, “I have nothing to hide.” But the consequences can be very serious. If someone has access to your email, they can reset passwords on other sites, leading to further intrusion. If you are in a position of power, an attacker can abuse that power under your name.
There is a market for people’s data, including credentials, that is sold every day. These personal credentials are commonly labeled as “initial access”. Initial access to a network is often the hardest and most sought-after step in the cyber kill chain. As a result, criminals make money by selling this “initial access” to other attackers with malicious intent.
After initial access is obtained, attackers use whatever means necessary to achieve their malicious goals, including pretending to be someone else in an organization, phishing other people from a trusted email address, and so on. You might not think your data is very important, but in the wrong hands, the consequences can be detrimental.