Phishing is one of the most common cyber threats, targeting individuals and organizations by tricking them into revealing sensitive information. Attackers use deceptive emails, messages, or websites to steal login credentials, financial details, or personal data. These scams often rely on social engineering techniques to create a sense of urgency or trust, convincing victims to act without thinking critically.

As phishing tactics evolve, cybercriminals have developed various methods, including spear phishing, smishing (SMS phishing), and vishing (voice phishing). Understanding how phishing works, recognizing warning signs, and implementing security measures such as two-factor authentication (2FA) and email filtering are essential for protecting against these attacks. This lesson will explore different types of phishing, how they exploit human psychology, and how to defend against them effectively.

Learning Objectives

• I can explain what phishing is and identify different forms, including spear phishing, smishing, and vishing.

• I can recognize common phishing tactics, such as fake invoices, urgent language, and suspicious attachments.

• I can describe strategies to prevent phishing, including two-factor authentication and using browser security tools.

Key Terms

1. Phishing – A cyberattack that uses fake messages or websites to trick users into sharing sensitive information.

2. Spear Phishing – A targeted phishing attack aimed at specific individuals or organizations using personalized messages.

3. Smishing – Phishing attacks delivered via SMS (text messages), often containing malicious links.

4. Vishing – Phishing attacks conducted over the phone, where attackers pretend to be trusted entities.

5. Social Media Phishing – Using fake accounts or malicious links on social platforms to steal information.

6. Email Spoofing – Faking the sender’s address to make phishing emails appear as if they’re from a trusted source.

7. Phishing Website – A fake website designed to look like a legitimate one to steal user credentials or financial information.

8. Credential Harvesting – A phishing technique where attackers collect usernames and passwords for unauthorized access.

9. Clone Phishing – A phishing attack that copies a legitimate email but replaces links or attachments with malicious ones.

10. CEO Fraud – A phishing scam where attackers impersonate executives to trick employees into transferring money or sensitive data.

11. Pretexting – A form of social engineering where an attacker fabricates a scenario to gain trust and extract information.

12. Business Email Compromise (BEC) – A phishing scam targeting businesses by spoofing an executive’s email to request fraudulent transactions.

13. Pharming – A cyberattack that redirects users from legitimate websites to fraudulent ones to steal information.

14. Ransomware – A type of malware often spread through phishing emails that locks users out of their data until a ransom is paid.

15. Whaling Attack – A phishing scam targeting high-profile individuals like executives or government officials.

16. Social Engineering – Manipulating individuals into divulging confidential information.

17. Impersonation Attacks – Pretending to be a trusted figure to deceive victims.

18. Firewall – A security system that monitors and controls incoming and outgoing network traffic to prevent cyber threats.

Key Ideas

1. Phishing is a cyberattack that tricks users into revealing sensitive information like passwords or financial details.

2. Attackers use social engineering (impersonation, urgency, deception) to manipulate victims.

3. Common phishing types include spear phishing, smishing (SMS phishing), and vishing (voice phishing).

4. Whaling attacks target high-profile individuals like executives.

5. Phishing emails often contain red flags such as suspicious links, urgent language, and fake sender addresses (email spoofing).

6. Fake websites (phishing sites) mimic real ones to steal login credentials and financial data.

7. Credential harvesting is a phishing tactic used to collect usernames and passwords for unauthorized access.

8. Business Email Compromise (BEC) and CEO fraud trick employees into sending money or sensitive data.

9. Clone phishing duplicates legitimate emails but replaces links or attachments with malicious versions.

10. Pretexting is a phishing method where attackers invent a scenario to gain trust and extract information.

11. Pharming redirects users to fraudulent websites by exploiting DNS settings.

12. Ransomware is often spread via phishing emails, locking users out of their data until a ransom is paid.

13. Security measures like 2FA, email filtering, and anti-phishing tools help prevent attacks.

14. Checking for HTTPS and hovering over links before clicking helps verify authenticity.

15. Cyber awareness training is essential for recognizing and avoiding phishing threats.

Phishing is a social engineering attack that tricks users into revealing sensitive information. Attackers impersonate trusted sources, using emails, texts, or fake websites to steal credentials, spread malware, or commit fraud. Even with firewalls and email filters, phishing exploits human error, making awareness a crucial defense.

How Phishing Works

🔹 Psychological Tricks:

• Impersonation – Fake emails from banks, teachers, or IT support.

• Urgency – “Your account will be locked in 24 hours!”

• Malicious links & attachments – Redirecting to fake login pages or installing malware.

🔹 Common Attack Methods:

• Spear Phishing – Personalized attacks targeting individuals (e.g., fake emails from a teacher).

• Smishing & Vishing – Phishing via text or phone calls (e.g., fake Apple support messages).

• Clone Phishing – Duplicating real emails but swapping links or attachments with malicious ones.

Preventing Phishing Attacks

✔ Hover over links before clicking.
✔ Check for HTTPS on login pages.
✔ Use Two-Factor Authentication (2FA) for extra security.
✔ Never share passwords via email or text.
✔ Report suspicious emails to IT support or teachers.

Fake Toll Road Text Scam (USA, 2025)

A major SMS phishing (smishing) scam swept across the U.S., tricking drivers into handing over their payment details. Fraudsters sent fake texts claiming unpaid toll fees, urging recipients to click a malicious link to settle their balance. Victims who followed the link were directed to a fake payment page, where attackers stole their credit card information.

How the Scam Worked:

• Attackers posed as toll agencies across multiple states, including Texas, California, and Florida.

• Messages contained urgent warnings about "overdue tolls" to create panic.

• Clicking the link led to a fraudulent website, stealing payment details and login credentials.

Activity 1 Phishing Case Study (Pair Work)

• In pairs, research a phishing case from the last five years.

• Summarize the case in five sentences, explaining:

  1. Who was targeted?

  2. How did the phishing attack work?

  3. What were the consequences?

  4. How could it have been prevented?

  5. What lessons can be learned from this case?

Comprehension Questions

1. What are three common features of phishing emails?

2. How does spear phishing differ from general phishing?

3. What is smishing, and how does it work?

GCSE-Style Questions

1. Describe the term "vishing" and explain how it can be used in a phishing attack. (4 marks)

2. Explain two techniques that can prevent phishing attacks and discuss their effectiveness. (6 marks)