Download the PDF version

Phishing: what you really need to know


Imagine a world where phishing is not a threat anymore. Imagine how easier life would be for thousands of organizations and customers who get worried every time they receive an email or an SMS. “Should I click on this link?” “Is this a real email?” “Should I double-check with him/her?” “Why is my bank sending me this text message now?”

When banks and financial institutions look for the right online fraud management solution, one of the main concerns is finding the one that offers the best phishing protection to reduce the customers’ exposure to fraud.

The truth is that phishing is not the real threat itself. It is just a door that lets fraudsters make the very first move.

But let’s take a step back. In this article, we will share with you all the essential information about phishing, what it is, how it works, and what you really need to know (and no one else tells you) to avoid falling into the fraudsters’ trap and keep your organization and your customers safe.

What is phishing and how does it work

Phishing is a social engineering technique used to steal users’ account information or install malware on their devices. In both cases, phishing aims to trick users into committing involuntary actions that will eventually lead them to fall into online fraud. 

According to Proofpoint’s 2021 State of the Phish report, the number of organizations damaged by phishing attacks has increased consistently over the years. This is often because people who are targeted by malicious emails or messages are not aware of how to recognize and prevent fraud

As we’ll see below, phishing can happen through different methods and can target either employees of a specific organization (usually via e-mails) or individual customers on their phones (frequently via SMS or voice calls). Either way, the very final objective is one: make money

Unlike some years ago, though, today phishing attacks are harder to recognize, as fraudsters develop new techniques every day to stay undetected and target their victims with extreme precision.

Phishing attacks consist in contacting the victims and asking them to perform one of the following actions:

  • Download an attachment that requires their attention (e.g., an invoice to be paid urgently)
  • Click on a link to download a malicious resource (e.g., an app from Google Play Store)
  • Click on a link that directs to a fake website to complete an action (e.g., verify account information). 

In the first two cases, the victim downloads malware that infects the device. This opens the doors to either an Account Takeover (ATO) or an Automatic Transfer System (ATS) attack.

An ATO attack happens every time a cybercriminal takes over an online account to steal information or money. 
An ATS attack happens when the criminal operates on the user’s device by manipulating activities without the user noticing it. 
If you are interested to learn more, we have written a dedicated article about how these attacks work and their main differences.

In the latter, instead, fraudsters send people to fake websites that look completely legitimate to steal their credentials. This is the first step to gaining access to their accounts (usually banking accounts): stealing credentials paves the way for an Account Takeover (ATO) attack.

Email & Phishing

When trying to fraud employees or customers via email or SMS, criminals send messages inviting users to click on a link to either visit a malicious website, where the user will unintentionally give away personal credentials, or to download an app that will install malware on the targeted device. 

In the past few years, smishing has become increasingly popular as it exploits the tendency of internet providers, e-commerce, banks, or delivery companies to communicate with customers via mobile text messages. Despite the name, smishing attacks can occur also on non-SMS channels like mobile messaging apps. However, the higher security parameters of these apps make them more difficult to perpetrate.

The graphic below shows a real-life example of how criminals can insert their fraudulent text messages in an existing thread with a legitimate provider. This makes it harder for users to realize the fraud, as it looks like they are communicating with a real entity. 

Example of phishing via sms
Example of phishing via sms


Phishing attacks can also be conducted via voice calls. In this case, criminals pretend to be employees of legitimate bodies, such as internet providers or banks, to obtain customers’ details and financial information that will eventually allow them to perpetrate fraud. 

As mentioned above, vishing is also used in combination with email phishing. In this case, fraudsters guide the client to complete an activity. It can be opening a fake website, where the victims, in the attempt to log in, will give away their credentials; or maybe reading out loud to the fake bank employee OTP codes that will give final access to their account.

Type of phishing Cleafy
How does phishing happen?

Spear phishing

Spear phishing targets specific people or individuals inside an organization to obtain sensitive data. For this reason, it is more dangerous than general phishing and harder to expose. 

At a consumer level, spear phishing can be conducted by fraudsters when they can retrieve accurate data regarding, for example, the user’s banking account or latest purchase and send targeted messages that look legitimate. 

Generally, spear phishing attacks target individuals inside an organization as their success is more lucrative.


Whaling happens when scammers target high-ranking executives inside an organization to access critical information, sensitive data, or high quantities of money. 

To succeed, criminals spend a long time monitoring and profiling their targets to make sure they fall into their trap. 


Criminals can redirect internet users browsing legitimate websites to fake ones, capturing IP addresses and log-in credentials (e.g., passwords or account numbers).

Fraudsters also build these websites to install pharming malware on users’ devices.  

The evolution of phishing

In the last two years, people's habits have deeply changed with the evolution of technology and the worldwide pandemic situation. The use of mobile devices and online services has skyrocketed, and with this, fraudsters have found new ways to attack. 

E-commerce websites, banking apps, streaming services, instant messaging apps, and social networks are the best places for criminals to find the victims and collect relevant information to commit fraud. 

Today, phishing attacks on mobile devices are far more common and difficult to detect than phishing via emails. Numbers say that only 15% of phishing attacks are conducted via email. Three main reasons can explain this:

  1. The time spent on mobiles is undoubtedly higher than the time spent on other devices. 
  2. Almost all email providers adopt advanced spam filters that can detect suspicious emails and transfer them to a separate folder, where the user will probably never see them;
  3. Mobile devices offer more advanced vectors for scams, such as messaging apps, social media, banking apps, and, of course, traditional text messages. 

Fraudsters can throw their bates everywhere, pretending to be anyone (e.g. fake messages from online services providers such as Netflix and Paypal), hoping to catch some fish among millions of users.

How you can protect your customers from getting phished

Let’s be brutally honest here: phishing cannot be stopped. 

As fraudsters will keep trying to attack via emails, SMS, or voice calls, users will have to keep their eyes open and be aware of the danger they can incur with every click or download. 

For sure, banks and financial institutions can play an essential role in protecting customers from phishing attacks by continuously raising awareness and educating them on the issue, and offering highly-secured services to prevent fraud. 

Reduce successful attacks with education and awareness 

In this infographic below, we have collected some valuable tips for you to share with your customers and help them avoid getting phished.

How to avoid getting phished Cleafy infographic
Click the image to download the infographic

Prevent online banking fraud with highly-secured services

Now, we have it clear. The ultimate goal of phishing is to perpetrate fraud via ATO or ATS attacks. 

For ATO, it is done by taking victims into a spiral of social engineering tricks, installing malware on their device, or combining both.

For ATS, the first step is getting the victim’s device infected to take complete control of it with advanced malware

If you think about it, it works like in the real world: as we cannot avoid the existence of viruses, but we can avoid being infected by getting vaccinated, so we cannot avoid phishing, but we can avoid being hit by ATO and ATS attacks by using the right anti-fraud system. 

A real-time, end-to-end detection & response system that can monitor what’s happening across all digital channels, throughout the entire user’s journey, even before the authentication phase occurs. 

To block ATS, it is paramount to deploy a system with unique malware detection capabilities that can identify and stop even the most advanced malware. 

On the other hand, to block ATO, it is essential to perfectly recognize the users and the way they behave and act on the banking channels, to detect any anomalies. The integration of behavioral analysis, biometrics, and transactional analysis is the key. 

What if you had a vaccine against ATO and ATS? Would you still be worried about phishing itself? 

Get a free consultation

Read more articles