Understanding Phishing

Learn how cybercriminals trick users and how to protect yourself

What is Phishing?


The Digital Deception

Phishing is a serious cybercrime in which attackers impersonate trusted organizations such as banks, government agencies, or delivery services. They reach their targets through email, SMS, or phone calls and trick them into revealing personal information such as IC numbers, online banking logins, or passwords.

In Malaysia, common phishing scams include fake LHDN tax refunds, JPJ summons, and delivery messages from Pos Laju or DHL. Victims are redirected to fake websites that mimic official ones to steal their data.

This stolen info is then used for fraud, unauthorized fund transfers, or identity theft. The word "phishing" comes from "fishing," as scammers bait victims into giving up sensitive details.

According to CyberSecurity Malaysia, phishing ranked among the top 3 reported incidents in recent years.
Over 5,000 phishing websites targeting Malaysians were taken down in 2023 alone.
The Royal Malaysia Police (PDRM) reported millions lost in parcel scam phishing cases, especially via SMS and messaging apps like WhatsApp.

How Phishing Works

1. The Bait

Attackers create fake emails, messages, or websites that look legitimate. These often imitate banks, social media platforms, or popular services to gain your trust.

2. The Hook

The message creates urgency or fear ("Your account will be closed!") prompting immediate action. Links lead to fake login pages where victims enter credentials.

3. The Catch

With your information, attackers access real accounts, steal money, or sell data. Malware may also be installed for long-term access to your device.
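The three stages above map directly onto indicators a mail gateway or a careful reader can check. The script below is an added example written for this page, not code from the original: it parses a raw email, flags a sender whose display name claims a brand its domain does not hold (the bait), links whose visible text shows a real bank host while the href points elsewhere or to a lookalike domain (the hook), and pressure phrases such as "within 24 hours". The trusted-domain list, the phrase list and both sample messages are constructed for the demo; a real deployment would use its own allow-list and combine these heuristics with SPF/DKIM/DMARC results rather than rely on them alone.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a real deployment loads its own allow-list; these are illustrative.
TRUSTED_DOMAINS = ("maybank2u.com.my", "lhdn.gov.my", "poslaju.com.my", "dhl.com")
URGENCY_PHRASES = ("will be closed", "within 24 hours", "immediately", "suspended", "verify now")
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs plus the message's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance, to catch typosquats such as lhdn.qov.my for lhdn.gov.my."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def imitated_brand(host):
    """Return the trusted domain that `host` imitates, or None if it is clean."""
    host = host.lower().rstrip(".")
    if is_trusted(host):
        return None
    labels = re.split(r"[.-]", host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # brand name buried in an unrelated domain, e.g. maybank2u.com.my.login-verify.net
        if brand in labels or levenshtein(host, trusted) <= 2:
            return trusted
    return None


def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyze_email(raw):
    """Return (indicator, detail) pairs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    # The bait: a display name that claims a brand the sending domain does not hold
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if imitated_brand(sender_host):
        findings.append(("sender_lookalike", f"{sender_host} imitates {imitated_brand(sender_host)}"))
    if not is_trusted(sender_host) and any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(("display_name_spoof", f'"{display}" sent from {sender_host}'))
    # The hook: links whose visible text shows one host while the href goes elsewhere
    parser = _LinkExtractor()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        href_host = host_of(href)
        if URL_LIKE.match(text) and host_of(text) != href_host:
            findings.append(("link_text_mismatch", f"{host_of(text)} -> {href_host}"))
        if imitated_brand(href_host):
            findings.append(("link_lookalike", f"{href_host} imitates {imitated_brand(href_host)}"))
        if any(label.startswith("xn--") for label in href_host.split(".")):
            findings.append(("punycode_host", href_host))  # IDN homoglyph domain
    # Pressure to act before thinking
    flat = " ".join("".join(parser.text).split()).lower()
    findings += [("urgency", p) for p in URGENCY_PHRASES if p in flat]
    return findings


# Constructed sample messages (not real mail); the first mimics a bank-closure lure.
PHISH_EMAIL = """\
From: "Maybank2u Security" <alerts@maybank2u-secure.com>
To: victim@example.com
Subject: Your account will be closed
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, your account will be closed within 24 hours unless you
<a href="http://maybank2u.com.my.login-verify.net/auth">https://www.maybank2u.com.my/login</a>
and verify now.</p></body></html>
"""
CLEAN_EMAIL = """\
From: "Pos Laju" <notify@poslaju.com.my>
To: victim@example.com
Subject: Your parcel is on its way
Content-Type: text/html; charset=utf-8

<html><body><p>Track it at <a href="https://www.poslaju.com.my/track">www.poslaju.com.my/track</a>.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze_email(PHISH_EMAIL):
        print(f"{code:20} {detail}")
    print("clean message findings:", analyze_email(CLEAN_EMAIL))
```

Run against the constructed lure, the script reports a lookalike sender, a spoofed display name, a link whose text and href disagree, a lookalike link host and three urgency phrases; the genuine Pos Laju notification produces no findings. The subdomain check in `is_trusted` matters: `alerts.maybank2u.com.my` is the bank, while `maybank2u.com.my.login-verify.net` only contains the bank's name and is flagged.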

History of Phishing

Phishing has evolved significantly since its inception. Here's a timeline of major developments:

1990s

The term "phishing" first appeared in 1996 in attacks on AOL users: attackers posing as AOL staff messaged users to steal their passwords.

Early 2000s

Phishing expanded to target online payment systems like eBay and PayPal as e-commerce grew in popularity.

2003

The first known phishing attack against a bank targeted customers of a Brazilian bank with emails containing malicious attachments.

2005-2010

Spear phishing emerged, targeting specific individuals or organizations with personalized messages for higher success rates.

2013

Phishing kits became available on dark web marketplaces, making it easier for less technical criminals to launch attacks.

2016-2020

Business Email Compromise (BEC) scams cost organizations over $26 billion; the FBI's Internet Crime Complaint Center (IC3) reported that figure for losses between June 2016 and July 2019. Social media phishing grew rapidly.

2021-Present

AI-powered phishing uses machine learning to craft highly personalized messages at scale. Phishing that targets cloud services and SMS phishing (smishing) have surged.

Phishing by the Numbers

76% of organizations experienced phishing attacks in 2024
1.2M unique phishing websites detected monthly
36% of data breaches involve phishing
$4.35M average cost of phishing attacks to businesses

Common Phishing Targets

Financial Institutions

Banks, credit unions, and payment processors are prime targets. Attackers impersonate these to steal login credentials and financial information.

E-commerce Sites

Shopee, Amazon, eBay, and other retailers are frequently spoofed with fake order confirmations or account verification requests.

Email Providers

Gmail, Outlook, and Yahoo accounts are valuable targets as they provide access to password reset links for other services.

Cloud Services

Microsoft 365, Google Workspace, and Dropbox are targeted for business data and as gateways to corporate networks.

Social Media

Facebook, Instagram, and LinkedIn accounts are hijacked for spreading scams or accessing connected services.

Telecom Providers

Scammers impersonate phone and internet providers to steal account info or install malware on devices.