
Episode #6: Cyberthreats start with phishing.

Magda Zabrocka started our conversation with these words. As always, she was professional and outstanding in her field.

How exactly does phishing work? Is there a way to protect ourselves? Magda answers these questions with great engagement in the next episode of “3 Questions to the Expert”, with 3 answers that explain complex phenomena in a simple way. Episode #6: “Cyberthreats start with phishing”.

Ania: Magda, NASK reported over 130,000 cyber incidents in 2024. Those numbers are alarming.

Magda: Indeed, these figures highlight the increasing sophistication and frequency of cyber threats, not just in Poland but globally. Ransomware, social engineering, and AI-powered cybercrime are among the top concerns. Can you believe that an estimated 3.4 billion phishing emails are sent every day?

Ania: Let’s pause for a moment—can you elaborate on phishing? How exactly does phishing work?

Magda: Phishing is a social engineering technique where a cybercriminal attempts to trick a user into downloading malware, providing credentials, credit card details, or other sensitive information by impersonating a legitimate organization or individual. These attacks can be carried out via email, phone calls, SMS, or other communication channels.

There are different types of phishing attacks:

Bulk email phishing – A widespread spam campaign sent to as many recipients as possible, hoping that at least some will fall victim.

Spear phishing – A highly targeted attack using personalized messages to deceive a specific individual or organization.

Vishing (voice phishing) – Fraudsters use phone calls to extract sensitive information.

Smishing (SMS phishing) – Attackers send fraudulent messages via text to lure victims into providing credentials or downloading malware.

According to a Verizon report, 68% of data breaches involve human error, making people the weakest link in cybersecurity.

As for how it works: cybercriminals leverage social engineering tactics to exploit human psychology, often evoking strong emotions such as fear, urgency, or excitement.

For example, you might receive an email from your bank claiming a large unauthorized transaction was made on your credit card. The email provides a link to cancel the transaction, which directs you to a fake but convincing login page where the attacker captures your credentials.

Another common scenario is receiving an invoice marked “urgent payment required” with a malicious attachment containing malware.

Recently, we’ve seen a rise in AI-driven phishing attacks. Cybercriminals now use artificial intelligence to craft highly sophisticated messages that lack the usual red flags, such as spelling errors and grammatical inconsistencies, making them much harder to detect.

Ania: Is there a way to protect ourselves?

Magda: While phishing attacks are becoming more advanced, there are steps we can take to stay protected:

Stay informed—follow cybersecurity alerts and warnings.

Be cautious with emails or messages that create a sense of urgency or seem too good to be true.

Always verify the sender’s email address and domain. Check if the message has other recipients or if the subject line matches the content.

Never click on links directly—hover over them to preview the actual URL before proceeding.

Contact your bank or service provider directly if you receive a suspicious email.

Never enter your login credentials through links received via email or text.

Avoid opening attachments from unknown or unexpected sources.

By staying vigilant and following these best practices, we can significantly reduce the risk of falling victim to phishing scams.