Cyber StepTracker Blog

Don't be a Fish

Many attacks on businesses and organizations are called "phishing" attacks.

If you don't know the origins of this word, read on, and we'll explain some ways and means to avoid being a "phish".

Hacker Terminology

In the 1990s and afterwards, hackers were people who explored computing and software and sometimes broke into commercial, industrial or government websites. Usually the breakin was for bragging rights.

The hackers developed their own subculture and terminology. A common element was changing the spelling of words to show membership in the subculture and to exclude others with a "secret" language.

Some of the terms included

• "elite" people or ideas became "l33t" where "3" replaces "e'
• "fishing" for gullible users became "phishing"
• "owning" or fully controlling a website became "pwning"
• "hacker" became "h4xor", using "4" for "a", "x" for "ck"

And so on.

Fishing for Phish

The notion of "phishing" comes from the all-too-common and almost unavoidable habit of people to click on a link that arrives in an email.

Most links are valid, so why not? Where the victim becomes a "fish" is when the link is fake: instead of directing you to your bank or travel agency or cryptocurrency exchange, it leads to the hacker's convincing duplicate of the actual website.

The duplicates can be very convincing, even with (almost) the same spelling of the web URL.

The "hack" comes when you fill in your account name and password, where the hacker's web page dutifully copies it for the hacker to exploit later.

Sophisticated duplicates will then log you in to the original, and so you will almost never notice the scam.

Other duplicates will announce a "password failure", and redirect your browser to the original. Again, you are unlikely to notice.

Why it works

There are two parts to this: people click automatically and the habit is so ingrained that it is very difficult to break.

Another critical element is that it is especially easy to make a fake copy of a website. Copying an existing website look is easy with online services based on "artificial intelligence" or AI.

Websites like ChatGPT or Claude or Google Gemini offer software development tools that will create a replica merely by directing the tool at an existing website. This process can be completed quickly and efficiently by a hacker.

Finally, phishing works. Criminals make money transferring money using stolen credentials. Not everyone will click a phishing link and not everyone will fill in details without being suspicious, but enough people are victimized and so the criminals keep doing it.

How to avoid being a "phish"

It is hard to break a habit like clicking so you have to adopt a few methods from the "quit smoking" strategies.

First, most fake links come in emails (or texts on your phone). So you have to change your habits because you are reading emails.

Become very aware you are reading email and therefore you won't click a link on the email. Not unless you look the link over and test it. Or, better, decide to type in the URL yourself, avoiding someone else's idea of what to link to.

Test the link by pointing your mouse at it without clicking. The link should appear in your browser's status bar. If the spelling does not match the expected website, don't click.

On a phone text, the link is clearly there to read and you can compare that to the website name you expect. If it looks even a little "fishy", don't click.

Developing better habits is one critical method to avoiding the dangers of "phishing."

Show Less