
REVIEW
published: 09 March 2021
doi: 10.3389/fcomp.2021.563060

Phishing Attacks: A Recent Comprehensive Study and a New Anatomy

Zainab Alkhalil, Chaminda Hewage *, Liqaa Nawaf and Imtiaz Khan
Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff, United Kingdom

With the significant growth of internet usage, people increasingly share their personal information online. As a result, an enormous amount of personal information and financial transactions become vulnerable to cybercriminals. Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data. Since the first reported phishing attack in 1990, it has evolved into a more sophisticated attack vector. At present, phishing is considered one of the most frequent examples of fraud activity on the Internet. Phishing attacks can lead to severe losses for their victims including sensitive information, identity theft, companies, and government secrets. This article aims to evaluate these attacks by identifying the current state of phishing and reviewing existing phishing techniques. Studies have classified phishing attacks according to fundamental phishing mechanisms and countermeasures, discarding the importance of the end-to-end lifecycle of phishing. This article proposes a new detailed anatomy of phishing which involves attack phases, attacker's types, vulnerabilities, threats, targets, attack mediums, and attacking techniques. Moreover, the proposed anatomy will help readers understand the process lifecycle of a phishing attack, which in turn will increase the awareness of these phishing attacks and the techniques being used; also, it helps in developing a holistic anti-phishing system. Furthermore, some precautionary countermeasures are investigated, and new strategies are suggested.

Keywords: phishing anatomy, precautionary countermeasures, phishing targets, phishing attack mediums, phishing attacks, attack phases, phishing techniques

Edited by: ASM Kayes, La Trobe University, Australia
Reviewed by: Gabriele Lenzini, University of Luxembourg, Luxembourg; Santiago Escobar, Universitat Politècnica de València, Spain
*Correspondence: Chaminda Hewage, chewage@cardiffmet.ac.uk

Specialty section: This article was submitted to Computer Security, a section of the journal Frontiers in Computer Science
Received: 17 May 2020
Accepted: 18 January 2021
Published: 09 March 2021
Citation: Alkhalil Z, Hewage C, Nawaf L and Khan I (2021) Phishing Attacks: A Recent Comprehensive Study and a New Anatomy. Front. Comput. Sci. 3:563060. doi: 10.3389/fcomp.2021.563060

INTRODUCTION

The digital world is rapidly expanding and evolving, and likewise so are cybercriminals, who have relied on the illegal use of digital assets—especially personal information—for inflicting damage to individuals. One of the most threatening crimes for all internet users is that of 'identity theft' (Ramanathan and Wechsler, 2012), which is defined as impersonating the person's identity to steal and use their personal information (i.e., bank details, social security number, or credit card numbers, etc.) by an attacker for the individual's own gain, not just for stealing money but also for committing other crimes (Arachchilage and Love, 2014). Cyber criminals have also developed their methods for stealing their information, but social-engineering-based attacks remain their favorite approach. One of the social engineering crimes that allow the attacker to perform identity theft is called a phishing attack. Phishing has been one of the biggest concerns as many internet users fall victim to it. It is a social engineering attack wherein a phisher attempts to lure the users to obtain their sensitive information by illegally utilizing a public or trustworthy organization in an automated pattern so that

Frontiers in Computer Science | www.frontiersin.org 1 March 2021 | Volume 3 | Article 563060


Alkhalil et al. Phishing Attacks: Recent Comprehensive Study

the internet user trusts the message, and reveals the victim's sensitive information to the attacker (Jakobsson and Myers, 2006). In phishing attacks, phishers use social engineering techniques to redirect users to malicious websites after receiving an email and following an embedded link (Gupta et al., 2015). Alternatively, attackers could exploit other mediums to execute their attacks such as Voice over IP (VoIP), Short Message Service (SMS), and Instant Messaging (IM) (Gupta et al., 2015). Phishers have also turned from sending mass-email messages, which target unspecified victims, into more selective phishing by sending their emails to specific victims, a technique called "spear-phishing."

Cybercriminals usually exploit users with a lack of digital/cyber ethics or who are poorly trained, in addition to technical vulnerabilities, to reach their goals. Susceptibility to phishing varies between individuals according to their attributes and awareness level; therefore, in most attacks, phishers exploit human nature for hacking, instead of utilising sophisticated technologies. Even though the weakness in the information security chain is attributed to humans more than the technology, there is a lack of understanding about which ring in this chain is first penetrated. Studies found that certain personal characteristics make some persons more receptive to various lures (Iuga et al., 2016; Ovelgönne et al., 2017; Crane, 2019). For example, individuals who usually obey authorities more than others are more likely to fall victim to a Business Email Compromise (BEC) that is pretending to be from a financial institution and requests immediate action, by seeing it as a legitimate email (Barracuda, 2020). Greediness is another human weakness that could be used by an attacker, for example, emails offering great discounts, free gift cards, and others (Workman, 2008).

Various channels are used by the attacker to lure the victim through a scam or through an indirect manner to deliver a payload for gaining sensitive and personal information from the victim (Ollmann, 2004). However, phishing attacks have already led to damaging losses and could affect the victim not only in a financial context but could also have other serious consequences such as loss of reputation, or compromise of national security (Ollmann, 2004; Herley and Florêncio, 2008). Cybercrime damages have been expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures (Morgan, 2019). Phishing attacks are the most common type of cybersecurity breaches as stated by the official statistics from the cybersecurity breaches survey 2020 in the United Kingdom (GOV.UK, 2020). Although these attacks affect organizations and individuals alike, the loss for the organizations is significant, which includes the cost for recovery, the loss of reputation, fines from information laws/regulations, and reduced productivity (Medvet et al., 2008).

Phishing is a field of study that merges social psychology, technical systems, security subjects, and politics. Phishing attacks are more prevalent: a recent study (Proofpoint, 2020) found that nearly 90% of organizations faced targeted phishing attacks in 2019. Of these, 88% experienced spear-phishing attacks, 83% faced voice phishing (Vishing), 86% dealt with social media attacks, 84% reported SMS/text phishing (SMishing), and 81% reported malicious USB drops. The 2018 Proofpoint [1] annual report (Proofpoint, 2019a) has stated that phishing attacks jumped from 76% in 2017 to 83% in 2018, where all phishing types happened more frequently than in 2017. The number of phishing attacks identified in the second quarter of 2019 was notably higher than the number recorded in the previous three quarters. In the first quarter of 2020, this number was again higher than it was in the previous one, according to a report from the Anti-Phishing Working Group (APWG [2]) (APWG, 2018), which confirms that phishing attacks are on the rise. These findings have shown that phishing attacks have increased continuously in recent years, have become more sophisticated, and have gained more attention from cyber researchers and developers to detect and mitigate their impact. This article aims to determine the severity of the phishing problem by providing detailed insights into the phishing phenomenon in terms of phishing definitions, current statistics, anatomy, and potential countermeasures.

The rest of the article is organized as follows. Phishing Definitions provides a number of phishing definitions as well as some real-world examples of phishing. The evolution and development of phishing attacks are discussed in Developing a Phishing Campaign. What Attributes Make Some People More Susceptible to Phishing Attacks Than Others explores the susceptibility to these attacks. The proposed phishing anatomy and types of phishing attacks are elaborated in Proposed Phishing Anatomy. In Countermeasures, various anti-phishing countermeasures are discussed. The conclusions of this study are drawn in Conclusion.

PHISHING DEFINITIONS

Various definitions for the term "phishing" have been proposed and discussed by experts, researchers, and cybersecurity institutions. Although there is no established definition for the term "phishing" due to its continuous evolution, this term has been defined in numerous ways based on its use and context. The process of tricking the recipient to take the attacker's desired action is considered the de facto definition of phishing attacks in general. Some definitions name websites as the only possible medium to conduct attacks. The study (Merwe et al., 2005, p. 1) defines phishing as "a fraudulent activity that involves the creation of a replica of an existing web page to fool a user into submitting personal, financial, or password data." The above definition describes phishing as an attempt to scam the user into revealing sensitive information such as bank details and credit card numbers, by sending malicious links to the user that lead to the fake web establishment. Others name emails as the only attack vector. For instance, PhishTank (2006) defines phishing as "a fraudulent

[1] Proofpoint is "a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions" (Proofpoint, 2019b).
[2] APWG is "the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities" (APWG, 2020).


attempt, usually made through email, to steal your personal information." A description for phishing stated by (Kirda and Kruegel, 2005, p. 1) defines phishing as "a form of online identity theft that aims to steal sensitive information such as online banking passwords and credit card information from users." Some definitions highlight the usage of combined social and technical skills. For instance, APWG defines phishing as "a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials" (APWG, 2018, p. 1). Moreover, the definition from the United States Computer Emergency Readiness Team (US-CERT) states phishing as "a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity" (CISA, 2018). A detailed definition has been presented in (Jakobsson and Myers, 2006, p. 1), which describes phishing as "a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users' confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automated fashion. Such communications are most frequently done through emails that direct users to fraudulent websites that in turn collect the credentials in question."

In order to understand the anatomy of the phishing attack, there is a necessity for a clear and detailed definition that underpins previous existent definitions. Since a phishing attack constitutes a mix of technical and social engineering tactics, a new definition (i.e., Anatomy) has been proposed in this article, which describes the complete process of a phishing attack. This provides a better understanding for the readers as it covers phishing attacks in depth from a range of perspectives and various angles, and this might help beginner readers or researchers in this field. To this end, we define phishing as a socio-technical attack, in which the attacker targets specific valuables by exploiting an existing vulnerability to pass a specific threat via a selected medium into the victim's system, utilizing social engineering tricks or some other techniques to convince the victim into taking a specific action that causes various types of damages.

FIGURE 1 | General phishing attack process.

Figure 1 depicts the general process flow for a phishing attack that contains four phases; these phases are elaborated in Proposed Phishing Anatomy. As shown in Figure 1, in most attacks, the phishing process is initiated by gathering information about the target. Then the phisher decides which attack method is to be used in the attack, as initial steps within the planning phase. The second phase is the preparation phase, in which the phisher starts to search for vulnerabilities through which he could trap the victim. The phisher conducts his attack in the third phase and waits for a response from the victim. In turn, the attacker could collect the spoils in the valuables acquisition phase, which is the last step in the phishing process. To elaborate the above phishing process using an example, an attacker may send a fraudulent email to an internet user pretending to be from the victim's bank, requesting the user to confirm the bank account details, or else the account may be suspended. The user may think this email is legitimate since it uses the same graphic elements, trademarks, and colors of their legitimate bank. Submitted information will then be directly transmitted to the phisher, who will use it for different malicious purposes such as money withdrawal, blackmailing, or committing further frauds.

Real-World Phishing Examples

Some real-world examples of phishing attacks are discussed in this section to present the complexity of some recent phishing attacks. Figure 2 shows the screenshot of a suspicious phishing email that passed a University's spam filters and reached the recipient mailbox. As shown in Figure 2, the phisher uses the sense of importance or urgency in the subject through the word 'important,' so that the email can trigger a psychological reaction in the user to prompt them into clicking the button "View message." The email contains a suspicious embedded button; indeed, when hovering over this embedded button, it does not match the Uniform Resource Locator (URL) in the status bar. Another clue in this example is that the sender's address is questionable and not known to the receiver. Clicking on the fake attachment button will result in either installation of a virus or worm onto the computer or handing over the user's credentials by redirecting the victim onto a fake login page.

More recently, phishers have taken advantage of the Coronavirus pandemic (COVID-19) to fool their prey. Many Coronavirus-themed scam messages sent by attackers exploited people's fear of contracting COVID-19 and urgency to look for information related to Coronavirus (e.g., some of these attacks are related to Personal Protective Equipment (PPE) such as facemasks); the WHO stated that COVID-19 has created an Infodemic which is


FIGURE 2 | Screenshot of a real suspicious phishing email received by the authors' institution in February 2019.

FIGURE 3 | Screenshot of a coronavirus related phishing email (Kaspersky, 2020).

favorable for phishers (Hewage, 2020). Cybercriminals also lured people to open attachments claiming that they contain information about people with Coronavirus within the local area. Figure 3 shows an example of a phishing e-mail where the attacker claimed to be the recipient's neighbor, sending a message in which they pretended to be dying from the virus and threatening to infect the victim unless a ransom was paid (Kaspersky, 2020).

Another example is the phishing attack spotted by a security researcher at the Akamai organization in January 2019. The attack attempted to use Google Translate to mask suspicious URLs, prefacing them with the legit-looking "www.translate.google.com" address to dupe users into logging in (Rhett, 2019). That attack was followed by phishing scams asking for Netflix payment details, for example, or embedded in promoted tweets that redirect users to genuine-looking PayPal login pages. Although the tricky/bogus page was very well designed in the latter case, the lack of a Hypertext Transfer Protocol Secure (HTTPS) lock and misspellings in the URL were key red flags (or giveaways) that this was actually a phishing attempt (Keck, 2018). Figure 4A shows a screenshot of a phishing


FIGURE 4 | Screenshot of the (A) Netflix scam email and (B) fraudulent text message (Apple) (Keck, 2018; Rhett, 2019)

email received by the Federal Trade Commission (FTC). The email prompts the user to update his payment method by clicking on a link, pretending that Netflix is having a problem with the user's billing information (FTC, 2018). Figure 4B shows a text message as another example of phishing that is difficult to spot as a fake text message (Pompon et al., 2018). The text message shown appears to come from Apple, asking the customer to update the victim's account. A sense of urgency is used in the message as a lure to motivate the user to respond.

DEVELOPING A PHISHING CAMPAIGN

Today, phishing is considered one of the most pressing cybersecurity threats for all internet users, regardless of their technical understanding and how cautious they are. These attacks are getting more sophisticated by the day and can cause severe losses to the victims. Although the attacker's first motivation is stealing money, stolen sensitive data can be used for other malicious purposes such as infiltrating sensitive infrastructures for espionage purposes. Therefore, phishers keep on developing their techniques over time with the development of electronic media. The following sub-sections discuss phishing evolution and the latest statistics.

Historical Overview

Cybersecurity has been a major concern since the beginning of ARPANET, which is considered to be the first wide-area packet-switching network with distributed control and one of the first networks to implement the TCP/IP protocol suite. The term "Phishing", which was also called carding or brand spoofing, was coined for the first time in 1996 when hackers created randomized credit card numbers using an algorithm to steal users' passwords from America Online (AOL) (Whitman and Mattord, 2012; Cui et al., 2017). Then phishers used instant messages or emails to reach users by posing as AOL employees to convince users to reveal their passwords. Attackers believed that requesting customers to update their account would be an effective way to disclose their sensitive information; thereafter, phishers started to target larger financial companies. The author in (Ollmann, 2004) believes that the "ph" in phishing comes from the terminology "Phreaks", which was coined by John Draper, who was also known as Captain Crunch, and was used by early Internet criminals when they phreaked telephone systems. The "f" in 'fishing' was replaced with "ph" in "Phishing" as they both have the same meaning: phishing the passwords and sensitive information from the sea of internet users. Over time, phishers developed various and more advanced types of scams for launching their attack. Sometimes, the purpose of the attack is not limited to stealing sensitive information, but it could involve injecting viruses or downloading a malicious program into a victim's computer. Phishers make use of a trusted source (for instance a bank helpdesk) to deceive victims so that they disclose their sensitive information (Ollmann, 2004).

Phishing attacks are rapidly evolving, and spoofing methods are continuously changing as a response to new corresponding


FIGURE 5 | The growth in phishing attacks 2015–2020 by quarters based on data collected from APWG annual reports.

countermeasures. Hackers take advantage of new tool-kits and technologies to exploit systems' vulnerabilities and also use social engineering techniques to fool unsuspecting users. Therefore, phishing attacks continue to be one of the most successful cybercrime attacks.

The Latest Statistics of Phishing Attacks

Phishing attacks are becoming more common and they are significantly increasing in both sophistication and frequency. Lately, phishing attacks have appeared in various forms. Different channels and threats are exploited and used by the attackers to trap more victims. These channels could be social networks or VoIP, which could carry various types of threats such as malicious attachments, embedded links within an email, instant messages, scam calls, or other types. Criminals know that social engineering-based methods are effective and profitable; therefore, they keep focusing on social engineering attacks, as it is their favorite weapon, instead of concentrating on sophisticated techniques and toolkits. Phishing attacks have reached unprecedented levels, especially with emerging technologies such as mobile and social media (Marforio et al., 2015). For instance, from 2017 to 2020, phishing attacks have increased from 72 to 86% among businesses in the United Kingdom, in which a large proportion of the attacks originated from social media (GOV.UK, 2020).

The APWG Phishing Activity Trends Report analyzes and measures the evolution, proliferation, and propagation of phishing attacks reported to the APWG. Figure 5 shows the growth in phishing attacks from 2015 to 2020 by quarters based on APWG annual reports (APWG, 2020). As demonstrated in Figure 5, in the third quarter of 2019, the number of phishing attacks rose to 266,387, which is the highest level in three years, since late 2016. This was up 46% from the 182,465 for the second quarter, and almost double the 138,328 seen in the fourth quarter of 2018. The number of unique phishing e-mails reported to APWG in the same quarter was 118,260. Furthermore, it was found that the number of brands targeted by phishing campaigns was 1,283.

Cybercriminals are always taking advantage of disasters and hot events for their own gains. With the beginning of the


TABLE 1 | Percentage of respondents understanding multiple cybersecurity terms from different countries.

Term                 US   United Kingdom   France   Germany   Italy   Australia   Japan
What is Phishing     65   72               65       64        70      64          62
What is Ransomware   56   60               40       31        36      58          36
What is SMishing     17   18               39       26        28      17          15
What is Vishing      20   18               15       13        24      20          12

COVID-19 crisis, a variety of themed phishing and malware attacks have been launched by phishers against workers, healthcare facilities, and even the general public. A report from Microsoft (Microsoft, 2020) showed that cyber-attacks related to COVID-19 had spiked to an unprecedented level in March; most of these scams are fake COVID-19 websites, according to security company RiskIQ (RISKIQ, 2020). The total number of phishing attacks observed by APWG in the first quarter of 2020 was 165,772, up from the 162,155 observed in the fourth quarter of 2019. The number of unique phishing reports submitted to APWG during the first quarter of 2020 was 139,685, up from 132,553 in the fourth quarter of 2019, 122,359 in the third quarter of 2019, and 112,163 in the second quarter of 2019 (APWG, 2020).

A study (KeepnetLABS, 2018) confirmed that more than 91% of system breaches are caused by attacks initiated by email. Although cybercriminals use email as the main medium for leveraging their attacks, many organizations faced a high volume of different social engineering attacks in 2019 such as Social Media Attacks, Smishing Attacks, Vishing Attacks, and USB-based Attacks (for example by hiding and delivering malware to smartphones via USB phone chargers and distributing malware-laden free USBs) (Proofpoint, 2020). Info-security professionals reported a higher frequency of all types of social engineering attacks year-on-year according to a report presented by Proofpoint. Spear phishing increased to 64% in 2018 from 53% in 2017, Vishing and/or SMishing increased to 49% from 45%, and USB attacks increased to 4% from 3%. The positive side shown in this study is that 59% of suspicious emails reported by end-users were classified as potential phishing, indicating that employees are being more security-aware, diligent, and thoughtful about the emails they receive (Proofpoint, 2019a).

In all its forms, phishing can be one of the easiest cyber attacks to fall for. With the increasing levels of different phishing types, a survey was conducted by Proofpoint to identify the strengths and weaknesses of particular regions in terms of specific fundamental cybersecurity concepts. In this study, several questions were asked of 7,000 end-users about the identification of multiple terms like phishing, ransomware, SMishing, and Vishing across seven countries: the US, United Kingdom, France, Germany, Italy, Australia, and Japan. The response was different from country to country, where respondents from the United Kingdom recorded the highest knowledge of the term phishing at 70% and the same with the term ransomware at 60%. In contrast, the results showed that the United Kingdom recorded only 18% for each of Vishing and SMishing (Proofpoint, 2019a), as shown in Table 1.

On the other hand, a report by Wombat Security reflects responses from more than 6,000 working adults about receiving fraudulent solicitation across six countries: the US, United Kingdom, Germany, France, Italy, and Australia (Kaspersky, 2020). Respondents from the United Kingdom stated that they were recipients of fraudulent solicitations through the following sources: email 62%, phone call 27%, text message 16%, mailed letter 8%, social media 10%, and 17% confirmed that they had been the victim of identity theft (Kaspersky, 2020). The consequences of responding to phishing are serious and costly. For instance, the United Kingdom losses from financial fraud across payment cards, remote banking, and cheques totaled £768.8 million in 2016 (Financial Fraud Action UK, 2017). Indeed, the losses resulting from phishing attacks are not limited to financial losses that might exceed millions of pounds, but also loss of customers and reputation. According to the 2020 State of the Phish report (Proofpoint, 2020), damages from successful phishing attacks can range from lost productivity to cash outlay. The cost can include lost hours from employees, remediation time for info security teams' costs due to incident response, damage to reputation, lost intellectual property, direct monetary losses, compliance fines, lost customers, legal fees, etc.

There are many targets for phishing including end-users, business, financial services (i.e., banks, credit card companies, and PayPal), retail (i.e., eBay, Amazon), and Internet Service Providers (wombatsecurity.com, 2018). Affected organizations detected by Kaspersky Labs globally in the first quarter of 2020 are demonstrated in Figure 6. As shown in the figure, online stores were at the top of the targeted list (18.12%) followed by global Internet portals (16.44%) and social networks in third place (13.07%) (Kaspersky, 2020). The most impersonated brands overall for the first quarter of 2020 were Apple, Netflix, Yahoo, WhatsApp, PayPal, Chase, Facebook, Microsoft, eBay, and Amazon (Checkpoint, 2020).

Phishing attacks can take a variety of forms to target people and steal sensitive information from them. Current data shows that phishing attacks are still effective, which indicates that the available existing countermeasures are not enough to detect and prevent these attacks, especially on smart devices. The social engineering element of the phishing attack has been effective in bypassing the existing defenses to date. Therefore, it is essential to understand what makes people fall victim to phishing attacks. What Attributes Make Some People More Susceptible to Phishing Attacks Than Others discusses the human attributes that are exploited by the phishers.
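Before turning to human factors, the technical clues listed in Real-World Phishing Examples above (a button whose hover URL does not match what is shown, a destination hidden behind a translate.google.com address, a missing HTTPS lock, a misspelled brand in the URL) can be turned into mechanical checks that a mail gateway or analyst tooling can run over a message body. The following Python is an added example written for this page, not code from the article or its authors; the brand list, the sample email and the assumption that a Google Translate proxy link carries its target in the `u` query parameter are all constructed for the demonstration.

```python
"""Red-flag checks for links in a suspected phishing email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed, deliberately short brand list for the demo; a deployment would
# use a curated list of the brands the organisation actually deals with.
BRAND_LABELS = ("apple", "microsoft", "netflix", "paypal")

# A domain name appearing in the visible link text, e.g. "www.paypal.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the brands above."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def sld_label(host):
    """The label left of the TLD, e.g. 'paypa1' for 'www.paypa1.example'."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def unwrap_translate_proxy(url):
    """Return the proxied page if url is a translate.google.com proxy link.
    Assumption: the proxied page is carried in the 'u' query parameter."""
    parsed = urlparse(url)
    if parsed.hostname and parsed.hostname.endswith("translate.google.com"):
        target = parse_qs(parsed.query).get("u")
        if target:
            return target[0]
    return None


def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the red flags raised by one link, in a fixed order (empty if none)."""
    flags = []
    target = unwrap_translate_proxy(href)
    if target:
        flags.append("translate-proxy")
        href = target  # judge the real destination, not the proxy
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        flags.append("no-https")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        flags.append("text-href-mismatch")
    label = sld_label(host)
    for brand in BRAND_LABELS:
        if label == brand:
            continue  # the genuine brand domain
        if 0 < edit_distance(label, brand) <= 2:  # misspelling such as paypa1
            flags.append(f"lookalike:{brand}")
        elif brand in label:  # brand name buried in an unrelated domain
            flags.append(f"brand-in-host:{brand}")
    return flags


def analyse_email(html):
    """Map every link in the message body to its red flags."""
    return [(href, check_link(href, text)) for href, text in extract_links(html)]


# Constructed sample message (not a real email); .example is a reserved TLD.
SAMPLE_EMAIL = """<html><body>
<p>Important: there is a problem with your Netflix billing information.</p>
<a href="http://netflix-billing-update.example/login">Update payment method</a>
<a href="https://translate.google.com/translate?sl=auto&amp;tl=en&amp;u=https://paypa1.example/secure">View message</a>
<a href="https://login.secure-mail.example/">www.apple.com</a>
<a href="https://www.paypal.com/help">www.paypal.com</a>
</body></html>"""
```

Running `analyse_email(SAMPLE_EMAIL)` flags the first three links and passes the genuine PayPal link; the edit-distance threshold is a heuristic and will also fire on short unrelated labels, so treat the flags as triage input rather than a verdict.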


FIGURE 6 | Distribution of organizations affected by phishing attacks detected by Kaspersky in quarter one of 2020.

WHAT ATTRIBUTES MAKE SOME PEOPLE MORE SUSCEPTIBLE TO PHISHING ATTACKS THAN OTHERS

Why do most existing defenses against phishing not work? What personal and contextual attributes make some users more susceptible to phishing attacks than other users? Different studies have discussed those two questions and examined the factors affecting susceptibility to a phishing attack and the reasons why people get phished. Human nature is considered one of the most influential factors in the process of phishing. Everyone is susceptible to phishing attacks because phishers play on an individual’s specific psychological/emotional triggers as well as technical vulnerabilities (KeepnetLABS, 2018; Crane, 2019). For instance, individuals are likely to click on a link within an email when they see authority cues (Furnell, 2007). In 2017, a report by PhishMe (2017) found that curiosity and urgency were the most common triggers that encourage people to respond to the attack; later these triggers were replaced by entertainment, social media, and reward/recognition as the top emotional motivators. However, in the context of a phishing attack, the psychological triggers often surpass people’s conscious decisions. For instance, when people are working under stress, they tend to make decisions without thinking of the possible consequences and options (Lininger and Vines, 2005). Moreover, everyday stress can damage areas of the brain that weaken the control of their emotions (Keinan, 1987). Several studies have addressed the association between susceptibility to phishing and demographic variables (e.g., age and gender) as an attempt to identify the reasons behind phishing success in different population groups. Although everyone is susceptible to phishing, studies showed that different age groups are more susceptible to certain lures than others are. For example, participants with an age range between 18 and 25 are more susceptible to phishing than other age groups (Williams et al., 2018). The reason that younger adults are more likely to fall for phishing is that younger adults are more trusting when it comes to online communication, and are also more likely to click on unsolicited e-mails (Getsafeonline, 2017). Moreover, older participants are less susceptible because they tend to be less impulsive (Arnsten et al., 2012). Some studies confirmed that women are more susceptible than men to phishing, as they click on links in phishing emails and enter information into phishing websites more often than men do. The study published by Getsafeonline (2017) identifies a lack of technical know-how and experience among women compared with men as the main reason for this. In contrast, a survey conducted by antivirus company Avast found that men are more susceptible to smartphone malware attacks than women (Ong, 2014). These findings confirmed the results from the study (Hadlington, 2017) that found men are more susceptible to mobile phishing attacks than women. The main reason behind this, according to Hadlington (2017), is that men are more comfortable and trusting when using mobile online services. The relationships between demographic characteristics of individuals and their ability to correctly detect a phishing attack have been studied in (Iuga et al., 2016). The study showed that participants with high Personal Computer (PC) usage tend to identify phishing efforts more accurately and faster than other participants. Another study (Hadlington, 2017) showed that internet addiction, attentional, and motor impulsivity were significant positive predictors for risky cybersecurity behaviors, while a positive attitude toward cybersecurity in business was negatively related to risky cybersecurity behaviors. On the other hand, the trust people place in some web sites/platforms is one of the holes that scammers or crackers exploit, especially when it is based on visual appearance that could fool the user (Hadlington, 2017). For example, fraudsters take advantage of people’s trust in a website by replacing a letter from the legitimate site with a number, such as goog1e.com instead of google.com. Another study (Yeboah-Boateng and Amanor, 2014) demonstrates that although college students are unlikely to

disclose personal information as a response to an email, nonetheless they could easily be tricked by other tactics, making them alarmingly susceptible to email phishing attacks. The reason for that is that most college students do not have a basis in ICT, especially in terms of security. Although security terms like viruses, online scams and worms are known by some end-users, these users could have no knowledge about Phishing, SMishing, Vishing and others (Lin et al., 2012). However, the study (Yeboah-Boateng and Amanor, 2014) shows that younger students are more susceptible than older students, and students who worked full-time were less likely to fall for phishing. The study reported in (Diaz et al., 2020) examines user click rates and demographics among undergraduates by sending phishing attacks to 1,350 randomly selected students. Students from various disciplines were involved in the test, from engineering and mathematics to arts and social sciences. The study observed that student susceptibility was affected by a range of factors such as phishing awareness, time spent on the computer, cyber training, age, academic year, and college affiliation. The most surprising finding is that those who have greater phishing knowledge are more susceptible to phishing scams. The authors consider two speculations for these unexpected findings. First, users’ awareness about phishing might have increased through continually falling for phishing scams. Second, users who fell for the phish might have less knowledge about phishing than they claim. Other findings from this study agreed with findings from other studies, that is, older students were more able to detect a phishing email, and engineering and IT majors had some of the lowest click rates, as shown in Figure 7, which shows that some academic disciplines are more susceptible to phishing than others (Bailey et al., 2008).

FIGURE 7 | The number of clicks on phishing emails by students in the College of Arts, Humanities, and Social Sciences (AHSS), the College of Engineering and Information Technology (EIT), and the College of Natural and Mathematical Sciences (NMS) at the University of Maryland, Baltimore County (UMBC) (Diaz et al., 2020).

Psychological studies have also illustrated that the user’s ability to avoid phishing attacks is affected by different factors such as browser security indicators and the user’s awareness of phishing. The authors in (Dhamija et al., 2006) conducted an experimental study using 22 participants to test the user’s ability to recognize phishing websites. The study shows that 90% of these participants became victims of phishing websites and 23% of them ignored security indicators such as the status and address bar. In 2015, another study was conducted for the same purpose, where a number of fake web pages were shown to the participants (Alsharnouby et al., 2015). The results of this study showed that participants detected only 53% of phishing websites successfully. The authors also observed that the time spent looking at browser elements affected the ability to detect phishing. Lack of knowledge or awareness and carelessness are common causes for making people fall for a phishing trap. Most people have unknowingly opened a suspicious attachment or clicked a fake link that could lead to different levels of compromise. Therefore, focusing on training and preparing users for dealing with such attacks are essential elements to minimize the impact of phishing attacks.

Given the above discussion, susceptibility to phishing varies according to different factors such as age, gender, education level, internet and PC addiction, etc. Although for each person there is a trigger that can be exploited by phishers, even people with high experience may fall prey to phishing due to the attack sophistication that makes it difficult to recognize. Therefore, it is inequitable that the user has always been blamed for falling for these attacks; developers must improve the anti-phishing systems in a way that makes the attack invisible. Understanding the susceptibility of individuals to phishing attacks will help in better developing prevention and detection techniques and solutions.

PROPOSED PHISHING ANATOMY

Phishing Process Overview

Generally, most phishing attacks start with an email (Jagatic et al., 2007). The phishing mail could be sent randomly to potential users or it can be targeted to a specific group or individuals. Many other vectors can also be used to initiate the attack, such as phone calls, instant messaging, or physical letters. However, phishing process steps have been discussed by many researchers due to the importance of understanding these steps in developing an anti-phishing

solution. The author in the study (Rouse, 2013) divides the phishing attack process into five phases: planning, setup, attack, collection, and cash. A study (Jakobsson and Myers, 2006) discusses the phishing process in detail and explains it as step-by-step phases. These phases include preparation for the attack, sending a malicious program using the selected vector, obtaining the user’s reaction to the attack, tricking a user into disclosing their confidential information which will be transmitted to the phisher, and finally obtaining the targeted money. The study (Abad, 2005) describes a phishing attack in three phases: the early phase, which includes initializing the attack, creating the phishing email, and sending a phishing email to the victim; the second phase, which includes the victim receiving the email and disclosing their information (in the case of a respondent); and the final phase, in which the defrauding is successful. However, all phishing scams include three primary phases: the phisher requests sensitive valuables from the target, the target gives away these valuables to the phisher, and the phisher misuses these valuables for malicious purposes. These phases can be further divided into sub-processes according to phishing trends. Thus, a new anatomy for phishing attacks has been proposed in this article, which expands and integrates previous definitions to cover the full life cycle of a phishing attack. The proposed new anatomy, which consists of 4 phases, is shown in Figure 8. This new anatomy provides a reference structure to look at phishing attacks in more detail and also to understand potential countermeasures to prevent them. The explanations for each phase and its components are presented as follows:

FIGURE 8 | The proposed anatomy of phishing was built upon the proposed phishing definition in this article, which was concluded from our understanding of a phishing attack.

Figure 8 depicts the proposed anatomy of the phishing attack process, phases, and components drawn upon the proposed definition in this article. The proposed phishing anatomy

explains in detail each phase of phishing, including attacker and target types, examples of the information that could be collected by the attacker about the victim, and examples of attack methods. The anatomy, as shown in the figure, illustrates a set of vulnerabilities that the attacker can exploit and the mediums used to conduct the attack. Possible threats are also listed, as well as the data collection method, for further explanation, and some examples of target response types and the types of spoils that the attacker could gain and how they can use the stolen valuables. This anatomy elaborates on phishing attacks in depth, which helps people to better understand the complete phishing process (i.e., the end-to-end phishing life cycle) and boosts awareness among readers. It also provides insights into the potential solutions for phishing attacks we should focus on. Instead of always placing the user or human in the accusation ring as the only reason behind phishing success, developers must focus on solutions that mitigate the initiation of the attack by preventing the bait from reaching the user. For instance, to reach the target’s system, the threat has to pass through many layers of technology or defenses, exploiting one or more vulnerabilities such as web and software vulnerabilities.

Planning Phase

This is the first stage of the attack, where a phisher makes a decision about the targets and starts gathering information about them (individuals or a company). Phishers gather information about the victims to lure them based on psychological vulnerability. This information can be anything like names and e-mail addresses for individuals, or the customers of that company. Victims could also be selected randomly, by sending mass mailings, or targeted by harvesting their information from social media or any other source. Targets for phishing could be any user who has a bank account and a computer on the Internet. Phishers target businesses such as financial services, retail sectors such as eBay and Amazon, and internet service providers such as MSN/Hotmail and Yahoo (Ollmann, 2004; Ramzan and Wuest, 2007). This phase also includes devising attack methods such as building fake websites (sometimes phishers get a scam page that is already designed or used), designing malware, and constructing phishing emails. The attacker can be categorized based on the attack motivation. There are four types of attackers as mentioned in studies (Vishwanath, 2005; Okin, 2009; EDUCBA, 2017; APWG, 2020):

▪ Script kiddies: the term script kiddies represents an attacker with no technical background or knowledge about writing sophisticated programs or developing phishing tools, but who instead uses scripts developed by others in their phishing attack. Although the term comes from children that use available phishing kits to crack game codes by spreading malware using virus toolkits, it does not relate precisely to the actual age of the phisher. Script kiddies can get access to website administration privileges and commit a “Web cracking” attack. Moreover, they can use hacking tools to compromise remote computers into a so-called “botnet,” where a single compromised computer is called a “zombie computer.” These attackers do not just sit back and enjoy phishing; they could cause serious damage such as stealing information or uploading Trojans or viruses. In February 2000, an attack launched by Canadian teen Mike Calce resulted in $1.7 million US Dollars (USD) in damages from Distributed Denial of Service (DDoS) attacks on CNN, eBay, Dell, Yahoo, and Amazon (Leyden, 2001).
▪ Serious Crackers: also known as Black Hats. These attackers can execute sophisticated attacks and develop worms and Trojans for their attack. They hijack people’s accounts maliciously and steal credit card information, destroy important files, or sell compromised credentials for personal gain.
▪ Organized crime: this is the most organized and effective type of attacker, and they can incur significant damage to victims. These people hire serious crackers for conducting phishing attacks. Moreover, they can thoroughly trash the victim’s identity and commit devastating frauds, as they have the skills, tools, and manpower. An organized cybercrime group is a team of expert hackers who share their skills to build complex attacks and to launch phishing campaigns against individuals and organizations. These groups offer their work as ‘crime as a service’ and they can be hired by terrorist groups, organizations, or individuals.
▪ Terrorists: due to our dependency on the internet for most activities, terrorist groups can easily conduct acts of terror remotely which could have an adverse impact. These types of attacks are dangerous since the attackers do not fear any aftermath, for instance going to jail. Terrorists could use the internet to maximum effect to create fear and violence, as it requires limited funds, resources, and effort compared to, for example, buying bombs and weapons in a traditional attack. Often, terrorists use spear phishing to launch their attacks for different purposes such as inflicting damage, cyber espionage, gathering information, locating individuals, and other vandalism purposes. Cyber espionage has been used extensively by cyber terrorists to steal sensitive information on national security, commercial information, and trade secrets which can be used for terrorist activities. These types of crimes may target governments, organizations, or individuals.

Attack Preparation

After making a decision about the targets and gathering information about them, phishers start to set up the attack by scanning for the vulnerabilities to exploit. The following are some examples of vulnerabilities exploited by phishers. For example, the attacker might exploit a buffer overflow vulnerability to take control of target applications, create a DoS attack, or compromise computers. Moreover, “zero-day” software vulnerabilities, which refer to newly discovered vulnerabilities in software programs or operating systems, could be exploited directly before they are fixed (Kayne, 2019). Another example is browser vulnerabilities: adding new features and updates to the browser might introduce new vulnerabilities to the browser software (Ollmann, 2004). In 2005, attackers exploited a cross-domain vulnerability in Internet Explorer (IE) (Symantic, 2019). The cross-domain mechanism is used to separate content from different sources

in Microsoft IE. Attackers exploited a flaw in the cross-domain mechanism that enables them to execute programs on a user’s computer after running IE. According to US-CERT, hackers were actively exploiting this vulnerability. To carry out a phishing attack, attackers need a medium so that they can reach their target. Therefore, apart from planning the attack to exploit potential vulnerabilities, attackers choose the medium that will be used to deliver the threat to the victim and carry out the attack. These mediums could be the internet (social networks, websites, emails, cloud computing, e-banking, mobile systems), VoIP (phone call), or text messages. For example, one of the actively used mediums is Cloud Computing (CC). CC has become one of the more promising technologies and has popularly replaced conventional computing technologies. Despite the considerable advantages produced by CC, the adoption of CC faces several controversial obstacles, including privacy and security issues (CVEdetails, 2005). Due to the fact that different customers could share the same resources in the cloud, virtualization vulnerabilities may be exploited by a possible malicious customer to perform security attacks on other customers’ applications and data (Zissis and Lekkas, 2012). For example, in September 2014, secret photos of some celebrities suddenly moved through the internet in one of the more terrible data breaches. The investigation revealed that the iCloud accounts of the celebrities were breached (Lehman and Vajpayee, 2011). According to Proofpoint, in 2017, attackers used Microsoft SharePoint to infect hundreds of campaigns with malware through messages.

Attack Conducting Phase

This phase involves using attack techniques to deliver the threat to the victim as well as the victim’s interaction with the attack in terms of responding or not. After the victim’s response, the system may be compromised by the attacker to collect the user’s information using techniques such as injecting client-side script into webpages (Johnson, 2016). Phishers can compromise hosts without any technical knowledge by purchasing access from hackers (Abad, 2005). A threat is a possible danger that might exploit a vulnerability to compromise people’s security and privacy or cause possible harm to a computer system for malicious purposes. Threats could be malware, botnets, eavesdropping, unsolicited emails, and viral links. Several phishing techniques are discussed in Types and Techniques of Phishing Attacks below.

Valuables Acquisition Phase

In this stage, the phisher collects information or valuables from victims and uses them illegally for purchasing, funding money without the user’s knowledge, or selling these credentials on the black market. Attackers target a wide range of valuables from their victims that range from money to people’s lives. For example, attacks on online medical systems may lead to loss of life. Victims’ data can be collected by phishers manually or through automated techniques (Jakobsson et al., 2007).

The data collection can be conducted either during or after the victim’s interaction with the attacker. To collect data manually, simple techniques are used wherein victims interact directly with the phisher, depending on relationships within social networks or other human deception techniques (Ollmann, 2004). In automated data collection, several techniques can be used, such as fake web forms that are used in web spoofing (Dhamija et al., 2006). Additionally, the victim’s public data, such as the user’s profile in social networks, can be used to collect the victim’s background information that is required to initialize social engineering attacks (Wenyin et al., 2005). In VoIP or phone attacks, techniques such as recorded messages are used to harvest the user’s data (Huber et al., 2009).

Types and Techniques of Phishing Attacks

Phishers conduct their attack either by using psychological manipulation of individuals into disclosing personal information (i.e., a deceptive attack as a form of social engineering) or by using technical methods. Phishers, however, usually prefer deceptive attacks that exploit human psychology rather than technical methods. Figure 9 illustrates the types of phishing and the techniques used by phishers to conduct a phishing attack. Each type and technique is explained in subsequent sections and subsections.

Deceptive Phishing

Deceptive phishing is the most common type of phishing attack, in which the attacker uses social engineering techniques to deceive victims. In this type of phishing, a phisher uses either social engineering tricks by making up scenarios (e.g., a false account update or security upgrade) or technical methods (e.g., using legitimate trademarks, images, and logos) to lure the victim and convince them of the legitimacy of the forged email (Jakobsson and Myers, 2006). By believing these scenarios, the user will fall prey and follow the given link, which leads to disclosing their personal information to the phisher.

Deceptive phishing is performed through phishing emails; fake websites; phone phishing (scam calls and IM); social media; and via many other mediums. The most common social phishing types are discussed below.

Phishing e-Mail

The most common threat derived by an attacker is deceiving people via email communications, and this remains the most popular phishing type to date. A phishing email or spoofed email is a forged email sent from an untrusted source to thousands of victims randomly. These fake emails claim to be from a person or financial institution that the recipient trusts, in order to convince recipients to take actions that lead them to disclose their sensitive information. A more organized phishing email that targets a particular group or individuals within the same organization is called spear phishing. In this type, the attacker may gather information related to the victim such as name and address so that the email appears to be a credible email from a trusted source (Wang et al., 2008), and this is linked to the planning phase of the phishing anatomy proposed in this article. A more sophisticated form of spear phishing is called whaling, which targets high-ranking people such as CEOs and CFOs. Some examples of spear-phishing attack victims in early 2016 are the

phishing email that hacked the Clinton campaign chairman John Podesta’s Gmail account (Parmar, 2012). Clone phishing is another type of email phishing, where the attacker clones a legitimate and previously delivered email by spoofing the email address and using information related to the recipient, such as addresses from the legitimate email, with replaced links or malicious attachments (Krawchenko, 2016). The basic scenario for this attack is illustrated previously in Figure 4 and can be described in the following steps.

1. The phisher sets up a fraudulent email containing a link or an attachment (planning phase).
2. The phisher executes the attack by sending a phishing email to the potential victim using an appropriate medium (attack conducting phase).
3. The link (if clicked) directs the user to a fraudulent website, or to download malware in case of clicking the attachment (interaction phase).
4. The malicious website prompts users to provide confidential information or credentials, which are then collected by the attacker and used for fraudulent activities (valuables acquisition phase).

Often, the phisher does not use the credentials directly; instead, they resell the obtained credentials or information on a secondary market (Jakobsson and Myers, 2006); for instance, script kiddies might sell the credentials on the dark web.

FIGURE 9 | Phishing attack types and techniques drawing upon existing phishing attacks.

Spoofed Website

These are also called phishing websites, in which phishers forge a website that appears to be genuine and looks similar to the legitimate website. An unsuspecting user is redirected to this website after clicking a link embedded within an email, through an advertisement (clickjacking), or any other way. If the user continues to interact with the spoofed website, sensitive information will be disclosed and harvested by the phisher (CSIOnsite, 2012).

Phone Phishing (Vishing and SMishing)

This type of phishing is conducted through phone calls or text messages, in which the attacker pretends to be someone the victim knows or any other trusted source the victim deals with. A user may receive a convincing security alert message from a bank convincing the victim to contact a given phone number, with the aim of getting the victim to share passwords, PIN numbers, or any other Personally Identifiable Information (PII). The victim may be duped into clicking on an embedded link in the text message. The phisher then could take the credentials entered by the victim and use them to log in to the victim’s instant messaging service to phish other people from

the victim’s contact list. A phisher could also make use of Caller IDentification (CID)³ spoofing to dupe the victim into believing that the call is from a trusted source, or leverage internet protocol private branch exchange (IP PBX)⁴ tools, which are open-source and software-based and support VoIP (Aburrous et al., 2008). A new report from Fraud Watch International about phishing attack trends for 2019 anticipated an increase in SMishing, where the text message content is only viewable on a mobile device (FraudWatchInternational, 2019).

Social Media Attack (Soshing, Social Media Phishing)

Social media is the new favorite medium for cybercriminals to conduct their phishing attacks. The threats of social media can be account hijacking, impersonation attacks, scams, and malware distribution. However, detecting and mitigating these threats requires a longer time than detecting traditional methods, as social media exists outside of the network perimeter. For example, nation-state threat actors conducted an extensive series of social media attacks on Microsoft in 2014. Multiple Twitter accounts were affected by these attacks, and passwords and emails for dozens of Microsoft employees were revealed (Ramzan, 2010). According to Kaspersky Lab, the number of phishing attempts to visit fraudulent social network pages in the first quarter of 2018 was more than 3.7 million attempts, of which 60% were fake Facebook pages (Raggo, 2016). The new report from predictive email defense company Vade Secure about phishers’ favorites for quarter 1 and quarter 2 of 2019 stated that Soshing, primarily on Facebook and Instagram, saw a 74.7% increase, the highest quarter-over-quarter growth of any industry (VadeSecure, 2021).

Technical Subterfuge

Technical subterfuge is the act of tricking individuals into disclosing their sensitive information through technical means, by downloading malicious code into the victim’s system. Technical subterfuge can be classified into the following types:

Malware-Based Phishing

As the name suggests, this is a type of phishing attack which is conducted by running malicious software on a user’s machine. The malware is downloaded to the victim’s machine either by one of the social engineering tricks or technically by exploiting vulnerabilities in the security system (e.g., browser vulnerabilities) (Jakobsson and Myers, 2006). Panda malware is one of the successful malware programs discovered by the Fox-IT Company in 2016. This malware targets Windows Operating Systems (OS). It spreads through phishing campaigns and its main attack vectors include web injects, screenshots of user activity (up to 100 per mouse click), logging of keyboard input, clipboard pastes (to grab passwords and paste them into form fields), and exploits of the Virtual Network Computing (VNC) desktop sharing system. In 2018, Panda malware expanded its targets to include cryptocurrency exchanges and social media sites (F5Networks, 2018). There are many forms of malware-based phishing attacks; some of them are discussed below:

Key Loggers and Screen Loggers. Loggers are the type of malware used by phishers and installed either through Trojan horse email attachments or through direct download to the user’s personal computer. This software monitors data and records user keystrokes and then sends them to the phisher. The phisher uses the key loggers to capture sensitive information related to victims, such as names, addresses, passwords, and other confidential data. Key loggers can also be used for non-phishing purposes such as monitoring a child’s use of the internet. Key loggers can also be implemented in many other ways, such as detecting URL changes and logging information as a Browser Helper Object (BHO) that enables the attacker to take control of all of IE’s features, monitoring keyboard and mouse input as a device driver, and monitoring user input and displays as a screen logger (Jakobsson and Myers, 2006).

Viruses and Worms. A virus is a type of malware, which is a piece of code spreading in another application or program by making copies of itself in a self-automated manner (Jakobsson and Myers, 2006; F5Networks, 2018). Worms are similar to viruses but they differ in the execution manner, as worms are executed by exploiting an operating system vulnerability without the need to modify another program. Viruses transfer from one computer to another with the document that they are attached to, while worms transfer through the infected host file. Both viruses and worms can cause data and software damage or Denial-of-Service (DoS) conditions (F5Networks, 2018).

Spyware. Spying software is malicious code designed to track the websites visited by users in order to steal sensitive information and conduct a phishing attack. Spyware can be delivered through an email and, once it is installed on the computer, takes control over the device and either changes its settings or gathers information such as passwords, credit card numbers, or banking records which can be used for identity theft (Jakobsson and Myers, 2006).

Adware. Adware is also known as advertising-supported software (Jakobsson and Myers, 2006). Adware is a type of malware that shows the user endless pop-up windows with ads that could harm the performance of the device. Adware can be annoying, but most of it is safe. Some adware could be used for malicious purposes such as tracking the internet sites the user visits or even recording the user’s keystrokes (cisco, 2018).
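The deceptive-phishing techniques described above (a spoofed sender claiming a trusted brand, look-alike domains such as goog1e.com for google.com, clone-phishing links whose visible text and real target differ) and the Trojan-horse attachments that deliver the loggers just discussed can all be screened on the receiving side. The following Python script is an added example and not code from the paper; the trusted-domain allow-list, the homoglyph table and the sample message are constructed assumptions, and the public-suffix handling is deliberately simplified.

```python
"""E-mail triage for look-alike hosts, brand-claiming sender names, mismatched links and
disguised executables.  Added example; trusted list and sample message are assumptions."""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"google.com", "paypal.com", "example-bank.com"}  # assumed allow-list
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1", ".lnk")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance; one edit away from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def fold(domain):
    """Collapse glyphs phishers swap for letters so goog1e.com reads as google.com."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

def lookalike_of(host):
    """Trusted domain that host imitates, or None if host is trusted or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in f".{host.lower()}.":  # brand used as a sub-domain elsewhere
            return trusted
        if edit_distance(fold(dom), fold(trusted)) <= 1:  # goog1e.com, goggle.com
            return trusted
    return None

def sender_findings(msg):
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    out = [f"display name claims {t.split('.')[0]!r} but sender domain is {domain}"
           for t in TRUSTED_DOMAINS if t.split(".")[0] in name and registrable(domain) != t]
    if target := lookalike_of(domain):
        out.append(f"sender domain {domain} imitates {target}")
    return out

def link_findings(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    out = []
    for href, anchor in ANCHOR_RE.findall(text):  # clone-style link: shown URL != href
        shown = URL_RE.search(anchor)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            out.append(f"link text shows {urlparse(shown.group()).hostname} "
                       f"but points to {urlparse(href).hostname}")
    for host in (urlparse(u).hostname or "" for u in URL_RE.findall(text)):
        if target := lookalike_of(host):
            out.append(f"link host {host} imitates {target}")
    return out

def attachment_findings(msg):
    out = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXT):
            out.append(f"{name}: executable extension"
                       + (" behind a double extension" if name.count(".") > 1 else ""))
        elif (part.get_payload(decode=True) or b"").startswith(b"MZ"):  # PE header
            out.append(f"{name}: content is a Windows executable (MZ header)")
    return out

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"sender": sender_findings(msg), "links": link_findings(msg),
            "attachments": attachment_findings(msg)}

# Constructed sample: look-alike sender, mismatched link, and a "PDF" holding only an MZ header.
SAMPLE_EML = b"""From: "Google Accounts" <security@accounts.goog1e.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://accounts.goog1e.com/verify">https://accounts.google.com/verify</a> now.</p>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
```

Running `triage(SAMPLE_EML)` reports the brand-claiming display name, the look-alike sender and link hosts, the text/href mismatch, and the PE bytes behind the ".pdf" name.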

Ransomware. Ransomware is a type of malware that encrypts the


user’s data after they run an executable program on the device. In
3
CalleR ID is “a telephone facility that displays a caller’s phone number on the
recipient’s phone device before the call is answered” (Techpedia, 2021).
this type of attack, the decryption key is held until the user pays a
4
An IPPBX is “a telephone switching system within an enterprise that switches calls ransom (cisco, 2018). Ransomware is responsible for tens of
between VoIP users on local lines while allowing all users to share a certain number millions of dollars in extortion annually. Worse still, this is
of external phone lines” (Margaret, 2008). hard to detect with developing new variants, facilitating the

Frontiers in Computer Science | www.frontiersin.org 14 March 2021 | Volume 3 | Article 563060


Alkhalil et al. Phishing Attacks: Recent Comprehensive Study

evasion of many antivirus and intrusion detection systems (Latto, 2020). Ransomware is usually delivered to the victim's device through phishing emails. According to a report (PhishMe, 2016), 93% of all phishing emails contained encryption ransomware. Phishing, as a social engineering attack, convinces victims to execute actions without knowing about the malicious program.

Rootkits
A rootkit is a collection of programs, typically malicious, that enables access to a computer or computer network. These toolsets are used by intruders to hide their actions from system administrators by modifying the code of system calls and changing their functionality (Belcic, 2020). The term "rootkit" has negative connotations through its association with malware, and it is used by the attacker to alter existing system tools to escape detection. These kits enable individuals with little or no knowledge to launch phishing exploits. A kit contains coding, mass emailing software (possibly with thousands of email addresses included), web development software, and graphic design tools. An example of rootkits is the kernel kit. Kernel-level rootkits are created by replacing portions of the core operating system or adding new code via Loadable Kernel Modules (in Linux) or device drivers (in Windows) (Jakobsson and Myers, 2006).

Session Hijackers
In this type, the attacker monitors the user's activities by embedding malicious software within a browser component or via network sniffing. The monitoring aims to hijack the session, so that the attacker performs an unauthorized action with the hijacked session, such as a financial transfer, without the user's permission (Jakobsson and Myers, 2006).

Web Trojans
Web Trojans are malicious programs that collect users' credentials by popping up invisibly over the login screen (Jakobsson and Myers, 2006). When the user enters the credentials, these programs capture and transmit the stolen credentials directly to the attacker (Jakobsson et al., 2007).

Hosts File Poisoning
This is a way to trick a user into going to the phisher's site by poisoning (changing) the hosts file. When the user types a particular website address in the URL bar, the web address will be translated into a numeric (IP) address before visiting the site. The attacker, to take the user to a fake website for phishing purposes, will modify this file (e.g., DNS cache). This type of phishing is hard to detect even by smart and perceptive users (Ollmann, 2004).

System Reconfiguration Attack
In this form of phishing attack, the phisher manipulates the settings on a user's computer for malicious activities so that the information on this PC will be compromised. System reconfigurations can be made using different methods such as reconfiguring the operating system and modifying the user's Domain Name System (DNS) server address. The wireless evil twin is an example of a system reconfiguration attack in which all the user's traffic is monitored via a malicious wireless Access Point (AP) (Jakobsson and Myers, 2006).

Data Theft
Data theft is the unauthorized accessing and stealing of confidential information of a business or individuals. Data theft can be performed by a phishing email that leads to the download of malicious code to the user's computer, which in turn directly steals confidential information stored in that computer (Jakobsson and Myers, 2006). Stolen information such as passwords, social security numbers, credit card information, sensitive emails, and other personal data could be used directly by a phisher or indirectly by selling it for different purposes.

Domain Name System Based Phishing (Pharming)
Any form of phishing that interferes with the domain name system so that the user will be redirected to the malicious website by polluting the user's DNS cache with wrong information is called DNS-based phishing. Although the hosts file is not a part of the DNS, hosts file poisoning is another form of DNS-based phishing. On the other hand, by compromising the DNS server, the genuine IP addresses will be modified, which results in taking the user unwillingly to a fake location. The user can fall prey to pharming even when clicking on a legitimate link because the website's domain name system (DNS) could be hijacked by cybercriminals (Jakobsson and Myers, 2006).

Content Injection Phishing
Content-Injection Phishing refers to inserting false content into a legitimate site. This malicious content could misdirect the user into fake websites, leading users into disclosing their sensitive information to the hacker, or it can lead to downloading malware into the user's device (Jakobsson and Myers, 2006). The malicious content could be injected into a legitimate site in three primary ways:
1. The hacker exploits a security vulnerability and compromises a web server.
2. The hacker exploits a Cross-Site Scripting (XSS) vulnerability, a programming flaw that enables attackers to insert client-side scripts into web pages, which will be viewed by the visitors to the targeted site.
3. The hacker exploits a Structured Query Language (SQL) injection vulnerability, which allows hackers to steal information from the website's database by executing database commands on a remote server.

Man-In-The-Middle Phishing
The Man-In-The-Middle attack (MITM) is a form of phishing in which the phisher inserts themselves into the communications between two parties (i.e., the user and the legitimate website) and tries to obtain information from both parties by intercepting the victim's communications (Ollmann, 2004), such that the message goes to the attacker instead of going directly to the legitimate recipient. For a MITM, the attacker records the information

and misuses it later. The MITM attack is conducted by redirecting the user to a malicious server through several techniques such as Address Resolution Protocol (ARP) poisoning, DNS spoofing, Trojan key loggers, and URL obfuscation (Jakobsson and Myers, 2006).

Search Engine Phishing
In this phishing technique, the phisher creates malicious websites with attractive offers and uses Search Engine Optimization (SEO) tactics to have them indexed legitimately, such that they appear to the user when searching for products or services. This is also known as black hat SEO (Jakobsson and Myers, 2006).

URL and HTML Obfuscation Attacks
In most phishing attacks, phishers aim to convince a user to click on a given link that connects the victim to a malicious phishing server instead of the destination server. This is the most popular technique used by today's phishers. This type of attack is performed by obfuscating the real link (URL) that the user intends to connect to (an attempt by the attacker to make their web address look like the legitimate one). Bad domain names and host name obfuscation are common methods used by attackers to fake an address (Ollmann, 2004).

COUNTERMEASURES

A range of solutions are being discussed and proposed by researchers to overcome the problems of phishing, but still, there is no single solution that can be trusted or is capable of mitigating these attacks (Hong, 2012; Boddy, 2018; Chanti and Chithralekha, 2020). The proposed phishing countermeasures in the literature can be categorized into three major defense strategies. The first line of defense is human-based solutions, educating end-users to recognize phishing and avoid taking the bait. The second line of defense is technical solutions that involve preventing the attack at early stages, such as at the vulnerability level, to prevent the threat from materializing at the user's device, which means decreasing the human exposure, and detecting the attack once it is launched, at the network level or at the end-user device. This also includes applying specific techniques to track down the source of the attack (for example, these could include identification of newly registered domains that closely match well-known domain names). The third line of defense is the use of law enforcement as a deterrent control. These approaches can be combined to create much stronger anti-phishing solutions. The above solutions are discussed in detail below.

Human Education (Improving User Awareness About Phishing)
Human education is by far an effective countermeasure to avoid and prevent phishing attacks. Awareness and human training are the first defense approach in the proposed methodology for fighting against phishing, even though it does not provide complete protection (Hong, 2012). End-user education reduces users' susceptibility to phishing attacks and complements other technical solutions. According to the analysis carried out in (Bailey et al., 2008), 95% of phishing attacks are caused by human errors; nonetheless, existing phishing detection training is not enough for combating current sophisticated attacks. In the study presented by Khonji et al. (2013), security experts dispute the effectiveness and usability of user education. Furthermore, some security experts claim that user education is not effective, as security is not the main goal for users and users do not have a motivation to educate themselves about phishing (Scaife et al., 2016), while others confirm that user education could be effective if designed properly (Evers, 2006; Whitman and Mattord, 2012). Moreover, user training has been mentioned by many researchers as an effective way to protect users when they are using online services (Dodge et al., 2007; Salem et al., 2010; Chanti and Chithralekha, 2020). To detect and avoid phishing emails, a combined training approach was proposed by the authors of the study (Salem et al., 2010). The proposed solution uses a combination of tools and human learning, wherein a security awareness program is introduced to the user as a first step. The second step is using an intelligent system that detects the attacks at the email level. After that, the emails are classified by a fuzzy logic-based expert system. The main criticism of this method is that the study chooses only limited characteristics of the emails as distinguishing features (Kumaraguru et al., 2010; CybintCyberSolutions, 2018). Moreover, the majority of phishing training programs focus on how to recognize and avoid phishing emails and websites, while other threatening phishing types, such as voice phishing and malware or adware phishing, receive less attention. The authors in (Salem et al., 2010) found that the most used solutions in educating people are not useful if they ignore the notifications/warnings about fake websites. Training users should involve three major directions: the first one is awareness training through holding seminars or online courses for both employees within organizations and individuals. The second one is using mock phishing attacks against people to test users' vulnerability and allow them to assess their own knowledge about phishing. However, only 38% of global organizations claim they are prepared to handle a sophisticated cyber-attack (Kumaraguru et al., 2010). Wombat Security's State of the Phish™ Report 2018 showed that approximately two-fifths of American companies use computer-based online awareness training and simulated phishing attacks as educating tools on a monthly basis, while just 15% of United Kingdom firms do so (CybintCyberSolutions, 2018). The third direction is educating people by developing games to teach people about phishing. The game developer should take into consideration different aspects before designing the game, such as audience age and gender, because people's susceptibility to phishing varies. The authors of the study (Sheng et al., 2007) developed a game called Anti-Phishing Phil to train users so that they can identify phishing attacks; it teaches about phishing web pages and then tests users to measure the efficiency and effectiveness of the game. The results from the study showed that the game participants improved their ability to identify phishing by 61%, indicating that interactive games might turn out to be an enjoyable way of educating people. Although users'

education and training can be very effective in mitigating security threats, phishing is becoming more complex, and cybercriminals can fool even security experts by creating convincing spear phishing emails via social media. Therefore, individual users and employees must have at least basic knowledge about dealing with suspicious emails and report them to IT staff and the relevant authorities. In addition, phishers change their strategies continuously, which makes it harder for organizations, especially small/medium enterprises, to afford the cost of employee education. With millions of people logging on to their social media accounts every day, social media phishing is phishers' favorite medium to deceive their victims. For example, phishers are taking advantage of the pervasiveness of Facebook to set up creative phishing attacks utilizing the Facebook Login feature, which enables the phisher to compromise all the user's accounts that share the same credentials (VadeSecure). Some countermeasures are taken by social networks to reduce suspicious activities on social media, such as two-factor authentication for logging in, which is required by Facebook, and machine-learning techniques used by Snapchat to detect and prevent suspicious links sent within the app (Corrata, 2018). However, countermeasures to control Soshing and phone phishing attacks might include:

• Install anti-virus and anti-spam software as a first action and keep it up to date to detect and prevent any unauthorized access.
• Educate yourself about recent information on phishing, the latest trends, and countermeasures.
• Never click on hyperlinks attached to a suspicious email, post, tweet, or direct message.
• Never trust social media; do not give any sensitive information over the phone or to a non-trusted account. Do not accept friend requests from people you do not know.
• Use a unique password for each account.

Training and educating users is an effective anti-phishing countermeasure and has already shown promising initial results. The main downside of this solution is that it demands high costs (Dodge et al., 2007). Moreover, this solution requires basic knowledge of computer security among trained users.

Technical Solutions
The proposed technical solutions for detecting and blocking phishing attacks can be divided into two major approaches: non-content-based solutions and content-based solutions (Le et al., 2006; Bin et al., 2010; Boddy, 2018). Both approaches are briefly described in this section. Non-content-based methods include blacklists and whitelists that classify the fake emails or webpages based on information that is not part of the email or the webpage, such as URL and domain name features (Dodge et al., 2007; Ma et al., 2009; Bin et al., 2010; Salem et al., 2010). In blacklist and whitelist approaches, a list of known URLs and sites is maintained, and the website under scrutiny is checked against such a list in order to be classified as a phishing or legitimate site. The downside of this approach is that it will not identify all phishing websites, because once a phishing site is taken down, the phisher can easily register a new domain (Miyamoto et al., 2009). Content-based methods classify the page or the email relying on the information within its content such as text, images, and also HTML, JavaScript, and Cascading Style Sheets (CSS) code (Zhang et al., 2007; Maurer and Herzner, 2012). Content-based solutions involve Machine Learning (ML), heuristics, visual similarity, and image processing methods (Miyamoto et al., 2009; Chanti and Chithralekha, 2020). Finally, multifaceted methods apply a combination of the previous approaches to detect and prevent phishing attacks (Afroz and Greenstadt, 2009). For email filtering, ML techniques are commonly used; for example, in 2007, the first email phishing filter was developed by the authors of (Fette et al., 2007). This technique uses a set of features such as URLs that use different domain names. Spam filtering techniques (Cormack et al., 2011) and statistical classifiers (Bergholz et al., 2010) are also used to identify phishing emails. Authentication and verification technologies are also used in spam email filtering as an alternative to heuristic methods. For example, the Sender Policy Framework (SPF) verifies whether a sender is valid when accepting mail from a remote mail server or email client (Deshmukh and raddha Popat, 2017).

Technical anti-phishing solutions are available at different levels of the delivery chain, such as mail servers and clients, Internet Service Providers (ISPs), and web browser tools. Drawing from the proposed anatomy for phishing attacks in the Proposed Phishing Anatomy, the authors categorize technical solutions into the following approaches:

1. Techniques to detect the attack after it has been launched, such as by scanning the web to find fake websites. For example, content-based phishing detection approaches are heavily deployed on the Internet. The features from the website elements such as images, URLs, and text content are analyzed using rule-based approaches and Machine Learning that examine the presence of special characters (@), IP addresses instead of the domain name, prefix/suffix, HTTPS in the domain part, and other features (Jeeva and Rajsingh, 2016). Fuzzy Logic (FL) has also been used as an anti-phishing model to help classify websites as legitimate or 'phishy', as this model deals with intervals rather than specific numeric values (Aburrous et al., 2008).
2. Techniques to prevent the attack from reaching the user's system. Phishing prevention is an important step to defend against phishing by blocking a user from seeing and dealing with the attack. In email phishing, anti-spam software tools can block suspicious emails. Phishers usually send a genuine-looking email that dupes the user into opening an attachment or clicking on a link. Some of these emails pass the spam filter because phishers use misspelled words. Therefore, techniques that detect fake emails by checking spelling and grammar are increasingly used, so that the email can be prevented from reaching the user's mailbox. The authors of the study (Fette et al., 2007) developed a new classification algorithm based on the Random Forest algorithm after exploring email phishing utilizing the C4.5 decision tree generator algorithm. The developed method is called

"Phishing Identification by Learning on Features of Email Received" (PILFER), which can classify phishing emails depending on various features such as IP-based URLs, the number of links in the HTML part(s) of an email, the number of domains, the number of dots, nonmatching URLs, and the presence of JavaScript. The developed method showed high accuracy in detecting phishing emails (Afroz and Greenstadt, 2009).
3. Corrective techniques that can take down the compromised website, by requesting the website's Internet Service Provider (ISP) to shut down the fake website in order to prevent more users from falling victim to phishing (Moore and Clayton, 2007; Chanti and Chithralekha, 2020). ISPs are responsible for taking down fake websites. Removing compromised and illegal websites is a complex process; many entities are involved in this process, from private companies, self-regulatory bodies, government agencies, volunteer organizations, and law enforcement to service providers. Usually, illegal websites are taken down by takedown orders, which are issued by courts or, in some jurisdictions, by law enforcement. On the other hand, these can be voluntarily taken down by the providers themselves as a result of issued takedown notices (Moore and Clayton, 2007; Hutchings et al., 2016). According to a PhishLabs report (PhishLabs, 2019), taking down phishing sites is helpful, but it is not completely effective, as these sites can still be alive for days stealing customers' credentials before the attack is detected.
4. Warning tools or security indicators that are embedded into the web browser to inform the user after detecting the attack. For example, eBay Toolbar and Account Guard (eBay Toolbar and Account Guard, 2009) protect customers' eBay and PayPal passwords respectively by alerting the users about the authenticity of the sites into which they try to type the password. Numerous anti-phishing solutions rely mainly on warnings that are displayed on the security toolbar. In addition, some toolbars, such as McAfee and Netscape, block suspicious sites and warn about them. A study presented in (Robichaux and Ganger, 2006) conducted a test to evaluate the performance of eight anti-phishing solutions, including Microsoft Internet Explorer 7, EarthLink, eBay, McAfee, GeoTrust, Google using Firefox, Netscape, and Netcraft. These tools are warning and blocking tools that allow legitimate sites while blocking and warning about known phishing sites. The study also found that the Internet Explorer and Netcraft toolbars showed more effective results than the other anti-phishing tools. However, security toolbars are still failing to prevent people from falling victim to phishing, despite these toolbars improving internet security in general (Abu-Nimeh and Nair, 2008).
5. Authentication (Moore and Clayton, 2007) and authorization (Hutchings et al., 2016) techniques that provide protection from phishing by verifying the identity of the legitimate person. This prevents phishers from accessing a protected resource and conducting their attack. There are three types of authentication: single-factor authentication requires only a username and password. The second type is two-factor authentication, which requires additional information in addition to the username and password, such as an OTP (One-Time Password) which is sent to the user's email id or phone. The third type is multi-factor authentication using more than one form of identity (i.e., a combination of something you know, something you are, and something you have). Some widely used methods in the authorization process are API authorization and OAuth 2.0, which allow the previously generated API to access the system.

However, the progressive increase in phishing attacks shows that previous methods do not provide the required protection against most existing phishing attacks, because no single solution or technology could prevent all phishing attacks. An effective anti-phishing solution should be based on a combination of technical solutions and increased user awareness (Boddy, 2018).

Solutions Provided by Legislation as a Deterrent Control
A cyber-attack is considered a crime when an individual intentionally accesses personal information on a computer without permission, even if the individual does not steal information or damage the system (Mince-Didier, 2020). Since the sole objective of almost all phishing attacks is to obtain sensitive information by knowingly intending to commit identity theft, and while there are currently no federal laws in the United States aimed specifically at phishing, phishing crimes are usually covered under identity theft laws. Phishing is considered a crime even if the victim does not actually fall for the phishing scam; the punishments depend on circumstances and usually include jail, fines, restitution, and probation (Nathan, 2020). Phishing attacks are causing different levels of damage to the victims, such as financial and reputational losses. Therefore, law enforcement authorities should track down these attacks in order to punish the criminals, as with real-world crimes. As a complement to technical solutions and human education, the support provided by applicable laws and regulations can play a vital role as a deterrent control. Increasingly, authorities around the world have created several regulations in order to mitigate the increase of phishing attacks and their impact. The first anti-phishing laws were enacted by the United States, where the FTC added phishing attacks to the computer crime list in January 2004. A year later, the "Anti-Phishing Act" was introduced in the US Congress in March 2005 (Mohammad et al., 2014). Meanwhile, in the United Kingdom, legislation is gradually adapting to address phishing and other forms of cyber-crime. In 2006, the United Kingdom government amended the Computer Misuse Act 1990, intending to bring it up to date with developments in computer crime and to increase penalties for breaches, enacting penalties of up to 10 years (eBay Toolbar and Account Guard, 2009; PhishLabs, 2019). In this regard, a student in the United Kingdom who made hundreds of thousands of pounds blackmailing pornography website users was jailed in April 2019 for six years and five months. According to the National Crime Agency (NCA), this attacker was the most prolific cybercriminal to be sentenced in the United Kingdom (Casciani, 2019).
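The URL and email features described under Technical Solutions above (the '@' character, an IP address in place of a host name, prefix/suffix hyphens, 'https' inside the domain part, the number of dots and of distinct domains, nonmatching URLs and the presence of JavaScript, as used by the rule-based approaches and by PILFER), together with the check for newly registered domains that closely match well-known names mentioned under Countermeasures, can be computed directly from a message body. The Python script below is an added example written for this page; it is not code from the paper or from any of the systems it cites. The KNOWN_BRANDS list, the last-two-labels registered-domain helper, the 0.8 similarity cut-off, the score threshold of 2 and both sample email bodies are constructed assumptions for the illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of well-known registered domains for the "closely matched domain" check (an assumption).
KNOWN_BRANDS = ["paypal.com", "ebay.com", "facebook.com", "microsoft.com"]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible link text that itself looks like a URL or host name.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host (a naive eTLD+1; production code would use the Public Suffix List)."""
    host = host.lower()
    if IPV4.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_brand(host):
    """Return the well-known domain that `host` imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    if registered_domain(host) in KNOWN_BRANDS:
        return None  # the real registered domain, or a subdomain of it
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in host:
            return brand  # brand name embedded in an unrelated domain (prefix/suffix trick)
        for token in re.split(r"[.-]", host):
            if SequenceMatcher(None, token, name).ratio() >= 0.8:
                return brand  # near-miss spelling, e.g. a digit swapped for a letter
    return None


def url_features(href, text=""):
    """Lexical features of one link, in the spirit of the rule-based and PILFER feature sets."""
    p = urlparse(href)
    host = p.hostname or ""
    shown_host = m.group(1) if (m := HOST_IN_TEXT.match(text)) else None
    return {
        "host": host,
        "ip_host": bool(IPV4.match(host)),
        "at_sign": p.username is not None,  # "brand.com@real-host" puts a decoy before the real host
        "hyphen_in_host": "-" in host,
        "https_in_host": "https" in host.lower(),
        "dot_count": href.count("."),
        # Visible text names one domain while the link really goes to another.
        "nonmatching": bool(shown_host) and registered_domain(shown_host) != registered_domain(host),
        "lookalike_of": lookalike_brand(host),
    }


def analyze_email(html, threshold=2):
    """Summarise the links of an HTML email body and count independent phishing indicators."""
    extractor = LinkExtractor()
    extractor.feed(html)
    feats = [url_features(href, text) for href, text in extractor.links]
    summary = {
        "num_links": len(feats),
        "num_domains": len({registered_domain(f["host"]) for f in feats if f["host"]}),
        "num_ip_urls": sum(f["ip_host"] for f in feats),
        "num_at_sign": sum(f["at_sign"] for f in feats),
        "num_nonmatching": sum(f["nonmatching"] for f in feats),
        "num_hyphen_or_https_hosts": sum(f["hyphen_in_host"] or f["https_in_host"] for f in feats),
        "lookalikes": sorted({f["lookalike_of"] for f in feats if f["lookalike_of"]}),
        "has_javascript": "<script" in html.lower() or "javascript:" in html.lower(),
    }
    counters = ("num_ip_urls", "num_at_sign", "num_nonmatching", "num_hyphen_or_https_hosts")
    summary["score"] = sum(summary[k] > 0 for k in counters) + bool(summary["lookalikes"]) + summary["has_javascript"]
    summary["verdict"] = "phishy" if summary["score"] >= threshold else "legitimate"  # constructed cut-off
    return summary


# Constructed sample bodies (not real mail); 203.0.113.0/24 is a documentation address range.
SUSPICIOUS_EMAIL = """<p>Dear customer, your account is limited. Sign in at
<a href="http://paypal.com@203.0.113.5/signin">https://www.paypal.com/signin</a></p>
<p>Or use our secure portal: <a href="https://secure-paypa1.com/login">Verify now</a></p>
<p><a href="https://www.example.org/unsubscribe">Unsubscribe</a></p>
<script>document.location = 'http://203.0.113.5/';</script>"""
BENIGN_EMAIL = """<p>This week's newsletter is online at
<a href="https://www.example.org/news">www.example.org/news</a></p>"""
```

Calling analyze_email() on a message body returns the per-message counts and a verdict; on the constructed suspicious sample every indicator fires, while the newsletter scores zero. The hand-made scoring at the threshold is exactly the place where a trained model such as the Random Forest behind PILFER would take over, and a production filter would replace the last-two-labels approximation with the Public Suffix List and feed the same features into the blacklist/whitelist and content-based checks the section describes.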

Moreover, organizations bear part of the responsibility for protecting personal information, as stated in the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR). Phishing websites can also be taken down through law enforcement agencies' action. In the United Kingdom, websites can be taken down by the National Crime Agency (NCA), which includes the National Cyber Crime Unit, and by the City of London Police, which includes the Police Intellectual Property Crime Unit (PIPCU) and the National Fraud Intelligence Bureau (NFIB) (Hutchings et al., 2016). However, anti-phishing law enforcement is still facing numerous challenges and limitations. Firstly, after perpetrating the phishing attack, the phisher can vanish in cyberspace, making it difficult to prove the guilt attributed to the offender and to recover the damages caused by the attack, limiting the effect of the law enforcement role. Secondly, even if the attacker's identity is disclosed, in the case of international attackers it will be difficult to bring this attacker to justice because of the differences in countries' legislation (e.g., exchange treaties). Also, the attack could be conducted within a short time span; for instance, the average lifetime of a phishing web site is about 54 h as stated by the APWG; therefore, there must be a quick response from the government and the authorities to detect, control and identify the perpetrators of the attack (Ollmann, 2004).

CONCLUSION

Phishing attacks remain one of the major threats to individuals and organizations to date. As highlighted in the article, this is mainly driven by human involvement in the phishing cycle. Often phishers exploit human vulnerabilities in addition to favorable technological conditions (i.e., technical vulnerabilities). It has been identified that age, gender, internet addiction, user stress, and many other attributes affect the susceptibility to phishing between people. In addition to traditional phishing channels (e.g., email and web), new types of phishing mediums such as voice and SMS phishing are on the increase. Furthermore, social media-based phishing has increased in use in parallel with the growth of social media. Concomitantly, phishing has developed beyond obtaining sensitive information and financial crimes to cyber terrorism, hacktivism, damaging reputations, espionage, and nation-state attacks. Research has been conducted to identify the motivations and techniques and countermeasures to these new crimes; however, there is no single solution for the phishing problem due to the heterogeneous nature of the attack vector. This article has investigated problems presented by phishing and proposed a new anatomy, which describes the complete life cycle of phishing attacks. This anatomy provides a wider outlook for phishing attacks and provides an accurate definition covering end-to-end exclusion and realization of the attack.

Although human education is the most effective defense for phishing, it is difficult to remove the threat completely due to the sophistication of the attacks and social engineering elements. Although continual security awareness training is the key to avoiding phishing attacks and reducing their impact, developing efficient anti-phishing techniques that prevent users from being exposed to the attack is an essential step in mitigating these attacks. To this end, this article discussed the importance of developing anti-phishing techniques that detect/block the attack. Furthermore, techniques to determine the source of the attack could provide a stronger anti-phishing solution, as discussed in this article.

Furthermore, this article identified the importance of law enforcement as a deterrent mechanism. Further investigations and research are necessary, as discussed below.

1. Further research is necessary to study and investigate susceptibility to phishing among users, which would assist in designing stronger and self-learning anti-phishing security systems.
2. Research on social media-based phishing, voice phishing, and SMS phishing is sparse, and these emerging threats are predicted to increase significantly over the next years.
3. Laws and legislation that apply to phishing are still at their infant stage; in fact, there are no specific phishing laws in many countries. Most phishing attacks are covered under traditional criminal laws such as identity theft and computer crimes. Therefore, drafting specific laws for phishing is an important step in mitigating these attacks at a time when these crimes are becoming more common.
4. Determining the source of the attack before the end of the phishing lifecycle and enforcing legislation on the offender could help in restricting phishing attacks drastically and would benefit from further research.

It can be observed that the mediums used for phishing attacks have changed from traditional emails to social media-based phishing. There is a clear lag between sophisticated phishing attacks and existing countermeasures. The emerging countermeasures should be multidimensional to tackle both human and technical elements of the attack. This article provides valuable information about current phishing attacks and countermeasures, whilst the proposed anatomy provides a clear taxonomy to understand the complete life cycle of phishing.

AUTHOR CONTRIBUTIONS

This work is by our PhD student ZA supported by her Supervisory Team.

REFERENCES

Abad, C. (2005). The economy of phishing: a survey of the operations of the phishing market. First Monday 10, 1–11. doi:10.5210/fm.v10i9.1272
Abu-Nimeh, S., and Nair, S. (2008). "Bypassing security toolbars and phishing filters via dns poisoning," in IEEE GLOBECOM 2008–2008 IEEE global telecommunications conference, New Orleans, LA, November 30–December 2, 2008 (IEEE), 1–6. doi:10.1109/GLOCOM.2008.ECP.386

Frontiers in Computer Science | www.frontiersin.org 19 March 2021 | Volume 3 | Article 563060


Alkhalil et al. Phishing Attacks: Recent Comprehensive Study




Conflict of Interest: The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Copyright © 2021 Alkhalil, Hewage, Nawaf and Khan. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.


GLOSSARY

AOL America Online
APWG Anti-Phishing Working Group
ARPANET Advanced Research Projects Agency Network
ARP Address Resolution Protocol
BHO Browser Helper Object
BEC Business Email Compromise
COVID-19 Coronavirus Disease 2019
CSS Cascading Style Sheets
DDoS Distributed Denial of Service
DNS Domain Name System
DoS Denial of Service
FTC Federal Trade Commission
FL Fuzzy Logic
HTTPS Hypertext Transfer Protocol Secure
IE Internet Explorer
ICT Information and Communications Technology
IM Instant Message
IT Information Technology
IP Internet Protocol
MITM Man-in-the-Middle
NCA National Crime Agency
NFIB National Fraud Intelligence Bureau
PIPCU Police Intellectual Property Crime Unit
OS Operating Systems
PBX Private Branch Exchange
SMishing Text Message Phishing
SPF Sender Policy Framework
SMTP Simple Mail Transfer Protocol
SMS Short Message Service
Soshing Social Media Phishing
SQL Structured Query Language
URL Uniform Resource Locator
UK United Kingdom
US United States
USB Universal Serial Bus
US-CERT United States Computer Emergency Readiness Team
Vishing Voice Phishing
VNC Virtual Network Computing
VoIP Voice over Internet Protocol
XSS Cross-Site Scripting
