What is Phishing?

Phishing is a malicious attempt to obtain someone’s private login details for a service or application. A phishing attack is made up of three parts: the initial entrance, the malicious mock website, and the saved details. You have probably seen, or been a victim of, phishing attempts. When someone on a social network such as Facebook or Twitter, or in an email, sends you one of those fake links asking you to click to view a video or see something, it is usually a phishing attempt. Once you click the link you are taken to the mock website, a website made to look identical to an existing and trusted website. The mock website may resemble the login screen of Facebook, Twitter, Google, etc. It will ask you to fill in your username and password to authenticate with the service; afterwards the website saves your details to a location the hacker can access, and they use those details to log in to the real service as you.

A phishing attack is one of the easier attacks to execute, as it only takes a simple website login page to be created, but it can also be one of the easiest to identify. The key thing to look for when signing into any service you trust is the URL or domain. If you think you are signing into Facebook but the website URL or domain name doesn’t match (e.g. “facbook.com”, “f4cebook.com”, “facebo.ok.com”, etc.), then it is most likely a phishing attempt and you shouldn’t fill in your login details.
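The domain check described above, written out as a small script; this is an added example and not code from the original post. It uses the browser's built-in URL parser (also available in Node), and the list of expected domains is an assumption. It rejects the lookalikes named in the text and also a host hidden behind a user-info prefix, which the parser resolves to the real host.

```javascript
// Constructed example: the domains the user actually intends to sign in to.
const TRUSTED_DOMAINS = ["facebook.com", "twitter.com", "google.com"];

// Return the host a link really points to (lower-cased, trailing dot
// removed), or null if it is not a well-formed http(s) URL.
// The WHATWG URL parser treats "https://facebook.com@evil.example" as
// user-info "facebook.com" on host "evil.example", so the real host wins.
function linkHost(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return null; // not a parseable URL at all
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// True only if the host is exactly a trusted domain or a subdomain of one.
// The "." boundary check means "facebo.ok.com" (host ok.com), "f4cebook.com",
// "facbook.com" and "facebook.com.evil.example" all fail, while
// "www.facebook.com" passes.
function isTrustedLink(link, trusted = TRUSTED_DOMAINS) {
  const host = linkHost(link);
  if (host === null) return false;
  return trusted.some((d) => host === d || host.endsWith("." + d));
}
```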

A web browser lets you copy the code of a login page, or any web page, which makes creating a phishing attempt even easier. The hacker copies the code from the login page, adds some code that sends the username and password to their private server, and redirects you back to the original website. They redirect back to the original website so that it looks like your login simply failed; you sign in again without noticing the phishing attempt.

Because phishing is easy to identify, and because all it takes is a hyperlink, the hacker behind a phishing attempt will usually target hundreds, thousands, if not millions of potential victims rather than one individual. It is a numbers game: eventually they will find someone who falls for the attack and hands over their security details.

Usually, when you sign into a website like Facebook, Google, etc., they hash/encrypt your password before saving it to their database. This means they change your password from plain text into an unrecognisable string of text. As a result, those sites don’t normally know your password, so you should never give it to them, as they should never ask for it. This is similar to the PIN on your credit/debit card: you shouldn’t give your passwords or PINs to anyone, including the bank or website owner. If someone is asking for your password/PIN in plain text (e.g. when you are not signing into Facebook or Twitter, or withdrawing cash at an ATM), then you shouldn’t trust them without verifying that they can be trusted.