The cybersecurity space has always had a problem with terminology. For example, Business Email Compromise (BEC fraud) refers to incidents where threat actors gain access to a company’s email account and use previous email communications to defraud existing relationships, such as customers or partners. However, in some cases of BEC fraud, threat actors don’t actually compromise a company’s email account, even though the scheme is named for that specific tactic. When such access is unavailable to threat actors, some opt to register a similar domain instead, in order to conduct their scam by impersonating the company rather than compromising it (albeit at a lower success rate).

The confusion around terminology extends beyond attack variations, as certain solution categories and practices can also refer to multiple use cases. Threat Intelligence can refer both to generic feeds of malicious URLs and malware IOCs and to services that provide tailor-made intelligence on external threats. While both indeed provide intelligence on threats, their use cases are different. In large organizations, they are often handled by different teams, yet the same term is used for both. Here, there have been attempts to rebrand customer-specific intelligence as Digital Risk Protection or External Threat Intelligence. However, many still use “Threat Intelligence” to describe both.
The term “Phishing” is problematic in a similar way, to a degree that it can impact our ability to properly remediate it.
“Phishing” is a type of cyber attack where threat actors impersonate legitimate entities, such as financial institutions or online service providers, to deceive individuals into revealing sensitive information like login credentials or credit card details. While this description accurately captures the essence of the threat in its various forms, its broadness presents a problem. Different variants of phishing attacks can vary significantly in both purpose and relevance, making it harder to address them appropriately.
To clarify the difference, consider a financial institution called ABC Bank. There are two main phishing attack scenarios the bank might encounter:
1. The phishing site impersonates ABC Bank, targeting its customers to steal online banking passwords, financial information such as Social Security numbers, and credit card details.
2. The phishing site impersonates a third-party service provider, targeting ABC Bank’s employees. For instance, it might impersonate Outlook, Google Workspace, or JIRA to compromise employee accounts.
The former is a fraud risk and is usually handled by the fraud side of the business. The latter is a cybersecurity threat and is usually handled by the cybersecurity team.
The conflation of these two distinct scenarios under the umbrella term “Phishing” can lead to significant challenges in both detection and response. When security teams and fraud departments use the same terminology for fundamentally different threats, it can result in miscommunication, inefficient allocation of resources, and gaps in defense strategies.
In the first scenario, where the phishing site targets ABC Bank’s customers, the primary concern is protecting the bank’s reputation and its customers’ assets. This type of attack is typically addressed by the fraud prevention team, which may work on takedown requests for fraudulent websites, notify customers, and enhance customer education about such threats.
In contrast, the second scenario involves phishing attacks aimed at compromising the internal systems of ABC Bank by targeting its employees. These attacks are designed to breach the organization’s cybersecurity defenses, potentially leading to unauthorized access to sensitive corporate data, intellectual property theft, or enabling further attacks like ransomware deployment. Cybersecurity teams handle these threats by implementing email filtering solutions, conducting employee training on phishing awareness, and monitoring for suspicious activities within the network.
The evolution of phishing techniques has outpaced the development of our terminology. Originally, phishing referred to broad, generic attempts to trick individuals into revealing sensitive information. However, as threat actors have become more sophisticated, they’ve developed targeted approaches like spear phishing, where specific individuals within an organization are singled out, and whaling, which targets high-profile executives. Despite these distinctions, the umbrella term “Phishing” is still commonly used, which can obscure the specific nature and severity of the threat.
By using the same term for both external and internal threats, organizations may overlook the nuances that differentiate these attacks. This can lead to a one-size-fits-all approach in defense mechanisms, which is ineffective given the distinct nature of the threats. For example, the same team may be responsible for handling phishing attacks targeting both employees and consumers, which can complicate the integration of phishing remediation into broader cybersecurity and anti-fraud processes, as the team may not have full oversight of both areas.
Furthermore, regulatory compliance and legal obligations may differ depending on the type of attack. Data breaches resulting from employee-targeted phishing attacks can lead to significant legal repercussions under data protection laws like GDPR or HIPAA. In contrast, consumer-targeted phishing may primarily impact the organization’s reputation and customer trust but may not carry the same regulatory weight. Using the same term for both scenarios can muddy the waters when it comes to compliance efforts.
Finally, nuance is crucial when attempting to take down a phishing site. If a web hosting provider or registrar is asked to remove a site on the grounds that it targets ABC Bank, but the site actually impersonates Office 365 to target ABC Bank employees, this mismatch can hinder the takedown process, since the request does not accurately reflect the threat.
To address these challenges, it’s essential to adopt more specific terminology that accurately reflects the nature of the threat. For example, attacks targeting customers could be referred to as “Customer Phishing” or “Fraudulent Customer Targeting,” while attacks aimed at employees could be termed “Spear Phishing” or “Employee Phishing.” By clearly distinguishing between these types of attacks, organizations can develop targeted strategies for prevention, detection, and response. At CyberATS, we label phishing attacks impersonating our customers and targeting their consumers as “Phishing”, and attacks targeting their employees as “Spear Phishing”. While we acknowledge that the term “Spear Phishing” is often used to describe attacks that target particular individuals, it does fit an attack that targets a specific company, and it provides an important distinction when sending a takedown request to the relevant entity.
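The two scenarios from the ABC Bank example, and the takedown wording point above, can be encoded as a small triage routine: given which brand a reported site imitates and whom the lure is aimed at, it assigns the category, the owning team, and a takedown claim that names the brand actually being impersonated rather than the company whose people are targeted. This is an added illustration, not code from CyberATS or the original post; ABC Bank, the brand and SaaS lists, and the team names are constructed assumptions, and any brand/population pairing the two scenarios do not cover is deliberately routed to an analyst instead of being guessed.

```python
"""Route a reported phishing site to the right owner and phrase the takedown
claim around the brand it actually impersonates (constructed example)."""

from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    # Naming follows the convention described in the post: "Phishing" for
    # sites imitating our own brand to defraud customers, "Spear Phishing"
    # for sites imitating a third-party service to compromise employees.
    PHISHING = "Phishing"
    SPEAR_PHISHING = "Spear Phishing"
    NEEDS_REVIEW = "Needs analyst review"


@dataclass(frozen=True)
class PhishingReport:
    url: str
    impersonated_brand: str    # brand the page imitates (from screenshot / page title)
    targeted_population: str   # "customers" or "employees", as assessed by the analyst


@dataclass(frozen=True)
class TriageResult:
    category: Category
    owning_team: str
    takedown_claim: str


# Assumed inventories for the hypothetical ABC Bank. A real deployment would
# load the organisation's own brands and its corporate SaaS providers from
# a brand inventory and an application inventory respectively.
ORG_BRANDS = frozenset({"abc bank"})
CORPORATE_SERVICES = frozenset({"outlook", "office 365", "google workspace", "jira"})


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Office  365' matches 'office 365'."""
    return " ".join(name.lower().split())


def triage(report: PhishingReport,
           org_name: str = "ABC Bank",
           org_brands: frozenset = ORG_BRANDS,
           corporate_services: frozenset = CORPORATE_SERVICES) -> TriageResult:
    brand = _normalise(report.impersonated_brand)
    population = _normalise(report.targeted_population)

    # Scenario 1: our own brand imitated, our customers targeted -> fraud risk.
    if brand in org_brands and population == "customers":
        claim = (f"{report.url} impersonates {report.impersonated_brand} "
                 f"to defraud {org_name} customers")
        return TriageResult(Category.PHISHING, "fraud prevention", claim)

    # Scenario 2: a third-party service imitated, our employees targeted -> cyber risk.
    # The claim names the imitated service, not ABC Bank, so the registrar or
    # host sees the page for what it is.
    if brand in corporate_services and population == "employees":
        claim = (f"{report.url} impersonates {report.impersonated_brand} "
                 f"to harvest credentials from {org_name} employees")
        return TriageResult(Category.SPEAR_PHISHING, "cybersecurity", claim)

    # Anything else (unknown brand, or a pairing the convention does not
    # cover, such as our own brand aimed at employees) goes to an analyst.
    claim = (f"{report.url} impersonates {report.impersonated_brand}; "
             f"target population unconfirmed")
    return TriageResult(Category.NEEDS_REVIEW, "analyst queue", claim)


if __name__ == "__main__":
    # Constructed sample reports; the URLs are placeholders, not real sites.
    samples = [
        PhishingReport("hxxp://abc-bank-secure-login.example", "ABC Bank", "customers"),
        PhishingReport("hxxp://office365-signin.example", "Office 365", "employees"),
        PhishingReport("hxxp://abc-bank-hr-portal.example", "ABC Bank", "employees"),
    ]
    for sample in samples:
        result = triage(sample)
        print(f"{result.category.value:22} -> {result.owning_team:16} | {result.takedown_claim}")
```

The third sample shows why the fallback matters: a page imitating ABC Bank but aimed at its staff fits neither label the post defines, so the routine refuses to pick one and leaves the call to a person.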
Ultimately, language shapes our understanding of problems and influences how we address them. The term “Phishing,” in its current broad application, fails to capture the complexities of modern cyber threats. By refining our terminology and enhancing collaboration within organizations, we can improve our collective ability to identify, prevent, and respond to these evolving challenges. Precise language leads to precise action, which is essential in the ever-evolving landscape of cybersecurity.