Most of us have seen it … the email from someone claiming to be an employee of a financial institution handling the estate of a deceased wealthy person whose name resembles yours. The deceased has no living relatives to claim the estate, but you need to send them money first for the processing fees … Yes, it's a phishing scam.
Humans are, most of the time, the weakest link in information security, and unfortunately they fall for these phishing attempts more often than we would think.
A phishing email about an inheritance, another stating that you have won a prize and that they need your information to send it to you, or even an email asking you to confirm some information that appears to come from your bank: all of these are common phishing attempts.
Phishing success rates vary depending on many different factors and challenges. When an attacker performs OSINT and Social Engineering to find out as much as they can about their target and then crafts the attack accordingly, this is called Spear Phishing; it is aimed at a small group of people or a specific business.
The attacker might attempt to phish all the employees or perhaps only a few selected ones. When a phishing attack is targeted at a specific individual, for example someone with a high-level profile within the organization, this is called Whaling.
Similar to Social Engineering, phishing is a vulnerability that is commonly addressed by regular awareness training, test phishing campaigns run on a regular basis, and proper email filtering rules.