What is Phishing Fraud? Increasingly Sophisticated Tactics and Countermeasures

  • Matsuda
  • April 10, 2025
  • Reading time: 6 min

In recent years, phishing scams have increasingly threatened our digital lives, and the number of victims continues to rise, showing no sign of decreasing. The tactics are becoming more sophisticated, and anyone can fall prey. In this article, we will explain everything from the basics—“What is phishing?”—to specific techniques, and most importantly, the latest information on “how to protect yourself from phishing.”


■ Why Are Countermeasures Necessary? The Spread of Phishing Scams


In recent years, the need for phishing countermeasures has been strongly emphasized. Why is that?

It’s because of the growing number of phishing incidents and the severity of their impact, which we will discuss later.


According to the “Top 10 Information Security Threats” published by the Information-technology Promotion Agency (IPA), phishing scams have ranked among the top threats for six consecutive years since 2019, making this a serious issue that requires urgent action across society.


Reference: IPA Top 10 Information Security Threats 2024 https://www.ipa.go.jp/security/10threats/10threats2024.html

The number of reported phishing site URLs also continues to rise year after year, showing that new threats are constantly emerging around us.



■ What Is Phishing?


Phishing is a type of cybercrime in which attackers impersonate legitimate companies or organizations by sending fake emails or SMS messages, or by directing victims to fraudulent websites. The goal is to illegally obtain sensitive personal information such as account credentials (ID and password), credit card details, names, addresses, and phone numbers. Stolen information is then used to steal money or commit further crimes.


Figure 1: Example of sending a fake email to lure users to a fraudulent site and prompting them to enter their ID and password.

While there are various theories about its origin, according to the Ministry of Internal Affairs and Communications website, "phishing" is a coined term derived from “fishing” and “sophisticated.”


The specific damage caused by phishing scams is serious and includes the following:


  • Financial Losses

    Unauthorized transfers via internet banking, fraudulent use of credit cards leading to large bills, unauthorized purchases of goods or subscriptions to paid services on online platforms—all of these result in direct monetary losses.


  • Misuse of Personal Information and Secondary Damage

    Stolen personal information such as names, addresses, phone numbers, email addresses, and passwords can be sold on the dark web or used for other scams (identity theft, fake billing, etc.). If you reuse the same password across multiple services, the risk of cascading damage increases significantly.


  • Account Hijacking and Loss of Trust

    Social media accounts, email accounts, and online service accounts can be hijacked, allowing attackers to impersonate you and send scam messages to friends or post inappropriate content, potentially damaging your social credibility.


Once you fall victim to a phishing scam, it’s not just financial loss—you may also suffer emotional distress from misuse of personal information and spend significant time and effort restoring accounts and handling various procedures.



■ Sophisticated Phishing Techniques That Are Hard to Avoid


Phishing scams are becoming increasingly sophisticated and malicious with technological advances. Overconfidence, like “I’m careful, so I’m safe,” is dangerous. Attackers exploit psychological vulnerabilities, making it hard to completely avoid phishing even if you’re cautious.


Here are some common techniques:


  • Fake Emails/SMS That Are Hard to Distinguish from Real Ones (Imitation of Appearance and Content)

    Phishing emails and SMS are cleverly disguised to look authentic.

    Sender addresses, display names, and SMS sender names often mimic legitimate companies or services, sometimes using parts of official domains. Logos and signatures are often copied perfectly, making it easy to mistake them for genuine messages.


  • Social Engineering Exploits Human Psychology (Psychological Manipulation)

    Phishing scams manipulate psychological weaknesses and emotions, not just appearances.

    They exploit obedience to authority ("Notice from your bank"), urgency ("Act now or face serious consequences"), curiosity ("You've won a prize"), and even kindness ("Please help us update your information") to trick recipients into lowering their guard.


  • Highly Convincing Fake Websites

    Fake websites are increasingly sophisticated, replicating official sites’ design, layout, logos, and button placement almost perfectly. While older scams often had unnatural Japanese text that gave them away, recent cases are much harder to detect. Even if you suspect an email, you might still trust the linked site and enter sensitive information like IDs, passwords, or credit card details.

    URLs are also cleverly disguised, using similar strings (e.g., microsft.com vs microsoft.com) or subdomains (e.g., amazon.co.jp.●●●.com).

    Many fake sites now use HTTPS, so the presence of a padlock icon no longer guarantees safety.


These techniques evolve daily and are often combined, so even the most vigilant users can fall victim due to a momentary lapse.
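The two URL disguises named above, a near-miss spelling and a trusted name placed in a subdomain, can be checked mechanically, for example in a mail filter or web proxy. The following Python code is an added example, not part of the original article; the `PROTECTED` list, the function names and the test hostnames are assumptions made for illustration, with `example.com` standing in for the masked domain.

```python
# Added example: classify hostnames that imitate a protected domain.
# PROTECTED and all sample hostnames are constructed for illustration.
PROTECTED = ("microsoft.com", "amazon.co.jp")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(host: str, max_typos: int = 2) -> str:
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Genuine: the protected domain itself or a real subdomain of it.
    if any(host == d or host.endswith("." + d) for d in PROTECTED):
        return "legitimate"
    for domain in PROTECTED:
        n = len(domain.split("."))
        # The trusted name sits to the LEFT of the domain that actually
        # owns the host, e.g. amazon.co.jp.<something>.com.
        for i in range(len(labels) - n):
            if ".".join(labels[i:i + n]) == domain:
                return "brand-in-subdomain"
        # Near-miss spelling of the rightmost labels, e.g. microsft.com.
        tail = ".".join(labels[-n:])
        if 0 < edit_distance(tail, domain) <= max_typos:
            return "lookalike"
    return "unrelated"
```

Treat the result as a triage signal rather than a verdict: a short edit distance also matches legitimate sibling domains, which should be added to `PROTECTED`.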



■ Phishing Countermeasures: Practical Ways to Prevent Damage


To protect your information and assets from increasingly sophisticated phishing scams, it’s crucial to apply multiple countermeasures as a matter of routine:



  • Access Official Sites via Bookmarks or Official Apps

    Avoid clicking links in emails, SMS, or search results. Instead, bookmark official sites or use official apps for banks, shopping platforms, and social media. This is one of the most reliable ways to eliminate the risk of being redirected to fake sites.


  • Do Not Click Links or Open Attachments in Emails/SMS

    Never click links or open attachments in messages claiming “Account update,” “Security alert,” “Prize notification,” or “Package delivery.” Be especially cautious if asked to enter personal information (ID, password) or payment information.

    It is common for the displayed text of a link to differ from the actual destination URL. The moment you click, you may be redirected to a fake site, or malware may be downloaded. If you want to check the authenticity of a link, access the official website from your bookmarks or the official app and check for announcements, or contact the official support desk.


  • Keep OS, Browser, and Security Software Updated

    Always apply updates promptly to your OS, browser, and security software. Leaving vulnerabilities unpatched increases the risk of phishing and malware attacks. Security software can detect and block known phishing sites and suspicious behavior, so keep it updated.


  • Enforce Strong Password Management and Use Multi-Factor Authentication (MFA)

    Use unique, complex passwords for each service (mix uppercase, lowercase, numbers, and symbols). Never reuse passwords. Enable MFA wherever possible, using SMS codes, authenticator apps (such as Google Authenticator, Microsoft Authenticator), or security keys, to add an extra layer of protection.

    If a password is reused and leaked from one service, it can lead to a chain reaction of unauthorized access to other services. With multi-factor authentication set up, even if a password is leaked, an unauthorized login cannot succeed without the additional authentication factor, dramatically increasing the security level of your account.


  • [Highly Effective] Consider Using Passkeys

    Passkeys, standardized by the FIDO Alliance, are a new authentication technology that eliminates passwords and offers strong resistance to phishing. Many major services now support passkeys. If available, register and use them as your primary login method.


Why Passkeys Are Strong Against Phishing


  • No passwords to remember or enter

    With passkey authentication, there is no password that the user needs to remember or enter. Instead, authentication is performed using a key pair: a private key that is securely stored on the device (smartphone, PC, security key) and a public key that is registered on the website. Therefore, there is no "password" to be stolen on phishing sites.


  • Domain binding

    Passkeys only work on the legitimate website (domain) for which they were generated and registered. Even if an attacker sets up a fake website that looks exactly like the real thing, the domain will be different, so the user's passkey will not be valid on that fake website. This prevents authentication information from being stolen even if the user accidentally attempts to authenticate on a fake website.


  • Device-based authentication combined with biometrics

    To use a passkey, you usually need to unlock the device on which it is stored (smartphone, PC, security key, etc.) by entering a PIN code or using fingerprint authentication, facial authentication, or a similar method. This combines physical possession of the device with the user's biometric information, making it extremely difficult for a third party to impersonate you.
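The domain binding described above is enforced twice: the browser will not use a passkey for a site outside the domain it was registered for, and the website checks which origin the login response was produced on. The following Python code is an added example, not part of the original article or of any YubiOn product; field names follow the WebAuthn specification, while `bank.example`, the lookalike origin and the function names are constructed assumptions.

```python
import base64, hashlib, json
from urllib.parse import urlsplit

# Constructed relying party (the legitimate site) for illustration.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def rp_id_allowed(page_origin: str, rp_id: str) -> bool:
    """Client-side rule (simplified): the RP ID must equal the page's host
    or be a parent domain of it, so a page cannot ask for another site's passkey."""
    host = urlsplit(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def client_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Model of the fields the browser and authenticator produce.
    The browser writes the origin it is actually showing; the page cannot set it."""
    if not rp_id_allowed(page_origin, rp_id):
        return None  # browser rejects the request; no passkey is offered
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = bytes([0x01 | 0x04])  # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client_data, auth_data

def binding_errors(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Website-side checks that tie a login response to this site (empty list = pass).
    The signature over auth_data || SHA-256(client_data) is verified separately."""
    cd = json.loads(client_data)
    errors = []
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):
        errors.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")
    if not auth_data[32] & 0x01:
        errors.append("user-present")
    return errors
```

A response produced on the legitimate origin returns an empty error list, while one produced on a lookalike origin fails both the `origin` and `rpIdHash` checks. Because both fields are covered by the passkey's signature, they cannot be edited afterwards to match.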



■ Summary


Phishing scams are malicious cybercrimes targeting personal information and money, and their threat is growing every year.

To avoid becoming a victim, stay vigilant and practice basic countermeasures: use bookmarks, avoid suspicious links, keep software updated, manage passwords properly, and enable MFA.

Passkeys are a game-changer for phishing prevention—adopt them wherever possible for a safer digital life.


Our company offers security keys compatible with passkeys and provides YubiOn security services based on passkey technology. If you’re considering measures against phishing and other cyberattacks, please explore YubiOn.


For details, consultations, or document requests, contact us via our inquiry form.


Thank you for reading.


