As our lives become more interconnected and reliant on digital tools, cybercrime becomes more prevalent and dangerous. Businesses and individuals must constantly deal with various types of phishing attacks and a slew of other cybercrimes.
According to Proofpoint, successful email phishing attacks increased by 57% in 2021 compared to 2020. A third of all data breaches reported during the same time period were caused by phishing activities, according to the 2021 Data Breach Investigations Report. This represents a 22% increase over the previous year.
The rise of phishing attacks is a serious threat to the smooth operation of businesses and individual privacy worldwide. We must all be able to recognize these scams and avoid falling victim to the malicious agents behind them.
To that end, we’ll go over some of the most common types of phishing attacks and some defense strategies.
What Is a Phishing Attack
Phishing is the term used to describe any form of cybercrime that involves deceiving victims into handing over information that is then used to defraud or extort them. These attackers often seek personal and sensitive information such as:
- Date of birth
- Social Security number
- Phone number
- Credit card details
- Home address
- Password information
When they are successful, they use that information to carry out large unauthorized purchases, identity theft, and theft of funds.
Phishing is regarded as a social engineering technique. This is because the victim is lured into believing in the legitimacy of an illegitimate scheme. The attacker feeds on the vulnerability of the victim and manipulates them into disclosing personal information or paying hefty sums of money to have information remain private.
Businesses that fall victim to phishing attacks are often forced to pay a ransom to have their operational data released.
The term ‘phishing’ was first used in 1996. It was coined by a group of individuals called the Warez community. They were mostly hackers and those who traded pirated software.
In the Internet’s early days, America Online (AOL) was the most prominent service provider. This group was formed and communicated on the service. They were the ones who conducted the first phishing attacks.
At first, they used an algorithm to generate random credit card numbers which they used to open accounts with AOL. They used those illegitimate accounts to spam the actual users of the service. AOL was able to put an end to these activities by updating its security measures.
However, these individuals came up with other ways to disrupt the service. One of those ways is what was called ‘phishing.’
Through instant messages and emails, they would pose as AOL employees to convince users to reveal their passwords. Some of them would try to change their AOL screen names to appear as AOL administrators. Using these screen names, they would then “phish” people via AOL Messenger for their information. Many people fell for their schemes, and AOL was forced to include warning messages in their emails.
By the early 2000s, phishing scams were directed at online payment systems. The first attempt recorded was against E-gold. Though it was unsuccessful, it was an important indicator of a focus shift.
In the following years, especially between 2004 and 2005, 1.2 million U.S. users incurred about $929 million in losses. It is estimated that organizations lose about $2 billion per year to phishing.
Phishing attacks have become commonplace and increasingly sophisticated. The spread of social media and mobile devices has helped these attacks reach unprecedented levels. Over 1.2 million phishing attacks were reported in the first quarter of 2022, the worst quarter reported so far.
Phishing attacks target specific users. Targets and techniques vary, but the fundamental premise of deception and extortion is at the core of every attack.
So, what are the different types of phishing attacks we have seen so far in the modern digital landscape?
Types of Phishing Attacks
Phishers reach victims in two ways. They employ social engineering techniques to trick users into disclosing personal information. This is known as deceptive phishing; the popular email phishing attack is an example of this method.
They also use technology to get users to do what they want: they trick users into downloading malicious code, or attack through flaws in the software on their devices.
We discuss ten different types of phishing attacks below.
1. Email Phishing
Email phishing is the most popular type of cyber phishing attack.
Malicious agents send emails to users impersonating a well-known brand, then use social engineering tactics to create a false sense of urgency, leading them to click on a link or download an asset.
Traditionally, the links lead to malicious websites that either steal credentials or install malicious code, referred to as malware, on a user’s device. The downloads, which are typically PDFs, contain malicious content that installs malware when the user opens the document.
Attackers will go to great lengths to design phishing messages that look exactly like emails from an actual organization. Using the same phrasing, typefaces, logos, and signatures lends credibility to the messages.
Phishing via email is a numbers game. Even if only a small percentage of recipients fall for the scam, an attacker who sends out thousands of fraudulent messages can obtain valuable information and money. As previously stated, the attackers use various techniques to increase their success rates.
The malicious website requests confidential information or credentials from users, which the attacker then collects and uses for fraudulent purposes.
Often, the phisher will not use the credentials directly; instead, they will resell the obtained credentials or information on a secondary market, such as the dark web.
Example of Email Phishing
In 2021, Armorblox reported phishing emails impersonating FedEx and DHL. Both emails appeared to come from the courier companies and asked the recipient to confirm the delivery of a package. However, the links in these emails led to malicious web pages where the victims’ credentials would be harvested.
2. Spear Phishing
Spear phishing is a much more targeted attack. The attackers identify a target and research them to make the attack more personalized and increase the likelihood of the target falling into their trap.
Company system administrators and financial executives are usually preferred targets of spear phishing attacks.
In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.
These emails are customized with the target’s name, position, company, work phone number, and other information that tricks the recipient into believing the sender is who they claim to be.
Example of Spear Phishing
Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked to Hillary Clinton’s 2016 presidential campaign. They attacked more than 1,800 Google accounts, including authors, journalists, military personnel, and their spouses.
3. Whaling/CEO Fraud
A whaling attack is a spear phishing attack directed at a top-level executive in a company or other high-profile targets.
Spear phishers target an executive and steal their login details. If the attack proves successful, they mostly use the access to conduct CEO fraud. CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice, or to get staff to download an attachment or open a link that installs malware.
While CEO fraud has a reasonably low success rate, criminals can gain very large sums of money from the few attempts that do succeed. There have been multiple instances of organizations losing tens of millions of dollars to such attacks.
Attackers may also use the same email account to conduct W-2 phishing, in which they request W-2 information for all employees so that they can file fake tax returns in those employees’ names or post the data on the dark web.
The goal of whaling is to receive money and sensitive company information that gives the attacker access to the company’s intellectual property, data, or other information that could be sold.
Example of Whaling/CEO Fraud
An Australian hedge fund lost eight million dollars to a whaling attack. The adversaries tricked the fund’s trustee and administrator into approving the funds via a fake Zoom call link. The link contained malicious code that gave the attackers access to the fund’s email system, which they used to send out fake invoices.
4. Clone Phishing
Clone phishing is a phishing attack whereby a legitimate and previously delivered email containing an attachment or link has its content and recipient address(es) taken and used to create an almost identical or cloned email.
The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version.
Typically, this requires either the sender or the recipient to have been previously hacked by a malicious third party who obtained the legitimate email.
Example of Clone Phishing
In 2018, a couple was duped out of over $53,000 in a fake house invoice scam. They received an email that appeared to come from their building company, asking them to pay for their dream house. They paid, only to find out that it wasn’t from their building company but from a scammer.
5. Voice Phishing
Voice phishing is also called vishing. Phishers use telephones to conduct phishing attacks.
They pretend to be calling from the government, the tax department, the police, or the victim’s bank. They try to convince the victim that there is a problem with their account at that institution, and that the only way to fix it is to provide the sensitive information being asked of them.
Phishers dial a large number of telephone numbers and play automated recordings – often made using text-to-speech synthesizers – that make false claims of fraudulent activity on the victim’s bank accounts or credit cards.
Sophisticated attackers can go to the length of spoofing the calling phone number to show the actual number of the bank or institution impersonated. The victim is then directed to call a number controlled by the attackers, which will either automatically prompt them to enter sensitive information to “resolve” the supposed fraud, or connect them to a live person who will attempt to use social engineering to obtain information.
Voice phishing exploits the fact that the general public is less aware of techniques such as caller ID spoofing and automated dialing than of their email phishing equivalents, and therefore places more inherent trust in voice telephony.
Example of Voice Phishing
Spectrum Health officials raised the alarm in September 2020 about a series of calls in which their customers were coerced into giving the callers information, money, and even access to personal devices. These fake phone calls “spoof” caller ID so that they appear to come from a Spectrum Health phone number.
6. SMS Phishing
SMS phishing or smishing is when attackers use Short Message Service (SMS) systems to send bogus text messages directly to a victim.
The phone text messages typically invite the user to click a link, call a phone number, or contact an email address provided by the attacker via SMS message. The victim is then asked to provide sensitive information such as credit card details or passwords and other private data.
It is fairly easy for mobile users to fall victim to these scams. URLs may not be fully displayed in mobile browsers, so it is difficult to identify an illegitimate web page.
These smishing websites are also known to attempt to infect the person’s device with malware.
Example of SMS Phishing
In 2016, Canadians started receiving text messages saying they had won US$4.9 million and should send their account details to an email address seemingly belonging to Atlantic Lottery Corporation’s Lotto 6/49. The company had to debunk the scam and point out the irregularities in the text message.
7. Calendar Phishing
Calendar phishing is when phishing links are delivered via calendar invitations. Attackers send invitations which, by default, many calendar applications add automatically. These invitations often take the form of RSVPs and other common event requests.
Example of Calendar Phishing
In June 2020, a scam attempt involving a Wells Fargo Bank employee was stopped. The interesting part is that the scammer used a calendar invite link to lure employees into divulging their login credentials.
8. Social Media Phishing (Soshing)
Social media is a newer medium for cybercriminals to conduct phishing attacks. Their aims include account hijacking, impersonation attacks, scams, and malware distribution.
As of the first quarter of 2018, Kaspersky Lab reported more than 3.7 million phishing attempts on social media pages.
Example of Social Media Phishing
In 2014, the Twitter accounts of some Microsoft services were hijacked. Though the team quickly resolved it, customer data was breached.
Social media phishing can also take subtle forms, like answering random questions about yourself on social media platforms. This is especially rife on Facebook.
9. Search Engine Phishing
Search engine phishing is unique in that the attacker doesn’t bother sending targeted emails. Instead, the attacker creates a website that offers cheap products and too-good-to-be-true deals.
This website is crawled and then indexed by legitimate search engines. A potential victim clicks on the website, thinking it’s a typical page. This website will encourage users to enter personal information.
Example of Search Engine Phishing
In 2020, Google reported that there were more than 25 billion spam web pages it had to remove from search results. Users would click on these links believing they were legitimate and fall victim to the malicious agents operating the page.
10. Pharming
Pharming is a combination of two words: “phishing” and “farming”. This type of phishing is much more difficult to detect.
Malicious actors hijack a Domain Name System (DNS) server and redirect users to malicious websites. The hijacked DNS entries resolve legitimate domain names to attacker-controlled IP addresses, and the sites at those addresses steal the victim’s data.
Pharming attacks occur directly in the web browser. Unlike other types of phishing, no prior prompt via email, text, or phone is needed. Simply visiting an affected website is enough to fall victim to a pharming attack.
Example of Pharming
A famous pharming attack is the 2007 incident that affected more than 50 financial institutions. A vulnerability in Microsoft’s software was exploited to redirect users to a malicious website. Victims were asked to enter their login credentials, and at the same time, malware was downloaded onto their devices. More than 3,000 personal computers were affected within three days.
How to Avoid Phishing Attacks
A common thread running through these types of phishing is that they prey on human vulnerabilities. Whether by creating a false sense of urgency or by targeting your ignorance, the malicious agent behind a phishing scam depends on you being unaware or in a hurry to achieve their aims.
For users, vigilance is key. A phishing message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they are even receiving such an email.
Organizations and enterprises have to take more practical steps to prevent and/or mitigate the effects of a successful phishing attack. Instituting multifactor authentication (MFA) is one of those steps. It adds extra layers of verification for accessing business accounts.
Here are five general tips you can follow to prevent yourself from being a victim of phishing attacks.
1. Stay Informed
New phishing techniques are being developed all the time, so stay up to date with the latest attacks and key identifiers. Know what a phishing attack looks like. If you are unaware of these tactics, you will eventually fall prey to them.
Organizations should organize educational sessions for their employees. An ongoing security awareness training for all users of digital tools is a highly recommended security measure. Invest in making your staff cyber aware.
2. Embrace good internet etiquette
This means that:
a. You don’t click suspicious links.
b. You don’t click on pop-ups.
c. You don’t download files from suspicious emails or websites.
Only click links on trusted sites. A site is trusted when you can ascertain its relevance and who administers it. One indicator of a secure website is its URL. You can trust sites whose URL begins with “HTTPS” and that show a closed lock icon right before it in the address bar.
You can also check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website.
Hover over links to ensure that the destination is the correct one. If possible, navigate to the intended site by using a search engine instead of clicking on the link. When using search engines, be careful to inspect the claims. Phishing websites make too-good-to-be-real claims.
Most phishing emails will start with “Dear Customer,” so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
You must also be wary of pop-ups. These are windows that pop up while you visit a page and look like they are part of the website. Many times, they are phishing attempts.
Most popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
Make it a habit to Think Before You Click!
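The checks above (hover over a link to see where it really goes, watch for altered domain names, be suspicious of a generic “Dear Customer” greeting) can be automated as a simple triage script for an incoming email. The example below is added here and is not code from the original article; the trusted-brand list and the sample email body are constructed for the demo, and the registrable-domain logic is a deliberate “last two labels” approximation. A plain-HTTP link is treated as only a weak signal, since HTTPS proves encryption, not legitimacy.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of brands the recipient actually deals with.
TRUSTED_DOMAINS = ("fedex.com", "dhl.com", "paypal.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(href, text):
    """Flag a link whose visible text, scheme or domain looks wrong."""
    findings = []
    target = urlparse(href)
    host = registered_domain(target.hostname or "")
    if target.scheme and target.scheme != "https":
        findings.append(f"non-https link to {host}")
    shown = re.search(r"https?://([^/\s]+)", text)  # text that displays a URL
    if shown and registered_domain(shown.group(1)) != host:
        findings.append(f"visible text says {registered_domain(shown.group(1))} but link goes to {host}")
    for trusted in TRUSTED_DOMAINS:  # near-miss spellings of a trusted brand
        if host != trusted and 0 < edit_distance(host, trusted) <= 2:
            findings.append(f"{host} looks like {trusted}")
    return findings


def scan_email(body_html):
    """Return the list of phishing indicators found in one HTML email body."""
    parser = LinkExtractor()
    parser.feed(body_html)
    findings = []
    if re.search(r"dear (customer|user|member)", body_html, re.I):
        findings.append("generic greeting")
    for href, text in parser.links:
        findings.extend(link_findings(href, text))
    return findings


# Constructed sample: a courier-themed lure with a mismatched link and a lookalike domain.
SAMPLE_EMAIL = """<p>Dear Customer,</p>
<p>Your package could not be delivered. Confirm your address at
<a href="https://fedex-track.example/confirm">https://www.fedex.com/tracking</a>
or <a href="http://paypa1.com/verify">verify your payment method</a>.</p>"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print("-", finding)
```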
3. Use anti-phishing add-ons and firewalls
Anti-phishing add-ons spot the signs of a malicious website and alert you about known phishing sites. These add-ons come in the form of toolbars, and they are compatible with most browsers.
Firewalls act as a shield between you and the attacker and reduce the chances of a phisher gaining access to your device. You should use two different kinds: a desktop firewall and a network firewall. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
4. Don’t Share Personal Information
Make it a rule to never share personal or financially sensitive information over the Internet. And if you have to do it, ensure you are doing it on trusted sites.
Most of the phishing emails will direct you to pages where entries for financial or personal information are required. You should never make confidential entries through the links provided in the emails. When in doubt, visit the company’s main website, get their contact, and give them a call.
Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “HTTPS.”
5. Review Your Online Accounts Regularly
Get into the habit of changing your passwords regularly too. Rotating passwords at regular intervals will not only prevent phishing attackers from gaining access but will also prevent other types of cybercrime.
To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each entry carefully to ensure no fraudulent transactions have been made without your knowledge.
A Bonus Tip: Keep Your Browser Up to Date – Popular browsers are constantly updated with security patches. These patches are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
Remember, there is no single fool-proof way to avoid phishing attacks; you must be cyber-aware and safety conscious. You don’t have to live in fear of phishing scams. By keeping the preceding tips in mind, you should be able to enjoy a worry-free online experience.
What Is Group Phishing?
A phishing attack targeted at a specific group or type of individual is called a group phishing attack. A group of system administrators or accountants in a company might be the target of a phishing attack.
What Is Trap Phishing Attack?
Trap phishing describes phishing attempts that try to trap or trick the user into performing an intended action. The action may lead to divulging sensitive information and resources or downloading or installing malware. This type of phishing attack capitalizes on human error to be successful.
Is Phishing Only Done Through Email?
No. Phishing attacks can be through text messages, phone calls, and social media posts. Email phishing is a popular form of phishing attack but not the only type.
Are Phishing and Spam Emails the Same?
No. Phishing emails have malicious intent. They aim to trick recipients into acting against their will and disclosing sensitive information to the sender. Spam emails, by contrast, are unsolicited emails that come from services or businesses you have interacted with in the past.
What is Mass Phishing?
Mass Phishing refers to situations when phishing is done on a large scale. Most times, it refers to when phishing emails are sent to a large number of people at the same time.
Is Phishing a Crime?
Yes. The act of phishing is punishable under the laws that criminalize identity theft. In simpler terms, phishing is fraudulently using someone else’s information.