Phishing is a type of cybercrime in which criminals pose as a trustworthy source online to lure victims into handing over personal information such as usernames, passwords, or credit card numbers.
A phishing attack can take various forms, and while it often takes place over email, there are many different methods scammers use to accomplish their schemes. This is especially true today as phishing continues to evolve in sophistication and prevalence. While the goal of any phishing scam is always stealing personal information, there are many different types of phishing you should be aware of.
1. Email Phishing
Arguably the most common type of phishing, this method often involves a “spray and pray” technique in which hackers impersonate a legitimate identity or organization and send mass emails to as many addresses as they can obtain.
These emails are often written with a sense of urgency, informing the recipient that a personal account has been compromised and they must respond immediately. Their objective is to elicit a certain action from the victim such as clicking a malicious link that leads to a fake login page. After entering their credentials, victims unfortunately deliver their personal information straight into the scammer’s hands.
Example of Email Phishing
The Daily Swig reported a phishing attack that occurred in December 2020 at US healthcare provider Elara Caring that came after an unauthorized computer intrusion targeting two employees. The attacker gained access to the employees’ email accounts, resulting in the exposure of the personal details of over 100,000 elderly patients, including names, birth dates, financial and bank information, Social Security numbers, driver’s license numbers and insurance information. The attacker maintained unauthorized access for an entire week before Elara Caring could fully contain the data breach.
2. Spear Phishing
Rather than using the “spray and pray” method described above, spear phishing involves sending malicious emails to specific individuals within an organization. Instead of blasting thousands of recipients, this method targets certain employees at specifically chosen companies. These emails are often more personalized in order to make the victim believe they have a relationship with the sender.
Example of Spear Phishing
Armorblox reported a spear phishing attack in September 2019 against an executive at a company named one of the top 50 innovative companies in the world. The email contained an attachment that appeared to be an internal financial report, which led the executive to a fake Microsoft Office 365 login page. The fake login page had the executive’s username already pre-entered on the page, further adding to the disguise of the fraudulent web page.
3. Whaling
Whaling closely resembles spear phishing, but instead of going after any employee within a company, scammers specifically target senior executives (or “the big fish,” hence the term whaling). This includes the CEO, CFO or any high-level executive with access to more sensitive data than lower-level employees. Often, these emails use a high-pressure situation to hook their victims, such as a claim that the company is being sued. This entices recipients to click the malicious link or attachment to learn more.
Example of Whaling
In November 2020, Tessian reported a whaling attack that took place against the co-founder of Australian hedge fund Levitas Capital. The co-founder received an email containing a fake Zoom link that planted malware on the hedge fund’s corporate network and almost caused a loss of $8.7 million in fraudulent invoices. The attacker ultimately got away with just $800,000, but the ensuing reputational damage resulted in the loss of the hedge fund’s largest client, forcing them to close permanently.
4. Smishing
SMS phishing, or smishing, leverages text messages rather than email to carry out a phishing attack. Smishing attacks operate much the same way as email-based phishing attacks: Attackers send texts from what seem to be legitimate sources (like trusted businesses) that contain malicious links. Links might be disguised as a coupon code (20% off your next order!) or an offer for a chance to win something like concert tickets.
Example of Smishing
In September 2020, Tripwire reported a smishing campaign that used the United States Post Office (USPS) as the disguise. The attackers sent SMS messages informing recipients of the need to click a link to view important information about an upcoming USPS delivery. The malicious link actually took victims to various web pages designed to steal visitors’ Google account credentials.
5. Vishing
Vishing—otherwise known as voice phishing—is similar to smishing in that a phone is used as the vehicle for an attack, but instead of exploiting victims via text message, it’s done with a phone call. A vishing call often relays an automated voice message from what is meant to seem like a legitimate institution, such as a bank or a government entity.
Attackers might claim you owe a large amount of money, your auto insurance is expired or your credit card has suspicious activity that needs to be remedied immediately. At this point, a victim is usually told they must provide personal information such as credit card credentials or their social security number in order to verify their identity before taking action on whatever claim is being made.
Examples of Vishing
In September of 2020, health organization Spectrum Health System reported a vishing attack that involved patients receiving phone calls from individuals masquerading as employees. The attackers were aiming to extract personal data from patients and Spectrum Health members, including member ID numbers and other personal health data associated with their accounts. Spectrum Health reported the attackers used measures like flattery or even threats to pressure victims into handing over their data, money or access to their personal devices.
6. Business Email Compromise (CEO Fraud)
CEO fraud is a form of phishing in which the attacker obtains access to the business email account of a high-ranking executive (like the CEO). With the compromised account at their disposal, they send emails to employees within the organization while impersonating the CEO, with the goal of initiating a fraudulent wire transfer or obtaining money through fake invoices.
Example of CEO Fraud
Inky reported a CEO fraud attack against Austrian aerospace company FACC in 2019. This attack involved a phishing email sent to a low-level accountant that appeared to be from FACC’s CEO. The email relayed information about required funding for a new project, and the accountant unknowingly transferred $61 million into fraudulent foreign accounts.
7. Clone Phishing
If you’ve ever received a legitimate email from a company only to receive what appears to be the same message shortly after, you’ve witnessed clone phishing in action. This method of phishing works by creating a malicious replica of a recent message you’ve received and re-sending it from a seemingly credible source. Any links or attachments from the original email are replaced with malicious ones. Attackers typically use the excuse of re-sending the message due to issues with the links or attachments in the previous email.
Examples of Clone Phishing
A security researcher demonstrated the possibility of following an email link to a fake website that seems to show the correct URL in the browser window, but tricks users by using characters that closely resemble the legitimate domain name. Always visit websites from your own bookmarks or by typing out the URL yourself, and never click a link from an unexpected email (even if it seems legitimate).
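A defender-side check for the look-alike URLs described above, written as an added example (it is not code from the original article): it decodes the hostname the way a browser displays it, folds commonly confused characters back to ASCII and compares the result with a small allowlist of trusted domains, also flagging hosts that merely embed a trusted brand name. The TRUSTED allowlist and the CONFUSABLES map are constructed assumptions, not a complete confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the user actually intends to visit (constructed allowlist).
TRUSTED = ("paypal.com", "microsoft.com", "instagram.com")

# Characters that render almost identically to an ASCII letter (constructed
# subset of Unicode's confusables table; the first row is Cyrillic).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y",
               "х": "x", "ı": "i", "ɑ": "a", "rn": "m", "0": "o", "1": "l"}

def display_host(url):
    """Return the hostname as a browser would display it (punycode decoded)."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna") if "xn--" in host else host
    except UnicodeError:
        return host

def skeleton(host):
    """Fold look-alike characters to their ASCII stand-ins for comparison."""
    host = unicodedata.normalize("NFKC", host)
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(src, dst)
    return host

def registrable(host):
    parts = host.split(".")
    return ".".join(parts[-2:])

def check_url(url):
    """Classify a URL as ok / homograph / brand-lookalike / unknown."""
    host = display_host(url)
    reg = registrable(host)
    if reg in TRUSTED:
        return ("ok", reg)
    folded = skeleton(reg)
    for trusted in TRUSTED:
        if folded == trusted:
            return ("homograph", trusted)  # e.g. Cyrillic 'а' standing in for 'a'
        if trusted.split(".")[0] in skeleton(host):
            return ("brand-lookalike", trusted)  # brand name inside another domain
    return ("unknown", reg)
```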
8. Evil Twin Phishing
Evil twin phishing involves setting up what appears to be a legitimate WiFi network that actually lures victims to a phishing site when they connect to it. Once they land on the site, they’re typically prompted to enter their personal data, such as login credentials, which then goes straight to the hacker. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic and find ways to steal sensitive information and data.
Example of Evil Twin Phishing
In September 2020, Nextgov reported a data breach against the U.S. Department of the Interior’s internal systems. Hackers used evil twin phishing to steal unique credentials and gain access to the department’s WiFi networks. Further investigation revealed that the department wasn’t operating within a secure wireless network infrastructure, and that its network policy failed to ensure bureaus enforced strong user authentication measures, periodically tested network security or required network monitoring to detect and manage common attacks.
9. Social Media Phishing
Social media phishing is when attackers use social networking sites like Facebook, Twitter and Instagram to obtain victims’ sensitive data or lure them into clicking on malicious links. Hackers may create fake accounts impersonating someone the victim knows to lead them into their trap, or they may even impersonate a well-known brand’s customer service account to prey on victims who reach out to the brand for support.
Example of Social Media Phishing
In August 2019, Fstoppers reported a phishing campaign launched on Instagram where scammers sent private messages to Instagram users warning them that they had committed an image copyright infringement and requiring them to fill out a form to avoid suspension of their account.
One victim received a private message from what appeared to be an official North Face account alleging a copyright violation, which prompted him to follow a link to “InstagramHelpNotice.com,” a seemingly legitimate website where users are asked to input their login credentials. Victims who fell for the trap ultimately provided hackers with access to their account information and other personal data linked to their Instagram account.
10. Search Engine Phishing
Search engine phishing involves hackers creating their own website and getting it indexed on legitimate search engines. These websites often feature cheap products and incredible deals to lure unsuspecting online shoppers who see the website on a Google search result page. If they click on it, they’re usually prompted to register an account or enter their bank account information to complete a purchase. Of course, scammers then turn around and steal this personal data to be used for financial gain or identity theft.
Example of Search Engine Phishing
In 2020, Google reported that 25 billion spam pages were detected every day, from spam websites to phishing web pages. Additionally, Wandera reported in 2020 that a new phishing site is launched every 20 seconds. That means three new phishing sites appear on search engines every minute!
11. Pharming
Pharming—a combination of the words “phishing” and “farming”—involves hackers exploiting the mechanics of internet browsing to redirect users to malicious websites, often by targeting DNS (Domain Name System) servers. DNS servers exist to direct website requests to the correct IP address. Hackers who engage in pharming often target DNS servers to redirect victims to fraudulent websites with fake IP addresses. Because the corrupted DNS server sends victims to the fraudulent site even when they type the correct address, any personal data they enter there is exposed to theft by the hacker.
Example of Pharming
Secure List reported a pharming attack targeting a volunteer humanitarian campaign created in Venezuela in 2019. The campaign included a website where volunteers could sign up to participate in the campaign, and the site requested they provide data such as their name, personal ID, cell phone number, their home location and more.
A few days after the website was launched, a nearly identical website with a similar domain appeared. The hacker created this fake domain using the same IP address as the original website. Whenever a volunteer opened the genuine website, any personal data they entered was diverted to the fake website, resulting in the theft of thousands of volunteers’ data.
Tips to Spot and Prevent Phishing Attacks
One of the best ways you can protect yourself from falling victim to a phishing attack is by studying examples of phishing in action. This guide by the Federal Trade Commission (FTC) is useful for understanding what to look for when trying to spot a phishing attack, as well as steps you can take to report an attack to the FTC and mitigate future data breaches. In general, keep these warning signs in mind to uncover a potential phishing attack:
- An email asks you to confirm personal information: If you get an email that looks authentic but arrives out of the blue, it’s a strong sign that it comes from an untrustworthy source.
- Poor grammar: Misspelled words, poor grammar or a strange turn of phrase are an immediate red flag of a phishing attempt.
- Messages about a high-pressure situation: If a message seems like it was designed to make you panic and take action immediately, tread carefully—this is a common maneuver among cybercriminals.
- Suspicious links or attachments: If you received an unexpected message asking you to open an unknown attachment, never do so unless you’re fully certain the sender is a legitimate contact.
- Too good to be true offers: If you’re being contacted about what appears to be a once-in-a-lifetime deal, it’s probably fake.
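The warning signs above can be turned into a first-pass triage check. As an added example (not code from the original article), the function below parses one raw email and reports which signs it finds: urgency language, requests to confirm personal information, too-good-to-be-true lures, and links whose visible text names a different site than the href actually points to. The PHRASES lists and the SAMPLE message are constructed for illustration; a real deployment would tune the phrase lists to its own mail stream.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

PHRASES = {  # constructed phrase lists mapped to the warning signs above
    "urgency": ("immediately", "within 24 hours", "will be suspended", "act now"),
    "asks-to-confirm-personal-info": ("verify your", "confirm your", "social security"),
    "too-good-to-be-true": ("you have won", "claim your prize", "free gift"),
}

class Links(HTMLParser):
    """Collect the body text plus (href, visible text) for every anchor."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def host_of(s):
    s = s.strip() if "://" in s else "http://" + s.strip()
    return (urlsplit(s).hostname or "").lower().removeprefix("www.")

def phishing_signals(raw):
    """Return the warning signs present in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    low = " ".join(parser.text).lower()
    signals = [name for name, words in PHRASES.items() if any(w in low for w in words)]
    for href, shown in parser.links:
        # The visible text names one site but the href really leads to another.
        if "." in shown and host_of(shown) != host_of(href):
            signals.append(f"link-mismatch:{host_of(shown)}->{host_of(href)}")
    return signals

# Constructed sample modelled on the account-suspension lure described above.
SAMPLE = """From: "PayPal Support" <support@paypal.com>
Content-Type: text/html

<p>Unusual activity detected. You must verify your account immediately or it will be suspended.</p>
<p><a href="http://paypal-secure-login.example.net/verify">https://www.paypal.com/verify</a></p>
"""
```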
The next best line of defense against all types of phishing attacks and cyberattacks in general is to make sure you’re equipped with a reliable antivirus. At the very least, take advantage of free antivirus software to better protect yourself from online criminals and keep your personal data secure.