Phishing attacks range from classic email phishing schemes to more inventive approaches such as spear phishing and smishing. All have the same purpose – to steal your personal details. With a better understanding of the twelve types of phishing attacks and how to identify them, organizations can protect their users and their data more effectively.
1. Email phishing
Email phishing is the most common type of phishing attack, and it has been in use since the 1990s. Attackers send these emails to any addresses they can obtain. The email usually claims that the recipient's account has been compromised and that they must respond immediately by clicking a provided link. This manufactured sense of urgency often leads users to click the link or download an attachment without checking it.
The links traditionally lead to malicious websites that either steal credentials or install malicious code, known as malware, on the user's device. The downloads, usually PDFs, carry embedded malicious content that installs the malware once the user opens the document.
How to identify email phishing:
Most people recognize some of the primary indicators of a phishing email. However, for a quick refresher, some traditional things to look for when trying to mitigate risk include:
- Sender details: Compare the sender's address with the organization being spoofed. A display name that says one company while the address sits on a different or misspelled domain (or a Reply-To that points to a third domain) is a strong indicator.
- Obfuscated links and attachments: Attackers disguise URLs and file names (look-alike or misspelled domains, encoded characters, redirectors) to slip past filters such as Exchange Online Protection (EOP). Anything that appears designed to evade scanning should be treated as hostile.
- Shortened links: Do not click shortened links in unexpected mail. They hide the real destination, which is exactly why attackers use them to get past Secure Email Gateways; expand the link first or go to the service directly.
- Fake brand logo: A convincing logo proves nothing. Attackers copy the real image and wrap it in HTML that links to an attacker-controlled URL, so check where the logo and buttons actually point.
- Little text: Be suspicious of emails that consist of a single image and almost no text. Text-based filters have nothing to scan, and the image itself is often a clickable link to a malicious site.
2. HTTPS phishing
An HTTPS phishing attack is carried out by sending the victim an email with a link to a fake website that is served over HTTPS. The browser's padlock icon lends the page a false air of legitimacy, and the site is then used to trick the victim into entering their private information. The padlock only means the connection is encrypted; it says nothing about who controls the site.
How to identify HTTPS phishing
Often part of an email phishing attack, this is a slightly more nuanced approach. When deciding whether a link is legitimate, consider:
- Shortened link: Make sure the link is in its full, original form and shows every part of the URL, including the actual domain.
- Hypertext: The visible text of a link can say anything; the real destination is in the underlying href. Hover over the link (or long-press on mobile) to reveal the true URL before clicking.
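The indicators in the two lists above (sender domain mismatch, Reply-To on a different domain, shortened links, link text that disagrees with the real href, image-only bodies) can be checked mechanically. The following is an added example, not code from the original article: it parses a raw message with Python's standard library and reports which indicators fire. The two messages are constructed for illustration, and the claimed brand domain, shortener list and text-length threshold are assumptions a real deployment would tune.

```python
"""Heuristic checks for the email and link indicators listed above.

Added example, not code from the original article. The two messages below are
constructed for illustration; the claimed domain, shortener list and text
threshold are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims a bank, address is on a look-alike
# domain, Reply-To goes elsewhere, the visible link text does not match the
# real href, and a second link is shortened.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recovery@mail-helpdesk.net
To: victim@corp.example
Subject: Urgent: your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo" alt="Example Bank">
<p>Restore access now: <a href="https://examp1e-bank.com/login">https://example-bank.com/login</a></p>
<p>Or use <a href="https://bit.ly/3xYz">our secure portal</a>.</p>
</body></html>
"""

# Constructed sample: correct sender, but the body is a single clickable image.
IMAGE_ONLY_EMAIL = """\
From: alerts@example-bank.com
To: victim@corp.example
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://example-bank.com/statement"><img src="cid:statement" alt=""></a></body></html>
"""

CLAIMED_DOMAIN = "example-bank.com"  # assumed: the brand the mail claims to be
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}  # assumed list
MIN_TEXT_CHARS = 40  # assumed threshold below which a message is "image only"


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs, counts images, measures visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_len = [], 0, 0
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_len += len(data.strip())
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(url):
    """Hostname of a URL, tolerating bare 'example.com/path' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_indicators(raw, claimed_domain=CLAIMED_DOMAIN):
    """Return human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if from_dom != claimed_domain and not from_dom.endswith("." + claimed_domain):
        findings.append(f"sender domain {from_dom} does not match {claimed_domain}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_dom:
        findings.append(f"Reply-To domain differs from From domain: {reply_to}")

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
    parser = _LinkParser()
    parser.feed(html)

    for href, text in parser.links:
        dom = _domain(href)
        if dom in SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
        # Visible text that looks like a URL but points at a different host
        if re.match(r"https?://", text) and _domain(text) != dom:
            findings.append(f"link text says {_domain(text)} but href goes to {dom}")

    if parser.images and parser.text_len < MIN_TEXT_CHARS:
        findings.append("image-heavy message with little text")
    return findings


if __name__ == "__main__":
    for name, mail in (("look-alike", SAMPLE_EMAIL), ("image-only", IMAGE_ONLY_EMAIL)):
        print(name, find_indicators(mail))
```

Run it and the look-alike message produces four findings (sender domain, Reply-To, mismatched link text, shortened link) while the image-only message produces just the low-text finding. None of these checks is proof on its own; the value is in stacking them, exactly as the lists above suggest a human reader should.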
3. Spear phishing
In spear-phishing attacks, fraudsters customize their emails with the target's name, position, company, work phone number and other details to convince the recipient that they have a connection with the sender. The goal is the same as generic phishing: get the victim to click a malicious URL or open an attachment and hand over credentials or other personal data. Given how much information a convincing attempt requires, attackers routinely mine social media sites such as LinkedIn, combining several public data sources to craft a targeted email.
How to identify and how to protect yourself from spear phishing attacks:
- Abnormal request: Look out for internal requests that come from people in other departments or seem out of the ordinary considering job function.
- Shared drive links: Be wary of links to documents stored on shared drives like Google Workspace, O365 and Dropbox, because the document can redirect to a fake, malicious website or itself be a credential-harvesting page.
- Password-protected documents: A document that demands your username and password before it opens may simply be a form collecting credentials; legitimate shared documents rarely ask for this.
4. Whaling / CEO fraud
Whaling targets senior executives, and CEO fraud impersonates them to pressure staff into wiring money or sharing data. Whaling attacks commonly make use of the same techniques as spear phishing campaigns. Here are a few additional tactics that malicious actors could use:
- Infiltrate the network: A compromised executive's mailbox is far more effective than a spoofed email address, because the mail passes authentication checks and sits in real conversation threads. Digital attackers could therefore use malware and rootkits to infiltrate their target's network first.
- Follow up with a phone call: The United Kingdom’s National Cyber Security Centre (NCSC) learned of several instances where attackers followed up a whaling email with a phone call confirming the email request. This social engineering tactic helped to assuage the target’s fears that there could be something suspicious afoot.
- Go after the supply chain: Additionally, the NCSC has witnessed a rise of instances where malicious actors have used information from targets’ suppliers and vendors to make their whaling emails appear like they’re coming from trusted partners.
How to identify CEO fraud:
- Abnormal request: If a senior leader who has never contacted you before suddenly asks for a payment, gift cards or sensitive data, verify through a separate, known channel before taking the requested action.
- Recipient email: Because many people read several mailboxes in one email client, check which address a request arrived at. A business request sent to a personal address rather than your work address is a warning sign.
5. Vishing
Until now, we have discussed phishing attacks that for the most part rely on email. Fraudsters sometimes turn to other media to perpetrate their attacks. Vishing is conducted using phone calls instead of email. An attacker can run a vishing campaign by setting up a Voice over Internet Protocol (VoIP) server to impersonate various entities and steal sensitive data and/or funds.
How to identify vishing:
- Caller number: The number might come from an unusual location or be blocked. Caller ID is easily spoofed, so a familiar-looking number is not proof of legitimacy either.
- Timing: The call’s timing coincides with a season or event that causes stress.
- Requested action: The call requests personal information that seems unusual for the type of caller.
6. Smishing
Malicious actors often apply similar tactics to different technologies. Smishing is phishing by SMS: a text that asks the recipient to take an action, and a natural evolution of vishing. Often the text includes a link that leads to a credential-harvesting page or, when clicked, installs malware on the user's device.
How to identify smishing:
- Delivery status change: A text claiming that a delivery needs your action will include a link. Do not follow it; check the status by going directly to the delivery service's website or app, or by looking for the carrier's own email.
- Abnormal area code: Review the area code and compare the number with your contacts list before responding to a text or taking the suggested action.
7. Angler phishing
As malicious actors move between attack vectors, social media has become another popular location for phishing attacks. Like both vishing and smishing, angler phishing is when a cybercriminal uses notifications or direct messaging features in a social media application to entice someone into acting.
How to identify angler phishing:
- Notifications: Be wary of notifications that indicate being added to a post because these can include links that drive recipients to malicious websites.
- Abnormal direct messages: Be on the lookout for direct messages from people who rarely use the feature since the account might be spoofed, or fraudulently recreated.
- Links to websites: Treat links in direct messages as suspect, even from accounts you know and even if the link looks legitimate; a contact who suddenly starts sharing links may have had their account hijacked. Confirm through another channel before clicking.
8. Pharming
Pharming is more technical and often harder to detect. The malicious actors hijack a Domain Name System (DNS) server, the service that translates human-readable domain names into IP addresses. When a user types in the correct website address, the poisoned DNS answer sends the user to a malicious website's IP address that looks like the real one.
How to identify pharming:
- Insecure website: Look for a site that loads over HTTP rather than HTTPS, or that triggers a certificate warning. An attacker who only controls DNS cannot normally obtain a valid certificate for the real domain, so the browser's warning is often the only visible sign.
- Website inconsistencies: Be aware of any inconsistencies that indicate a fake website, including mismatched colors, misspellings, or strange fonts.
9. Pop-up phishing
Although most people use pop-up blockers, pop-up phishing is still a risk. Malicious actors place malicious content in the small notification boxes, called pop-ups, that appear when people visit websites. The newer variant abuses the web browser's "notifications" feature. For example, when a person visits a website, the browser prompts with "www.thisisabadlifechoice.com wants to show notifications." If the user clicks "Allow," the site gains permission to push notifications to the desktop or phone at any time, and those notifications carry links to scam pages, fake antivirus alerts or malware downloads. Clicking Allow does not by itself install code; the harm comes from the stream of deceptive notifications that follows.
How to identify pop-up phishing:
- Irregularities: Review for spelling errors or abnormal color schemes.
- Shift to full-screen mode: Malicious pop-ups can switch the browser to full-screen mode to hide the real address bar, so any unexpected change in screen size is an indicator.
10. Clone phishing
Another targeted email phishing attack, clone phishing, imitates services the recipient already uses in order to trigger the desired action. Malicious actors know most of the business applications that require people to click links as part of their daily work. They often research which services an organization uses regularly, then send targeted emails that appear to come from those services. For example, many organizations use DocuSign to send and receive electronic contracts, so malicious actors might create fake emails for this service.
How to identify clone phishing:
- Abnormal timing: Be wary of any unexpected email from a service provider, even one that is part of normal daily job function.
- Personal information: Look out for emails requesting personal information that the service provider never asks for.
11. Evil twin
An evil twin phishing attack uses a fake WiFi hotspot, often making it look legitimate, that might intercept data during transfer. If someone uses the fake hotspot, the malicious actors can engage in man-in-the-middle or eavesdropping attacks. This allows them to collect data like login credentials or sensitive information transferred across the connection.
How to identify an evil twin phishing attack:
- "Unsecured" warning: Be wary of any hotspot that your device flags as unsecured or open, even if the name looks familiar. A known network that suddenly appears without its usual encryption is probably not the network you know.
- Requires login: Any hotspot that normally does not require a login credential but suddenly prompts for one is suspicious.
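The two indicators above (a familiar network name that suddenly shows as unsecured, or behaves differently than it used to) can be turned into a scan-time check. The following is an added example, not code from the original article: given what a device already knows about a network (its saved security type and the hardware vendor prefixes of its access points) and a list of scan results, it flags access points that broadcast a known SSID but do not match the saved profile. The profile and the scan results are constructed for illustration; a real tool would read them from the operating system.

```python
"""Flag evil-twin candidates in a Wi-Fi scan.

Added example, not code from the original article. The 'known network' profile
and the scan results below are constructed; a real tool would take them from
the OS's saved-network list and its scan output.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str        # access point MAC address
    security: str     # "open", "wpa2" or "wpa3" (simplified)
    signal_dbm: int   # closer to 0 is stronger


# Constructed: what the device already knows about the office network,
# the security it has always used and the vendor prefixes (OUIs) of its APs.
KNOWN = {"CorpWiFi": {"security": "wpa2", "oui": {"00:11:22"}}}

# Constructed scan: one legitimate AP, a rogue open AP copying the SSID with an
# unknown vendor prefix and a much stronger signal, and an unrelated cafe network.
SCAN = [
    Network("CorpWiFi", "00:11:22:aa:bb:01", "wpa2", -62),
    Network("CorpWiFi", "de:ad:be:ef:00:01", "open", -40),
    Network("CoffeeShop", "66:77:88:99:aa:bb", "open", -70),
]


def oui(bssid):
    """First three octets of a MAC address, the vendor identifier."""
    return bssid.lower()[:8]


def find_evil_twins(scan, known=KNOWN):
    """Return {bssid: [reasons]} for APs that look like twins of a saved network.

    Only SSIDs present in `known` are examined: a twin is dangerous because the
    device would auto-join it or the user would trust the familiar name.
    """
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net.ssid].append(net)

    reasons = defaultdict(list)
    for ssid, aps in by_ssid.items():
        profile = known.get(ssid)
        if profile is None:
            continue
        strongest = max(aps, key=lambda ap: ap.signal_dbm)
        for ap in aps:
            # Saved network that suddenly appears open or with different security
            if ap.security != profile["security"]:
                reasons[ap.bssid].append(
                    f"security {ap.security!r} differs from saved {profile['security']!r}")
            # AP hardware from a vendor never seen on this network
            if oui(ap.bssid) not in profile["oui"]:
                reasons[ap.bssid].append(f"unknown vendor prefix {oui(ap.bssid)}")
            # Evil twins are usually run close to the victim and shout loudest;
            # only note this once the AP is already suspicious on other grounds.
            if ap is strongest and len(aps) > 1 and reasons.get(ap.bssid):
                reasons[ap.bssid].append("strongest signal among APs with this SSID")
    return dict(reasons)


if __name__ == "__main__":
    for bssid, why in find_evil_twins(SCAN).items():
        print(bssid, "->", "; ".join(why))
```

On the constructed scan only the rogue AP is reported, with all three reasons; the legitimate AP matches the saved profile and the cafe network is ignored because the device has no profile for it. Signal strength alone is never treated as evidence, since a legitimate AP in the next room is also the strongest one.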
12. Watering hole phishing
This attack begins with malicious actors researching the websites a company's employees visit often, then compromising those sites so that they serve malicious code or downloads. These can be websites that provide industry news or third-party vendors' websites. When the user visits the site, their browser loads the malicious code.
How to identify watering hole phishing:
- Pay attention to browser alerts: If a browser indicates that a site might have malicious code, do not continue through to the website, even if it’s one normally used.
- Control outbound web traffic: A watering hole is reached by employees browsing out to it, not by inbound connections, so keep web proxy and egress filtering rules continuously updated and monitored so that connections to known-compromised websites are blocked and logged.