8 Phishing Types and How to Prevent Them
What Is Phishing?
Phishing is a fraud technique where a malicious actor sends messages impersonating a legitimate individual or organization, usually via email or other messaging system. Many cyber attackers distribute malicious attachments and links through phishing emails to trick unsuspecting users into downloading malware.
In most phishing attacks, attackers extract sensitive information from the victim, such as user credentials and account details. Exploiting human weaknesses to bypass security controls is often easier than breaking through digital defenses. Many people easily mistake phishing emails for legitimate messages.
Understanding how phishing works and the different techniques involved in phishing attacks is essential for establishing an effective strategy to prevent, detect, and mitigate phishing.
This is part of a series of articles about cyber threats.
8 Types of Phishing Attacks
While phishing usually refers to email-based fraud, there are several types of phishing.
1. Email Phishing
Email is the most popular phishing medium. Scammers register fake domains that impersonate real organizations and send thousands of requests to their targets.
Fake domain names often contain character substitutions, such as placing “r” and “n” side by side so that “rn” passes for “m.” Attackers may also put a genuine organization’s name in the local part of an email address (the part before the “@”), so that a familiar name appears in the inbox even though the domain is unrelated (e.g., [email protected]).
There are multiple ways to detect phishing emails, but users should always check email addresses when a message prompts them to download an attachment or click a link.
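The two tricks described above (confusable character sequences in the domain, and a genuine brand name placed in the display name or local part) can both be checked mechanically on the From header. This Python function is an added example, not code from the original article; the protected domain, the brand names and the sample headers are constructed placeholders, and all confusable pairs other than “rn” for “m” are assumptions.

```python
from email.utils import parseaddr

# Constructed placeholder: domain(s) of the organization whose name is being protected.
PROTECTED_DOMAINS = {"example.com"}

# Visually confusable sequences used in lookalike domains. "rn" for "m" is the
# substitution from the text above; the other pairs are assumed common cases.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def normalize_domain(domain):
    """Collapse confusable sequences so a lookalike compares equal to the real domain."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d

def check_sender(from_header, protected=PROTECTED_DOMAINS):
    """Return a list of findings for a From header; an empty list means nothing suspicious."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if domain in protected:
        return []  # exact match on a genuine domain
    findings = []
    normalized = normalize_domain(domain)
    if normalized in protected:
        findings.append(f"lookalike domain {domain!r} normalizes to {normalized!r}")
    # The brand is the registrable label of each protected domain, e.g. "example".
    brands = {p.split(".")[0] for p in protected}
    visible = f"{display} {local}".lower()
    for brand in brands:
        if brand in visible:
            findings.append(f"brand {brand!r} in display name or local part, but domain is {domain!r}")
        elif brand in domain:  # e.g. example.com.evil.test or example-secure.test
            findings.append(f"brand {brand!r} embedded in unrelated domain {domain!r}")
    return findings
```

The normalization step only makes the comparison easier; the decision of which domains count as protected still has to come from the organization’s own inventory.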
2. Spear Phishing
Spear phishing works like common phishing attacks, using communications from a seemingly trusted source to trick victims. However, a spear phishing attack targets a specific individual or set of individuals rather than sending generic messages to many users in the hope that one falls for the trick. Popular targets include HR staff and IT managers because they have higher access levels within the wider organization.
When the target is especially high-profile, the attack is called whaling. Standard spear phishing targets IT or management team members, while whaling targets senior figures such as the CEO, CFO, or other executives. Attackers can often impersonate other senior executives or representatives of partner companies to convince the target to disclose sensitive, high-value information.
Successful whaling attacks require attackers to do more than usual to lure the whale. Once successful, the attackers can use the target’s authority to spear phish employees and other high-value targets without arousing suspicion.
3. Vishing and Smishing
Mobile phones replace email in smishing (SMS phishing) and vishing (voice phishing). With smishing, the attackers send text messages carrying deceptive content similar to that of a phishing email. Vishing involves phone conversations, with the scammer speaking directly to the target.
In one popular vishing scam, the fraudster pretends to be a fraud investigator representing a bank or credit card company. The fraudster informs the victims of an account breach, prompting them to verify their identity by providing credit card details. Alternatively, the attacker might ask the victim to transfer funds to a special account.
4. Clone Phishing
Although clone phishing attacks are not as sophisticated as spear phishing or whaling, they are still very effective. This attack method shares all the main tenets of phishing. The difference is that instead of impersonating an individual or organization to make a fraudulent request, the attacker copies legitimate emails previously sent by trusted entities.
The attacker then manipulates the link, replacing the real link from the original email with a new link that redirects victims to a fraudulent website that imitates a legitimate site. Users enter their credentials, exposing them to the attacker.
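The link swap described above can be caught mechanically before a user clicks. This Python code (standard library only) is an added example, not code from the original article: it extracts every anchor from an HTML email body and reports links whose visible text shows one host while the href points to another, plus links that leave the claimed sender’s domain. The sample email and all domains in it are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self._href = None  # href of the anchor currently open, else None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-case hostname of a URL; a bare domain like 'example.com' works too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_suspicious_links(html, trusted_domain):
    """Return (visible text, href, reason) for each link a reader should question."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = host_of(href)
        # Visible text that looks like a URL is what the reader believes they click.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != dest:
            findings.append((text, href, "visible URL differs from destination"))
        elif dest and dest != trusted_domain and not dest.endswith("." + trusted_domain):
            findings.append((text, href, "destination outside trusted domain"))
    return findings

# Constructed sample: a cloned statement notification in which one link was swapped.
SAMPLE_EMAIL = (
    "<p>Your statement is ready.</p>"
    '<a href="https://login.example-secure.test/verify">https://login.example.com</a> '
    '<a href="https://help.example.com/contact">Contact us</a>'
)
```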
5. Pharming
Pharming is a highly technical form of phishing, making it harder to detect. It involves an attacker hijacking DNS (the Domain Name System), which resolves human-readable domain names to IP addresses. When users enter the target website’s URL, the tampered DNS answer directs them to a different IP address, usually that of a malicious website that appears legitimate.
6. HTTPS Phishing
Hypertext Transfer Protocol Secure (HTTPS) uses encryption to enhance security, and most users consider it safe to click on HTTPS links. Most organizations today use HTTPS over standard HTTP to help establish the legitimacy of links. However, HTTPS only protects data in transit; it does not prove that the site belongs to the organization it claims to represent, so attackers can leverage HTTPS to make their links appear legitimate and increase the success of their phishing campaigns.
7. Pop-up Phishing
Most users install pop-up blockers, but pop-up phishing is still dangerous. Malicious actors may place malicious code in small notifications (pop-ups), which people see when they visit a website.
An example of a relatively new pop-up phishing technique is to use the “notification” feature of the victim’s web browser. When the user tries to visit a website, the browser displays a message saying the website wants to display notifications. Clicking on “Allow” triggers the pop-up to install malware.
8. Evil Twin Phishing
Evil twin attacks often use fake WiFi hotspots that appear legitimate but can intercept sensitive data in transit. Malicious actors can eavesdrop or perform man-in-the-middle (MitM) attacks when someone uses a fake hotspot. Attackers can steal data sent over the connection, such as confidential information and login credentials.
Best Practices for Preventing Phishing Attacks
The following best practices can help organizations and employees identify and prevent phishing.
Pay Attention to the Language in Emails
Social engineering methods exploit human fallibility, especially when employees feel rushed and react too quickly. Many people automatically adhere to the instructions of individuals with authority without questioning the content of the message.
Everyone should be aware of these phishing techniques:
Fake order — The phishing email impersonates a courier to direct the victim to the attacker’s website, where the victim logs in and exposes credentials.
Business email compromise (BEC) — The scam leverages an organization’s hierarchy, impersonating an executive with authority and instructing the victim to take action.
Fake invoice — The message requests payment for a product from a legitimate vendor, usually redirecting the money to the cybercriminal’s account.
If an email urges recipients to take immediate action, they should slow down to verify its authenticity before acting. Employees should also check if the email’s language is consistent with the sender’s usual tone.
A crucial part of preventing phishing is encouraging employees to use safe practices. Organizations should educate all employees and stakeholders about the patterns and impact of phishing attacks and how to maintain compliance. This security awareness acts as a human firewall.
Awareness training should be ongoing and include engaging material such as visual guides and informative videos. There should be clear steps that each employee must take to determine if a message is legitimate or suspicious.
Carry Out Phishing Drills
Many organizations test their employees by simulating a phishing campaign. While these drills may inconvenience IT management, they help ensure that employees understand and apply their training. They also allow teams to practice their response to phishing attacks.
The key is to motivate employees by making sure the drills are constructive and relevant. The mock phishing campaign should have a positive goal, such as a challenge to identify phishing emails. Companies can reward employees who successfully identify fraudulent activity, providing positive reinforcement.
Providing constructive feedback to individuals when they fail a test is also important. The manager should show them the suspicious elements in phishing emails and offer additional training so they can recognize future phishing scams (whether in a drill or the real world). Drills should be relatively frequent, such as every month.
Even the savviest person can be coaxed into clicking on a seemingly innocent email that’s designed to expose sensitive data. Our four-step approach helps your employees become continually vigilant.