Phishing Attack: 6 Types of Phishing and How to Prevent Them
What is a Phishing Attack?
A phishing attack is a form of social engineering that attempts to obtain sensitive and financial information by tricking users into divulging this information, clicking on malicious links, or downloading malware. This type of attack attempts to disguise itself as legitimate communication, making it difficult for victims to notice its malicious purposes. Phishing is a severe cyber threat facing organizations of all sizes.
A phishing attack attempts to steal information such as passwords, user names, bank account information, credit card numbers, and more. The threat actor can use this information to commit malicious activities, such as identity theft, hacking, stealing money, or selling the information.
A phishing attack occurs when victims receive electronic communication, such as text messages, emails, and web pages, that impersonates real individuals or companies. In reality, the communication is fake and contains malicious calls to action. For example, a phishing email may impersonate an eCommerce site and ask the victim to confirm their financial information.
How Phishing Works
Phishing attacks utilize various social engineering techniques to trick victims. An attack typically starts with gathering information and creating fake communication, followed by launching the attack through various channels, such as email, text messages, web pages, and social media networks.
Threat actors impersonating real individuals or companies typically spend time gathering information about these entities so that they can impersonate them. They may also gather data about potential victims, using social media platforms like Facebook, Twitter, and LinkedIn, to collect names, email addresses, and job titles. The goal is to craft believable communications.
The victim may receive a message that seems to have been sent by a known organization or contact. The communication may contain a malicious file attachment or links connecting to malicious websites. A malicious file typically contains malware, while malicious links often direct victims to fake websites that trick victims into divulging financial and personal information.
As in most attacks, phishing attacks include a range of sophistication. Some send out poorly written emails that seem glaringly fake, while cybercriminal groups may use techniques often employed by professional marketers to identify the most effective messages.
Types of Phishing Attacks
1. Email Phishing
Email phishing is the most common type of phishing. Typically, the threat actor registers a fake domain that looks like a real one owned by a legitimate organization, then sends thousands of generic emails from it. Here are common fake domain name techniques:
Character substitution — For example, using the letter pair “rn” in place of “m,” since “rn” reads as “m” at a glance.
Organization name — Actors put the organization’s name at the beginning of the email address so that it shows up as the sender’s name in the recipient’s mail client. For example, [email protected] may appear as “Visa” in the recipient’s inbox.
You can spot a phishing email by checking the email address of any message asking you to download an attachment or click a link.
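The two tricks above (confusable characters in the sender domain, and a trusted brand used as the display name while the address belongs to some other domain) are both visible in the From: header, so a mail gateway or a triage script can flag them mechanically. The following is an added example, not code from the original article; the PROTECTED_DOMAINS list, the CONFUSABLES table (the “rn” for “m” substitution from the text plus a few more common confusables), and the sample message are all constructed for illustration.

```python
"""Lookalike-sender checks for the two email-phishing tricks described above.

Added example (not from the original article). PROTECTED_DOMAINS, CONFUSABLES
and the sample message are constructed for illustration.
"""
import email
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

# Brand domains the organisation wants to protect (constructed list).
PROTECTED_DOMAINS: Set[str] = {"visa.com", "example-bank.com"}

# Character sequences that read as another character at a glance.
# "rn" -> "m" is the substitution the article describes; the rest are
# further common confusables added for this example.
CONFUSABLES: Dict[str, str] = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize_confusables(text: str) -> str:
    """Rewrite every confusable sequence to the character it imitates."""
    out = text.lower()
    for seq, target in CONFUSABLES.items():
        out = out.replace(seq, target)
    return out


def registrable_part(domain: str) -> str:
    """Last two labels of a domain. Naive public-suffix handling that is enough
    for this constructed example; a real deployment should use a public suffix list."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def split_sender(from_header: str) -> Tuple[str, str]:
    """Return (display name, address domain) for a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def analyze_sender(from_header: str) -> List[str]:
    """Return a list of findings; an empty list means the sender looks genuine."""
    findings: List[str] = []
    name, domain = split_sender(from_header)
    if not domain:
        return ["sender address could not be parsed"]
    reg = registrable_part(domain)
    if reg in PROTECTED_DOMAINS:
        return findings  # mail really comes from a protected domain
    for protected in PROTECTED_DOMAINS:
        # Trick 1: character substitution, e.g. "visa.corn" posing as "visa.com".
        # Both sides are normalised so a protected domain containing "rn" still matches itself.
        if normalize_confusables(reg) == normalize_confusables(protected):
            findings.append(f"character substitution: {domain} imitates {protected}")
        # Trick 2: the brand name is used as the display name while the
        # address domain is somewhere else entirely.
        brand = protected.split(".")[0]
        if brand in name.lower():
            findings.append(
                f"display name {name!r} claims {brand} but address domain is {domain}")
    return findings


def analyze_message(raw_message: str) -> List[str]:
    """Run the sender checks over a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    return analyze_sender(msg.get("From", ""))


# Constructed sample message for a stand-alone run: ".corn" posing as ".com".
SAMPLE = (
    'From: "Visa" <help@visa.corn>\r\n'
    "To: employee@example.org\r\n"
    "Subject: Confirm your card details\r\n"
    "\r\n"
    "Please click the link below to confirm your account.\r\n"
)

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE):
        print("FLAG:", finding)
```

The registrable-domain step matters because a sender such as alerts@visa.com.some-host.net ends in a protected name without belonging to it; only the last two labels are compared, and the display-name check still catches the brand claim. In production the check should sit behind a real public suffix list and be combined with SPF/DKIM/DMARC results rather than replace them.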
2. Spear Phishing and Whaling
Spear phishing and whaling attacks send emails that impersonate trusted sources to trick their victims. Spear phishing differs from regular phishing in that it targets specific roles or individuals, such as IT administrators and HR professionals.
Whaling attacks also create campaigns around a certain role or individual, but with a bigger target than spear phishing. Instead of impersonating a broad group like a team or department, whaling attackers aim at high-level targets such as influencers or executives like CEOs, CFOs, or the head of HR.
A whaling attack requires more in-depth research to impersonate the whale accurately. The goal is to take advantage of the whale’s authority to convince other whales or employees not to question the actor’s requests.
3. Smishing and Vishing
Smishing and vishing attacks utilize telephone communication instead of emails. Smishing attacks send out text messages, and vishing attacks utilize phone conversations. The content of a smishing attack is usually similar to content sent via email phishing.
There are various types of vishing scams. In a common scam, threat actors impersonate a fraud investigator from a credit card company or the bank. The actor lies to the victim, saying their account was breached, and then asks the victim to provide credit card details, supposedly to verify their identity.
4. Clone Phishing
Clone phishing attacks are similar to typical phishing scams in that they send out emails that seem legitimate and prompt victims to divulge information. However, instead of impersonating an individual or organization, the threat actor copies a legitimate email previously sent by a trusted organization. Next, the actor manipulates the real link from the original email to redirect victims to a fraudulent site. Once they reach the site, victims are tricked into entering all credentials they use on the real site.
5. Pharming
Pharming attacks are highly technical and typically difficult to detect. The threat actor hijacks a Domain Name System (DNS) server, the service that translates human-readable domain names into IP addresses. Once a user enters the website address, the compromised DNS server resolves it to the IP address of a legitimate-looking malicious website.
6. Evil Twin Attack
An evil twin phishing attack employs a fake but legitimate-looking WiFi hotspot to intercept data in transit. Once a user tries to use the fake hotspot, the actor can engage in eavesdropping or man-in-the-middle attacks. It enables the actor to gather data, such as sensitive information and login credentials, transferred through the connection.
Best Practices For Preventing Phishing Attacks
Always Note the Language in the Email
Social engineering techniques use human nature to manipulate victims. For example, people often follow people with authority and are very likely to make a mistake when rushed. Phishing attacks take advantage of these characteristics to trick targets into ignoring any suspicion they might have. However, that does not mean you cannot spot a phishing attack.
Most phishing attacks do not bother to mimic the legitimate company’s or individual’s language. They often rely on visual aspects alone. For example, the scammer might impersonate a delivery company like FedEx and ask the recipient to click a link to authorize an order, or impersonate a CEO and ask for financial information. If the language does not match the brand or person, it is phishing.
The email may urge you to take unusual or rapid actions. However, you need to slow down to verify it is truly legitimate before trusting this communication. If the email contains misspellings, unusual phrasing, and grammatical errors, you should stop and investigate before doing anything the email requests.
Train your Employees
Organizations can thwart phishing attacks by training employees to recognize phishing attacks and providing standard reporting and response actions. Your anti-phishing education program must include ongoing education, awareness campaigns, and mandatory compliance training.
This training should be part of an overall security culture that continuously keeps employees abreast of standard security practices. It should include standard behaviors, technologies, and processes, helping employees work securely.
Run a Mock Phishing Campaign
Mock phishing campaigns help test employees to ensure they can recognize phishing attacks. Organizations can create a positive and constructive test that keeps employees motivated by framing testing campaigns around positive goals and offering rewards for identifying the scam. Ideally, you should conduct these tests regularly, once per month, to keep employees aware and responsive to this threat.
The goal is to positively reinforce the behavior when employees spot the phishing attack and provide constructive feedback to employees who fail the tests. Reviewing the email with them, explaining attack indicators, and providing remedial training helps ensure these employees treat an actual attack or the next test email with the correct security mindset.