Last Updated on May 31, 2021 by Admin
A phishing attack is one method used by cybercriminals to gather valuable information about an individual or organization. In this article, we look at the 10 types of phishing attacks and ways to identify them.
Background of phishing attacks
Phishing is a fraudulent, social engineering attack used by cybercriminals to mislead a victim into giving up sensitive data.
This practice originated in the mid-90s and involved America Online (AOL), which was the major internet provider back then.
Millions of users logged in daily, and this attracted bad actors who started using phishing tactics to steal sensitive personal data.
Attackers would steal passwords and use randomly generated credit card numbers to create AOL accounts and launch more attacks.
In 1995, AOL introduced security measures that blocked the use of randomly generated credit card numbers.
This led to the evolution of phishing attacks and cybercriminals now use more sophisticated ways to steal your data.
According to Statista, in 2020 the largest number of phishing attacks targeted financial institutions.
It is important that when you are carrying out transactions online, you do so anonymously.
A VPN hides your IP address and encrypts your traffic, thus protecting you from common online attacks.
Next, we look at the 10 types of phishing attacks.
Types of phishing attacks
1. Email phishing
Let’s start with the most common type of phishing, which is email phishing.
Attackers send mass emails to potential victims, hoping that some of the emails are opened.
In the email, they create a sense of urgency so that the potential victim takes a specific action, such as visiting a website or downloading a file.
Links take the user to a malicious website designed to steal credentials or install malware on the user’s device.
Attached documents, usually PDFs, also contain malware that is installed once the user opens the document.
Things to look for in a phishing email are described in another article so make sure you check it out.
2. Vishing
Vishing is short for voice phishing, and in this type of attack a phone is used.
A user receives a call that appears to come from a financial institution or a popular company.
Attackers may use a robo-voice to make it seem like the system automatically generated the call.
The victim is tricked into providing details like login credentials or other sensitive personal data.
In some cases, cybercriminals actually make the call and pretend to be from a big company.
This attack works in the same way as the notorious tech support scams.
To be safe, take note of blocked numbers or numbers that come from an unusual location.
3. Smishing
Another variation of the attack is smishing, or phishing using SMS.
A malicious text is sent to the victim, disguised as coming from a trusted source or organization.
The user is prompted to take an action such as clicking a link, providing a PIN or sending other personal information.
Users are more likely to open and respond to texts on their mobile devices, and this gives attackers greater chances of success.
4. Spear phishing
In this type of phishing attack, criminals target a specific category of lower-profile individuals in an organization.
In other words, instead of trying to get sensitive data from random individuals, the attackers find it more lucrative to have specific targets.
An example of an attack involves targeting an individual who works at a government agency in order to steal secrets.
This kind of attack usually yields great results for the attacker because there is ample time to build a perfect bait.
Information about the target is usually gathered from social media or even the company’s website.
Emails are sent to the user bearing recognizable markers like the company logo, phone numbers, departments etc.
The recipient then believes that it’s an internal request, takes action, and ultimately falls into the trap.
5. Angler phishing
While other tactics described above use email, SMS or voice messages, in an angler attack, popular social messaging platforms take center stage.
The cybercriminal may send a message with a malicious link or ask the recipient to take action.
Be careful of notifications you receive on social media platforms.
You may end up opening a message from a cybercriminal and fall victim to an angler phishing attack.
6. Whaling
Although similar to spear phishing, whaling goes for high-profile individuals or the top executives in an organization.
It is also called CEO fraud because attackers go for the big fish.
Details of the organization’s top executive can be found on social media or on the company website.
The next move is to impersonate that top individual in an email request that prompts recipients to send money, sensitive data or review a document.
However, the attacker is the one who receives all the money and data once the recipient complies with the request.
7. Pharming
In pharming, an attacker installs malicious code on the victim’s computer, and this code redirects URLs to a fraudulent website.
This takes place without the user’s knowledge or consent.
Once on the website, if the user doesn’t notice the red flags that indicate that it’s fake, there is a risk of downloading malware or giving up sensitive data.
When you visit any website where you must enter personal information or download software, check for inconsistencies in:
Usually, attackers are sloppy and leave tell-tale signs of a fake website.
8. Clone phishing
This is another form of targeted phishing attack in which cybercriminals take advantage of services that an organization uses regularly.
These services require users to click on links provided by the service provider via email.
Attackers replicate the process and masquerade as a genuine service provider, but the emails they generate contain a malicious link.
This takes unsuspecting users to a fraudulent website where data is stolen or malware is downloaded.
Beware of emails where a service provider asks for personal information or makes other unusual requests.
9. Pop up phishing
Pop up phishing is still used by attackers, although pop-up blockers are widely used.
However, attackers now use more advanced ways to deliver pop-ups to your browser.
This new approach uses the browser’s notification feature, and if you accept any notifications, you risk installing malware.
10. Watering hole attack
This is another tactic employed by pro-attackers who study the online behaviours of a potential target first.
They take note of websites that a target frequents and compromise those sites with malware.
When the user visits a site controlled by hackers, they download malware that gives criminals access to the victim’s device.
Make sure you pay attention to browser alerts as sometimes you are prompted not to proceed to a suspicious site.
Pay attention to messages that request personal information like credit card details, passwords and other sensitive information.
It is best to confirm with IT personnel or your supervisor before taking action on any requests.
Good cyber hygiene is a habit that should be followed in any organization and at individual level.
This minimizes chances of hackers intercepting your traffic and exposing your IP address.
One way to use the internet securely and privately is by using a trusted VPN.