Phishing attacks are a form of social engineering in which a cybercriminal imitates a trusted entity to trick an individual into opening a fraudulent email, SMS, or instant message. The message is crafted to deceive the victim into sharing sensitive information or clicking a link that runs malicious code.
However, phishing can also be a targeted attack aimed at a specific individual. The attacker can tailor an email to speak directly to you, and even include information only an acquaintance would know. Attackers usually obtain this information by gathering details about your personal life, e.g. from social media.
So what are the common types of phishing attacks?
Bulk or Email Phishing
Bulk phishing, or email phishing, is the most common form of phishing attack. The cybercriminal sends a large number of fraudulent emails to employees, individuals, or any email addresses they can obtain. Although the emails are not tailored to the victim, they can still be effective: if enough are sent, eventually someone will open one.
Examples of bulk phishing attempts include emails about winning a prize, problems with the user’s account, or a password that has expired and needs to be changed. Some can easily be spotted by poor grammar, spelling, and design; however, others are nearly indistinguishable from an official email.
Therefore, you should always check where an email has come from and look for misspelled or lookalike variations of the sender’s address and of any URLs in the text. And if you are ever in doubt, do not open the email or click any of the links! It’s always better to be safe than sorry!
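As an added illustration of that check (example code written for this post, not part of the original article), the script below pulls the sender’s domain and every linked hostname out of a message and flags any that are near-miss spellings of, or embed the brand of, a trusted domain. The trusted list and the sample message are constructed, and the registered-domain logic is deliberately simplified.

```python
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed (assumed) domains the reader legitimately expects mail from;
# the first matching trusted domain is the one reported.
TRUSTED_DOMAINS = ["example-bank.com", "example.com"]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str) -> Optional[str]:
    """Trusted domain that `host` imitates, or None if it is trusted or unrelated.
    Simplification: the registered domain is the last two labels (no .co.uk handling)."""
    host = host.lower().rstrip(".")
    registered = ".".join(host.split(".")[-2:])
    if registered in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand buried in another registered domain (example-bank.com.secure-login.net)
        # or a near-miss spelling of the trusted domain (examp1e-bank.com).
        if brand in host or edit_distance(registered, trusted) <= 2:
            return trusted
    return None
def check_message(from_header: str, body: str) -> List[str]:
    """Flag the sender domain and every linked hostname that looks like a trusted one."""
    findings = []
    sender = parseaddr(from_header)[1]
    if "@" in sender:
        domain = sender.rsplit("@", 1)[1].lower()
        if hit := lookalike_of(domain):
            findings.append(f"sender {domain} imitates {hit}")
    for host in URL_RE.findall(body):
        if hit := lookalike_of(host):
            findings.append(f"link {host.lower()} imitates {hit}")
    return findings

# Constructed sample message, not a real phishing email.
SAMPLE_FROM = "Example Bank <alerts@examp1e-bank.com>"
SAMPLE_BODY = ("Your account is locked: https://example-bank.com.secure-login.net/verify\n"
               "Help: https://www.example-bank.com/help or https://unrelated-news.org/story")
```

Running `check_message(SAMPLE_FROM, SAMPLE_BODY)` reports the one-character sender misspelling and the link whose hostname starts with the bank’s name but is registered elsewhere, while the genuine help link and the unrelated site pass.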
Spear Phishing
Now you may ask, what exactly is spear phishing, and how did this name come about? Well, fishing with a pole may land you any number of items from below the waterline: a flounder, a bottom feeder, or a piece of trash. Fishing with a spear, however, lets you target a specific fish. Hence the name! Cool, huh?
Similarly, spear phishing is an attack in which the cybercriminal has researched the target and found personal information that lets them tailor the attack. This is typically more successful than bulk phishing: an email that contains personal information lowers the target’s guard, making them more likely to open a malicious link or file.
These emails may include the victim’s name or place of work, and may imitate a supplier or third-party technical support asking the user to send their password “for security purposes”. Spear phishing attempts can be difficult to spot; however, you should always verify suspicious requests in person if possible, and never share your password with others.
Whaling
Whaling is an even more targeted type of phishing that goes after the whales, a marine animal even bigger than a fish. These attacks typically target a CEO, CFO, or any other C-level executive within an industry or a specific business in order to steal login credentials. This can be devastating for a company, as an executive’s account often has high-level access to the network along with employee and customer data.
A whaling email might state that the company is facing legal consequences and that you need to click a link for more information. The link then takes you to a page where you are asked to enter critical data about the company, such as tax ID and bank account numbers.
Another method is to use a spear phishing attack to gain access to an employee’s email account, and then use that account to phish the executive, who is more likely to trust an email from an employee than from an unknown individual.
Hence, it is important for an entire company, especially the executives, to be aware of and educated about cybersecurity. Additionally, there should be policies and software in place to prevent high-level employees from being phished.
Vishing
Vishing, also known as voice phishing, is an attack performed over the phone or VoIP. Hence the “v” rather than the “ph” in the name.
A common vishing attack is a call from someone claiming to be a representative from Microsoft. This person informs you that they have detected a virus on your computer. You are then asked to provide credit card details so the attacker can install an updated version of anti-virus software on your computer. The attacker now has your credit card information, and you have likely installed malware on your computer.
However, these calls can be recognised as fraudulent because a legitimate company will never ask for personal information over the phone. Another way to detect a fraudulent call is to check that the number that called you is listed on the official company website and is not a known scam phone number.
Smishing
Smishing, or SMS phishing, uses phone text messaging to mislead or deceive a victim. A common smishing technique is to deliver an SMS message to a cell phone that contains a clickable link or a return phone number. These can be particularly effective because text messages are more likely to be read and responded to than emails.
A common example of a smishing attack is an SMS message that looks like it came from your bank. It tells you that your account has been compromised and that you need to respond immediately. The attacker asks you to verify your bank account number, SSN, etc. Once the attacker receives this information, they have control of your bank account.
But remember, it is important to apply the same level of scrutiny to phone calls and text messages that you would to an email, as they are just as dangerous an attack vector!
Search Engine Phishing
Search engine phishing, also known as SEO poisoning or SEO Trojans, is where hackers work to become the top hit for a search in a search engine. Clicking their link in the search results directs you to the hacker’s website. From there, threat actors can steal your information when you interact with the site and/or enter sensitive data.
Hacker sites can pose as any type of website, but the prime candidates are banking, money transfer, social media, and shopping sites.
So what can you do?
Phishing has been a common cyberthreat for the longest time, even before I was born! And it is unlikely to stop anytime soon, especially as cybercriminals are constantly changing their methods to make them more complex and harder to identify!
Therefore, it is crucial that all employees are aware of these common phishing methods so they can avoid falling victim to an attack.
However, it only takes one employee opening a malicious link or file to cause a company-wide data breach. Thus, it is in a company’s best interest to ensure that all employees, especially executives, undergo cybersecurity awareness training.