The attacks of phishing has been in the news since the dawn on the web. Cybercriminals spread the first phishing attacks in the mid-1990s, using the America Online (AOL) service to steal passwords and credit card information. While modern attacks use similar social engineering models, cybercriminals use more advanced tactics. Phishing, at its core, is an attack methodology that uses social engineering tactics to get someone to take action against their self-interest. There are many different types of phishing, and they are usually classified according to who the target and the attacker are. With a better understanding of the 13 types of phishing attacks and how to identify them, organizations can more effectively protect their users and data.
1. E-mail Phishing
E-mail phishing also called “spoofing phishing,” is one of the most well-known types of attacks. Malicious hackers send users e-mails that impersonate a known brand or organization. These e-mails often use social engineering tactics to create a heightened sense of urgency and then get people to click on a link or download an asset. Their purpose is to reveal a specific action from the victim, such as clicking on a malicious link that takes them to a fake login page. After entering their credentials, victims, unfortunately, deliver their personal information directly into the hands of the scammer. Downloads, usually PDFs, contain malicious content that installs malware when the user opens the document.
Email Phishing Example
An unauthorized computer attack targeting two employees was carried out at a US healthcare provider. The attacker accessed employees’ e-mail accounts, exposing the personal information of more than 100,000 elderly patients, including names, dates of birth, financial and banking information, Social Security numbers, driver’s license numbers, and insurance information.
How to identify E-mail Phishing:
Most people are familiar with some of the primary indicators of an E-mail Phishing attack. However, some traditional things to consider when trying to reduce risk include:
• Legitimate information: Look for contact information or other legitimate information about the fraudulent organization. Then look to identify things like typos or the wrong domain name, sender e-mail address.
• Malicious and harmless code: Beware of anything, including downloads or links with typos.
• Shortened links: Make sure the link is in the original, long-tail format and shows all parts of the URL. Do not click on any shortened links.
• Fake brand logo: Review the message for real-looking logos as they may contain fake, malicious HTML features.
• Small text: Beware of e-mails with only one image and very little text, as the image may be hiding malicious code.
• Hypertext: These are “clickable” links embedded in the text to hide the real URL.
2. Spear Phishing
Although Spear uses phishing e-mail, it requires a more targeted approach. Cybercriminals start by using open-source intelligence (OSINT) to gather information from published or publicly available sources, such as social media or a company’s website. They then target specific contacts within the organization using real names, business functions, or business phone numbers to make the recipient think the e-mail is from someone else within the organization. Ultimately, the person takes action indicated in the e-mail, as the recipient believes this is an internal request.
Spear phishing involves sending malicious e-mails to specific individuals in an organization. Rather than sending mass e-mails to thousands of recipients, this method targets specific employees at specially selected companies. These types of e-mails are often more personalized to make the victim believe they have a relationship with the sender.
Spear Phishing Example
A Spear phishing attack was carried out against an executive at a company named one of the top 50 innovative companies in the world. The e-mail contained an attachment that looked like an internal financial report that redirected the administrator to a fake Microsoft Office 365 login page. On the fake login page, the username of the administrator is pre-entered on the page, which is added in addition to the appearance of the fake web page.
How to identify spear phishing:
• Abnormal request: Beware of internal requests from people in other departments or that seem unusual given the function of the job.
• Shared drive links: Be wary of links to documents stored on shared drives such as Google Suite, Office 365 and Dropbox as they may lead to a fake, malicious website.
• Password protected documents: Any document that requires a user login ID and password may be an attempt to steal credentials.
3. Smishing
SMS phishing or Smishing uses text messages instead of e-mail to carry out a phishing attack. The practice is to send texts requesting a person to take action. They work in much the same way as email-based phishing attacks: Attackers send a text with malicious links from seemingly legitimate sources (such as trusted businesses). Usually, the text contains a link that, when clicked, installs malware on the user’s device. The links may be disguised as a coupon code (20% off your next order!) or an offer for a chance to win something like concert tickets.
Smishing Example
Using a post office’s information as a smishing campaign, the attackers sent SMS messages informing buyers that they had to click on a link to view important information about delivery. The malicious link took victims to various websites intended to steal the visitors’ Google account credentials.
How to identify Smishing:
• Change of delivery status: A text requesting the buyer to take action to change the delivery will contain a link, so always search for e-mails or go directly to the delivery service website to check the status.
• Abnormal area code: Before responding to a text or taking a suggested action, review the area code and compare it to your contact list.
4. Whaling/CEO Fraud
Another type of corporate phishing that exploits OSINT is Whaling Phishing, also called Whaling or CEO Fraud. Attackers use social media or the corporate website to find the name of the organization’s CEO or another senior leadership member. Then, they impersonate the victim by using an identical e-mail address. With the compromised account in their possession, they send e-mails to employees within the organization to initiate a fraudulent bank transfer or obtain money through fraudulent invoices. The e-mail can request a money transfer or ask the recipient to review a document.
Whaling Phishing is very similar to Spear phishing, but instead of going after any employee at a company, scammers specifically target senior executives (or “big fish”, hence the term whaling). This includes the CEO, CFO or any senior executive who has access to more sensitive data than lower-level employees. Usually, these e-mails use a high-pressure situation to bind their victims, such as conveying a statement from the sued company. This encourages buyers to click on the malicious link or attachment to learn more.
Whaling Phishing Examples
1) In November 2020, a whaling attack was carried out against the co-founder of a prominent company in Australia. The co-founder received an e-mail containing a fake Zoom link that had malware embedded in the hedge fund’s corporate network, resulting in a loss of almost $8.7 million in fake invoices. The company ultimately lost just $800,000 financially. But the ensuing reputational loss resulted in the loss of the hedge fund’s largest client, forcing the company to shut down permanently.
2) A CEO fraud attack was carried out against an aerospace company in Austria. This attack involved a phishing e-mail sent to a low-level accountant who appeared to belong to the company’s CEO. The e-mail relayed information about the funding needed for a new project, and the accountant unknowingly transferred $61 million into fake foreign accounts.
How to identify Whaling Phishing:
• Abnormal request: If a senior leadership member has never communicated before, be cautious about taking the requested action.
• Recipient e-mail: Since many people use e-mail applications that connect all e-mail addresses, make sure that any seemingly normal request is sent to a non-personal business e-mail.
5. Vishing
Voice phishing or “vishing” occurs when a cybercriminal calls a phone number and creates a high sense of urgency that causes a person to take action against their own best interests. Vishing is similar to Smishing in that a phone is used as an attack tool, but instead of exploiting victims via text message, it is done with a phone call. These calls normally occur during stressful times. A vishing call usually forwards an automated voice message from a place intended to appear as a legitimate institution, such as a bank or a government agency.
Vishing Examples
For example, many people receive fake calls during tax season from alleged Tax people saying they want to do an audit and need a social security number. Because the call creates a sense of panic and urgency, the recipient can be tricked into giving their personal information.
Attackers may claim that you owe a large amount of debt, your auto insurance has expired, or your credit card has a suspicious activity that needs to be fixed immediately. At this point, the victim is often told that they must provide personal information such as credit card identification or social security number to verify their identity before taking action if any allegations are made.
How to determine vishing:
• Caller number: The number may be from an unusual location, or it may have been blocked.
• Timing: The timing of the call coincides with a season or event that is causing the stress.
• Requested action: The call requests personal information that seems unusual for the caller type.
6. Angler Phishing
Angler phishing is when a cybercriminal uses notifications or direct messaging features in a social media app to persuade someone to take action.
As a relatively new attack vector, social media offers a variety of ways for criminals to deceive people. Fake URLs; cloned websites, posts and tweets; and instant messaging (essentially the same as Smishing) can be used to entice people to disclose sensitive information or download malware.
Alternatively, criminals can use data that people willingly share on social media to create highly targeted attacks.
Angler Phishing Example
In 2016, thousands of Facebook users received messages saying they were mentioned in a post. The message was initiated by criminals and launched a two-stage attack. The first stage downloaded a Trojan horse containing a malicious Chrome browser extension onto the user’s computer.
The next time the user logs into Facebook using the compromised browser, the culprit manages to hijack the user’s account. They were able to change their privacy settings, steal data and spread the infection through the victim’s Facebook friends.
How to identify Angler phishing:
• Notifications: Be wary of notifications that say they’ve been attached to a post, as they may contain links that direct recipients to malicious websites.
• Abnormal direct messages: Beware of direct messages from people who rarely use the feature, as the account may be fake or fraudulently recreated.
• Links to websites: Never click on a link in a direct message, even if it seems legitimate, unless the sender regularly posts interesting links in this way.
7. Pharming
A combination of the words “Phishing” and “Pharming”, Pharming involves hackers using web browsing mechanics to redirect users to malicious websites, often by targeting DNS (Domain Name System) servers. Pharming is more technical and often harder to detect.
DNS servers are used to redirect web requests to the right IP address. Attackers hijack DNS. Then, when a user types the website address, the DNS server redirects the user to the IP address of a malicious website that may appear real. Victims’ personal data becomes vulnerable to hacker stealing when they enter the website with a broken DNS server.
Pharming Example
In 2019, there was a pharming attack targeting a volunteer humanitarian campaign in Venezuela. The campaign included a website where volunteers could sign up to join the campaign, and the site asked them to provide data such as name, personal ID, mobile phone number, home location.
A few days after the website was launched, an almost identical website with a similar domain surfaced. The hacker has created this fake domain with an IP address that is the same that was used to create the original website. Every time a volunteer opened the real website, all the personal data he entered was filtered into the fake website, resulting in data theft of thousands of volunteers.
How to determine Pharming:
• Unsafe website: Look for a website that is HTTP, not HTTPS.
• Website inconsistencies: Be aware of inconsistencies that indicate a fake website, including incompatible colours, typos, or strange fonts.
8. Pop-up Phishing
Although most people use pop-up blockers, pop-up phishing is still a risk. Hackers can insert malicious code into small notification boxes called pop-ups that appear when people go to websites. The most recent version of pop-up-phishing makes use of Web browser’s “notifications” feature.
Pop-up Phishing Example
For example, when someone visits a website, the browser sends the message “www.thisisabadlifechoice.com wants to show notifications” to the person. When the user clicks “Allow”, the pop-up loads malicious code.
How to identify pop-up phishing:
• Irregularities: Review for typos or abnormal colour schemes.
• Switching to full-screen mode: Malicious pop-ups can switch the browser to full-screen mode, so any automatic change in screen size can be an indicator.
9. Clone Phishing
If you’ve ever received a legitimate e-mail from a company only to receive the same message shortly after, you’ve witnessed clone phishing at work. This phishing method works by making a malicious copy of a message you’ve recently received and resending it from an ostensibly trusted source. Any links or attachments in the original e-mail are replaced with malicious ones. Attackers often use the excuse of resending the message because of problems with the link or attachments in the previous e-mail.
Examples of Clone Phishing
A security researcher has demonstrated the possibility of tracking an e-mail link to a fake website that appears to display the correct URL in the browser window but tricks users into using characters that look very similar to the legitimate domain name. Always visit websites from your own bookmarks or by typing the URL yourself, and never click on a link (even if it seems legitimate) from an unexpected e-mail.
For example, many organizations use DocuSign to send and receive electronic contracts, so malicious people can create fake e-mails for this service.
How to identify clone phishing:
• Abnormal scheduling: Be alert to unexpected e-mails from a service provider, even if it is part of the normal daily business function.
• Personal information: Beware of e-mails that request personal information that the service provider never asks for.
10. Evil Twin Phishing
Evil Twin Phishing uses a fake WiFi hotspot that can block data in transit, often making it appear legitimate. When they enter the site, they are often asked to enter their personal data, such as login credentials, and then it goes straight to the hacker. Once the hacker has these details, they can gain access to the network, gain control of the network, monitor unencrypted traffic, and find ways to steal sensitive information and data.
Evil Twin Phishing Example
In September 2020, a data breach occurred against the internal systems of the US Department of the Interior. Hackers employed Evil Twin Phishing in order to obtain credentials, and gain access to departments’ WiFi network. Further investigation revealed that the department was not operating within a secure wireless network infrastructure and that the department’s network policy had failed to ensure that bureaus implemented strong user authentication measures, periodically tested network security, or required network monitoring to detect and manage common attacks.
How to identify Evil Twin Phishing:
• “Not secure”: Be wary of any hotspot that triggers an “unsafe” alert on a device, even if it looks familiar.
• Requires login: Any hotspot that does not normally require login credentials but suddenly prompts for login is suspect.
11. Watering Hole Phishing
Another sophisticated phishing attack, Watering Hole Phishing, begins when hackers investigate websites frequently visited by company employees and then infect the IP address with malicious code or downloads. These may be websites that provide industry news or websites of third-party vendors. It downloads the malicious code when the user visits the website.
Watering Hole Phishing Example
First, the attacker identifies a website or service that the targeted victim is already using and familiar with. Overall, the target site has relatively low security, is frequently visited, and is popular with the targeted victim. The attacker then compromises the target site and adds a malicious code payload to the site, usually in the form of JavaScript or HyperText Markup Language (HTML). When the victim visits the compromised site, the payload is triggered and initiates an exploit chain to infect the victim’s computer.
How to identify watering hole phishing:
• Pay attention to browser warnings: If a browser indicates that a site may have malicious code, do not continue to the website, even if it is being used normally.
• Monitor firewall rules: Make sure firewall rules are constantly updated and monitored to prevent traffic from a compromised website.
12. Social Media Phishing
Social media phishing is when attackers use social networking sites such as Facebook, Twitter, and Instagram to obtain sensitive data from victims or persuade them to click on malicious links. Hackers can create fake accounts by impersonating someone the victim knows to lure them in or impersonate a well-known brand’s customer service account to hunt down victims who reach out to the brand for support.
Social Media Phishing Example
A victim received a private message from an official North Face account claiming a copyright infringement, asking him to follow a link to “InstagramHelpNotice.com,” an apparently legitimate website where users are asked to enter their login credentials. The trapped victims eventually gave hackers access to their account information and other personal data linked to their Instagram accounts.
13. Search Engine Phishing
Search Engine Phishing involves hackers creating their own websites and indexing them on legitimate search engines. These websites often offer cheap products and incredible deals to lure unsuspecting online shoppers who see the website on a Google search result page. If they click, they are usually asked to open an account or enter their bank account information to complete a purchase. Of course, scammers come back later and steal this personal data to be used for financial gain or identity theft.
Example of Search Engine Phishing
In 2020, Google reported that 25 billion spam pages were detected every day, from spam websites to phishing web pages. Additionally, it was reported that a new phishing site was launched every 20 seconds in 2020. This means that three new phishing sites appear on search engines every minute!
