Phishing has existed since the birth of the internet. The first phishing attacks happened in the mid-1990s when hackers used America Online (AOL) to steal passwords and credit card information. Since then, these threats have evolved.
Now, we see many more types of phishing attacks emerging.
At its core, phishing is an illegal cyber activity that uses social engineering to manipulate a person into unknowingly handing information to the attackers. Countless organizations have fallen victim to phishing schemes, especially since cybercriminals have adopted more sophisticated tactics in carrying out their scams. But one way of protecting your enterprise is to understand the six types of phishing attacks and learn how to spot them.
This article is part of a series about phishing.
1. Deceptive/Email Phishing
Deceptive phishing is among the most rampant types of phishing. In this scheme, fraudsters pose as a legitimate company to steal people’s personal information or login credentials. These emails are laden with threats and urgency to scare users into doing what the attackers want.
Real-Life Example:
There’s no shortage of deceptive phishing headlines. In July 2021, Microsoft Security Intelligence reported an attack operation that used spoofing techniques to disguise their sender email addresses to contain target usernames and domains.
The following images show how they did it.
The operation’s emails used a SharePoint lure to direct recipients to an Office 365 phishing page.
Here, users received an email pointing to a shared document, which could be anything from a Staff Report sheet to Pricebook Changes, as seen in the next photo.
After clicking the link, users are directed to a login page where they have to enter their credentials. Unfortunately, the login page is a fake used to harvest their information.
The bait was effective and enabled the attackers to access sensitive corporate files like Staff Reports, Bonuses, and Price books.
Tal Zamir, CTO, Perception Point
Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.
TIPS FROM THE EXPERTS
- Deploy domain-based message authentication mechanisms. Utilize Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help prevent attackers from spoofing your domain and protect against deceptive email phishing.
- Leverage behavioral analysis for anomaly detection. Incorporate behavioral analysis tools that can detect anomalies in user email habits, such as logging in from unusual locations or accessing atypical data, which could indicate a compromised account or spear-phishing attack.
- Use multi-factor authentication (MFA) with contextual prompts. Implement MFA solutions that use contextual factors (like device type, location, or time) to verify the authenticity of login attempts. This reduces the likelihood of credential theft success even in the event of a phishing attack.
- Conduct simulated phishing attacks with varied difficulty levels. Regularly run phishing simulations with varying levels of sophistication. This not only tests employee awareness but also helps identify gaps in your defenses against advanced phishing tactics.
- Establish a real-time incident response team. Set up a dedicated team that can respond in real time to phishing incidents. This team should have the authority to immediately take actions like blocking compromised accounts, halting fraudulent transactions, and alerting affected individuals.
- Integrate email quarantine systems with AI-driven threat intelligence. Use AI-driven threat intelligence to enhance email quarantine systems. This allows for more precise identification of phishing attempts, minimizing false positives while still catching sophisticated threats.
2. Spear Phishing
In spear phishing, attack emails are customized with the target’s personal information (e.g., name, address, phone number) to fool the recipient into thinking they have a connection with the sender. The goal is the same as with deceptive phishing: trick the victim into handing over their personal information.
Real-Life Example:
In a press release from the US Department of Justice (DOJ), Oyedele Aro Benjamin, 27, was sentenced to two years in prison and was monitored by the US Probation Office for three years. Benjamin attempted to cash a $300,000 check at Regions Bank that had been obtained fraudulently through a business email compromise (BEC) scheme. BEC falls under spear phishing since it uses seemingly legitimate information to lure victims.
BEC has increased dramatically in the past year. This spike has been attributed to the prevalence of remote working, which makes email systems highly vulnerable. We have compiled some tips on preventing this type of phishing attack in this blog.
3. Whaling
Anyone in a company, including executives, can become the target of a spear-phishing scam. In a whaling attack, however, hackers attempt to harpoon only executives and steal their login information.
Real-Life Example:
This report from Naked Security details the case of Evaldas Rimasauskas, a cyber attacker who spent five years in prison for stealing $122 million from two large American corporations. He did this by sending fake invoices while impersonating an executive from a Taiwanese company.
4. Vishing
Most phishing attacks use email, but attackers sometimes use other channels. Consider vishing, or “voice phishing,” which uses a phone call instead of an email.
Real-Life Example:
Threatpost wrote about a vishing campaign in June 2021 that sent out emails disguised as renewal notifications for an annual protection service. The emails had the legitimate branding from Geek Squad instructing recipients to call a phone number. If they called, they would go through the “billing department,” which then attempted to steal callers’ personal information and payment card details.
5. Smishing
Vishing isn’t the only type of phishing attack that digital criminals orchestrate through mobile phones. There’s also “smishing,” which uses text messages to dupe users into clicking a malicious link or disclosing personal information.
Real-Life Example:
In April 2021, Security Boulevard warned that malicious actors were using smishing messages disguised as USPS updates. Those messages directed recipients to a landing page intended to steal their credit card information and other personal information.
6. Pharming
Social media provides a host of opportunities for deception and fraud. Fake URLs, cloned websites, posts, and tweets are all used to trick targets into disclosing sensitive information or downloading malware. Criminals can also use the information that people willingly share on social media to launch focused attacks.
Real-Life Example:
Back in 2016, thousands of Facebook users received notifications that someone had mentioned them in a post. The message triggered a two-stage attack. The first stage installed a Trojan containing a malicious Chrome browser extension. In the second stage, the criminal was able to hijack the user’s account when the user next logged in to Facebook using the compromised browser.
Your Last Line of Defense
With phishing attacks increasing worldwide, it is crucial to stay vigilant. You can implement measures like getting quality email security services to safeguard your inbox. But when all else fails, engage your employees to act as the last line of defense against these attacks. You can do several things to get everyone on board like:
- Including email security know-how in the onboarding process,
- Sending email reminders every month,
- Keeping employees updated with the latest cyber threat trends,
- Including it in your all-hands meeting,
- Allowing employees to participate in a discussion about cyber threats, and
- Conducting drills to test how well-versed your employees are.
Now more than ever, education and awareness about the different types of phishing attacks are needed. Luckily, getting informed is easy with Perception Point’s webinars. You can also read through our resources and news articles for more details on how Perception Point can help level up your email defenses. Remember, the first step to better email security starts with you.