Phishing has existed since the birth of the internet. The first phishing attacks happened in the mid-1990s when hackers used America Online (AOL) to steal passwords and credit card information. Since then, these threats have evolved. Now, we see many more types of phishing attacks emerging. 

At its core, phishing is an illegal cyber activity that employs social engineering tactics to get a person to unknowingly fall victim to cybercrime by providing information to the attackers. Countless organizations have fallen victim to phishing schemes. Especially since cybercriminals have adopted more sophisticated tactics in carrying out their scams. But one way of protecting your enterprise is to understand the six types of phishing attacks and learn how to spot them. 

Find out how your organization can protect confidential information from cyber  attacks in the latest Gartner Market Guide for Email Security. Click here.

Deceptive/Email Phishing

Deceptive phishing is among the most rampant types of phishing. In this scheme, fraudsters pose as a legitimate company to steal people’s personal information or login credentials. These emails  are laden with threats and urgency to scare users into doing what the attackers want.

Real-Life Example:

There’s no shortage of deceptive phishing headlines. In July 2021, Microsoft Security Intelligence reported an attack operation that used spoofing techniques to disguise their sender email addresses to contain target usernames and domains. 

The following images show how they did it. 

The operation’s emails used a SharePoint lure to direct recipients to an Office 365 phishing page. 

Here, users received an email with an attachment to a document. This document could be anything from a Staff Report sheet to Pricebook Changes as seen in the next photo. 

After clicking the link, users are directed to a login page where users have to log in with their credentials. Unfortunately, the login page is just a dupe used to extract their information. 

The bait was effective and enabled the attackers to access sensitive corporate files like Staff Reports, Bonuses, and Price books. 

Spear Phishing

In spear phishing, attack emails are customized with the target’s personal information (e.g., name, address, phone number) to fool the recipient into thinking they have a connection with the sender. The goal is the same as with deceptive phishing: trick the victim into handing over their personal information.

Real-Life Example: 

In a press release from the US Department of Justice (DOJ), Oyedele Aro Benjamin, 27, was sentenced to two years in prison and was monitored by the US Probation Office for three years. Benjamin attempted to cash a $300,000 check out of Regions Bank obtained fraudulently through a business email compromise (BEC) scheme. BEC falls under spear-phishing since it uses seemingly legitimate information to lure victims. 

BEC has increased dramatically in the past year. This spike has been attributed to the prevalence of remote working, making email systems highly vulnerable. We have compiled some tips on preventing this type of phishing attack in this blog

New call-to-action

Whaling

Anyone in a company, including executives, can become the target in a spear-phishing scam. However, in a whaling attack, hackers attempt to only harpoon executives and steal their login information.

Real-Life Example: 

This report from Naked Security details the case of Evaldas Rimasauskas. A cyber attacker spent five years in prison for stealing $122 million from two large American corporations. He did this by sending out fake invoices while impersonating an executive from a Taiwanese company. 

Vishing

Most phishing attacks primarily use email. However, other channels are sometimes used to carry out their attacks. Consider vishing or “voice phishing.” This type of phishing attack uses a phone call instead of an email. 

Real-Life Example:

Threatpost wrote about a vishing campaign in June 2021 that sent out emails disguised as renewal notifications for an annual protection service. The emails had the legitimate branding from Geek Squad instructing recipients to call a phone number. If they called, they would go through the “billing department,” which then attempted to steal callers’ personal information and payment card details.

Smishing

Vishing isn’t the only type of phishing attack that digital criminals orchestrate through mobile phones. There’s also a “smishing” method that employs text messages to dupe users to click on a malicious link or disclose personal information.

Real-Life Example: 

In April 2021, Security Boulevard warned that malicious actors were using smishing messages disguised as USPS updates. Those messages directed recipients to a landing page intended to steal their credit card information and other personal information.

Pharming

Social media provides a host of opportunities for deception and fraud. Fake URLs, cloned websites, posts, and tweets are all used to trick targets into disclosing sensitive information or downloading malware. Criminals can also use the information that people willingly share on social media to launch focused attacks.

Real-Life Example: 

Back in 2016, thousands of Facebook users received notifications that someone mentioned them in a post. The message sent triggered a two-stage attack. The first stage installed a Trojan containing a malicious Chrome browser extension. In the second stage, the criminal was able to hijack the user’s account when the user next logged in to Facebook using the compromised browser.

Your Last Line of Defense

With phishing attacks increasing worldwide, it is crucial to stay vigilant. You can implement measures like getting quality email security services to safeguard your inbox. But when all else fails, engage your employees to act as the last line of defense against these attacks. You can do several things to get everyone on board like: 

  1. Including email security know-how in the onboarding process,
  2. Sending email reminders every month, 
  3. Keeping employees updated with the latest cyber threat trends,
  4. Including it in your all-hands meeting, 
  5. Allowing employees to participate in a discussion about cyber threats, and 
  6. Conducting drills to test how well-versed your employees are. 

Now more than ever, education and awareness about the different types of phishing attacks is needed. Luckily, getting informed is easy with Perception Point’s webinars. You can also read through our resources and news articles for more details on how Perception Point can help level up your email defenses. Remember, the first step to better email security starts with you.

gartner email security guide