A phishing attack is an attempt to gain access to one’s personal information through social engineering and manipulation. Phishing attacks often take the form of emails or text messages written in a way to get the reader to perform an action that compromises their security or privacy.
For example, a hacker may send an employee an email pretending to be the company’s CEO. The email may look important, but it may make a strange ask like encouraging the employee to pick up gift cards. It may also stress urgency and discretion. All these signs point to the fact that something seems ... fishy.
What Is a Phishing Attack?
Phishing is a form of social engineering where a scammer uses psychological manipulation to trick people into completing actions that benefit the scammer. In phishing attacks, fraudsters often send emails pretending to be a trusted person like a colleague, family member, friend or business representative. The goal of a phishing email is either to get the reader to reveal sensitive information or click a link that exposes their device to malware.
Phishing “mostly depends on peoples’ habits and emotions to cloud their judgment,” said David Nuti, senior vice president of Nord Security-North America.
While phishing emails can be difficult to distinguish from legitimate emails, typos and stilted language are usually giveaways. Email signatures and display names might also appear identical to the real source, but the actual email address will be suspicious. That said, hackers may leverage other mediums at their disposal to carry out a phishing scheme, depending on the type of attack.
Types of Phishing Attacks
To avoid falling victim to this common trap set by cybercriminals, be on the lookout for these 18 different types of phishing attacks.
Spear Phishing
Spear phishing is when an attacker targets a specific individual in an organization in an attempt to steal their workplace credentials. They use publicly available sources to find out information about the recipient — like their name, employer, job title, contact information and trusted colleagues — as well as the person they’re impersonating. This information is used to make the scammer look legitimate and allow them to manipulate the recipients into tasks like sending money or clicking a dangerous link.
“The spear phishing one is actually the most dangerous one that we’ve seen, the ones that people are most likely to fall for,” said Jason Hong, a professor of computer science at Carnegie Mellon University. He and his colleagues did some research on employees at their university, sending fake phishing emails from an information security officer, and they found that nearly 50 percent of people fell for these fake emails.
Whaling
Whaling is spear phishing, but it’s an attack that specifically targets a senior executive or people in management roles with access to highly sensitive information. These attacks usually involve highly personalized messages based on information found publicly about the leaders. Messages will include fake links to steal the executive’s credentials and gain access to sensitive company information. CEO fraud can happen through whaling where a cybercriminal compromises the CEO’s accounts and sends messages to initiate wire transfers or request sensitive employee information like W2s in order to sell the data on the dark web.
Email Phishing
Email phishing broadly occurs when a cybercriminal sends an email that looks legitimate in an attempt to trick the recipient into replying or clicking on a link that will allow them to steal their personal information or install malware. They can be posing as trusted entities like friends, family members or company representatives.
Oftentimes, fraudsters will register fake domain names and email addresses to look like legitimate people and organizations. They might simply add or subtract a letter from an official email account, so their fraudulent account isn’t easy to detect.
Deceptive Phishing
Deceptive phishing involves the scammer impersonating a legitimate company or real person to steal personal data or login credentials. There’s usually a sense of urgency or a threat in the email to scare the recipient into acting.
Vishing
Vishing, or voice phishing, is when a scammer uses the phone to try to steal personal information, often pretending to be a trusted friend or business representative. These are those unsolicited calls you get about your “loan application” or to follow up on your “car insurance.”
Smishing
Smishing is the practice of sending fraudulent text messages with the intention of getting the recipient to send personal information or to click a malicious link. Sometimes clicking such a link will prompt the automatic download of a dangerous app that deploys malware.
HTTPS Phishing
HTTPS phishing occurs when a scammer sends an email with a link to a fake HTTPS website. Victims are usually prompted to enter their private information on the site. HTTPS addresses are typically considered secure because they use encryption for added security, but advanced scammers are even using HTTPS for their fraudulent websites.
Website Spoofing
Website spoofing refers to the creation of a fake website that looks like a legitimate company’s website. The URL is changed only slightly, like “amazon.com” being changed to something like “arnazon.com.” At a quick glance, the “r” and “n” together can look like an “m” and trick users into thinking they are on the real Amazon website. If a victim falls for the trick, they might enter their login credentials into the wrong site, and the hacker promptly steals them.
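As an added illustration (not code from the original article), the following Python checker flags the two tricks described under Email Phishing and Website Spoofing: lookalike character sequences such as “rn” for “m”, and a domain that is one letter added to or removed from a trusted one. The allow-list of trusted domains and the sample URLs are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list for this example (assumption): domains the reader's organisation trusts.
TRUSTED_DOMAINS = {"amazon.com", "dropbox.com", "example-corp.com"}

# Character sequences that render alike in many fonts, e.g. the "rn" vs "m" trick behind arnazon.com.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable_domain(url_or_host: str) -> str:
    """Extract the host and keep its last two labels (naive: no public-suffix list)."""
    host = urlparse(url_or_host if "://" in url_or_host else "//" + url_or_host).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(domain: str) -> str:
    """Replace lookalike sequences so that arnazon.com folds to amazon.com."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 catches one added or removed letter (amazn.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = registrable_domain(url_or_host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    folded = fold_confusables(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == fold_confusables(trusted) or edit_distance(domain, trusted) == 1:
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links: one genuine, two lookalikes, one unrelated.
    for sample in ("https://www.amazon.com/cart", "https://login.arnazon.com/",
                   "http://amazn.com", "https://example.org"):
        print(sample, "->", classify(sample))
```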
Pharming
Pharming happens when a victim accidentally installs malicious code on their computer by clicking a fake website link. The scammer alters domain name system (DNS) records to redirect the user from a legitimate website to a malicious site.
Pop-up Phishing
Pop-up phishing attacks involve a pop-up message on the user’s computer, usually warning about a security issue on the device and prompting the user to click a button to connect with a support center. Doing so will often initiate the download of a dangerous malware file. While advanced hackers can get around these measures, users can protect themselves in some cases by using pop-up blockers and not allowing a website to send notifications.
Watering Hole Phishing
Watering hole phishing happens when a scammer targets a group of users by identifying a site they frequently visit. The hackers lure the victims to a malicious site where they install malware to try to gain access to an organization’s network.
Clone Phishing
Clone phishing occurs when a scammer sends a message that’s identical to one already received, but with a link swapped for a malicious one. The fraudster might frame the email as a “resend” of the original and use the original sender’s name.
Evil Twin Phishing
Evil twin phishing happens when a cybercriminal sets up a fake Wi-Fi network that looks legitimate. Victims often log into the fake network using their real credentials, and the hacker captures that information. This can also take the form of a fraudulent Wi-Fi hotspot that intercepts sensitive data. Avoid Wi-Fi networks that trigger “unsecure” warnings.
Angler Phishing
Angler phishing is the use of fraudulent social media accounts to trick people into providing personal information or installing malware. Angler phishing might take the form of a scammer creating a social media account that looks like a legitimate company page, but with a slight change in the username from the official account.
Man-in-the-Middle Attacks
Man-in-the-middle attacks happen when a scammer gets in the middle of a user’s communications with an application to steal the information exchanged between them, like login credentials.
Image Phishing
Image phishing involves a scammer hiding dangerous code in images and HTML files so that malware is automatically downloaded when a user clicks on them. This allows the hacker to steal personal information or infect the computer with the downloaded malware.
Search Engine Phishing
Search engine phishing involves the creation of fake products that pop up on a search engine. The victim is prompted to enter financial and personal information to purchase, which the scammer steals.
File Sharing Phishing
Scammers are known to conduct Dropbox and Google Docs phishing by sending emails that appear to be from these file-sharing websites, prompting the recipient to log in. The hacker can then access private files and photos to take the account hostage and steal sensitive information. Two-factor authentication is one protection against this type of scam.
Phishing vs. Smishing
Both phishing and smishing employ social engineering techniques like impersonating a trusted contact to trick someone into revealing personal information or compromising their device’s security. However, smishing solely involves sending messages via text or messaging apps to deceive a victim while phishing mostly takes place via email.
Tips to Avoid a Phishing Attack
As long as the internet has been around, cybercriminals have used phishing to trick people into handing over sensitive information or access to their device. But individuals and organizations can avoid phishing attacks by following a few tips.
1. Remain Aware in All Settings
It’s not just those who are less computer savvy who fall for these tricks — even highly advanced tech companies and government agencies can fall victim, Hong said. “It’s really hard to identify these sometimes, so that’s why you have to be really vigilant.”
2. Read URLs and Other Links Carefully
Through a National Science Foundation grant, Hong and other computer scientists began studying why people fall for phishing attacks. One of the main reasons was that a lot of people didn’t pay attention to the URLs in their browser. He and his colleagues then created a popular online game called Anti-Phishing Phil to help people practice identifying dangerous URLs.
3. Seek Confirmation From the Supposed Source
Hong has also worked with companies to conduct simulated phishing attacks and subsequent training for employees who clicked on the pretend phishing emails, providing tips for how to steer clear of these scams.
“Avoid clicking on weird links. Use search engines,” Hong said. “If someone is also asking you to do something, and it seems unusual, just confirm with the individual.”
Frequently Asked Questions
What is a phishing attack?
A phishing attack is when a hacker impersonates a trusted person to trick someone into revealing sensitive information or exposing their device to malware. Phishing attacks often occur in the form of emails that may emphasize urgency and discretion while making an unusual or suspicious ask of the reader.
What are the most common phishing attacks?
Common phishing attacks include email phishing, spear phishing, vishing and smishing.
What is the difference between phishing and smishing?
Phishing involves sending deceitful messages via email while smishing focuses on sending messages via text or other messaging apps.