It might look like an important email from your company’s CEO. The message is personalized and asks you to pick up gift cards. It’s urgent, of course. And be discreet!
It’s a phishing attack. Typos and stilted language used to be dead giveaways, but many of these messages are now polished. The signature and the display name may match the real person exactly; what gives the message away is the actual sending address, which turns out to be a personal account or a lookalike domain rather than the company’s own. Check the address itself, not the name shown beside it.
This type of email is an example of a common phishing attack where a fraudster pretends to be a trusted person like a colleague, family member, friend or business representative in order to get money or personal information through trickery or malware.
What is phishing?
“Phishing is a scam technique that uses fake messages, websites and social engineering to lure information or money out of people and businesses. It mostly depends on peoples’ habits and emotions to cloud their judgment,” said David Nuti, senior vice president of Nord Security-North America to Built In via email. “Although phishing has been around since the early days of the internet, it’s still one of the most widespread forms of cyberattack, where 32 percent of all data breaches in more recent years involved phishing.”
Don’t let cybercriminals steal your money and information. Be on the lookout for these 18 different types of phishing attacks.
Types of Phishing Attacks
Spear Phishing
Spear phishing is when an attacker targets a specific individual (or a small group) in an organization, usually to steal their workplace credentials or to get them to take an action such as approving a payment. The attacker first uses sources like LinkedIn to learn the recipient’s name, employer, job title, contact information and trusted colleagues.
They also use public sources to research the person they are impersonating. This information makes the scammer look legitimate and lets them manipulate the recipient into tasks like sending money or clicking a dangerous URL.
“The spear phishing one is actually the most dangerous one that we’ve seen, the ones that people are most likely to fall for,” said Jason Hong, a professor of computer science at Carnegie Mellon University. He and his colleagues did some research with employees at their university, sending fake phishing emails from an information security officer, and they found that nearly 50 percent of people fell for these fake emails.
One business email compromise scheme built on this kind of research cost Google and Facebook around $100 million: over two years the scammer posed as a Taiwanese hardware supplier both companies actually used and emailed invoices that their finance teams paid.
Whaling
Whaling is spear phishing aimed specifically at senior executives or managers with access to highly sensitive information. The messages are highly personalized, built from what is publicly known about the leader, and carry fake links designed to capture the executive’s credentials and open the door to company data. CEO fraud is the follow-on: a cybercriminal who has compromised the CEO’s account, or who simply spoofs the CEO’s name and address, sends messages that initiate wire transfers or request sensitive employee information such as W-2 forms, which are then sold on the dark web.
Email Phishing
Email phishing, broadly, is a cybercriminal sending an email that looks legitimate to trick the recipient into replying or clicking a link that lets the attacker steal personal information or install malware. The sender may pose as a friend, a family member or a company representative.
Fraudsters often register lookalike domain names and email addresses. Adding, dropping or swapping a single letter in an official domain is enough to produce an address that reads as genuine at a glance.
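The display-name trick from the opening example (a familiar name shown over an unfamiliar address) can be checked mechanically from the headers. The following Python is an added example, not code from the article or from any vendor quoted in it. It assumes the real company domain is examplecorp.com and uses a constructed raw message; it parses the From, Reply-To and Authentication-Results headers with the standard library and reports the mismatches a careful reader would look for.

```python
"""Header triage for display-name spoofing (added example, not from the article).
Assumptions: the company's real domain is examplecorp.com; the message below is
constructed and its Authentication-Results line is what a receiving mail server
would have added."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the name says CEO, the address is an outside lookalike,
# Reply-To points somewhere else again, and DMARC did not pass.
RAW_MESSAGE = """\
From: "Jane Doe (CEO)" <jane.doe@examplecorp-mail.com>
Reply-To: ceo.janedoe@gmail.com
To: alex@examplecorp.com
Subject: Quick favor - urgent and confidential
Authentication-Results: mx.examplecorp.com; spf=pass smtp.mailfrom=examplecorp-mail.com; dkim=none; dmarc=fail header.from=examplecorp-mail.com

Are you at your desk? I need you to buy some gift cards for a client today.
Keep this between us for now.
"""

EXPECTED_DOMAIN = "examplecorp.com"   # assumed: the organisation's real domain
PRESSURE_WORDS = ("urgent", "today", "confidential", "between us", "gift card")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Parse 'method=result' pairs out of an Authentication-Results header.
    The first ';'-separated field is the authserv-id and is skipped."""
    results = {}
    for part in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        token = part.strip().split()[0] if part.strip() else ""
        if "=" in token:
            method, _, result = token.partition("=")
            results[method.lower()] = result.lower()
    return results


def triage(raw: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return human-readable findings; an empty list means no red flag was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    if from_domain != expected_domain:
        findings.append(f"From domain {from_domain!r} is not {expected_domain!r} "
                        f"although the display name is {display_name!r}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)!r} differs from the From domain")

    auth = auth_results(msg)
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC did not pass (result: {auth.get('dmarc', 'missing')})")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text or w in subject]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("FLAG:", finding)
```

A DMARC failure alone is not proof of fraud (forwarding breaks SPF, for example), which is why the function collects several weak signals rather than returning a single verdict; in a mail gateway the same checks would feed a score or a quarantine rule.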
Deceptive Phishing
Deceptive phishing is the scammer impersonating a legitimate company or a real person to steal personal data or login credentials. The email usually carries a sense of urgency or a threat (a suspended account, a missed payment) to scare the recipient into acting before they look closely.
Vishing
These are the unsolicited calls about your “loan application” or a follow-up on your “car insurance.” Vishing, or voice phishing, is a scammer using the phone to steal personal information, often while pretending to be a trusted friend or a business representative.
Cybercriminals use vishing to obtain payment card details or other personal data under the guise of “verifying your identity.” Caller ID is no protection: the number displayed can be spoofed to match a bank or government agency. Hang up and call back on the number printed on your card or statement.
Smishing
Smishing is sending fraudulent text messages to get the recipient to hand over personal information or tap a malicious link. The link usually leads to a credential-harvesting page; on some phones it may also prompt the installation of an app from outside the official store that carries malware.
For example, scammers have posed as American Express via text, sending messages about supposed offers or account activities. Don’t click on any links that are part of these unsolicited texts.
HTTPS Phishing
HTTPS phishing is an email with a link to a fake site served over HTTPS, where the victim is prompted to enter private information. Users have been taught that the padlock means “secure,” but it only means the connection to the domain in the address bar is encrypted; it says nothing about who owns that domain. Certificates are free and automated, so most phishing sites now use HTTPS. Read the domain, not the padlock.
Website Spoofing
More broadly, website spoofing is creating a fake website that looks like a legitimate company’s site, on a domain that differs only slightly: “amazon.com” becomes something like “arnazon.com.” At a quick glance the “r” and “n” together read as an “m,” and users believe they are on the real Amazon site. Login credentials entered there go straight to the attacker.
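The “arnazon” trick, the one-letter edits mentioned under email phishing, digit-for-letter swaps and internationalised domains that hide Cyrillic letters can all be caught by normalising a domain before comparing it to a brand list. The following Python is an added example, not code from the article; the brand allowlist, the confusable table and the test inputs are constructed, and the thresholds are illustrative. It goes slightly beyond the page’s single example by also handling punycode (xn--) labels.

```python
"""Lookalike-domain scoring (added example, not from the article).
Assumptions: BRANDS is a constructed allowlist; the homoglyph table and the
edit-distance threshold of 2 are illustrative choices, not a standard."""
import unicodedata

BRANDS = ["amazon.com", "paypal.com", "microsoft.com"]   # assumed allowlist

# Single characters that read like something else in an address bar,
# including a few Cyrillic letters that are visually identical to Latin ones.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                   # Cyrillic c x y
})
# Letter pairs that merge into one glyph at small sizes ("rn" -> "m").
PAIRS = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Normalise a domain to the string a hurried human would perceive."""
    d = domain.lower().rstrip(".")
    if "xn--" in d:                              # punycode label: decode to Unicode first
        d = d.encode("ascii").decode("idna")
    d = unicodedata.normalize("NFKD", d)         # split accented letters from their marks
    d = "".join(ch for ch in d if not unicodedata.combining(ch))   # then drop the marks
    d = d.translate(HOMOGLYPHS)
    for seq, repl in PAIRS:
        d = d.replace(seq, repl)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, brands=BRANDS) -> dict:
    """Classify a domain as 'exact', 'lookalike' or 'unrelated' relative to the allowlist."""
    sk = skeleton(domain)
    if sk in brands:
        # Same perceived name; it is only genuine if the raw spelling is the real one.
        verdict = "exact" if domain.lower() == sk else "lookalike"
        return {"domain": domain, "closest": sk, "distance": 0, "verdict": verdict}
    # A brand name embedded in a longer domain ("paypal-login.com") is suspicious
    # regardless of edit distance; otherwise fall back to the nearest brand.
    inside = [b for b in brands if b.split(".")[0] in sk]
    closest = inside[0] if inside else min(brands, key=lambda b: edit_distance(sk, b))
    dist = edit_distance(sk, closest)
    verdict = "lookalike" if inside or dist <= 2 else "unrelated"
    return {"domain": domain, "closest": closest, "distance": dist, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ["amazon.com", "arnazon.com", "amaz0n.com", "amazom.com",
                      "paypal-login.com", "example.org"]:
        print(assess(candidate))
```

An allowlist approach like this is meant for the handful of brands an organisation cares about (its own domains, its bank, its SaaS providers); run against every domain on the internet it would flag legitimate names that happen to contain a brand word, so treat the output as a triage signal rather than a block decision.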
Pharming
Pharming redirects a victim to a malicious site even when they type the correct address. Rather than relying on a bad link, the scammer tampers with name resolution: malware edits the computer’s hosts file, a compromised home router is pointed at a rogue DNS server, or a DNS cache is poisoned so that the legitimate domain name resolves to the attacker’s server.
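Of the three pharming routes just described, the hosts-file variant is the one an endpoint can check for itself. The following Python is an added example, not code from the article; the hosts-file content and the list of watched domains are constructed. It parses hosts-file syntax and reports any watched name mapped to a non-local address, while leaving alone the loopback and 0.0.0.0 entries that ad blockers legitimately add.

```python
"""Hosts-file pharming check (added example, not from the article).
Assumptions: WATCHED_DOMAINS is a constructed list of sites worth protecting;
SAMPLE_HOSTS is constructed.  On a real machine read /etc/hosts or
C:\\Windows\\System32\\drivers\\etc\\hosts and pass its text in instead."""
import ipaddress

WATCHED_DOMAINS = {"bank.example", "login.example.com"}   # assumed watch list

SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.tracker.example                   # ad-blocker style entry, harmless
198.51.100.7   bank.example www.bank.example      # redirects the bank to a foreign host
not-an-ip   login.example.com                     # malformed, but still worth a look
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def is_watched(name, watched):
    """True when the hostname is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, address)] for watched names sent anywhere other than a local sink."""
    hits = []
    for address, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            hits.append((name, address))      # unparsable address on a watched name: report it
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue                          # 127.0.0.1 / ::1 / 0.0.0.0 block, they do not redirect
        hits.append((name, address))
    return hits


if __name__ == "__main__":
    for name, address in suspicious_entries(SAMPLE_HOSTS):
        print(f"PHARMING? {name} -> {address}")
```

This catches only local tampering. A poisoned resolver or a hijacked router leaves the hosts file untouched, so a fuller check compares what the system resolves for a watched name against an answer obtained from an independent, trusted resolver.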
Pop-Up Phishing
Pop-up phishing is a message, usually about a supposed security problem on the device, that appears on the screen and urges the user to click a button or call a number to reach a “support center.” Clicking typically starts the download of a malware file or connects the victim to a vishing operator. Pop-up blockers and refusing a website’s request to send notifications stop many of these; they do not stop all of them, since some arrive through compromised or malicious ads.
For example, Apple has warned customers that hackers have used pop-up phishing and vishing pretending to be Apple support staff. In this case, the company reminds users to be sure to contact Apple directly themselves and not respond to unsolicited calls or pop-ups.
Watering Hole Phishing
Watering hole phishing happens when a scammer targets a group of users by identifying a site they visit regularly, then compromises that site (or a script it loads) so that visitors are served malware or a fake login prompt. The goal is usually a foothold on the organization’s network rather than any one person’s account.
Clone Phishing
Clone phishing is a message that is a near-exact copy of one the recipient has already received, with a link or attachment swapped for a malicious one. The fraudster frames the email as a “resend” of the original and reuses the original sender’s name, so the visible text looks familiar while the link target has changed.
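The swap that clone phishing relies on, and that HTTPS and website-spoofing lures share, is a link whose visible text says one thing while its href points somewhere else. The following Python is an added example, not code from the article; the HTML body is constructed. It walks the anchors in an HTML email with the standard-library parser and reports any link whose displayed URL disagrees with its real destination, plus links that go straight to a bare IP address.

```python
"""Link text vs. href mismatch detector (added example, not from the article).
Assumptions: SAMPLE_HTML is a constructed e-mail body; the URL-ish regex is a
deliberately simple heuristic for 'the visible text looks like a web address'."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<p>Resending the invoice from yesterday.</p>
<p>Download it here:
   <a href="http://203.0.113.9/inv/login">https://drive.google.com/file/d/abc</a></p>
<p>Questions? Visit <a href="https://support.example.com/help">our help centre</a>.</p>
<p>Or <a href="https://drive.google.com/file/d/abc">https://drive.google.com/file/d/abc</a></p>
"""

# Visible text that a reader would take for a web address: optional scheme,
# a dotted hostname, optional path.  Anything with spaces fails to match.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text while inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def visible_host(text):
    """Hostname the reader sees in the link text, or None if the text is not URL-like."""
    match = URLISH.match(text.strip())
    return match.group(1).lower() if match else None


def mismatched_links(html):
    """Return [(shown_host, real_host, href)] for deceptive anchors."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = visible_host(text)
        if shown is not None and shown != real:
            findings.append((shown, real, href))      # text claims one site, href goes to another
        elif BARE_IP.match(real):
            findings.append((shown, real, href))      # no domain at all, just an address
    return findings


if __name__ == "__main__":
    for shown, real, href in mismatched_links(SAMPLE_HTML):
        print(f"DECEPTIVE LINK: shows {shown!r}, really goes to {real!r} ({href})")
```

The same comparison is what a mail client performs when it shows the real target on hover; the value of doing it in code is that it runs over every link before anyone hovers, which is the point at which a clone of a trusted message is caught.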
Evil Twin Phishing
Evil twin phishing happens when a cybercriminal sets up a rogue Wi-Fi access point with the same name as a legitimate network, such as a hotel or coffee shop hotspot. Victims connect, and a fake captive portal asks them to “log in” with real credentials, which the attacker captures; any unencrypted traffic sent over the rogue hotspot can be intercepted as well. Be wary of networks that trigger “unsecure” warnings, or of a login page appearing where none did before, and prefer your own mobile hotspot in public places.
Angler Phishing
Angler phishing uses fraudulent social media accounts to trick people into providing personal information or installing malware. Typically the scammer creates an account that mimics a company’s official support page, with a slight change in the username, and replies to customers who have posted complaints, offering “help” through a link or a direct message.
Man-in-the-Middle Attacks
Man-in-the-middle attacks happen when a scammer inserts themselves between a user and an application and reads or alters what passes between them, including login credentials. In phishing this usually takes the form of a lookalike site that quietly proxies the real login page: the victim sees the genuine pages and even completes a one-time passcode step, while the proxy records the password and the resulting session cookie.
The 2017 Equifax breach is sometimes cited as a man-in-the-middle example, but it was not one: attackers exploited an unpatched Apache Struts flaw in a public-facing web application. Interception of credentials sent over plain HTTP on an untrusted network is a real risk, and the reason HTTPS matters, but it is a different attack.
Image Phishing
Image phishing hides the lure inside an image or an HTML attachment instead of in the message text, so that filters scanning for suspicious words see nothing. The image itself is a hyperlink, or the HTML file opens a fake login form; clicking leads to credential theft or a malware download. Simply viewing a picture does not run code, so the danger lies in what the click does, not in the pixels.
Search Engine Phishing
Search engine phishing is creating fake storefronts or offers that show up in search results, often through paid ads or search optimization for popular product names. The victim enters financial and personal information to “buy,” and the scammer keeps both the data and the money.
File Sharing Phishing
Scammers conduct Dropbox and Google Docs phishing by sending emails that appear to come from these file sharing services, prompting the recipient to log in to view a shared document. With the credentials the attacker can read private files and photos, hold the account hostage and steal sensitive information. Two-factor authentication is one protection; a security key or passkey is the stronger form, since a one-time code typed into a phishing page can be relayed to the real site by the attacker.
Tips to Avoid a Phishing Attack
As long as the internet has been around, cybercriminals have used phishing to trick people into handing over sensitive information or access to their device. Phishing is a form of social engineering where a fraudster conducts psychological manipulation to trick people into these actions that benefit the scammer.
And it’s not just those who are less computer savvy who fall for these tricks – even highly advanced tech companies and government agencies can fall victim, Hong said. “It’s really hard to identify these sometimes, so that’s why you have to be really vigilant,” he said.
Just about anyone can be targeted for a phishing attack. Even Hong himself who started studying phishing in 2005 said he has been targeted. “I almost fell for one of these one time because it was pretending to be a bank, and they wanted to do a survey,” he said. “I was filling things out, and then it asked, what’s your account number? Then I was like, wait a second, that seems sketchy. I looked at it, and it was like, ‘Oh, this is fake.’”
Through a National Science Foundation grant, Hong and other computer scientists began studying why people fall for these attacks. One of the main reasons was that a lot of people didn’t pay attention to the URLs in their browser. He and his colleagues then created a popular online game called Anti-Phishing Phil to help people practice identifying dangerous URLs. Hong has also worked with companies to conduct simulated phishing attacks and subsequent training for employees who clicked on the pretend phishing emails, providing tips for how to steer clear of these scams.
“Avoid clicking on weird links. Use search engines,” Hong said. “If someone is also asking you to do something, and it seems unusual, just confirm with the individual.”