Phishing: the word replaces the “f” in “fishing” with “ph”, a nod to “phreaks”, the term used for an earlier generation of hackers. As mentioned in a previous post about phishing, phishing is a cybercrime in which scammers send malicious emails to individuals, or to many users of an organization at once, while impersonating a known individual, a business partner or a service provider. Phishing attacks come in different types, which we will discuss in this article.
The emails sent by attackers are carefully crafted so that you open them without any suspicion. These types of phishing attacks open the door for different types of hackers and attackers to enter your system and access confidential data like bank account details, credit card numbers, social security numbers, passwords, etc.
Once the information is obtained and the identity theft is done, the phishers immediately send or sell it to people who misuse it. Sometimes, phishing not only results in loss of information but also injects viruses into the victim’s computer or phone.
Once infected, phishers gain control over devices, through which they can send emails and messages to other people connected through the server.
Categories of Phishing
1. Vishing
Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called vishing → voice + phishing = vishing.
Considering the ease and enormity of data available in social networks, it is no surprise that phishers communicate confidently over a call in the name of friends, relatives or any related brand, without raising any suspicion.
2. SMiShing
SMS phishing or SMiShing is one of the easiest types of phishing attacks. The user is targeted by using SMS alerts.
In SMiShing, users may receive a fake DM or fake order detail with a cancellation link. The link would actually be a fake page designed to gather personal details.
3. Search Engine Phishing
Search engine phishing is the type of phishing that refers to the creation of a fake webpage for targeting specific keywords and waiting for the searcher to land on the fake webpage.
Once a searcher clicks on the page link, s/he will not realize that s/he is hooked until it is too late.
4. Spear Phishing
Unlike traditional phishing – which involves sending emails to millions of unknown users – spear phishing is typically targeted in nature, and the emails are carefully designed to target a particular user.
These attacks carry a greater risk because phishers research the user’s complete social profile and their organization – through their social media profile and company website.
Out of the different types of phishing attacks, spear phishing is the most commonly used type of phishing attack – on individual users as well as organizations.
5. Whaling
Whaling is not very different from spear phishing, but the targeted group becomes more specific and confined in this type of phishing attack.
This technique targets C-suite posts like CEO, CFO, COO – or any other senior management positions – who are considered to be big players in the information chain of any organization, commonly known as “whales” in phishing terms.
Technology, banking, and healthcare are the most targeted sectors for phishing attacks. This is because of two main factors: a huge number of users and higher dependency on data.
10 Types of Phishing Attacks
1. “Email Spoofing” Is One of 10 Types of Phishing Attack
Email spoofing is one of the easiest types of phishing used to get data from users without their knowledge.
It can be done in different ways:
- Sending an email through a familiar username,
- Sending an email impersonating your superiors and asking for some important data, or worse,
- Impersonating the identity of an organization and asking employees to share internal data.
Compared to other types of phishing attacks, email spoofing has a focused target with a well-developed structure:
“Whom to target?
What should be the content?
And, which action has the higher probability of conversion?”
An email crafted with these details has higher chances of being opened and phished.
2. CEO Fraud/Business Email Compromise
In a nutshell, CEO fraud occurs when a cybercriminal sends an email to a lower-level employee — typically someone who works in the accounting or finance department — while pretending to be the company’s CEO or another executive, manager, etc. The goal of these emails is often to get their victim to transfer funds to a fake account. Just a bit of bonus info for your upcoming trivia night. In the U.S., CEO fraud is often referred to as business email compromise (BEC), which the FBI says costs businesses billions of dollars.
3. “Domain Spoofing” One of the Other Types of Phishing Attack
The next type of phishing we want to mention is known as domain spoofing. This method of attack uses either email or fraudulent websites. Domain spoofing occurs when a cybercriminal “spoofs” an organization or company’s domain to: make their emails look like they’re coming from the official domain, or make a fake website look like the real deal by adopting the real site’s design and using either a similar URL or Unicode characters that look like ASCII characters.
How’s that possible? In the case of an email-based attack, a cybercriminal forges a new email header that makes it appear like the email is originating from a company’s legitimate email address. In a website domain spoof, the cybercriminal creates a fraudulent website with a domain that looks legitimate or is close to the original (apple.com vs apple.co, for example).
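A forged From: header usually disagrees with other headers of the same message. The following is an added example, not code from the original article: it assumes the receiving mail server stamps an Authentication-Results header, and the sample messages and all example.* addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lowercased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_indicators(raw_message):
    """Return findings that suggest the From: header was forged."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    # Only trust an Authentication-Results header added by your own server.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return findings

# Constructed sample messages (example.* domains are reserved for documentation).
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Example CEO" <ceo@example.com>
Reply-To: ceo.office@example.net
Subject: Urgent wire transfer

Please process today.
"""
LEGIT = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example CEO" <ceo@example.com>
Subject: Quarterly update

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoofing_indicators(raw))
```

A Return-Path mismatch on its own is common for legitimate bulk mail sent through a third-party service, so treat each finding as a signal to weigh rather than a verdict.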
4. Pop-Up Messages: In-Session Phishing
Pop-up messages are the easiest way to run a successful phishing campaign. Through pop-up messages, attackers get a window to steal login credentials by redirecting users to a fake website.
This technique of phishing is also known as “In-session phishing.”
5. Clone Phishing
The idea behind a clone phishing attack is to take advantage of legitimate messages that the victim may have already received and create malicious versions of them. The attacker creates a virtual replica of a legitimate message (hence the attack’s clever name) and sends the message from an email address that looks legitimate. Any links or attachments in the original email are swapped out for malicious ones. The cybercriminal often uses the excuse that they’re re-sending the original message because of an issue with the previous email’s link or attachment to lure end-users into clicking on them. We wish we could say that this doesn’t work; unfortunately, though, it often does because it catches users unawares.
6. “URL Phishing” One of the Other Types of Phishing Attack
In URL phishing attacks, scammers use the phishing page’s URL to infect the target.
This has a higher opening rate because:
- People are “social” enough to click on links sent by strangers,
- They are ready to accept friend requests and messages – DM links or email notifications, and
- They are even ready to share their email and contact details.
One way to hook a person with a phishing bait is by using a hidden link. We have all received emails with the action phrase “CLICK HERE” or “DOWNLOAD NOW” or “SUBSCRIBE.”
Another way to hide phishing links is by using link-shortening tools like TinyURL to shorten the URL and make it look authentic.
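To see what a hidden or shortened link really points at, a mail filter or analyst can list each anchor's visible text beside the host in its href. This is an added example, not from the original article: the shortener list is a small sample, and the HTML body and the tinyurl.com path are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}             # sample list, extend locally
ACTION_TEXT = {"click here", "download now", "subscribe"}  # phrases named above

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def audit_links(html):
    """Return (text, real_host, flags) per link so the true target is visible."""
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        host = urlsplit(href).hostname or ""
        flags = []
        if text.lower() in ACTION_TEXT:
            flags.append("generic-action-text")
        if host in SHORTENERS:
            flags.append("shortened-url")
        if "." in text and " " not in text:  # visible text itself looks like a URL
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            if shown and shown != host:
                flags.append("text-shows-different-host")
        report.append((text, host, flags))
    return report

# Constructed sample e-mail body; the tinyurl.com path is a placeholder.
SAMPLE_HTML = """
<p>Order cancelled? <a href="https://tinyurl.com/PLACEHOLDER">CLICK HERE</a></p>
<p>Sign in at <a href="http://login.example.net/s">www.example.com</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
"""
```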
Instead of tiny URLs, phishers also use misspelled URLs. Hackers buy domains that sound similar to popular websites. Then, they phish users by creating an identical website, where they ask targets to log in by submitting personal information.
Homograph attacks involve the usage of similar-looking words – characters or combinations – that can be easily misread.
Once you land on an attacker’s site, the fake page will prompt you to enter login credentials or financial data like credit card information or other personally identifiable information.
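The misspelled and homograph domains described here, and the apple.com vs apple.co case from the domain spoofing section, can be caught by comparing each observed domain against the brands you protect. This is an added example, not from the original article: the confusables table is a tiny constructed sample and script detection is approximated from Unicode character names.

```python
import unicodedata

PROTECTED = ("apple.com",)  # brand to defend; taken from the page's apple.com example
# Constructed mini-table of Cyrillic look-alikes; production tools use Unicode's
# full confusables data. Maps U+0430 U+0435 U+043E U+0440 U+0441 U+0445 U+0456.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0456", "aeopcxi")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scripts(domain):
    """Scripts used by the letters, approximated by the first word of each name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}

def classify(domain, protected=PROTECTED, max_typos=1):
    """Return (verdict, matched_brand) for a domain seen in a link or header."""
    domain = domain.lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass                                            # already Unicode, or not decodable
    if domain in protected:
        return ("exact", domain)
    skeleton = domain.translate(CONFUSABLES)            # fold look-alikes to ASCII
    for brand in protected:
        if skeleton == brand:
            return ("homograph", brand)
        if edit_distance(skeleton, brand) <= max_typos:
            return ("typo", brand)
    if len(scripts(domain)) > 1:
        return ("mixed-script", None)
    return ("unrelated", None)

if __name__ == "__main__":
    for d in ("apple.com", "apple.co", "\u0430pple.com", "example.org"):
        print(ascii(d), classify(d))
```

Raising `max_typos` catches more misspellings but produces false positives against short brand names.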
7. Website Spoofing
Website spoofing is similar to email spoofing, though it requires the attacker to put in a lot more effort.
How is website spoofing done?
Phishers publish a website by copying the design, content, and user interface of a legitimate website.
Some scammers also use URL shortening tools to create a similar URL for the fake site.
8. “Scripting” Is One of the Other Types of Phishing Attack
Scripting or cross-site scripting (XSS) uses malicious scripts deployed on the victim’s computer or phone using emails as the medium.
Hackers infect the script of a legitimate website – which you visit regularly, identified through social engineering – with a script that will redirect you to a phishing page.
When the browser loads the phishing page, it will execute the malicious script, and the attack would take place without the victim’s knowledge.
9. Man-in-the-Middle Attack
In a Man-in-the-Middle (MITM, MitM, MiM, or MIM) attack, a malicious actor intercepts online interaction between two parties.
Hackers impersonate each party to the other to access confidential information like transactions, conversations, or other data.
Major targets of MiTM:
- Financial website: between login and authentication
- Public or private key-protected conversations/connections
MITM attacks use two major spoofing techniques: ARP spoofing and DNS spoofing.
- ARP spoofing: ARP spoofing is an attack in which a malicious actor sends a fake ARP (Address Resolution Protocol) message over a local area network. This links the attacker’s MAC (Media Access Control) address to the IP address of a legitimate computer or server on the network.
- DNS spoofing: Domain Name System (DNS) spoofing or DNS Cache Poisoning is a form of hacking that corrupts the DNS data in the resolver cache, causing the name server to return incorrect result records.
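Because ARP spoofing rebinds a legitimate IP address to the attacker's MAC address, it shows up as a change in a host's neighbour table. This is an added example, not from the original article: it assumes `ip neigh show` style output, and both snapshots, the addresses and the MACs are constructed.

```python
import re

# Matches lines such as: 192.168.1.1 dev eth0 lladdr 02:00:00:aa:aa:01 REACHABLE
NEIGH = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I | re.M)

def parse_neigh(text):
    """Map IP -> MAC from neighbour-table output; entries without lladdr are skipped."""
    return {ip: mac.lower() for ip, mac in NEIGH.findall(text)}

def arp_anomalies(before, after):
    """Compare two snapshots and report bindings consistent with ARP spoofing."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    # 1. An IP address that is now bound to a different MAC than before.
    for ip, mac in sorted(new.items()):
        if ip in old and old[ip] != mac:
            findings.append(f"{ip} changed from {old[ip]} to {mac}")
    # 2. One MAC answering for several IP addresses in the current snapshot.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings

# Constructed snapshots: in AFTER the gateway 192.168.1.1 resolves to host .66's MAC.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 02:00:00:aa:aa:01 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:aa:aa:20 STALE
192.168.1.66 dev eth0 lladdr 02:00:00:aa:aa:66 REACHABLE
192.168.1.77 dev eth0 FAILED
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 02:00:00:aa:aa:66 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:aa:aa:20 STALE
192.168.1.66 dev eth0 lladdr 02:00:00:aa:aa:66 REACHABLE
"""

if __name__ == "__main__":
    for finding in arp_anomalies(BEFORE, AFTER):
        print(finding)
```

A MAC change also happens when a device is replaced or a router with several addresses answers on one interface, so confirm a finding against the known hardware address of the gateway.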
10. Malware Injection
Injecting malware into a system or network through emails is a common form of phishing.
The usual objectives of a malware attack are:
- Hijacking a user’s computer or an online session,
- Stealing a user’s confidential data,
- Conducting fraudulent activities, and
- Launching a DDoS attack.
How to Avoid These Many Types of Phishing Attacks?
Truly effective cybersecurity is a multi-layered approach. Here are some of the things you can do to help prevent your business from becoming the next phishing-related headline:
Train Employees to Adopt Email Best Practices
This should go without saying, but it bears repeating since this still seems to be a sticking point for some businesses: train your employees. All of them. This includes everyone from the janitors to the CEO.
Implement the use of Email Signing Certificates
As I mentioned earlier for the CEO fraud section, we use email signing certificates here at the SSL Store™. These digital security certificates are known as S/MIME certificates because they use secure/multipurpose internet mail extensions to encrypt the content of our emails (and any attachments) and to digitally sign our communications.