A study released in February 2022 by the cybersecurity news site Dark Reading found that 83% of organizations experienced an email phishing attack in 2021, a 46% increase over 2020. More striking than that number is the fact that, although phishing is one of the most common cyber threats, only 1 in 5 organizations conducts phishing awareness training internally.
So before we move on to discuss the most prevalent types of phishing attacks, let us first understand what phishing is.
What is Phishing?
Phishing is an attack in which the attacker poses as a trusted person or organization to manipulate a user into taking a specific action, such as opening a malicious attachment or following a link to a page that asks for credit card details or login credentials. It is a form of social engineering: it works by tricking the user rather than by exploiting a software flaw, although it is often combined with other threats such as malware delivery or cross-site scripting (XSS) on the landing page. The term is a play on "fishing": the attacker sends out a "lure" and waits for someone to "bite".
Five Common Types of Phishing Attacks
While phishing most commonly arrives as an email message, attackers use several channels to deliver the lure. Listed below are five of the most common types of phishing attacks:
1. Email Phishing
Because an email address is required for almost any digital transaction, it is no surprise that email phishing is the most common form. The attacker impersonates a legitimate organization and sends a mass email whose subject line creates a sense of urgency or threat to push the reader into acting. According to research by KnowBe4, the top five subject lines used in phishing emails in Q2 2022 were:
- HR: Vacation Policy Update
- HR: Important: Dress Code Changes
- Password Check Required Immediately
- HR: Your performance evaluation is due
- Weekly Performance Report
The objective of these emails is to get the user to click a link, enter login credentials, or submit credit card information. Phishing emails are often hard to spot because the attacker uses one or more of these tricks:
- A look-alike domain that differs from the organization's real domain by a character or two (a swapped letter, a digit in place of a letter, an accented character);
- The real brand name placed in a subdomain of a domain the attacker controls, or registered as a variation of the real domain;
- The real company's logo and brand messaging copied into the message and the landing page.
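A practical check for the first two tricks above, as an added example that is not part of the original article: it folds the cheap disguises (case, accented letters, digit-for-letter swaps), treats the last two labels of a hostname as the registrable domain (an assumption made to keep the example self-contained; a real mail gateway would consult the public-suffix list), and flags a brand name that appears in a subdomain of some other domain. The protected domains and the sample sender addresses are constructed for illustration.

```python
"""Triage sender domains for the look-alike and subdomain tricks described above.

Added example, not code from the original article. PROTECTED_DOMAINS and the
sample senders are constructed for illustration; the registrable-domain logic
assumes two-label domains (no public-suffix list) to stay self-contained.
"""
import unicodedata

# Hypothetical brand domains the organisation wants to protect.
PROTECTED_DOMAINS = ("example.com", "examplebank.com")

# Digit-for-letter swaps commonly used in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'exampel' counts as one edit away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise(domain: str) -> str:
    """Fold the cheap disguises: case, trailing dot, accented look-alike
    letters (NFKD decomposition, then drop the combining marks) and
    digit-for-letter swaps."""
    domain = domain.lower().rstrip(".")
    nfkd = unicodedata.normalize("NFKD", domain)
    stripped = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    return stripped.translate(HOMOGLYPHS)


def classify_sender_domain(sender: str) -> str:
    """Return 'legitimate', 'subdomain_abuse', 'lookalike' or 'unrelated'
    for the domain part of an email address."""
    raw = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    raw_labels = raw.split(".")
    # Assumption: registrable domain = last two labels (example.com, not example.co.uk).
    if ".".join(raw_labels[-2:]) in PROTECTED_DOMAINS:
        return "legitimate"  # example.com and genuine subdomains such as mail.example.com

    labels = normalise(raw).split(".")
    brand_names = [b.split(".")[0] for b in PROTECTED_DOMAINS]

    # Brand name placed in a subdomain of an attacker-controlled domain,
    # e.g. example.com.secure-login.net or support.example.evil.net
    if any(name in labels[:-2] for name in brand_names):
        return "subdomain_abuse"

    # Registrable domain that imitates the brand once disguises are folded,
    # e.g. examp1e.com, exampel.com, exämple.com, example-secure.com
    reg_name = labels[-2] if len(labels) >= 2 else labels[0]
    for name in brand_names:
        if osa_distance(reg_name, name) <= 1 or name in reg_name:
            return "lookalike"
    return "unrelated"


# Constructed sample senders, as they might appear in mail-gateway logs.
SAMPLE_SENDERS = [
    "alerts@example.com",
    "hr@mail.example.com",
    "security@examp1e.com",
    "it-helpdesk@exampel.com",
    "login@exämple.com",
    "billing@example.com.secure-login.net",
    "payroll@example-secure.com",
    "newsletter@unrelated.org",
]


def triage(senders=SAMPLE_SENDERS) -> dict:
    """Map each sender to its verdict; anything other than 'legitimate'
    or 'unrelated' deserves a closer look before the mail reaches a user."""
    return {s: classify_sender_domain(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage().items():
        print(f"{verdict:16} {sender}")
```

The legitimacy check runs on the raw domain before any folding, so that folding `examp1e.com` into `example.com` flags it as a look-alike rather than waving it through; Punycode (`xn--`) domains are not decoded here and would need an extra step in a production filter.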
2. Spear Phishing
Spear phishing is a more targeted form of phishing. The attacker focuses on a specific individual, group, or organization and crafts content that is relevant to the target and therefore likely to be clicked. The link or attachment then leads to a compromised network, data loss, or data theft. Spear phishing requires prior research, which makes the attack more credible: the message can already include specific details such as the target's name, job title, and sometimes even account numbers.
3. Whaling
Also known as CEO fraud, whaling is a phishing attack aimed specifically at high-ranking executives in a company or organization; the name comes from the victims being the "big fish" of the business. In this social engineering tactic, the attacker masquerades as a senior executive and sends what appear to be important communications to other members of the company, typically manipulating the reader into sharing sensitive data or making a wire transfer. One well-known incident involved Mattel, whose top finance executive received an email from an attacker posing as the newly appointed CEO requesting a money transfer. That attack nearly cost the company $3 million.
4. Smishing
Smishing is phishing carried out by fraudsters over SMS (short message service), more commonly known as texting; the term is a play on "SMS" and "phishing". The only major difference from email phishing is the channel: the goal is the same, to steal personal information or to gain the foothold for a larger data breach.
Smishing messages are usually disguised as notices from banks or other financial institutions asking you to validate or update your account by tapping a malicious link. The link leads to a landing page that imitates the bank's website and contains forms the user is asked to fill out.
5. Vishing
While most phishing is done by email, some attacks still rely on a more traditional channel: the phone call. In vishing (voice phishing) campaigns, fraudsters set up a Voice-over-IP (VoIP) server and place calls in which they mimic a legitimate organization. One technique used against customer service representatives is "mumbling": the attacker answers the agent's verification questions indistinctly, hoping the agent will fill in the gaps rather than challenge the caller.
With every type of phishing attack becoming more prevalent and more sophisticated, organizations should start building a stronger cybersecurity defense. Technology like SecureBrain's cloud-based website scanner can support that defense through regular malware scans, 24/7 monitoring, and instant alert notifications.
If you're ready to start, don't hesitate to reach out to our cybersecurity experts here at SecureBrain.