What are the different types of phishing attacks and how to counter them?

What are the different types of phishing attacks and how to counter them?

What is a phishing attack?

Social engineering attacks, such as phishing, are the most common types of cyber-attacks along with ransomware, malware, data breach and Distributed Denial of Service (DDoS).

So common that 91% of cyberattacks start with a phishing email, according to Trend Micro.

But what is phishing exactly?

Phishing is a type of cybersecurity threat that targets users through emails, text messages or sometimes direct messages. The objectives of phishing can be to:

Cybercriminals use several tactics to trick users into doing what they want, and these evolve every month. As time goes on, schemes grow more sophisticated and more difficult to detect. They are also increasing in quite a concerning manner. A staggering statistic from the Phishing and Fraud Report (2020) shows that phishing incidents rose 220% during the global pandemic compared to the yearly average.

Phishing is a large concept and getting familiar with the different types of attacks is the first step to protecting yourself and your organization from them.

Email Phishing

Email phishing is the most common type of phishing attack, one that has been around since 1996 (January 2, 1996 to be exact). This attack consists of a generated email that looks legitimate, targeting a huge list of emails. This email is designed to trick the recipient into providing confidential information or browsing a malicious site that an attacker can use to steal data or download a file onto the user’s device.

Example:

Example of Email Phishing

Spear Phishing

Spear phishing is an advanced version of phishing, also the most common one, comprising 65% of all phishing attacks.  It is more elaborated and only targets a specific group or type of individuals, such as a company’s HR or financial department employees. With spear phishing, attackers customize their emails with information about the targeted users (first name, last name, phone number, etc.). The targeting company name is often spoofed (disguising a communication from an unknown source as being from a known, trusted source) in order to look more legitimate to the user’s eyes. Most of the time, a spear phishing email will ask targets to access a malicious website where a login form is used to steal credentials. Attackers often play the emergency card for users to respond as quickly as possible.

Example:

Example of Spear Phishing

Whaling

In the same category as spear phishing, whaling attacks target only senior executives of a company. These individuals often have deep access to the corporate network. Thus, a successful attack on one of these people can lead to disastrous consequences. (i.e: installation of malware spreading easily due to the access level of the targeted user).

Smishing and Vishing

Smishing and Vishing are both types of phishing that don’t use emails. The first one is done through some form of a text message or SMS (fake UPS delivery message for example). The second one is done through voice phishing, meaning that a criminal will pretend to represent a trusted institution and ask for confidential information.

CEO Fraud

Most of these types of phishing can be combined together to increase attack success. For example, a known attack called “CEO Fraud” could combine Whaling and Vishing. For example, a spoof email is generated coming from the CEO to the secretary asking him/her to make a bank transfer for an important deal. In the next 30 minutes, the attackers call the secretary in order to make the demand more legitimate and more urgent.

Example of CEO Fraud

Advanced methods have also been documented recently. To know more about those, Mr. Dox’s blog is a great source of information.

Best practices to protect yourself and your business safe

Here are some of the best practices that will protect you from being phished:

Ready to put your employees at test?

Let our ethical hackers run fictitious phishing campaigns based on scenarios that we establish together to test your employees’ awareness to this type of threat. Contact us here!