Phishing is a form of social engineering in which cybercriminals trick individuals and organizations into revealing sensitive information such as login credentials, card numbers or internal data.
It has been around almost as long as the public internet, originally as a way to steal credit card numbers and login details. The tactics have evolved considerably since then and are far more sophisticated than the crude messages of those early days.
Today there are several types of phishing attack that anyone who uses the internet can fall for. Here are the five most common, and the signs that give them away.
- Email phishing
The most common type of attack. Email phishing tries to trick people into disclosing banking details or other sensitive information. Cybercriminals send emails with attractive offers that demand immediate action.
For example, a message may claim you have won a million-dollar lottery and must click a link within the next few minutes to claim the prize. The link may download malware onto your system or lead to a web page that asks you to enter your banking details. Either way, the attacker ends up with your credentials and can use them to drain your accounts.
Phishing emails can usually be spotted by poor language, offers that are too good to be true, pressure to act immediately, and sender addresses or link targets that do not match the organization they claim to come from. A message may carry a credible company name in the display name while the actual address sits on a public webmail domain or an unrelated domain, and hovering over a link often reveals a destination that differs from the text shown. When in doubt, do not click; reach the organization's site by typing its address yourself.
- Spear phishing
Spear phishing is a more targeted form of email phishing. Instead of mass mailing, the attacker researches specific individuals or roles within an organization, such as executives, finance staff or administrators, and crafts a message using details (names, projects, colleagues) that make it look legitimate. The goal is usually to capture that person's credentials, which then open the door to whatever sensitive information they can reach.
Because CEOs and others at a similar level typically have broad access to an organization's data, their credentials let attackers launch much larger attacks against the organization. A compromised executive mailbox can also be used to instruct other employees to take actions, such as approving payments, that they would not question coming from that sender.
You can spot a spear-phishing attempt the same way as an ordinary email phishing attempt. Look out for poor language, mismatched domains, credible company names paired with public webmail addresses, links whose visible text differs from their real destination, and attachments you were not expecting. The difference is that the message will look personal, so a plausible context is not by itself proof that it is genuine.
- Whaling
Whaling is also known as CEO fraud. It is a type of phishing in which the attacker impersonates a company's CEO (or another senior executive) and emails internal or external stakeholders. The message typically asks the recipient to open an attached or linked "document", or to transfer money to an account the attacker controls. (The term is sometimes also used for phishing aimed at executives themselves; this article uses it for impersonation of the executive.)
Consider that a CEO would not ask you to transfer money to a personal account, or to review a document, unless you report directly to them, and even then not through an unexpected email. If you receive such a request, do not act on it: confirm it with the executive through a channel you already trust, such as a phone number from the company directory, and report the email to your security team as a phishing attempt.
These emails usually come from an address that resembles the CEO's but uses a public domain such as "@gmail.com", a completely unrelated domain, or a lookalike of the company domain with one or two characters changed. Remember too that official email is sent to your work address, so a request of this kind arriving in your personal mailbox is almost certainly a whaling attempt.
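The sender and link checks described in the email phishing, spear phishing and whaling sections above can be automated. The script below is an added example, not code from the original article: it parses a raw message and reports a public webmail sender, a lookalike of the company domain, a Reply-To that differs from From, a link whose visible text names a different site than its href, and urgency phrases. The corporate domain `example.com`, the webmail list, the phrase list and the two sample messages are all constructed for the demonstration; a real deployment would take them from the organization's own directory and mail gateway.

```python
"""Heuristic phishing-sign checks for a raw e-mail message.

Added example, not code from the original article. The sample messages,
the corporate domain and the webmail list below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"  # assumption: the only domain the company uses
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("immediately", "within the next", "urgent", "right now", "act now")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude 'last two labels' approximation (fine for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of (code, detail) findings for the signs the article lists."""
    msg = message_from_string(raw_message)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain, reply_domain = domain_of(sender), domain_of(reply_to)

    # Credible display name ("... CEO") but a public webmail address.
    if sender_domain in PUBLIC_MAIL_DOMAINS:
        findings.append(("public-domain", sender_domain))

    # A domain one or two edits away from ours (exarnple.com, examp1e.com).
    for dom in dict.fromkeys((sender_domain, reply_domain)):
        if (dom and dom != CORPORATE_DOMAIN
                and edit_distance(registrable_domain(dom), CORPORATE_DOMAIN) <= 2):
            findings.append(("lookalike-domain", dom))

    # Replies silently routed to a mailbox other than the one shown in From.
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply-to-mismatch", reply_domain))

    # Link text shows one site, the href goes to another.
    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        real_host = urlparse(href).hostname or ""
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append(("link-mismatch", f"{shown.group(1)} -> {real_host}"))

    # Pressure to act immediately.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample: whaling-style request from a "CEO" on a webmail address.
PHISH = """\
From: "Jane Doe, CEO" <jane.doe.ceo@gmail.com>
Reply-To: payments@exarnple.com
To: alice@example.com
Subject: Urgent wire
Content-Type: text/html

<p>Alice, I need you to act now. Review the invoice at
<a href="http://exarnple.com/invoice">https://example.com/invoice</a>
and transfer the funds within the next hour.</p>
"""

# Constructed sample: ordinary internal notice that should raise nothing.
LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Maintenance window
Content-Type: text/html

<p>The VPN gateway will be updated on Saturday. Details:
<a href="https://example.com/it/maintenance">https://example.com/it/maintenance</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(sample))
```

Running it flags the constructed whaling message on all five signs and reports nothing for the helpdesk notice. The lookalike test is deliberately crude (two edits against one known domain); a production filter would compare against every domain the organization owns and would also catch homoglyphs and added words such as `example-payments.com`.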
- Smishing and vishing
Vishing is short for "voice phishing". The attacker telephones the victim and creates a sense of urgency so that the person is pushed into taking immediate action. It usually involves a fabricated "crisis" that can supposedly only be resolved if the victim discloses banking information or login credentials.
Attackers time these calls for peak periods such as tax season. They may claim to represent the IRS (Internal Revenue Service) and ask for your Social Security number so they can "complete an audit". The calls often come from unfamiliar numbers or regions and ask for things a legitimate organization would never request over the phone. If in doubt, hang up and call the organization back on a number you looked up yourself.
Smishing, or SMS phishing, is the text-message counterpart: the attacker sends a text asking the recipient to open a link. The link usually leads to a page that harvests credentials or to a malicious download, and the message is often disguised as a delivery notice or a bank alert.
- Angler phishing
Angler phishing is similar to smishing except that it uses social media direct messages, comments or fake accounts instead of text messages. Attackers often pose as a company's customer-support account and reply to users who have complained publicly, offering "help" through a link.
Do not open links in a direct message unless you know the sender and they regularly share links with you on that platform, and treat unsolicited "support" replies with suspicion: go to the company's verified account or website directly instead. Likewise, do not respond to notifications that someone you do not recognize has tagged you in a post.