6 Popular Types of Phishing Attacks
Updated: May 23, 2019
Phishing attacks are becoming more sophisticated and prevalent every year. It’s because this attack technique is cheap to deploy but effective in helping hackers and other digital threat actors to obtain sensitive information. And this proves to be very profitable for the perpetrators.
According to PhishMe’s Enterprise Phishing Resiliency and Defense Report published in 2017, a medium-sized business spends an average of $1.6 million annually dealing with phishing scams. Without a doubt, this can have serious negative consequences on your business.
Protecting your business against potential attack schemes is extremely essential, and it all starts off with making sure you’re fully informed of the types of phishing attacks you face. Here are 6 common types of phishing attacks:
1. Spear phishing
The spear phishing type of cyber-attack involves sending well-crafted emails that target specific individuals or group of an enterprise while purporting to be a reliable sender. It can involve the impersonation of employees, contractors, or suppliers.
This means that before the perpetrators send the targeted emails, they usually research first and gather important details about their potential victims. They can spend a couple of months researching their potential targets throughout their daily routine to get a good picture of their personal relationships.
Basically, using personal information in crafting messages gives attackers some kind of plausibility, which increases the probability of luring employees into downloading attachments, clicking links, or initiating undesired actions.
Waling is simply a branch of spear phishing, which specifically targets high-profile individuals that have access to administrative accounts with extremely valuable information, such as trade secrets of a company. In most cases, the victims are the CEOs and CFOs.
Once an attacker is equipped with highly personalized information, they will make their move by sending business emails that typically require critical attention. They’ll address a victim using their title, phone number, and company position. These details are easy to get from press releases, social media platforms, and company websites.
Unless you’re extremely careful, it’s not easy to spot the attacker because they usually present themselves as individuals with legitimate authority. For example, an imposter can send an email requesting payment as a known client of your company.
Or, they can include a note informing you of a certain report that has been published online. Since the cybercriminal already established some degree of trust, you can click through as usual to download the attached report, which is designed with a piece of malware to steal sensitive data.
3. Clone phishing
This type of phishing attack involves mimicking the details of a legitimate and previously delivered email to create an almost identical or cloned email.
Hackers mainly replace the original email with corrupt links or attachments, and then send it to the targeted individuals or organizations. A cloned email is spoofed, so it’s hard to differentiate it from the original one. Most people fall victim to this type of phishing scam because it's hard to detect cloned emails posed as resends or updates of the original version.
If your employees download the attachments or click on the links containing malicious software, your business will be subjected to a greater risk of a data breach. Dangerous software can wipe all your business information, take sensitive data hostage, or extract finances unnoticed.
4. Covert redirect
With the covert redirect phishing technique, the links will appear legitimate but are designed with one motive in mind — redirecting individuals to a hacking site that installs malware for criminal purposes. An attacker takes advantage of a security flaw on a site’s domain to create a deceitful login popup. They can also use a legit website but corrupt it with a fraudulent popup dialogue box, and ultimately get to steal your employees’ login details.
If, for example, you come across a phishing link with a ‘Facebook’ title and click on it, a popup box will appear requesting your authorization to load the app. The hacker will receive a sign if you approve the activity, and your sensitive data like email address, date of birth, work history, and contacts could easily be uncovered.
Sometimes even after opting not to authorize the app, you may still get redirected to a certain site that is controlled by the same perpetrators.
5. False promotional offers
Digital threat actors are also taking advantage of coupons or special deals to promote their phishing activities through an automated process, which is embedded with malware. And this strategy appears to be very rewarding, as it involves rolling out hard to resist deals and encourages people to share the initial link.
To claim such offers, you’ll be required to click on certain links that will redirect you to a phishing website. You can also be asked to sign up to receive free vouchers. Unfortunately, this can prove detrimental to those that use the same passwords to access a variety of sites. With the same sign-up information, the attacker can access your other financially rewarding accounts.
6. Voice phishing (Vishing)
It is important to keep in mind that not all phishing scams involve clicking on links and downloading attachments in emails. Scam artists still use the old-fashioned phishing attacks through text messages delivered to your mobile phone.
A hacker can send fake messages, notifying a victim that there’s an issue with their bank account and asks them to dial a certain phone number to fix the problem. If such a number is dialed, it is often answered by automated instructions prompting the victim to enter their account number, credit card number, and PIN on the keypad. That way, a cybercriminal can gain access to your personal and financial data.
How to protect your business from phishing attacks
Awareness alone isn’t enough to protect you from phishing attacks. Cybercriminals are always deploying more advanced attacks, which call for the services of cybersecurity experts. Working with a reliable cybersecurity company is the best course of action, as experienced cybersecurity professionals can help employ the best practices to contain and prevent your organization from phishing scams.