On the cybercrime timeline, phishing dates back to the mid-1990s when hackers exploited one of the earliest internet service providers to steal passwords and credit card data from unsuspecting users. Technology has evolved significantly since then, but phishing remains a popular attack method because it’s specifically designed to take advantage of human nature.
Phishing is the practice of using fake, fraudulent, or deceptive communication to lure or convince a targeted person (or group) to hand over sensitive information.
Cybercriminals pretend to be legitimate, trustworthy sources and contact their victims by email, phone, or SMS with the goal of acquiring anything from personal data and banking details to usernames and passwords.
The scammers then leverage the newly acquired information for their own illicit purposes, which may include identity theft, credit card fraud, or privileged account access, among other things.
Email phishing, spear phishing, whaling, smishing, and vishing are five common types of phishing attacks. Learn to recognise the warning signs so that you’re less likely to be fooled by a scam message.
Email phishing (also called deception phishing or deceptive phishing) is perhaps the most well-known type of phishing. In this kind of scam, attackers impersonate a real company, organisation, or group and send out mass emails to as many email addresses as they can find. This so-called “spray and pray” approach is a numbers game for the perpetrators, and even if they only hook a handful of victims, the attack may still prove worthwhile and lucrative.
How do they do it? The scam email message is intended to make you perform an action, like downloading an attachment or clicking on a link. Malware embedded inside the attachment is activated when you open the file, and the link destination is often a malicious website primed to steal your credentials or install nefarious code on your device.
Consider this example… You receive a legitimate-looking email from your streaming service, saying your account has been temporarily suspended because of unusual activity. You’re instructed to click on a link inside the email, to verify your account credentials. You expect to be directed to the streaming service’s login page, but the link actually takes you to a lookalike login page that harvests your username and password.
Spear phishing takes the concept of email phishing and applies it to a specific individual or group. Instead of the bulk, generic communication associated with regular email phishing, spear phishing involves customised messaging for a selected target. As the name implies, spear phishing is a pointed attack, not a wide-net manoeuvre, and scammers will often leverage publicly available corporate collateral to fine-tune the elements of their email trap.
How do they do it? Detailed, personalised messaging is key to the success of any spear-phishing campaign – because the attackers have to make you, the recipient, trust them enough to do what is asked in the email. They may spend days or even weeks on research and information-gathering (from your company’s website, social media pages, and published reports) as part of their efforts to trick you into action.
Consider this example… You’re the accounting clerk responsible for processing vendor invoices. You receive an email from an unknown vendor, with a PDF invoice attached. The message is well-written and friendly. The email sender knows your name and is knowledgeable about your company; they even send their best wishes to your colleague, John, whose motorcycle accident was addressed in your company newsletter last week. You believe that the vendor is legitimate and open the attachment, which then delivers malware to your laptop.
Whaling (also called whale phishing) is the term used to describe phishing attacks aimed at a company’s most senior, most connected, or most influential leaders – the whales. The chief executive officer, chief operating officer, chief financial officer, chief technology officer, and other senior managers are attractive targets because of their high-level access to company resources. With an executive’s login credentials in their possession, scammers may be able to transfer corporate funds, expose private data, or impersonate the target to disrupt or damage the business.
How do they do it? Like spear phishing, whaling requires a tailored approach. Cybercriminals may have to profile the chosen individual for months to gain sufficient insight into their personal and professional lives. But as soon as the phishers have enough information, they can create believable, persuasive messages to try to deceive their victims into downloading malicious files or visiting compromised websites.
Consider this example… A new email lands in your inbox – and it’s from a law firm. The subject line and the content of the message imply that your company is being sued for millions by a former employee. The preliminary paperwork is attached to the email. As the chief legal officer, it’s your responsibility to investigate – but you don’t realise that the attachment is tainted.
Smishing (also called SMS phishing) uses a text message rather than an email message to conduct a phishing attack, but the rationale is the same: scammers want to fool you into clicking on a risky link, downloading a malicious application, or surrendering your personal information.
How do they do it? Digital fraudsters take advantage of the fact that you keep your smartphone within reach and probably read your text messages soon after they arrive. And, as with other phishing methods, deception is their key tool. By masquerading as bona fide businesses (like your supermarket) or trusted sources (like your bank), they can deliver compelling texts directly to you – quickly, easily, and more than once.
Consider this example… You receive an SMS offering 20% off your next clothing purchase. The offer appears to come from your favourite fashion outlet, and uses the same language and style (right down to the abbreviations and emojis) that you’ve seen from the store in the past. To receive the discount, which is only available to the first 100 customers, you need to click the link and claim your coupon code online. You don’t know that the link, when clicked, installs malware on your phone.
Vishing (also called voice phishing or phone phishing) is when scammers call you directly – on your home landline, your work phone, or your cell – and try to make you give out personal or corporate information. Often, they will exploit annual trends and public concerns, or create a sense of panic that makes you feel compelled to comply with their requests.
How do they do it? The person making the fraudulent phone call may pretend to be a tax official who needs your company registration number for verification before refunding money to you. They may claim to be a health official calling to put you on the list for a COVID-19 vaccination. They may even claim to be a customer service agent from your bank, alerting you to suspicious withdrawals from your account. In every scenario, the phisher on the other end of the line will do their utmost to extract sensitive information from you.
Consider this example… You’re called by someone who claims to be from an insurance firm. They say that you’ve been named as a beneficiary in the estate of their deceased client, and you stand to receive a substantial sum of money if you can verify your identity in line with the facts in their possession. You may be asked for your full name, your ID number, your physical address, and your other phone numbers as the impersonator tricks you into providing confidential, high-value information over the phone.
These five types of phishing attacks are among the most prevalent, but they’re not the only ones used by cybercriminals. You need to be able to spot the tactics (and teach your teams to spot them, too) so that would-be phishers do not succeed when they target you and your staff.
Prepare your business teams for the dangers of cyberspace with comprehensive security training from BUI and Cyber Risk Aware.
Check out the on-demand webinar featuring our own Wayne Nel and Cyber Risk Aware CEO Stephen Burke to learn more.