Plenty of Phish: The Various Types of Phishing Attacks

Phishing is one of the most common types of cyber attacks; below, we will take a look at four common variants of this scheme.

Email Phishing -- This is the most common form of phishing attack and what we typically think of when we hear the term. Malicious actors send fraudulent emails to recipients under the guise of being legitimate senders. The phisher will often create an email address that looks very similar to the legitimate sender they are trying to mimic, for example, a phisher trying to steal information may use the email address customer-suppport@microsoft.edu. Notice that the email address is close enough that if the recipient just glanced at the address that it would be easy to mistake it for the real thing. Additionally, there is a typo on in the name as well as the incorrect website domain (microsoft.edu as opposed to microsoft.com). If the attackers are able to fool the recipient with the email address, their hope is that the unsuspecting victim will click on the links embedded in the email which then infect the computer with some sort of malware. These are typically created so that the attacker can send to many people at a time in order to try to dupe as many victims as possible. How to Protect: Look for the telltale signs of the fake email: misspellings, grammar mistakes, links, and demands for quick action. Many email phishing attacks will call for quick action or else, causing panic for many and making them act out of fear. Do not fall for this, and instead, try to find another way to contact whoever is trying to contact you to determine if it is legitimate.

Spear Phishing -- This type of phishing attack is a more direct, personal form of the first. As opposed to the email phishing attacks, spear phishing emails target specific individuals within an organization to try and use them as access points to steal information. Spear phishers use tailored emails that are created to be specific to each individual being targeted. These attackers collect information on victims ahead of time and create emails personalized to a level beyond the typical, standard-issue phishing attack which tends to lower recipient's suspicions. How to Protect: Because these are harder to detect than a typical email phishing scam, education is key in protecting against this attack. For businesses, be sure to have your employees participate in continuous security awareness trainings. Additionally, try to invest in automated solutions if possible in order to take this burden off of employees. If this is financially not a reasonable option, have a dedicated email address for employees to send suspicious emails to in order to help prevent them clicking on suspicious links and protecting coworkers from similar attacks.

Whaling -- Whaling is similar to spear phishing, but targeted to another level -- the executive level to be exact. Whaling attacks do not use the same approaches as the email phishing attacks, like suspicious links or timeline demands, because executives tend to be more aware of the issues that could be out there. This is also called CEO Fraud, though it tends to affect other high level execs like CFOs, COOs, and even CIOs (Chief Information Officers -- the cybersecurity head honchos!). Similarly to the spear phishing attack, malicious actors tend to use the victim's name, job title, and basic details that tend to be easily guessable. In recent years, there have been trends of attackers using this sort of phishing attack with the theme of fake tax returns which are of more concern to these employees that make more money and likely have more complicated tax returns. How to Protect: Do not only provide employee cybersecurity training to employees, but make it mandatory for them and all executives as well. Cybersecurity is not something you can test out of based on position, so continued education at all levels is necessary for long-term success of the business.

Vishing -- This type of phishing attack is not carried out over email like the others, but is verbally completed via telephone. Though the term vishing may be new to you, you have likely heard of this happening to yourself or someone you know. These typically become common around tax filing time where malicious actors call victims on the phone and act as though they are from the IRS. They say something like you owe so much in taxes and they will have to issue a warrant for your arrest if you don't do something. They will then tell you that if you pay over the phone, that it will be resolved. Or they say they need to verify your credit card number. In case you do not already know, the IRS does not contact people via any other means than snail mail, so this particular scam is an easy red flag. However, I myself received a call from someone acting as though they were from the university I was attending at the time; they said I had some issue on campus and then said I needed to give over some sort of information otherwise something bad was going to happen. I had only attended the university online and knew that this was not a real issue, but what was concerning is that the attacker disguised their phone number to match the exact Admission's office number. When I called the number back, it was the legitimate office and I let them know what was going on, but it was disconcerting to see that the attacker could so easily mask themselves as the university. How to Protect: Stay calm. As mentioned before, the common IRS issue is easily resolved because the IRS doesn't call people. Don't believe scammers who claim to be from this entity. For other instances like my own experience, do not provide any private information to these malicious actors. Hang up, and reach out to the alleged company trying to contact you and see if this was a legitimate request. It likely was not, and they now know of the issue of someone posing as them.

Image by Freepik.