Three Common and Three Unique Phishing Scams Explained

Phishing is among the most common cyber attacks facing individuals and businesses alike today. It is also one of the most diverse attacks in that the attack can be carried out in a multitude of ways. Because of this, it is important to be aware of phishing and all of the different varieties of phishing scams that are out there.

What is Phishing?

Phishing is a type of social engineering or manipulation in which cybercriminals maliciously send messages to individuals or businesses in an attempt to trick them into divulging sensitive information or so that the malicious actors can deploy malware to infect the device or system of devices utilized by the recipient of the message.

Common Phishing Scams

• Classic Email phishing -- 96% of phishing attacks are delivered via email and this is the most commonly known phishing scam. These emails are usually urgent or threatening in nature and can be identified by this as well as a few other key factors; the subject line will usually be similar to the content of the email in that it is demanding some sort of immediate action like clicking on a link in the email or replying to the malicious actor with some sensitive data quickly. Another key identifier to be aware of that you may need to look a little closer in order to find is a false sender email - typically, in an attempt to further dupe the recipient, this will look similar to the structure of a legitimate email address from the entity that the cybercriminal is pretending to be. For example, if the malicious actor is attempting to present themselves as a legitimate leg of Walmart they may mimic a legitimate email address "customer-service@walmart.com" with something like "customerservice@wallmart.net." As is evident, the structure of the customer service piece of the email address is not quite right, there is a typo in the company name, and rather than ending in .com it ends in .net. At a glance, one might fall for this as being a legitimate email address, but this is why it is important to take a careful look at who is sending you an email before clicking on anything in the email.
• Spear phishing -- Spear phishing is an extension of the classic email phishing scam but it takes the commonly seen attack to another level. This type of phishing attack targets specific individuals in a premeditated way; the malicious actor will also usually know quite a bit of information about their target ahead of time including name, position, and their various contact information. This may be any person tied to the company and will often be an individual who the cybercriminals believe will be easily duped by such an attack. Multiple people can be included in a spear phishing attack so long as the attacker knows that key identifying information.
• Whaling -- Just as spear phishing expands on simple email phishing, whaling is an even more targeted version of spear phishing. This form of phishing specifically targets executives at a company, not just anyone who works there. A whaling attack is often carried out by highly skilled cybercriminal because of the high stakes of attacking a high level employee. Named after the white whale of Moby Dick, attackers set their sights on a high value target due to the high-level of sensitive data and deep access that these executives tend to have. It's a high-risk high-reward situation for the malicious actors.

Phishing Scams You May Not Have Heard Of

• Smishing -- Though the phrase may be unfamiliar, this is a phishing scam you likely have seen come your way quite often. A smishing attack is just the SMS text message equivalent to the classic email scam and it occurs when you get a text from someone you do not know. These are typically scams that are more reliant on tricking you into clicking on links in the body of the message; this link will likely infect your phone with malware once clicked. Sometimes, the attacker will try to get you to reply and have a conversation with them in order to pull personal information out of you.
• Evil Twin -- This form of phishing sees the victim being duped by the malicious actor setting up a fake Wi-Fi network. The network will appear real, which encourages a person trying to connect to the Internet to click on it as though it were a legitimate. When the person logging into the fake Wi-Fi enters any sensitive information, it is communicated straight to the cybercriminals.
• Voice phishing -- Also known as vishing, is similar to smishing's relationship with the classic scam, only this is conducted over the phone. Though the email scam is considered the classic phishing dupe, the voice phishing scam has been around arguably much longer in the form of false phone salesmen who have been around since before the Internet. These scams tend to be more heavily targeted at the older generation and the malicious actors will pretend to be a child or grandchild in order to prey on the elderly victim's sweetness and trick them into sending money or giving over sensitive information. This form of attack does also affect the younger generation though -- fake IRS scammers will call adults of any age pretending to be the tax entity. In the case of a voice phishing scam or any other phishing scam for that matter, do not panic; reach out to the person claiming to be legitimately contacting you through a different means of communication and verify that they are actually trying to contact you, if they are not, block and do not reply to the person who was phishing you. Entities like the IRS will never contact you via phone and they even mention this fact on their website.

Image by Freepik.