Although many tech-savvy people think they can spot a malicious email, phishing attacks are becoming more sophisticated every day. According to Verizon, nearly one-third of all data breaches involved some type of phishing attack.
Knowing how to spot phishing emails can be your best line of defense against increasingly complex email scams. In this article, we will go over 12 phishing attack examples so you can learn how to identify and prevent them.
Phishing is when criminals pose as legitimate people or institutions to trick you into giving them sensitive material such as banking, credit card and password information. These criminals will then use this information to commit fraud, identity theft and even corporate espionage. Phishing attacks often use social engineering to manipulate people into sharing information they would not otherwise give up.
In 2019, 88% of businesses faced a spear phishing attack. Instead of sending a generic phishing email to thousands of email addresses at once, scammers go after specific targets. Companies that store customer data or high-profile individuals like senior executives are often targeted.
Deceptive phishing is one of the most common types of phishing attacks. In this scam, a criminal impersonates a recognized sender to get information like personal data or login credentials. These emails trick victims into revealing information by asking them to verify account information, change a password or make a payment.
To protect your business from deceptive phishing, teach your team to read the sender’s email address carefully, not just the sender’s name. Look for generic greetings or unprofessional grammar and spelling, which are common indicators of deceptive phishing.
Spear phishing is a type of phishing attack aimed at specific individuals or companies. These phishing scams use personalized information to lull victims into a false sense of security, convincing them to share their data. Attackers will research a victim’s online behavior, from where they shop to what they share on social media, to collect personal details that make the attacker seem like a trustworthy source.
When someone sees a phishing email customized with their name, position and even phone number, they might be more likely to let their guard down. A spear phishing email often contains malicious attachments or links to websites that seem legitimate. Even if the source appears to be trustworthy, always be careful when receiving unexpected emails.
CEO fraud is also known as business email compromise (BEC). CEO fraud is when a scammer poses as a company’s CEO and emails an employee, often in the accounting or finance department. A CEO fraud phishing scam’s typical goal is to manipulate someone into transferring funds to a fake account. Because these emails usually target lower-level employees, they are less personalized, often contain typos and originate from phony email addresses. CEO fraud can cost businesses billions of dollars.
Many executives do not attend company-required security training, making them even more vulnerable to phishing scams. Whaling, or whale phishing, is like an inverse version of CEO fraud. Rather than going after lower-level employees, whaling attacks target senior executives such as CEOs, CFOs and COOs.
Like spear phishing, these types of phishing attacks are customized to their targets. The goal is to trick high-profile targets into revealing sensitive information only they would have, such as payroll information or intellectual property. Some whale phishing attacks use fake email addresses, but many fraudsters attempt to access an executive’s email account directly to defraud other executives.
In a clone phishing attack, a hacker creates almost identical versions of legitimate emails from reputable sources to trick you into sharing sensitive information. Sometimes these emails can appear to come from your boss asking you to provide them with login credentials or a vendor requesting that you confirm payment information.
A clone phishing scammer will often claim to be resending an email because of an incorrect link or a missing attachment in the original message, to trick the recipient into clicking it. In reality, the original link or attachment has been replaced with a malicious link that downloads malware onto the victim’s device. Before clicking a link in an email, always hover over the link to verify the URL first.
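The two manual checks described above (read the sender's address rather than the display name, and compare a link's visible text with its real target) can be automated. The sketch below is an added example, not part of the original article; the `TRUSTED` brand mapping, the sample message and all domain names in it are constructed assumptions, and the domain comparison is deliberately crude.

```python
import re
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands your users expect, mapped to the domains that really send for them.
TRUSTED = {"example bank": {"examplebank.example"}}

def registrable(host):  # crude last-two-labels domain; real code should use the Public Suffix List
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(s):
    """Hostname of a URL or URL-looking string, else ''. The scheme is never a trust signal."""
    host = urlsplit(s if "://" in s else "//" + s).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, so only link text is kept
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Flag display-name spoofing and links whose visible text and real target differ."""
    msg, findings = message_from_string(raw, policy=policy.default), []
    name, addr = utils.parseaddr(str(msg["From"]))
    sender = registrable(addr.rpartition("@")[2])
    for brand, domains in TRUSTED.items():
        if brand in name.lower() and sender not in domains:
            findings.append(f"display name claims {brand!r} but sender domain is {sender}")
    body, collector = msg.get_body(preferencelist=("html",)), LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        shown, target = host_of(text), registrable(host_of(href))
        if shown and registrable(shown) != target:
            findings.append(f"link text shows {registrable(shown)} but goes to {target or href}")
    return findings

# Constructed sample: a "resent with corrected link" message, not taken from the article.
PHISH = ("From: Example Bank <alerts@examp1ebank-billing.example>\nContent-Type: text/html\n\n"
         '<a href="https://examplebank.example.account-verify.test/login">'
         "https://www.examplebank.example/signin</a>")
```

Calling `check_message(PHISH)` returns two findings: one for the sender domain and one for the link. The link in the sample uses `https://` and still fails the check.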
Vishing refers to “voice phishing,” or phishing over the phone. In a vishing scam, a criminal calls a target’s phone to get them to share personal or financial information. These scammers often spoof their phone numbers so they can appear to be calling from a trusted source, such as your bank or even the IRS, so they cannot be reported.
These scams often rely on social engineering tactics, such as creating a sense of urgency or fear to trick a victim into giving up sensitive information. Remember that legitimate institutions will never call you to ask for private information, such as your Social Security number or login credentials.
Smishing refers to “SMS phishing,” or phishing via SMS text message. With smishing, criminals trick people into clicking links to malicious websites.
These messages typically appear to come from trustworthy sources and entice victims by offering a coupon code or a chance to win a free prize. Smishing attacks are an example of phishing attacks that are easy to avoid: Don’t click links sent to you in an unsolicited text message.
Pharming is a sophisticated type of phishing attack where a scammer can redirect victims to the site of their choosing. They do this through “cache poisoning,” or targeting the domain name system (DNS), which is how the internet converts website names like “www.google.com” to IP addresses. The scammer will then change the IP address associated with a website name to redirect the victim to a malicious website.
Before entering login credentials, always check to make sure the URL starts with “HTTPS,” which usually indicates that your connection is secure (see HTTPS phishing below).
Angler phishing is a newer type of phishing attack. This scam targets victims through social media, cloned websites and even fake private messages.
In angler phishing, a scammer finds their targets through social media by looking for people who post public complaints about a well-known company, such as a bank or an online retailer. The attacker will impersonate a customer service account from that company to trick the complainer into giving the hacker access to their personal data or account credentials.
In a watering hole phishing attack, a criminal targets businesses by identifying specific websites that your employees often visit and then infecting one or more of those sites with malware. The malware gives the scammer access to your network and other sensitive information. You can protect your organization by practicing regular patch management and using network security tools to defend against malicious attacks.
In an HTTPS phishing attack, a scammer will send an email with a link to a “secure” website in the email body. Even if the link seems legitimate and contains “HTTPS” in the URL, it could lead to a malicious website.
One report found that more than half of all phishing scams are hosted on websites whose addresses include both the HTTPS designation and the padlock icon.
An evil twin attack is when a malicious wireless access point is disguised as a trustworthy WiFi network. These types of phishing attacks are often called the “Starbucks scam” because they often happen in coffee shops.
Once someone connects to a fake wireless network, the attacker can steal account credentials and corporate data that the user accessed while using the network. Avoid accessing private accounts when connected to unsecured public wireless networks or use a VPN to keep your data secure.
Does your business need protection against phishing attacks? With phishing emails coming from almost every direction, you might feel like your cybersecurity strategy could use a boost.
Helixstorm offers a wide range of solutions, including 24/7 managed IT services, application migration and professional consulting. Learn more about how Helixstorm can protect your business from all types of phishing attacks by scheduling a complimentary IT strategy session today.