Most Common Types of Phishing Attacks and How to Identify Them
1. Email Phishing
Phishing emails top this list as one of the oldest and most widely used
types of phishing attack. Most attempts target individuals with a message
that pretends to come from a trustworthy sender. A careful attacker copies
the exact email template of a legitimate company and includes a malicious
link, document, or image that tricks the user into "confirming" personal
information on a fake site or into opening an attachment that runs
malicious code.
How to Identify Email Phishing:
- Requests for personal information
- Legitimate companies will NEVER ask you to reply with passwords,
card numbers, or other personal information by email.
- Urgent problem - Many
scammers dress up their phishing attempt as an urgent notice, such as an
account breach, payment failure, login verification, or copyright
infringement. Do NOT click any links; open the company's website yourself
and check from there.
- Shortened links -
Shortened or condensed links mask the real destination. Services like
Bitly or TinyURL hide the actual address the link will take you to, so
expand the link before trusting it, or skip it.
- Non-domain email addresses
- Fraudulent senders often use free or third-party providers or
variations of the legitimate domain (ex. @upguardnow.com instead of
@upguard.com). Always check the actual sender address, not just the
display name, and make sure the domain matches the company's.
- Spelling & grammar mistakes
- Misspellings or grammar issues in a message claiming to come from a
company should raise a red flag; mass phishing is often written by
non-native speakers or machine-translated. The reverse is not a
guarantee: well-funded campaigns produce flawless copy.
- Any file attachments -
Unless you have verified the source, never open unexpected attachments,
especially .exe, .zip, and .scr files or names with a double extension
such as invoice.pdf.exe. Most companies will direct you to their website
to download files or documents.
- Single or blank image - If
the whole message is a screenshot-like image or an empty box with no
real text, the attacker is hiding the phishing text from content filters
and has usually made the entire image a clickable link to a fake site.
Do NOT click it. Remotely loaded images can also act as tracking pixels
that confirm your address is live.
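The checks above can be applied mechanically before a message ever reaches a person. The script below is an added example written for this article, not code from the original page: it parses a raw message with Python's standard email library and flags a sender domain outside a known list, a Reply-To that routes answers elsewhere, urgency language in the subject, and attachments with risky or double extensions. Both sample messages, the domains in them, and the keyword lists are constructed for the example.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Extensions the article calls out, plus other types mail gateways commonly block (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your", "action required")

# Constructed sample messages; every address and domain in them is made up.
SUSPICIOUS_RAW = """\
From: "UpGuard Billing" <billing@upguardnow.com>
Reply-To: collections@mail-relay.example
To: alice@example.org
Subject: URGENT: payment failed - verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Your payment failed. Open the attached invoice and confirm your details.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

TVqQAAMAAAAEAAAA
--XX--
"""

CLEAN_RAW = """\
From: "UpGuard Billing" <billing@upguard.com>
To: alice@example.org
Subject: Your March invoice is available
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your invoice is available in your account dashboard.
"""


def address_domain(header_value) -> str:
    """Return the lowercase domain of the first address in a From/Reply-To header."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: str, trusted_domains: set) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = address_domain(msg["From"])
    if from_domain not in trusted_domains:
        findings.append(f"sender domain {from_domain!r} is not a known domain")

    # A Reply-To that points somewhere else routes your answer to the attacker,
    # even when the From header itself looks right.
    if msg["Reply-To"]:
        reply_domain = address_domain(msg["Reply-To"])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency language in subject: {hits}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        ext = os.path.splitext(lower)[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky extension {ext}")
            if lower.count(".") >= 2:
                # "Invoice.pdf.exe" relies on clients that hide the last extension.
                findings.append(f"attachment {name!r} uses a double extension to look like a document")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        print(label, triage(raw, {"upguard.com"}))
```

The trusted-domain set is deliberately an exact match: a near miss such as upguardnow.com is reported as unknown rather than silently accepted, which is the behaviour you want from a first-pass filter.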
2. Spear Phishing
Spear phishing attacks are a more targeted form of email phishing that
focuses on specific individuals and organizations. Using open-source
intelligence (OSINT), criminals gather publicly available information and
target entire businesses or specific departments. The message references
personal details the attacker already collected, so the recipient is led
to believe it is an internal communication or comes from a trusted source.
How to Identify Spear Phishing:
- Unusual requests - If a
request from within your company asks for credentials or access the
sender would not normally need, confirm with that person over a
different channel (phone or chat) before acting. Using a second channel
also catches the case where the colleague's mailbox has been compromised.
- Links to shared drives -
If the sender claims to be a colleague or another trusted source, there
is no reason to send you a link to a drive you should already have
access to. The link is most likely malicious and can redirect you to a
fake login page.
- Unsolicited emails - If
the email provides an "important document" to download and view, but
you didn't request it, it could be a fake email. ALWAYS
verify the sender before opening.
- Specific mentions of personal
details - Scammers may be trying to justify themselves as a
trustworthy source by providing otherwise unnecessary information
about you. Obvious attempts to gain your trust should be viewed with
suspicion.
3. Whaling
If spear phishing emails target specific groups or individuals,
whaling is the practice of targeting high-level executives. It is
sometimes called CEO fraud, although that term is also used for the
impersonation attacks described under business email compromise below.
Whaling attacks are typically much more sophisticated, relying on OSINT,
plenty of research into the company's business practices, and a deep dive
into social media accounts. Because the goal is to dupe the executive, the
emails are usually fluent in business communications with near-perfect
English.
How to Identify Whaling Attacks:
- Incorrect domain address -
Unless a real mailbox has been compromised, scammers will use similar but
incorrect domains (ex. @upgaurd.con instead of @upguard.com). Read sender
domains character by character rather than trusting the display name.
- Use of personal email -
Any communication from other executives or business partners should
be done through work emails and NEVER through
personal emails. Even if the individual asks for help outside of
work, communicate with them directly through another offline channel
to verify their identity.
- New contact requests - If
you receive an email from a partner or supplier that has never
contacted you for business dealings, it may signify a phishing
attempt. Verify the communication through the proper channels or the
individual responsible for the account.
4. Business Email Compromise
(BEC)
A business email compromise is similar to whaling, but instead of
attempting to trick the executive, it impersonates them. Criminals
impersonate or obtain access to the email account of an executive with
decision-making authority and send internal requests to lower-level
employees, typically in finance or payroll.
In 2014, Omaha-based agriculture company Scoular became a victim of a BEC
attack. The corporate controller, Keith McMurtry, received an email
purporting to come from his CEO asking for an immediate wire transfer to
acquire a China-based company. The email named a lawyer who would handle
the transaction, and McMurtry wired a total of $17.2 million to an
offshore account. The email was fraudulent; the phone numbers and email
addresses it contained belonged to the attackers.
How to Identify Business Email
Compromise Attacks:
- Sense of urgency - Large
transactions and important business deals usually take time and pass
through multiple sets of eyes before they are finalized. It should raise
red flags if the communication sounds especially urgent and copies only
two or three people.
- Unusual behaviors -
Sophisticated BEC attacks will try to sound as professional as
possible, but it may be possible to notice differences in tone or
personality. If an executive talks or writes differently than usual,
keep an eye out for other signs of a phishing attack.
- No legal correspondence -
All business deals should involve a legal team or lawyer to ensure
legitimacy and legality. If no lawyer is looped into the email, seek
out the correct party through the company chain of command to verify
the email's legitimacy.
5. Voice Phishing
Voice phishing, also known as "vishing," is when a scammer calls your
phone number in an attempt to steal information or money. Caller-ID
spoofing lets criminals display the number of a bank, agency, or other
trusted source, so the number on your screen proves nothing. Typically,
the caller creates a sense of urgency to appear authoritative and to stop
the recipient from thinking clearly.
Some commonly used vishing attack tactics
include:
- A family member is in trouble and needs
monetary help
- IRS needs your social security number (SSN)
to confirm tax returns
- Pay a small fee to redeem a fake prize or
vacation that you didn't sign up for
- A warrant has been issued for your arrest
- Vehicle qualifies for extended warranty
- Your bank account has been flagged for
suspicious activity
- Guaranteed returns on investment
opportunities
- A large sum of debt that needs to be paid
How to Identify Voice Phishing:
- Blocked, unidentified, or spoofed number
- Phishing calls tend to come from blocked numbers or from spoofed
numbers that imitate a real organization. If you answer and the caller
sounds suspicious, hang up and call the organization back on a number you
looked up yourself.
- Requests for sensitive information
or money - Government agencies such as the IRS initiate contact by
official mail and will NEVER demand payment or your SSN over an
unsolicited phone call.
6. HTTPS Phishing
HTTPS (hypertext transfer protocol secure) phishing is a URL-based
attack that tricks users into clicking a link that looks safe because it
uses HTTPS. HTTPS is the standard protocol for encrypting traffic between
browsers and websites and requires the site to present a valid TLS
certificate (still often called an SSL certificate). In the past, a site
without HTTPS was an easy first-line warning sign.
However, certificates are now free and issued automatically to anyone who
controls a domain, so attackers routinely add HTTPS to phishing sites.
The padlock only proves that the connection to the domain in the address
bar is encrypted; it says nothing about whether that domain is the one
you meant to visit.
How to Identify HTTPS Phishing:
- Shortened URLs - Shortened
links can hide the link's true address and are a great way for
scammers to hide phishing attempts. Links should be in their
original format so you can verify their source.
- Hyperlinked text - Text
with clickable links can also lead you to malicious websites. Make
sure to hover over the link (without clicking on it) to see the
source URL.
- URL misspellings - Any
misspelling in the link's domain is an immediate telltale sign that the
link, and the message carrying it, is fake.
7. Clone Phishing
Instead of writing a fake email from scratch, clone phishing takes a real
email sent by an individual or company, copies it almost exactly, and
resends it to the target with a new malicious attachment or link. The
email appears to be a resend and lands at the top of the victim's inbox.
In some cases the phisher uses a lookalike address, but more sophisticated
attackers spoof the sender address so the message appears to come from
the legitimate domain.
How to Identify Clone Phishing:
- Duplicate emails - The
best way to recognize clone phishing is to review your recent
emails. If a duplicate appears, look for any new links in the more
recent email that may be a sign of phishing. ALWAYS
verify the correct link and compare it to previous email
communications.
- Misspelled email addresses
- Lookalike addresses usually contain a small difference that an
untrained eye will miss; compare the address with the original message
rather than with your memory of it.
- Hyperlinked text - When
hovering over a link, most browsers and mail clients show the real
destination (usually in a status bar at the bottom of the window). If
the URL doesn't match the text it is linked to, treat it as phishing.
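The "hover over the link" check from this section and from the HTTPS phishing section above is something a mail filter or a security team can do for the whole message body at once. The script below is an added example, not part of the original article: it extracts every anchor from an HTML body with Python's standard library and flags links whose visible text names a different site than the href, shortener hosts, raw IP addresses, punycode (xn--) labels, and plain HTTP. The HTML body, the hosts in it, and the shortener list are constructed for the example; the "last two labels" approximation of a registrable domain is a simplification that ignores suffixes such as co.uk.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Well-known shortener hosts; extend for your environment (assumed, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly"}
# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

# Constructed HTML body; none of these links or hosts are real.
SAMPLE_HTML = """
<p>Please <a href="https://bit.ly/3AbCdEf">review your invoice</a>.</p>
<p>Or sign in at <a href="https://upguard-login.example.net/auth">https://www.upguard.com/login</a>.</p>
<p>Secure portal: <a href="http://192.0.2.10/portal">customer portal</a></p>
<p>Help: <a href="https://xn--upgurd-6ya.com/help">help center</a></p>
<p>Docs: <a href="https://www.upguard.com/docs">UpGuard documentation</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html_text: str) -> list:
    """Return one record per link with the flags a reader should look for."""
    parser = _AnchorCollector()
    parser.feed(html_text)
    results = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        flags = []
        if host in SHORTENERS:
            flags.append("shortened-url")
        if is_ip_literal(host):
            flags.append("ip-literal-host")
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode-host")  # internationalised name, possibly a homograph
        if parts.scheme == "http":
            flags.append("plain-http")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            flags.append("text-host-mismatch")  # the text names one site, the href goes to another
        results.append({"href": href, "text": text, "host": host, "flags": flags})
    return results


if __name__ == "__main__":
    for record in analyze_links(SAMPLE_HTML):
        print(record["host"], record["flags"])
```

The text-host-mismatch flag is the one to treat as a hard fail: a legitimate sender has no reason to display one address and link to another.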
8. SMS Phishing
SMS phishing, or "smishing," is similar to
vishing, but instead of calling, scammers will send SMS text messages
with links or attachments. Because personal phone numbers are generally
less accessible to the public, individuals tend to trust text messages
more. However, with today's smartphones, it's just as easy for hackers
to
steal personal data through text message URLs.
How to Identify SMS Phishing:
- Unsolicited texts - Unless
you signed up for SMS message alerts directly, phishing messages
offering a free coupon or an amazing deal for a product you don't
use are an obvious sign of phishing. Other tactics may ask for you
to confirm account information, check on the status of an order, or
verify medical information.
- Unknown numbers - Getting
a request for information over text messaging should be a red flag.
Use a free number lookup service to see if you can get any more
information about the source of the text or contact related
individuals to get verification. As a good rule of thumb, don't
click on the link provided in the text and don't engage.
- Authentication request -
If you receive a one-time code or a login approval prompt that you did
not trigger, someone may already have your password and be trying to get
past two-factor authentication. Never share the code with anyone, and
change the password for that account immediately.
9. Pop-Up Phishing
Although most people have an ad or pop-up blocker installed in their web
browser, attackers can still place malicious content on websites, often
through compromised advertising networks. It may appear as a notification
box or look like a legitimate ad on the page. Anyone who clicks these
pop-ups or ads can be sent to a phishing page or a malware download.
How to Identify Pop-Up Phishing:
- Browser notifications -
Many browsers, including Chrome and Safari, prompt users to either
"Allow" or "Block" notifications when they visit a new site. Browsers do
not filter the content of those notifications, so if the user clicks
"Allow" on a malicious site, the site can keep sending notifications that
imitate system alerts and link to scam or malware pages.
- New tab or window - Web
surfing without pop-up blockers can be dangerous, particularly for
mobile devices. Visiting certain sites can trigger a new tab or
window to open with links to download malware.
- Urgent messages - Pop-ups
claiming that you need to update your antivirus or renew a
subscription are clear indicators of phishing. You should resolve
any updates, renewals, payments, or account issues on the main
website and not through a pop-up on an unrelated website.
10. Social Media Phishing
Aside from email, social media has become a
popular
attack vector for phishing attacks. With so much personal
information displayed through social media, attackers can easily use
social engineering attacks to access sensitive data. Billions of people
around the world use platforms like Facebook, Instagram, Snapchat, and
LinkedIn to network, which also increases the risk of phishing attempts.
These attacks usually involve a link that can
send you to malicious websites to steal important information. In some
cases, a scammer will befriend you in an attempt to steal money from you
by pretending to be in trouble.
The most commonly used tactics include:
- Offers or online discounts
- Surveys or contests
- Friend requests
- Fake videos
- Comments on videos or photos
How to Identify Social
Media Phishing:
- Suspicious links - Even if
you receive a link from your friend, it's possible that their
account may have been hacked. If the link contains spelling errors
or includes a random assortment of numbers, letters, and symbols, it
may be in your best interest to ignore the link.
- Suspicious account - If
you receive a message or friend request from an unknown individual,
do NOT accept. These accounts have little to no
activity in nearly all cases because they are new accounts looking
for phishing victims.
11. Angler Phishing
Attackers can take social media phishing to
another level by posing as customer support staff in an angler phishing
attack. The scammers will create a fake account and contact a
disgruntled user they found through comments or posts on a social media
account.
During the interaction, the scammer offers
assistance after verifying a few personal details and then provides a
link to help resolve the issues. Of course, the link contains malware
and the attacker has successfully exploited another victim.
How to Identify Angler Phishing:
- Non-verified account - An
official support page or account for a company will typically be
verified and linked directly from the company's main profile. If a large
company contacts you, check for the platform's verification badge next to
the name, but treat it as one signal rather than proof: on some platforms
the badge can be bought. Cross-check the account against the support page
or contact information on the company's own website.
- Lack of profile history -
For smaller businesses that may not be verified yet, they should
still have an extensive history of other customer interactions.
Accounts that have very few followers and no posts are most likely
brand new accounts trying to take advantage of people that won’t
bother checking.
12. Evil Twin Phishing
An evil twin phishing attack sets up a rogue Wi-Fi access point with the
same name as a legitimate hotspot to bait unsuspecting users into
connecting. Once a device connects, the attacker sits on the network path:
any traffic that is not encrypted with TLS can be read or altered, and
even for encrypted traffic the attacker can see which sites are visited.
Attackers also redirect users to a fake login or captive portal page in
the hope that they will type in valuable credentials.
Evil twin phishing attacks are most common in
public areas with free Wi-Fi, like coffee shops, libraries,
airports, or hotels. The best way to prevent becoming an evil twin
phishing target is to use a virtual private network (VPN) while using
public Wi-Fi.
How to Identify Evil Twin Phishing:
- Duplicate Wi-Fi hotspots -
If you notice multiple Wi-Fi access points with the same name, choose the
one that is secured and requires the password given by the establishment.
If both access points are unsecured, do not connect to either.
- Unsecure warnings - Some
laptops or mobile devices will trigger a notification that the
network you're connecting to is unsecured. If you receive this
message, consider connecting to a secure network or not connecting
at all.
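The duplicate-hotspot check can be automated from a normal Wi-Fi scan. The script below is an added example written for this article, not code from the original page; it parses the terse output format of `nmcli dev wifi list` (colons inside the BSSID are escaped as `\:` in that mode), groups access points by SSID, and reports names that are advertised both with and without security, or whose open copy is the strongest signal nearby. The scan text and every network in it are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed output in the shape of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`.
# None of these networks is real.
SAMPLE_SCAN = r"""
Cafe-Guest:AA\:BB\:CC\:00\:01\:02:WPA2:81
Cafe-Guest:DE\:AD\:BE\:EF\:00\:01::92
Airport_Free:11\:22\:33\:44\:55\:66::60
HomeNet:AA\:BB\:CC\:00\:01\:03:WPA2 WPA3:45
"""


def parse_nmcli(text: str) -> list:
    """Split terse nmcli lines on unescaped colons and unescape the BSSID."""
    aps = []
    for line in text.strip().splitlines():
        ssid, bssid, security, signal = re.split(r"(?<!\\):", line.strip())
        aps.append({
            "ssid": ssid,
            "bssid": bssid.replace(r"\:", ":").upper(),
            "security": security.strip(),  # empty string means an open network
            "signal": int(signal),
        })
    return aps


def find_evil_twins(aps: list) -> dict:
    """Return {ssid: [reasons]} for every SSID that shows the evil-twin pattern."""
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    suspicious = {}
    for ssid, group in by_ssid.items():
        reasons = []
        open_aps = [ap for ap in group if not ap["security"]]
        secured_aps = [ap for ap in group if ap["security"]]
        if open_aps and secured_aps:
            # Same name, one copy with a password and one without: the open copy is the bait.
            reasons.append(f"open BSSID {open_aps[0]['bssid']} duplicates a secured network")
        if len({ap["security"] for ap in group}) > 1:
            reasons.append("same SSID advertised with different security settings")
        strongest = max(group, key=lambda a: a["signal"])
        if len(group) > 1 and not strongest["security"]:
            # An attacker sitting near the victim usually out-powers the real access point.
            reasons.append("open copy is the strongest signal")
        if reasons:
            suspicious[ssid] = reasons
    return suspicious


def safest_bssid(aps: list, ssid: str) -> Optional[str]:
    """Pick the secured access point for an SSID, or None if only open copies exist."""
    secured = [ap for ap in aps if ap["ssid"] == ssid and ap["security"]]
    return max(secured, key=lambda a: a["signal"])["bssid"] if secured else None


if __name__ == "__main__":
    scan = parse_nmcli(SAMPLE_SCAN)
    for ssid, reasons in find_evil_twins(scan).items():
        print(ssid, reasons, "-> connect to", safest_bssid(scan, ssid))
```

A single open hotspot such as the airport network above is not flagged, because nothing in the scan contradicts it; that case is exactly where a VPN earns its keep.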
13. Website Spoofing
Attackers will create an entirely fake website
in a website spoofing attempt to steal your personal information. A
well-made fake website will contain the same elements as the original,
including logos, text, colors, and functionality. Finance, healthcare,
and social media websites are commonly spoofed because they often
contain your most important information.
How to Identify Website
Spoofing:
- URL misspellings - Attackers
often rely on homograph attacks, which exploit the visual similarity
between characters. For example, you might see "rn" in place of an "m",
"vv" (two v's) instead of a "w", a digit 1 instead of a lowercase l, or
an internationalized domain that uses a Cyrillic letter in place of the
Latin one that looks identical.
- Website errors - Very
rarely are websites perfectly spoofed to match the original.
Sometimes the site logos are slightly more pixelated, or you might
notice the text is misaligned. If anything looks off, stop using the
website immediately, especially if you had accessed it from a link
sent to you through email or messaging. It always helps to keep the
original website bookmarked so you can easily access it.
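The homograph and misspelling examples given here, under whaling (@upgaurd.con), and under email spoofing below can be scored against a list of domains you care about. The script below is an added example written for this article, not code from the original page: it decodes punycode so the domain is judged on what the user actually sees, collapses a small hand-picked set of confusable characters and letter pairs, and then uses an edit distance that counts adjacent transpositions (so "upgaurd" is one edit from "upguard"). The protected-domain list, the confusable table (a subset of Unicode's full confusables data), and the distance threshold are assumptions to tune for your own environment.

```python
import unicodedata

# Characters from other scripts (and digits) that render like Latin letters.
# A small hand-picked subset of the Unicode confusables table, not the full list.
CONFUSABLE_CHARS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                                 # Greek
    "0": "o", "1": "l",                                                          # digits
})
# Letter pairs that look like a single letter in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Assumed list of domains you want to protect; replace with your own.
PROTECTED = {"upguard.com", "microsoft.com"}


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so lookalikes are judged on what the user sees."""
    host = host.strip().lower().rstrip(".")
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    return host[4:] if host.startswith("www.") else host


def normalize(host: str) -> str:
    """Collapse visually similar spellings to one canonical form (applied to both sides)."""
    s = unicodedata.normalize("NFKC", host).translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, protected: set = PROTECTED, max_distance: int = 2):
    """Return (verdict, matched_domain); verdict is legitimate, homograph, lookalike or unrelated."""
    seen = to_unicode_host(host)
    if seen in protected:
        return "legitimate", seen
    canon = normalize(seen)
    best, best_dist = None, max_distance + 1
    for real in protected:
        real_canon = normalize(real)
        if canon == real_canon:
            return "homograph", real  # identical once confusables are collapsed
        dist = osa_distance(canon, real_canon)
        if dist < best_dist:
            best, best_dist = real, dist
    if best is not None and best_dist <= max_distance:
        return "lookalike", best
    return "unrelated", None


if __name__ == "__main__":
    cyrillic_a = "upgu\u0430rd.com".encode("idna").decode("ascii")  # what a mail client shows as xn--...
    for candidate in ("www.upguard.com", "upgaurd.con", "rnicrosoft.com", cyrillic_a, "example.org"):
        print(candidate, classify(candidate))
```

Normalizing both the candidate and the protected domain keeps legitimate names that happen to contain "rn" or "vv" from being flagged against themselves; the threshold of two edits is generous for short domains and should be lowered if the list contains names of five or six characters.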
14. Email Spoofing
Email spoofing is when a scammer forges the sender address so that a
message appears to come from a domain it was never sent from. To avoid
detection, the attacker writes a legitimate domain into the From header
in the hope that the target will not check where the message actually
originated. The Simple Mail Transfer Protocol (SMTP) itself performs no
verification of the From header, so spoofing the address costs nothing.
The sender-authentication standards SPF, DKIM, and DMARC exist to close
this gap: a receiving server that enforces them can reject messages whose
From domain does not match an authenticated sender, which is why attackers
increasingly fall back on lookalike domains instead.
Phishers can also choose to hide the sender's
address to display only the name. They may try to use a real name that
the targeted user will recognize so that they'll open the email. When
the attacker combines both a real name and the legitimate domain name in
the header, it can easily trick unsuspecting users.
Domain spoofing is different from DNS spoofing: it forges the header or
registers a lookalike domain rather than tampering with how a real domain
name is resolved.
How to Identify Email Spoofing:
- Unsolicited emails - Any
unexpected emails, particularly ones that make requests, should be
the first red flag of a phishing attempt. Take a closer look at the
messaging and use another communication channel to verify the email.
- Email address misspellings
- Fake domains are meant to look legitimate at first glance, but a closer
look may reveal a homograph attack. If you suspect a fake domain, copy the
address into a plain-text editor so it renders in a font that shows the
difference; many clients also display internationalized domains in their
raw "xn--" punycode form, which is itself a warning sign for a domain
that should be plain ASCII.
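Where the reader has to rely on eyesight, the receiving mail server has better evidence: the Authentication-Results header it adds records whether SPF, DKIM, and DMARC passed and for which domain. The script below is an added example written for this article, not code from the original page; it parses that header, checks DMARC-style alignment between the From domain and the authenticated SPF or DKIM domain, and flags the display-name trick in which an address such as ceo@upguard.com is shown as the name on a message sent from an unrelated mailbox. The three sample messages, the domains in them, and the server identifier mx.example.org are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Trust only the Authentication-Results header that your own mail server added
# (identified by its authserv-id); a sender can forge copies that arrive with the message.
MY_AUTHSERV_ID = "mx.example.org"  # assumed identifier of your receiving server

SPOOFED_RAW = """\
Return-Path: <bounce@mailer-relay.example>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer-relay.example;
 dkim=pass header.d=mailer-relay.example;
 dmarc=fail header.from=upguard.com
From: "UpGuard Support" <support@upguard.com>
To: alice@example.org
Subject: Password reset required

Click the link below to reset your password.
"""

LEGIT_RAW = """\
Return-Path: <bounce@upguard.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=upguard.com;
 dkim=pass header.d=upguard.com;
 dmarc=pass header.from=upguard.com
From: "UpGuard Support" <support@upguard.com>
To: alice@example.org
Subject: Your weekly report

Your report is ready in your dashboard.
"""

DISPLAY_NAME_RAW = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example
From: "ceo@upguard.com" <quick.reply.2291@freemail.example>
To: alice@example.org
Subject: Are you at your desk?

I need a favour, reply as soon as you see this.
"""

DOMAIN_LIKE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def org_domain(domain: str) -> str:
    """Relaxed-alignment approximation: compare the last two labels only (no public-suffix list)."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def parse_auth_results(value) -> dict:
    """Extract method results and the domains they were evaluated against."""
    text = " ".join(str(value).split())  # unfold the header
    out = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
        out[method] = result
    for key, field in (("spf_domain", "smtp.mailfrom"), ("dkim_domain", "header.d"), ("from_domain", "header.from")):
        m = re.search(re.escape(field) + r"=([^\s;]+)", text)
        if m:
            out[key] = m.group(1).rpartition("@")[2].lower()  # smtp.mailfrom may be a full address
    return out


def check_sender(raw: str) -> dict:
    """Evaluate DMARC-style alignment and display-name tricks for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        if str(header).strip().startswith(MY_AUTHSERV_ID):  # ignore forged or foreign copies
            auth = parse_auth_results(header)
    spf_aligned = auth.get("spf") == "pass" and org_domain(auth.get("spf_domain", "")) == org_domain(from_domain)
    dkim_aligned = auth.get("dkim") == "pass" and org_domain(auth.get("dkim_domain", "")) == org_domain(from_domain)
    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no authenticated identity aligns with From domain {from_domain!r}")
    if auth.get("dmarc") == "fail":
        findings.append("receiving server reported dmarc=fail")
    shown = DOMAIN_LIKE.search(display_name.lower())
    if shown and org_domain(shown.group(0)) != org_domain(from_domain):
        findings.append(f"display name shows {shown.group(0)!r} but the address is at {from_domain!r}")
    return {"from_domain": from_domain, "auth": auth, "aligned": spf_aligned or dkim_aligned, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW), ("display-name", DISPLAY_NAME_RAW)):
        print(label, check_sender(raw)["findings"])
```

Note that the display-name message passes SPF and DKIM: the attacker's own domain authenticates perfectly, which is why alignment alone does not catch it and the display-name check is needed as well.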
15. DNS Spoofing
DNS spoofing attacks (also known as DNS cache poisoning or pharming) are
a more technical attack in which criminals poison or compromise a DNS
resolver, the server that translates domain names into IP addresses, or
tamper with the victim's router or hosts file. Once resolution is
controlled, a correctly typed domain name quietly resolves to an IP
address the attacker owns, with no malicious link required.
Once the user lands on the corrupted website,
one of two things may happen - 1) Malware is
automatically downloaded onto the device, or 2) A
spoofed website may appear, prompting the user to enter their login
information or ask to confirm personal information or credit card
numbers.
How to Identify Pharming Attacks:
- Certificate warnings and missing HTTPS -
An attacker who hijacks resolution still cannot obtain a valid
certificate for the real domain, so a browser certificate warning on a
site you visit every day, or a site that suddenly loads over HTTP instead
of HTTPS, is the strongest sign of pharming. Never click through such a
warning.
- Website errors - A fake
website usually contains errors, including misspellings, buttons
that don't work, low-quality images, misaligned text, or wrong
colors.
16. Image-Based Phishing
Image-based phishing usually finds itself in the
content of a phishing email. In addition to hyperlinks and malicious
URLs, images can also contain links to infected websites. In some cases,
the image included may be the only thing in the email that has a
phishing intention just to fool users into thinking the email is safe.
How to Identify Image-Based Phishing:
- Embedded image link -
Hover over the image to check if there’s a link to a non-official,
third-party website. Does the link have spelling errors? Generally,
it’s safe to open and read an email to investigate, as long as you
don’t click on anything.
- Spam email - Any email
that was sent straight to the spam folder could be a sign of a
phishing attempt, even if it seems like an official email from the
company or individual. There are many ways to make an email seem
legitimate, but if it has been flagged as spam, there may be
phishing elements detected by the email server.
- Large CTA buttons - A
popular phishing tactic is to include an inviting and eye-catching
call-to-action (CTA) button, similar to sales promotional emails.
Individuals that act mindlessly may not think twice and click on the
button just because it told them to. Make sure that you verify the
sender, URLs, and email content before clicking on the CTA image.
17. Search Engine Phishing
In search engine phishing, scammers create legitimate-looking pages built
around high-value keywords and searches so that they rank on popular
search engines such as Google or Bing, sometimes by buying sponsored
results. These pages usually feature an eye-catching offer to lure
unsuspecting users. Once users land on them, they are asked to enter
banking information or their SSN. These fake pages often advertise:
- Free products
- Free vacation
- Investment opportunities
- Discount codes
- Job offers
- Dating matches
- Infected by computer virus
How to Identify Search Engine Phishing:
- Once-in-a-lifetime offers
- Nothing is truly free, and if it sounds too good to be true, it
probably is. Criminals are looking to take advantage of people
trying to make a quick buck or cut corners on spending. Do your due
diligence and properly research a website or offer before you accept
and start entering your personal information.
- Poorly made websites -
Many of these websites are made extremely quickly because they tend
to get shut down once they get reported. If it looks like a
low-quality site with minimal functionality and excess links, avoid
it at all costs.
18. Watering Hole Phishing
Watering hole phishing is a tactic that targets one particular company or
group of people by compromising a third-party website they visit
frequently. The attackers find and exploit a vulnerability on the site,
plant malware or a fake login prompt there, and then wait for the target
group to visit, sometimes nudging them with emails that point to the site.
Although this type of attack is less common than the others, a single
infected workstation gives the attackers a foothold from which to move
further into the organization's network. Other visitors to the site can
also become victims, even if they have no relation to the targeted group.
How to Identify Watering Hole Phishing:
- Security alerts - One of
the first signs of a phishing attack is when your antivirus or
anti-malware software detects an attack. That's why it's important
to keep your security solutions updated so the software can detect
phishing attempts automatically.
- Security testing - Because
it's hard to control
third-party risk, the best way to identify potential cyber
threats is to continually test your security defenses and install
security patches. If the third-party site is frequently visited,
installing endpoint protection software can protect against watering
hole phishing attacks.
19. Man-in-the-Middle (MITM) Phishing
A man-in-the-middle phishing attack is when an attacker intercepts and
alters a communication chain, effectively becoming the "middleman." The
attacker then controls the communication flow and relays every message
between the two parties. While intercepting the data, they can read or
manipulate it to harvest personal information from both sides, and modern
phishing kits use the same technique against login pages to capture
session cookies after the victim has completed two-factor authentication.
How to Identify MITM attacks:
Generally, MITM attacks are hard to detect, as
URL errors are more likely the result of another phishing method.
Network administrators must constantly monitor traffic to detect altered
communication. Some signs that should raise red flags are:
- Unsecured websites - When
browsing, always glance at the padlock next to the URL in the browser's
address bar. A locked padlock shows that the site presented a valid TLS
certificate and is using HTTPS instead of HTTP; a certificate warning on
a site that normally has none is the classic sign of an interception
attempt. Remember that the padlock does not prove the domain itself is
legitimate.
- URL misspellings - If the
URL is misspelled or has random characters inserted into it,
double-check the website from a different device and network.
- Noticeably slower messaging
- Instant messaging platforms typically have little to no delay when
sending messages. Platforms that don't use end-to-end encryption can fall
victim to a MITM attack, and messages that take noticeably longer to
send could be a sign of one, although this is a weak signal on its own.