Phishing attacks make up over 90% of all data breaches (according to Cisco's 2021 Cybersecurity Threat Trends Report), far outnumbering malware and ransomware attacks, affecting millions of users yearly. The main issue with phishing attacks is that users and organizations are poorly trained to identify them. Even with the latest security protocols and software in place, it's impossible to fully protect against cyber threats without proper security awareness training.
As technology advances, hackers and cybercriminals will find new phishing techniques to steal sensitive data. To protect yourself from an inevitable phishing attempt, follow this comprehensive guide to the most common types of phishing attacks used today.
What is a Phishing Attack?
A phishing attack is a type of cyber attack that uses social engineering tactics to steal sensitive information from victims. Most successful attacks trick users into opening malicious links or files by appearing to come from a reputable source. Phishing attacks are often used in conjunction with malware attacks to cripple the user or organization further.
Behind every successful phishing attack, a threat actor has studied user behavior to identify the easiest route to stealing information and data. Nearly every type of phishing attack requires a user to click a link or open a file to provide entry into a system or automatically download malicious software. Cybercriminals have become experts at crafting seemingly harmless, targeted attacks to exploit unsuspecting users.
Learning basic cybersecurity practices is the best way to protect and prevent phishing attacks. Practicing safe web surfing, data security, email security, and recognizing different types of phishing scams can greatly reduce the risk of becoming a victim.
Common Signs of Phishing Attempts
- Requests for personal data, login credentials, or credit card information
- Unreasonable threats
- Sense of urgency
- Spelling or grammatical errors
- Suspicious URLs
- Once-in-a-lifetime offers
Most Common Types of Phishing Attacks and How to Identify Them
1. Email Phishing
Phishing emails top this list as one of the oldest and most commonly used types of phishing attacks. Most attempts use emails to target individuals by pretending to come from a trustworthy sender. Dedicated hackers will copy the exact email format from a legitimate company and include a malicious link, document, or image file that can trick the user into "confirming" their personal information or automatically download malicious code.
How to Identify Email Phishing:
- Requests for personal information - Legitimate companies will NEVER ask for your personal information through email.
- Urgent problem - Many scammers will disguise their phishing attempt with an urgent notice, such as an account breach, payment failure, login verification, or copyright infringement. Do NOT click on any links and go directly to the website to check.
- Shortened links - Shortened or condensed links are a way to mask malicious URLs. Services like Bitly or TinyURL can hide the actual web address the link will take you to.
- Non-domain email addresses - Fraudulent email addresses often use third-party providers or variations of legitimate email domains (ex. @upguardnow.com instead of @upguard.com). Always hover over the sender's email address to ensure it matches the user's or company's name.
- Spelling & grammar mistakes - Any misspellings or grammar issues in an email should trigger a red flag. Scammers often come from non-English speaking countries.
- Any file attachments - Unless the source is verified, a good rule of thumb is never to open any attachments, especially if they include .exe, .zip, and .scr extensions. Most companies will direct you to their website to download files or documents.
- Single or blank image - If the email is a screenshot of an email or a blank box but with no real text, do NOT click on the image. Malware code may be tied to the image that can trigger an automatic download.
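The red flags in the list above can be checked mechanically before anyone clicks. The following Python script is an added example, not code from the original article or from UpGuard: it parses a constructed sample message with the standard library and reports the signals the list names (risky attachment extensions, shortener hosts such as bit.ly and tinyurl.com, urgency phrases, and an image-only body). The sample message, the phrase list and the shortener list are assumptions for illustration; extend them with what you see in your own mail flow.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the article singles out as risky attachments.
DANGEROUS_EXTENSIONS = (".exe", ".zip", ".scr")
# Shortener hosts named in the article; assumption that this list is extended locally.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}
# Urgency lures drawn from the "urgent problem" item (account breach, payment failure,
# login verification, copyright infringement); the exact phrases are an assumption.
URGENCY_PHRASES = ("urgent", "suspended", "payment failed", "verify your login",
                   "copyright infringement", "within 24 hours")

# Constructed sample message for the demo; not a real phishing email.
SAMPLE_EMAIL = b"""From: "Account Services" <security@upguardnow.com>
To: user@example.com
Subject: Urgent: your account has been suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payment failed. Verify your login within 24 hours:
<a href="https://bit.ly/3abcXYZ">Verify now</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAoAAAAAAA==
--b1--
"""


class _HtmlSummary(HTMLParser):
    """Collects hrefs, image count and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.images, self.text = [], 0, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def analyze_message(raw):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings, urls, text_chunks, image_count = [], [], [], 0
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if name.endswith(DANGEROUS_EXTENSIONS):
                findings.append(f"risky attachment: {name}")
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            summary = _HtmlSummary()
            summary.feed(part.get_content())
            urls += summary.hrefs
            text_chunks += summary.text
            image_count += summary.images
        elif ctype == "text/plain":
            body = part.get_content()
            urls += re.findall(r"https?://[^\s\"'<>]+", body)
            text_chunks.append(body)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides destination: {url}")
    haystack = (str(msg.get("Subject", "")) + " " + " ".join(text_chunks)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in haystack:
            findings.append(f"urgency lure: '{phrase}'")
    # The "single or blank image" item: pictures but no real text in the body.
    if image_count and not text_chunks:
        findings.append("image-only body with no real text")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print("-", finding)
```

The script never fetches a link or opens an attachment; it only inspects the message structure, which is the safe way to triage a suspicious email before deciding whether to report it.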
2. Spear Phishing
Spear phishing attacks are a more targeted approach to email phishing that focuses on specific individuals and organizations. Using open-source intelligence (OSINT), criminals can gather publicly available information and target entire businesses or subdepartments. They may trick users into believing the email is an internal communication or from a trustworthy source due to access to personal information.
How to Identify Spear Phishing:
- Unusual requests - If the requests come from within your company asking for credentials above their pay grade, message the individual directly using another communication channel for confirmation. Using direct messaging methods can also be helpful in the event of a hacked email.
- Links to shared drives - If the scammer pretends to be an internal or other trustworthy source, there is no need to share links to a drive you should already have access to. The link is most likely corrupted and can redirect you to a fake website.
- Unsolicited emails - If the email provides an "important document" to download and view, but you didn't request it, it could be a fake email. ALWAYS verify the sender before opening.
- Specific mentions of personal details - Scammers may be trying to justify themselves as a trustworthy source by providing otherwise unnecessary information about you. Obvious attempts to gain your trust should be viewed with suspicion.
3. Whaling
If spear phishing emails target specific groups or individuals, whaling is the practice of targeting high-level executives. Also known as CEO fraud, whaling attacks are typically much more sophisticated, relying on OSINT, plenty of research into the company's business practices, and even a deep dive into social media accounts. Because the goal is to successfully dupe the executive, the emails are usually extremely fluent in business communications with near-perfect English.
How to Identify Whaling Attacks:
- Incorrect domain address - Unless an email account has been compromised, scammers will attempt to use similar, but incorrect, domain addresses (ex. @upgaurd.con instead of @upguard.com). It's important to keep a careful eye on the sender domain when viewing email communications.
- Use of personal email - Any communication from other executives or business partners should be done through work emails and NEVER through personal emails. Even if the individual asks for help outside of work, communicate with them directly through another offline channel to verify their identity.
- New contact requests - If you receive an email from a partner or supplier that has never contacted you for business dealings, it may signify a phishing attempt. Verify the communication through the proper channels or the individual responsible for the account.
4. Business Email Compromise (BEC)
A business email compromise is similar to whaling, but instead of attempting to trick the executive, it impersonates them. Criminals will impersonate or obtain access to an executive email account with decision-making authority and send internal requests to lower-level employees.
In 2014, Omaha-based agriculture company Scoular became a victim of a BEC attack. The corporate controller, Keith McMurtry, received an email from his CEO asking for an immediate wire transfer to acquire a Chinese-based company. The email named a lawyer who would be in charge of the transaction, and McMurtry wired a total of $17.2 million to an offshore account. However, the email was ultimately fraudulent, containing fake phone numbers and email addresses.
How to Identify Business Email Compromise Attacks:
- Sense of urgency - Large transactions and important business deals usually take time and pass through multiple sets of eyes before finalizing. It should raise red flags if the communication sounds especially urgent and does not have more than 2 or 3 people on the email.
- Unusual behaviors - Sophisticated BEC attacks will try to sound as professional as possible, but it may be possible to notice differences in tone or personality. If an executive talks or writes differently than usual, keep an eye out for other signs of a phishing attack.
- No legal correspondence - All business deals should involve a legal team or lawyer to ensure legitimacy and legality. If no lawyer is looped into the email, seek out the correct party through the company chain of command to verify the email's legitimacy.
5. Voice Phishing
Voice phishing, also known as "vishing," is when a scammer calls your phone number in an attempt to steal information or money. New sophisticated technology allows criminals to spoof caller IDs and pretend to be from a trusted source. Typically, the caller will create a sense of urgency to appear authoritative and prevent the recipient from thinking clearly.
Some commonly used vishing attack tactics include:
- A family member is in trouble and needs monetary help
- IRS needs your social security number (SSN) to confirm tax returns
- Pay a small fee to redeem a fake prize or vacation that you didn't sign up for
- A warrant has been issued for your arrest
- Vehicle qualifies for extended warranty
- Your bank account has been flagged for suspicious activity
- Guaranteed returns on investment opportunities
- A large sum of debt that needs to be paid
How to Identify Voice Phishing:
- Blocked or unidentified number - Phishing calls tend to come from blocked numbers. If you answer and the caller sounds suspicious, hang up immediately.
- Requests for sensitive information or money - Government organizations always conduct business through official mail and will NEVER ask for your personal information over a phone call.
6. HTTPS Phishing
HTTPS (hypertext transfer protocol secure) phishing is a URL-based attack that attempts to trick users into clicking a seemingly safe link. HTTPS is the standard protocol for traffic encryption between browsers and websites and requires TLS/SSL certificates to be enabled. In the past, browsers could detect sites that did not have HTTPS enabled as the first line of protection against cybercrime.
However, hackers now can obtain these certificates for free and add HTTPS to their phishing sites, making it harder to distinguish between what is safe and what is not.
How to Identify HTTPS Phishing:
- Shortened URLs - Shortened links can hide the link's true address and are a great way for scammers to hide phishing attempts. Links should be in their original format so you can verify their source.
- Hyperlinked text - Text with clickable links can also lead you to malicious websites. Make sure to hover over the link (without clicking on it) to see the source URL.
- URL misspellings - Any misspellings in the email domain are an immediate telltale sign that the email is fake.
7. Clone Phishing
Instead of sending fake emails, clone phishing takes a real email sent by an individual or company, copies it to near-identical levels, and resends it to the target with a new corrupted attachment or link. The email will appear as a resend and display at the top of the victim's inbox. In some cases, the phisher will use a fake but similar email, but more sophisticated hackers will spoof the email address to appear as if sent by a legitimate domain.
How to Identify Clone Phishing:
- Duplicate emails - The best way to recognize clone phishing is to review your recent emails. If a duplicate appears, look for any new links in the more recent email that may be a sign of phishing. ALWAYS verify the correct link and compare it to previous email communications.
- Misspelled email addresses - Although minor, fake emails will usually always have a slight error that an untrained eye might miss.
- Hyperlinked text - When hovering over a link, browsers will show the real address in the bottom left of the screen. If the URL doesn't match the text that it's linked to, it could be a sign of phishing.
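The two "hyperlinked text" items (here and under HTTPS phishing above) and the advice to compare a resent email's links with the original can be automated. The Python below is an added example, not the article's or UpGuard's code: it extracts every link from an HTML body, flags anchors whose visible text shows one domain while the href points to another, and lists link hosts that appear in a resent copy but not in the original. The two message bodies are constructed samples, and the `.test` host is a placeholder, not a real domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample bodies: the genuine invoice notice and a "resent" clone whose link was swapped.
ORIGINAL_BODY = ('<p>Your invoice is ready.</p>'
                 '<p><a href="https://billing.example.com/inv/42">billing.example.com</a></p>')
RESENT_BODY = ('<p>Your invoice is ready (resent).</p>'
               '<p><a href="https://billing-example-com.evil.test/inv/42">billing.example.com</a></p>')


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(value):
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    value = value.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """Links whose visible text looks like a URL or domain but whose href goes somewhere else."""
    out = []
    for text, href in extract_links(html):
        looks_like_url = re.search(r"(https?://|www\.|\.[a-z]{2,}(/|$))", text, re.I)
        if looks_like_url:
            shown, actual = _host(text), _host(href)
            if shown and actual and shown != actual:
                out.append((text, href))
    return out


def new_link_targets(original_html, resent_html):
    """Link hosts present in the resent copy but absent from the original (clone phishing check)."""
    original_hosts = {_host(h) for _, h in extract_links(original_html) if h}
    resent_hosts = {_host(h) for _, h in extract_links(resent_html) if h}
    return sorted(resent_hosts - original_hosts)


if __name__ == "__main__":
    print("mismatched in resent copy:", mismatched_links(RESENT_BODY))
    print("hosts new in resent copy:", new_link_targets(ORIGINAL_BODY, RESENT_BODY))
```

Anchors with ordinary call-to-action text ("Verify now") are not judged by the text check, since there is no displayed domain to compare; for those the clone comparison against an earlier, trusted copy of the email is the useful signal.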
8. SMS Phishing
SMS phishing, or "smishing," is similar to vishing, but instead of calling, scammers will send SMS text messages with links or attachments. Because personal phone numbers are generally less accessible to the public, individuals tend to trust text messages more. However, with today's smartphones, it's just as easy for hackers to steal personal data through text message URLs.
How to Identify SMS Phishing:
- Unsolicited texts - Unless you signed up for SMS message alerts directly, phishing messages offering a free coupon or an amazing deal for a product you don't use are an obvious sign of phishing. Other tactics may ask you to confirm account information, check on the status of an order, or verify medical information.
- Unknown numbers - Getting a request for information over text messaging should be a red flag. Use a free number lookup service to see if you can get any more information about the source of the text or contact related individuals to get verification. As a good rule of thumb, don't click on the link provided in the text and don't engage.
- Authentication request - If you receive an unauthorized authentication request, someone may be trying to access one of your accounts. You should change your password immediately if you receive one of these texts to prevent further access.
9. Pop-Up Phishing
Although most people have an ad or pop-up blocker installed on their web browsers, hackers can still embed malware on websites. They may come as notification boxes or look like legitimate ads on a web page. Anyone that clicks on these pop-ups or ads will become infected with malware.
How to Identify Pop-Up Phishing:
- Browser notifications - Many browsers, including Chrome and Safari, will prompt users to either "Allow" or "Decline" notifications when they visit a new site. Browsers don't filter out spam notifications, so if the user accidentally clicks "Allow," malicious code could be automatically downloaded.
- New tab or window - Web surfing without pop-up blockers can be dangerous, particularly for mobile devices. Visiting certain sites can trigger a new tab or window to open with links to download malware.
- Urgent messages - Pop-ups claiming that you need to update your antivirus or renew a subscription are clear indicators of phishing. You should resolve any updates, renewals, payments, or account issues on the main website and not through a pop-up on an unrelated website.
10. Social Media Phishing
Aside from email, social media has become a popular attack vector for phishing attacks. With so much personal information displayed through social media, attackers can easily use social engineering attacks to access sensitive data. Billions of people around the world use platforms like Facebook, Instagram, Snapchat, and LinkedIn to network, which also increases the risk of phishing attempts.
These attacks usually involve a link that can send you to malicious websites to steal important information. In some cases, a scammer will befriend you in an attempt to steal money from you by pretending to be in trouble.
The most commonly used tactics include:
- Offers or online discounts
- Surveys or contests
- Friend requests
- Fake videos
- Comments on videos or photos
How to Identify Social Media Phishing:
- Suspicious links - Even if you receive a link from your friend, it's possible that their account may have been hacked. If the link contains spelling errors or includes a random assortment of numbers, letters, and symbols, it may be in your best interest to ignore the link.
- Suspicious account - If you receive a message or friend request from an unknown individual, do NOT accept. These accounts have little to no activity in nearly all cases because they are new accounts looking for phishing victims.
11. Angler Phishing
Attackers can take social media phishing to another level by posing as customer support staff in an angler phishing attack. The scammers will create a fake account and contact a disgruntled user they found through comments or posts on a social media account.
During the interaction, the scammer offers assistance after verifying a few personal details and then provides a link to help resolve the issues. Of course, the link contains malware and the attacker has successfully exploited another victim.
How to Identify Angler Phishing:
- Non-verified account - An official support page or account for a company will typically be verified and be directly linked to the main page. If a large company such as Twitter or Facebook contacts you, make sure they have a blue checkmark next to their name. You can also check the company website for their official support page or contact information.
- Lack of profile history - Smaller businesses that may not be verified yet should still have an extensive history of other customer interactions. Accounts that have very few followers and no posts are most likely brand new accounts trying to take advantage of people who won't bother checking.
12. Evil Twin Phishing
An evil twin phishing attack creates an unsecured Wi-Fi hotspot access point that baits unsuspecting users into connecting. Once connected, all inbound and outbound data can be intercepted, including personal data or financial information. Hackers can also prompt the users to visit a fake website portal in hopes the user will provide valuable authentication details.
Evil twin phishing attacks are most common in public areas with free Wi-Fi, like coffee shops, libraries, airports, or hotels. The best way to prevent becoming an evil twin phishing target is to use a virtual private network (VPN) while using public Wi-Fi.
How to Identify Evil Twin Phishing:
- Duplicate Wi-Fi hotspots - If you notice multiple Wi-Fi access points with the same name, look for the one that is secured and requires a password (given by the establishment) to connect. If both access points are unsecured, the safe choice is not to connect to either.
- Unsecure warnings - Some laptops or mobile devices will trigger a notification that the network you're connecting to is unsecured. If you receive this message, consider connecting to a secure network or not connecting at all.
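The "duplicate Wi-Fi hotspots" rule can be applied to a scan list before connecting. The Python below is an added example, not the article's or UpGuard's code: it groups a constructed scan result by network name, and for every name that appears more than once applies the two rules from the list (prefer the secured access point; if every copy is open, avoid the name altogether). The scan data and BSSIDs are constructed, and the "same-security" verdict is an assumption that several secured access points sharing one name are normally a legitimate multi-AP deployment that cannot be told apart by name alone.

```python
from collections import defaultdict

# Constructed scan results in the shape a laptop or phone lists nearby networks; not real networks.
SCAN_RESULTS = [
    {"ssid": "CafeGuest",    "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CafeGuest",    "bssid": "de:ad:be:ef:00:02", "security": "OPEN"},
    {"ssid": "Library-WiFi", "bssid": "aa:bb:cc:00:00:03", "security": "OPEN"},
    {"ssid": "HotelNet",     "bssid": "aa:bb:cc:00:00:04", "security": "WPA2"},
    {"ssid": "HotelNet",     "bssid": "aa:bb:cc:00:00:05", "security": "WPA2"},
    {"ssid": "Airport Free", "bssid": "aa:bb:cc:00:00:06", "security": "OPEN"},
    {"ssid": "Airport Free", "bssid": "de:ad:be:ef:00:07", "security": "OPEN"},
]


def review_duplicate_ssids(scan):
    """Apply the article's two rules to every SSID that appears more than once in a scan."""
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net["ssid"]].append(net)

    report = {}
    for ssid, nets in by_ssid.items():
        if len(nets) < 2:
            continue  # a single access point with this name: nothing to compare
        secured = [n for n in nets if n["security"] != "OPEN"]
        unsecured = [n for n in nets if n["security"] == "OPEN"]
        if secured and unsecured:
            # Rule 1: pick the one that requires the venue's password.
            verdict, pick = "prefer-secured", secured[0]["bssid"]
        elif unsecured:
            # Rule 2: every copy is open, so do not connect to any of them.
            verdict, pick = "avoid", None
        else:
            # Assumption: same name, all secured, is usually one network with several APs.
            verdict, pick = "same-security", None
        report[ssid] = {"verdict": verdict, "recommended_bssid": pick, "access_points": len(nets)}
    return report


if __name__ == "__main__":
    for ssid, entry in review_duplicate_ssids(SCAN_RESULTS).items():
        print(f"{ssid}: {entry['verdict']} (APs: {entry['access_points']}, use: {entry['recommended_bssid']})")
```

On a real device the scan list would come from the operating system's Wi-Fi tooling; the decision logic stays the same.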
13. Website Spoofing
Attackers will create an entirely fake website in a website spoofing attempt to steal your personal information. A well-made fake website will contain the same elements as the original, including logos, text, colors, and functionality. Finance, healthcare, and social media websites are commonly spoofed because they often contain your most important information.
How to Identify Website Spoofing:
- URL misspellings - Attacks often take advantage of homograph attacks, which exploit the similarities between characters. For example, you might notice an "rn" in place of an "m" or "vv" (two v's) instead of a "w."
- Website errors - Very rarely are websites perfectly spoofed to match the original. Sometimes the site logos are slightly more pixelated, or you might notice the text is misaligned. If anything looks off, stop using the website immediately, especially if you had accessed it from a link sent to you through email or messaging. It always helps to keep the original website bookmarked so you can easily access it.
14. Email Spoofing
Email spoofing is when a scammer creates an entirely fake email domain to try to fool users into believing they are legitimate. To avoid detection, the attackers can edit the header of the email to include the name of a legitimate domain in the hope that the targeted user won't check the domain the email was actually sent from. Because the Simple Mail Transfer Protocol (SMTP) has no built-in verification of the sender's domain, attackers can spoof emails easily.
Phishers can also choose to hide the sender's address to display only the name. They may try to use a real name that the targeted user will recognize so that they'll open the email. When the attacker combines both a real name and the legitimate domain name in the header, it can easily trick unsuspecting users.
Domain spoofing is different from DNS spoofing because it creates an entirely new domain rather than hacking the DNS server.
How to Identify Domain Spoofing:
- Unsolicited emails - Any unexpected emails, particularly ones that make requests, should be the first red flag of a phishing attempt. Take a closer look at the messaging and use another communication channel to verify the email.
- Email address misspellings - Fake domains are supposed to look legitimate at first glance, but upon closer inspection, there could be homograph attacks involved. If you suspect the email might be from a fake domain, copy and paste the sender's address into a notepad or Microsoft Word document to identify any misspellings.
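The sender checks in this section (a display name hiding the real address, a domain that imitates a legitimate one) and the lookalike examples used earlier in the article (@upguardnow.com, @upgaurd.con, "rn" for "m" and "vv" for "w" under website spoofing) can be scored in one place. The Python below is an added example, not the article's or UpGuard's code: it splits a From header into display name and address, reports a display name that claims a trusted domain while the address lives elsewhere, compares the Reply-To domain with the From domain, and classifies the sender domain against a trusted list after folding common lookalike characters. The trusted-domain set, the lookalike table (the digit and Cyrillic entries go beyond the two homographs the article names) and the edit-distance threshold of 2 are assumptions.

```python
from email.utils import parseaddr

# Domains treated as legitimate; assumption for this example, taken from the article's own samples.
TRUSTED_DOMAINS = {"upguard.com"}

# "rn"->"m" and "vv"->"w" are the homographs the article names; the digit and Cyrillic
# entries are additional common confusables (assumption).
ASCII_LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
CYRILLIC_LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
MAX_EDITS = 2  # typosquat threshold; assumption


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance: edits plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition ("ua" vs "au")
    return d[len(a)][len(b)]


def fold_lookalikes(domain):
    """Replace lookalike characters so an imitation collapses onto the domain it imitates."""
    folded = domain.lower()
    for src, dst in {**CYRILLIC_LOOKALIKES, **ASCII_LOOKALIKES}.items():
        folded = folded.replace(src, dst)
    return folded


def classify_domain(domain):
    """None for trusted or unrelated domains, else 'homograph', 'typosquat' or 'brand-in-domain'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = fold_lookalikes(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:
            return "homograph"
        if osa_distance(folded, trusted) <= MAX_EDITS:
            return "typosquat"
        brand = trusted.split(".")[0]
        if any(brand in label for label in folded.split(".")):
            return "brand-in-domain"  # e.g. upguardnow.com or upguard.com.evil.test
    return None


def analyze_sender(from_header, reply_to=None):
    """Red flags for a From header (and optional Reply-To) as a list of strings."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain and not domain.isascii():
        findings.append("non-ASCII characters in sender domain")
    kind = classify_domain(domain) if domain else None
    if kind:
        findings.append(f"{kind}: {domain}")
    for trusted in TRUSTED_DOMAINS:
        # The article's "real name plus legitimate domain in the header" trick.
        if trusted.split(".")[0] in name.lower() and domain != trusted:
            findings.append(f"display name claims {trusted} but address is {addr}")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


if __name__ == "__main__":
    for header in ['"UpGuard Support" <billing@mail.example>', "alerts@upgaurd.con",
                   "it@upgu\u0430rd.com", "support@upguard.com"]:
        print(header, "->", analyze_sender(header))
```

The Damerau variant matters for the article's own example: "upgaurd.con" is one swapped pair plus one substitution away from "upguard.com", which plain Levenshtein would count as three edits and miss at a threshold of 2.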
15. DNS Spoofing
DNS spoofing attacks (also known as DNS server poisoning or pharming attacks) are a more technical process that requires cybercriminals to compromise a Domain Name System (DNS) server, which translates domain names into IP addresses. When a DNS server is compromised, it can automatically redirect a URL entry to a malicious website at a different IP address.
Once the user lands on the corrupted website, one of two things may happen: either malware is automatically downloaded onto the device, or a spoofed website appears, prompting the user to enter their login information or to confirm personal details or credit card numbers.
How to Identify Pharming Attacks:
- Unsecure website - Typically, unsecured websites are a sign of phishing attempts or are at risk of becoming infected by malware. In most cases, the site will begin with HTTP instead of HTTPS.
- Website errors - A fake website usually contains errors, including misspellings, buttons that don't work, low-quality images, misaligned text, or wrong colors.
16. Image-Based Phishing
Image-based phishing usually appears within the body of a phishing email. In addition to hyperlinks and malicious URLs, images can also carry links to infected websites. In some cases, the image is the only element in the email with a phishing intent, included precisely to fool users into thinking the email is safe.
How to Identify Image-Based Phishing:
- Embedded image link - Hover over the image to check if there’s a link to a non-official, third-party website. Does the link have spelling errors? Generally, it’s safe to open and read an email to investigate, as long as you don’t click on anything.
- Spam email - Any email that was sent straight to the spam folder could be a sign of a phishing attempt, even if it seems like an official email from the company or individual. There are many ways to make an email seem legitimate, but if it has been flagged as spam, there may be phishing elements detected by the email server.
- Large CTA buttons - A popular phishing tactic is to include an inviting and eye-catching call-to-action (CTA) button, similar to sales promotional emails. Individuals that act mindlessly may not think twice and click on the button just because it told them to. Make sure that you verify the sender, URLs, and email content before clicking on the CTA image.
17. Search Engine Phishing
In search engine phishing, scammers create legitimate pages based on high-value keywords and searches to get them ranked on popular search engines, such as Google or Bing. These pages often feature an eye-catching offer to lure unsuspecting users. Once the users land on these pages, they're asked to enter banking information or their SSN. These fake pages often include:
- Free products
- Free vacation
- Investment opportunities
- Discount codes
- Job offers
- Dating matches
- Infected by computer virus
How to Identify Search Engine Phishing:
- Once-in-a-lifetime offers - Nothing is truly free, and if it sounds too good to be true, it probably is. Criminals are looking to take advantage of people trying to make a quick buck or cut corners on spending. Do your due diligence and properly research a website or offer before you accept and start entering your personal information.
- Poorly made websites - Many of these websites are made extremely quickly because they tend to get shut down once they get reported. If it looks like a low-quality site with minimal functionality and excess links, avoid it at all costs.
18. Watering Hole Phishing
Watering hole phishing is a tactic that targets one particular company or group of people by infecting a third-party website they frequently visit. The attackers find and exploit a vulnerability on the website, infect the site with malware, and then bait users by sending emails directing them to the site.
Although this type of attack is less common than the others, once the hackers infect a single user, they can gain access to the entire network and system. Additional site visitors can also become victims, even if they have no relation to the main targeted group.
How to Identify Watering Hole Phishing:
- Security alerts - One of the first signs of a phishing attack is when your antivirus or anti-malware software detects an attack. That's why it's important to keep your security solutions updated so the software can detect phishing attempts automatically.
- Security testing - Because it's hard to control third-party risk, the best way to identify potential cyber threats is to continually test your security defenses and install security patches. If the third-party site is frequently visited, installing endpoint protection software can protect against watering hole phishing attacks.
19. Man-in-the-Middle (MITM) Phishing
A man-in-the-middle phishing attack is when an attacker intercepts and alters a communication chain, effectively becoming the "middleman." The attacker then controls the communication flow and is responsible for sending and receiving all messages. While the attacker is intercepting the data, they can manipulate it to gain personal information from both parties.
How to Identify MITM attacks:
Generally, MITM attacks are hard to detect, as URL errors are more likely the result of another phishing method. Network administrators must constantly monitor traffic to detect altered communication. Some signs that should raise red flags are:
- Unsecured websites - If you are web browsing, always give a quick look for the padlock next to the URL in the browser's address bar. Typically, a locked padlock shows that the website has a valid SSL certificate and uses HTTPS (instead of HTTP).
- URL misspellings - If the URL is misspelled or has random numbers inserted in between, double-check the website with a different device.
- Noticeably slower messaging - Instant messaging platforms typically have little to no delay when sending messages. However, platforms that don’t use end-to-end encryption can fall victim to a MITM attack. Messages that take noticeably longer to send could be a sign of an attack.