One of many different kinds of cyber attack, phishing involves a message—sent by email or otherwise—where a malicious actor purports to be reputable in some way to convince individuals to reveal personal information that the criminal can then exploit for gain.
What may sound simple isn’t, in fact—having evolved considerably, phishing has become incredibly complex since emerging as a cyber threat. Now, several different types of attack fall under the phishing umbrella, such as email phishing, spear phishing, whaling, SMS phishing, pharming, and many more.
Because all these threats exist and continue to grow more sophisticated all the time, we—as cybersecurity experts—want to help you understand this type of attack a bit better. In this article, we’ll discuss the origin of phishing, overviews of the most common phishing attacks, why you should be worried, and how you can best prevent falling victim.
The Origin of Phishing
“Phishing” may seem like a funny term, so let’s explain it first.
It originally became cyber terminology like this: Given the nature of the attack—scammers using emails to deceive individuals—an analogy was drawn. The fraudulent email was the “fishing hook” criminals used to “catch” important information from victims who chose to bite, and the “ph” wording was adopted from another, older technological concept—“phone phreaking.”
Again, the way all phishing works is by sending a message that looks like it’s from a reputable source—something like your chosen financial institution or a government agency. Because it looks legitimate and serious, potential victims are more inclined to react and respond to said message, which usually creates a sense of urgency through claims that “there’s an issue” or a request that you click a (likely malicious) link or attachment.
Whatever the correspondence says or asks, the next step usually requires you to enter personal information for verification—maybe your password, username, or more specific information like your bank details or social security number—all of which is then stolen and used to exploit you in some potentially devastating way.
5 Common Phishing Attacks
That being said, a phishing attack can take different forms:
|
Phishing Attack |
How It Works |
|---|---|
|
Email |
Arguably the most common phishing attack, it involves a malicious individual masking themselves as someone more trustworthy and sending a generic email, usually with suspicious attachments that they want a victim to click on, or other tricks/threats to entice individuals into giving up personal information—with general phishing attacks like this, quantity of potential victims is prioritized.
Example: Many individuals using the same credit card all receive an email telling them that their accounts have each been compromised and will be deactivated unless they confirm their credit card details. |
|
Spear |
If email phishing is like using a net, spear phishing is exactly what it sounds like—a more of a targeted form of phishing where the malicious individual will first research the specific person they want to target ahead of sending a message, as what they learn can help the attacker make more customized messages that make it more likely for the specific target to click them. Due to the quality of the attack and highly personalized message, spear phishing is often more successful than more general phishing. Example: An attacker impersonates someone you know, having gleaned that information from their research, and sends a request for you to wire them money. |
|
Whaling |
Even more targeted than spear phishing, this attack specifically targets more leading and prominent individuals of an organization like management and executives, using a particularly crafted and solid understanding of business language and tone to trick those people into handing over sensitive information like bank account numbers or personnel details of employees or customers, and they may even ask the victims to make wire transfers.
Example: An attacker sends an email pretending to set up a business meeting with a CEO using a phony Zoom link that, when clicked, instead installs malware on the company network, allowing the attacker to siphon information or divert bank company transfers. |
|
Smishing |
Though emails are the most common approach for criminals perpetrating phishing attacks, sometimes they do instead use smishing—or SMS text messages—to target individuals, albeit in a similar process to regular phishing. Example: You receive a text message from an unknown number telling you that you’ve been selected as a winner of a prize, but to claim it, you have to follow the link, which may contain malware or ask for your personal information\. |
|
Vishing |
Short for voice-phishing, these are phishing attacks made via phone calls in which the criminals often rely on social norms and expectations to convince you to follow their demands—that’s if they don’t outright threaten you with things like arrest or a lock on your bank account in exchange for your personal information. With deep fakes developing all the time now, vishing attacks are growing more sophisticated as well. Example: You receive a call from a number—perhaps even with a local area code—and someone claiming to be from your bank asks for your account data “in order to better protect it from hackers.” (They may even already have some of your personal information to make it seem more legitimate.) |
|
Pharming |
Considered a more sophisticated phishing attack, this involves malicious individuals (re)directing victims to a fake website and where they enter their personal information—this attack can be rigged through malware infections, DNS cache poisoning, and host file modifications among other ways, so that when users attempt to navigate to the legitimate website, they’re instead redirected to the fake one where their sensitive information can be collected by the criminals.
Example: Cybercriminals spoof a bank’s website, redirecting all traffic—from unsuspecting users just trying to check accounts and make transactions—to a replica site, where those users’ login credentials are captured (which leads to financial loss). |
The Threat of Phishing Attacks
No matter what type of phishing it is, this cyberattack is an incredibly serious problem—take it from the statistics:
- According to AAG, phishing is the most common form of cybercrime with an estimated 3.4 billion spam emails sent every day.
- Verizon’s 2022 Data Breach Report found that phishing scam accounts make up nearly 36% of all data breaches.
- A survey by Ironscales discovered that email phishing is a key concern for 90% of IT professionals.
When you or your organization fall victim to a phishing attack, the cost and damages can vary and compound, including:
- Loss of business funds and reputation
- Data or service loss
- Malware infection or elevation to ransomware
- Identity fraud
- Regulatory fines or other financial losses—according to IBM, a phishing attack can cost an average of $4.91 million for an organization
Basic Best Practices to Prevent a Phishing Attack
To avoid falling victim, the best prevention strategy against phishing is to stay vigilant—if you’re ever unsure if a link is a phishing scam, check by going to the legitimate site directly on your browser separately from the one you were sent to see if the sites appear the same, with the same address (down to the letter). Make it a habit to second guess messages with odd greetings, inconsistent links, that seem to be too amazing to be true, or that make you put in personal details.
Moreover, don’t get intimidated by any message’s suggestion that awful things will happen to you if you don’t do what they ask. These malicious individuals are hoping for immediate action, so it’s best to try and stay calm and double-check the information in the message, especially before sharing any sensitive data like social security numbers or passwords.
Finally, it’s important to continuously educate yourself on phishing attacks as they continue to evolve so that you stay abreast of what to look for, ensuring you’re better prepared to catch such an attack on time.
Next Steps for Enhanced Cybersecurity
Phishing can hit you through a variety of methods—malicious individuals will use email, telephone, text messages, and even their voices as they disguise themselves as a trusted source to try and get you to provide your confidential, financial, and personal information. Unlike other data breaches brought on by technical control failures, phishing is a social engineering attack that can affect anyone if they’re not careful.
Now that you know more about the different forms phishing can take, you may be interested in conducting an assessment of your organization’s potential response to these attacks, and in this, Schellman can help.
To learn more about what a social engineering attack from us could look like, you can complete our scoping questionnaire. Otherwise, make sure to check out our other content that can help you elevate your cybersecurity against escalating threats: