What is a phishing attack and what does it mean?
Phishing is a form of cyberattack that aims to trick users into giving away sensitive information such as credit card details, passwords, bank account details and any other personally identifiable information. It can also be used to deceive users into clicking a link that automatically downloads malicious files, installing malware, ransomware or viruses on their computer or phone.
Cybercriminals launch phishing attacks mainly by sending phishing emails, using a false sense of urgency or an alarming alert to entice users to open them and click. In fact, 96% of phishing attacks arrive by email, while social media, phone calls and every other form of communication the attackers can use make up the remaining 4%. Regardless of how a phishing attack is delivered, cybercriminals launch it to achieve one of these goals:
- Distribute malware and malicious programs to infect users’ devices.
- Steal private information for financial gains or identity theft.
- Gain control of your online accounts in order to launch further cyberattacks against your contacts.
- Persuade you to send money or valuable info to them.
Needless to say, individuals and businesses are equally at risk from phishing attacks, because the attacks are highly profitable for cybercriminals. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing was the most common form of security incident last year, with 36% of incidents involving phishing. The FBI also stated that in 2020 phishing was the top incident type of the year and that its frequency had doubled from 2019. These statistics show that we will all be exposed to phishing attacks eventually, so we should educate ourselves about the many types of phishing attacks out there and the ways to prevent them.
Understand the different types of phishing attacks
Before getting into the types of phishing attacks, it is important to understand that they can happen through any medium: emails, phone calls, SMS, social media, hijacked legitimate websites, impersonating websites that look almost identical to the originals, or even your Internet connection.
Hence there are many different types of phishing attacks, classified by how they are delivered. Technology is rapidly changing and improving, and phishing attacks change with it, which is why this list of phishing attack types will keep growing and changing as well. We list a number of common ones below:
Email phishing
As mentioned above, 96% of phishing attacks are delivered by email. Cybercriminals incite fear, greed and urgency with fake emails that ask users to click a link, reply with personal information, open an attachment, send a payment and so on.
A common variant impersonates the email address of a legitimate business or website. Cybercriminals replace certain characters in the genuine sender’s address with look-alike characters, so the result passes for the original unless it is inspected closely. For example, @microsoft.com is imitated with @micros0ft.com.
Voice phishing (vishing)
Vishing is a phishing attack in which scammers call you, impersonating a legitimate person or a representative of a company, government agency or charitable organisation. Their aim is to trick you into giving up your personal information or to steal money from you.
SMS phishing (smishing)
Smishing is a type of phishing attack delivered through SMS messages. The scammer imitates a legitimate organisation and sends short messages to trick you into clicking a link to a site. The site is malicious and usually hosts dangerous programs for the next stage of the attack.
Social media phishing
Scammers use social media posts or direct messages to persuade unsuspecting users to click a link. They usually rely on too-good-to-be-true offers or giveaways, dubious “official” business profiles, or pose as a friend asking for your help, to lure users into doing something. Some go as far as acting as your friend and building a relationship with you before going in for the final attack, a technique known as social engineering.
Spear phishing
This type of phishing attack is also known as a targeted phishing attack. It targets a specific individual or group of individuals: scammers research their interests and profile them based on their online activities, then craft messages and details specifically designed to appeal to the victims and trick them into handing over valuable information. For example, a mid-level executive might be targeted for information about higher executives, who have access to even more valuable information and become the target of the next phase of the attack.
Whaling
Whaling, also known as business email compromise (BEC), is a form of spear phishing that targets high-profile employees such as the CEO, CFO or other C-suite executives. Scammers impersonate these people to pressure others into making wire transfers or sharing credentials. It can also involve pretending to be a vendor and sending a fake invoice requesting payment.
In this type of attack, scammers duplicate a legitimate message that was previously sent and send it to users again, with the original links and attachments replaced by malicious ones. The copied messages may arrive by email, from fake social media accounts or by text message.
There are also cases where legitimate websites are hijacked or imitated to deliver phishing attacks. Here are a few examples:
Watering hole phishing
In this type of attack, cybercriminals target popular sites that many users visit. The aim is to exploit the sites’ security weaknesses to compromise those users, for example by delivering malware, redirecting visitors to malicious links or launching other cyberattacks from the trusted site.
Pharming
Pharming, also referred to as DNS cache poisoning, is an attack in which cybercriminals install malicious programs to redirect a website’s traffic to a fake phishing website. It is carried out by modifying the hosts file on a server or by exploiting a DNS server vulnerability.
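The paragraph above mentions hosts-file tampering as one way pharming is carried out. The following is an added example, not code from the original post: a small check that parses a hosts file and reports static entries that pin a well-known domain to a non-loopback address, which is something a normal end-user hosts file never needs. The watch list and the sample hosts file are constructed for illustration.

```python
"""Detect hosts-file overrides for well-known domains (a pharming indicator).

Added example, not from the original post. A hosts file on an end-user machine
normally maps only loopback names, so a static entry for a banking or e-mail
provider's domain deserves a look. The watch list and sample file are constructed.
"""
import ipaddress

# Constructed watch list: domains whose resolution should never be pinned locally.
WATCHED_DOMAINS = {"paypal.com", "microsoft.com", "mybank.example"}

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    intranet.corp.example
# Injected entry: steers PayPal traffic to a look-alike server (203.0.113.0/24 is a documentation range)
203.0.113.45    www.paypal.com paypal.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower().rstrip(".")


def matches_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return hosts entries that pin a watched domain to a non-loopback address.

    Loopback pins are tolerated because ad-blockers and developers legitimately use
    them; anything else routes a trusted name somewhere the OS resolver would not.
    """
    findings = []
    for address, name in parse_hosts(text):
        if not matches_watched(name, watched):
            continue
        try:
            if ipaddress.ip_address(address).is_loopback:
                continue
        except ValueError:
            pass  # malformed address: still worth reporting
        findings.append((address, name))
    return findings


if __name__ == "__main__":
    for address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {address}")
```

On a real machine the text would come from /etc/hosts or C:\Windows\System32\drivers\etc\hosts; the same check can be run across a fleet by an endpoint agent, with the watch list replaced by the organisation's own domains and those of the services its staff log in to.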
Typosquatting
Typosquatting, also called URL hijacking, targets people who mistype URLs. Cybercriminals register a website whose URL looks identical to a targeted legitimate website apart from a very small spelling variation. For example, google.com was targeted in 2006 with goggle.com, which sent users to a fake phishing website.
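Both the look-alike sender address described under email phishing (@micros0ft.com for @microsoft.com) and the typosquatted domain described here (goggle.com for google.com) can be caught by the same defensive check: compare the domain against a list of protected brand domains after collapsing look-alike characters, and flag anything within one edit of a protected name. The block below is an added example, not code from the original post; the protected-domain list and the homoglyph table are constructed assumptions, and a real deployment would load both from the organisation's own configuration.

```python
"""Flag sender or link domains that imitate a protected brand domain.

Added example, not from the original post. Two checks are combined: homoglyph
normalisation (catches micros0ft.com, paypa1.com, rnicrosoft.com) and edit
distance (catches goggle.com, a one-character typo of google.com).
"""
from __future__ import annotations

# Constructed list of domains to protect: the organisation's own domains plus
# the brands it does business with.
PROTECTED_DOMAINS = {"microsoft.com", "google.com", "paypal.com"}

# Characters attackers commonly swap in because they render alike (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def registrable_domain(host_or_address: str) -> str:
    """Return the lowercase domain part of an e-mail address or hostname.

    'Alice <alice@Micros0ft.com>' -> 'micros0ft.com'; a bare hostname passes through.
    """
    value = host_or_address.strip().lower().rstrip(">")
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    return value


def normalise(domain: str) -> str:
    """Collapse look-alike characters so 'micros0ft' compares equal to 'microsoft'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def lookalike_of(candidate: str, protected=PROTECTED_DOMAINS, max_distance: int = 1) -> str | None:
    """Return the protected domain that `candidate` imitates, or None if it is clean.

    A candidate is suspicious when it is not itself a protected domain but either
    becomes one after homoglyph normalisation, or lies within `max_distance` edits
    of one (a dropped, doubled or swapped letter). Legitimate neighbours at that
    distance will also be flagged, so an allow-list is needed in production.
    """
    domain = registrable_domain(candidate)
    if domain in protected:
        return None  # the genuine domain itself is fine
    normalised = normalise(domain)
    for real in protected:
        if normalised == real or levenshtein(domain, real) <= max_distance:
            return real
    return None


if __name__ == "__main__":
    for sample in ("alice@micros0ft.com", "goggle.com", "support@microsoft.com", "example.com"):
        print(f"{sample:28} -> imitates {lookalike_of(sample)}")
```

Run against the From: header and every link host in an inbound message, the function returns the brand being imitated, which is a useful enrichment for a mail filter or a SIEM rule; the genuine domains themselves return None.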
Clickjacking
In clickjacking attacks, cybercriminals use website vulnerabilities to attach hidden malicious links to the website’s UI elements, so that users click the malicious links without realising it. Clickjacking can also be done with dangerous pop-ups that induce greed, fear or urgency to entice users to click.
This type of phishing attack happens when a user has opened many tabs and left them inactive while multitasking. This gives cybercriminals an opportunity to reload those tabs with fraudulent websites; the user, believing the tabs are unchanged, hands over their credentials. This is possible when cybercriminals have compromised the network.
In the past, malicious websites usually did not have HTTPS, which made them easy to identify. Now any site can get HTTPS, and cybercriminals can set up an HTTPS website easily, giving the illusion of the classic “safe website with a padlock next to the URL”. In reality it is a malicious website, and any information submitted to it ends up in the hands of the cybercriminals.
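The hidden-link overlay described above only works when the victim's page can be loaded inside a frame that the attacker controls, so the standard server-side defence is to forbid framing, either with the Content-Security-Policy frame-ancestors directive or with the older X-Frame-Options header. The block below is an added example, not code from the original post: it classifies a set of response headers by the framing protection they provide, which is the check a site owner or scanner would run against their own pages. The sample header sets are constructed.

```python
"""Classify HTTP response headers by the anti-framing (clickjacking) protection they give.

Added example, not from the original post. Content-Security-Policy frame-ancestors
is the current mechanism; X-Frame-Options DENY/SAMEORIGIN is the legacy one.
"""


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict; returns the value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Return the lowercased source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Return 'csp', 'xfo' or 'none' for the given response headers.

    'csp'  - frame-ancestors is present and does not allow arbitrary origins
             ('none', 'self' or explicit hosts)
    'xfo'  - no usable frame-ancestors, but X-Frame-Options is DENY or SAMEORIGIN
    'none' - any origin may frame the page (including a wildcard frame-ancestors
             or the obsolete ALLOW-FROM form, which browsers ignore)
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        sources = frame_ancestors(csp)
        # Scheme-only sources such as https: allow every host on that scheme.
        if sources is not None and not {"*", "http:", "https:"} & set(sources):
            return "csp"
    xfo = _header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed samples of what a login page might send back.
SAMPLE_RESPONSES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy":   {"X-Frame-Options": "SAMEORIGIN"},
    "open":     {"Content-Type": "text/html"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:9} -> {framing_protection(headers)}")
```

A result of 'none' on any page that carries a login form or an authorised action button is what a security review should treat as a finding; 'xfo' is acceptable but worth upgrading to a frame-ancestors directive, since CSP is what current browsers evaluate first.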
Some other phishing attacks worth mentioning that we should be aware of include:
- Evil twin – mimicking a public Wi-Fi Internet connection
- Search engine results phishing – fraudulent websites ranked in search results above the legitimate one
- Angler phishing – impersonating a company’s official customer representative to trick users into giving up details
- Cryptocurrency phishing – phishing attacks that target cryptocurrency wallets
The Internet landscape is constantly evolving, and so are phishing techniques. This list of phishing attack types is not exhaustive and will always be changing. The ultimate objective is the same: trick users into clicking a link and giving up their credentials. Fortunately, because of this common pattern, it is possible to correctly identify phishing scams and prevent them. Stay tuned for the next blog on how to identify, avoid and prevent them.
WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partners’ growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].