
Types of Phishing Attacks: Detection and Prevention

Cyberattack
Howard Poston
Nov 08, 2023

A joint law enforcement sting coordinated by Interpol brought down the notorious phishing-as-a-service platform ‘16shop’ in August 2023. Exemplifying the extent of the threat posed by phishing attacks, Interpol reported that 16shop alone was responsible for compromising 70,000 users in 43 countries. Phishing is big business, with estimates showing that it causes worldwide losses of $17,700 per minute. 


Phishing attacks involve threat actors masquerading as trustworthy entities to deceive individuals into revealing sensitive information. These attacks use email, instant messaging, social media, or other communication platforms to deliver deceptive messages containing malicious links, attachments, or fraudulent requests. The primary objective of a phishing attack is to trick the recipient into taking a specific action—like clicking on a link or opening an attachment—using psychological manipulation. 


While often understood in the context of email-based attacks, there are, in fact, several different types of phishing attacks. Hackers constantly evolve their tactics and techniques, exploiting human psychology and behavior in different ways. 


A robust cybersecurity strategy requires an in-depth understanding and awareness of all threats, including the different types of phishing. This article takes a deep dive into the main types of phishing attacks, some high-profile recent examples and statistics highlighting the threat, and some prevention strategies to mitigate phishing attacks for your organization. 

Types of Phishing Attacks

Phishing attacks exploit a diverse range of tactics, each tailored to exploit distinct vulnerabilities in human psychology or behavior patterns. Threat actors meticulously craft deceptive messages that prey on emotions, trust, or habits and manipulate your employees into divulging sensitive information. Let’s unpack the different types of phishing attacks to truly understand this prevalent cyber threat. 

1. Smishing: SMS Phishing Attacks

Smishing is a type of phishing attack that uses fraudulent SMS messages to deceive recipients. One recent threat report found that 76 percent of organizations experienced smishing attacks during 2022. One plausible reason for the success and ubiquity of smishing is that awareness about this type of phishing attack remains low. 

Here are some of the tactics hackers employ in smishing campaigns:

  • Spoofed phone numbers: Cybercriminals manipulate caller ID systems to make it appear as though a text message comes from a different, often trusted, number. One technique exploits the fact that VoIP services allow users to set their own caller ID information. Spoofed phone numbers are particularly deceptive because recipients see a text from what appears to be their bank or boss, for instance, and believe it without question.
  • Sense of urgency: Many smishing messages prey on urgency. The wording of these texts encourages users to take immediate actions, such as warnings about their account being compromised.
  • Links that look legitimate: Smishing messages often include URLs that lead to counterfeit sites designed to look like genuine company websites. Once on these sites, your users might be prompted to enter login details, personal information, or even financial data, which then falls into the hands of the attacker.

In terms of noticing the signs of smishing, encourage employees to scrupulously examine URLs. There is often a giveaway that reveals itself on closer examination: slight misspellings of, or extra characters added to, the legitimate domain name; the real brand name appearing only as a subdomain of some other domain; unfamiliar top-level domains like .me or .club; or the use of URL shorteners, which hide the real destination entirely.  

Also, encourage people to consider the broader context of the texts they receive. Unsolicited texts that demand urgent action are likely to be suspicious. If in doubt, tell employees to contact the company or person directly using contact details sourced from their official website or contact records. 
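The URL checks just described, as an added example in Python (this is not code from the article or from Kelvin Zero): it parses a URL, flags shorteners, unusual TLDs, raw IP hosts and a trusted brand name used as a mere subdomain, and it catches near-miss spellings of a trusted domain after folding common digit-for-letter substitutions. The trusted-domain, shortener and TLD lists are assumed placeholders to be tuned per organization.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed placeholders: the domains your organization legitimately uses,
# commonly abused shorteners, and TLDs that rarely appear in legitimate mail.
TRUSTED_DOMAINS = {"example-bank.com", "examplecorp.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
SUSPICIOUS_TLDS = {"me", "club", "top", "xyz", "icu", "buzz"}

# Digits commonly swapped in for letters in lookalike names (examp1e, g00gle).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Naive eTLD+1 (the last two labels). Fine for .com-style hosts; a
    production tool would consult the Public Suffix List for co.uk and friends."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(name, brand, threshold=0.85):
    """True when `name` is a near-miss of `brand` after homoglyph folding."""
    folded = name.translate(_HOMOGLYPHS)
    return SequenceMatcher(None, folded, brand).ratio() >= threshold


def analyze_url(url):
    """Return the red flags found in one URL; an empty list means none found."""
    explicit_scheme = "://" in url
    if not explicit_scheme:
        url = "http://" + url  # urlparse needs a scheme to locate the host
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    flags = []
    if domain in SHORTENERS:
        flags.append("URL shortener hides the real destination")
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"unusual top-level domain .{tld}")
    if explicit_scheme and parsed.scheme == "http":
        flags.append("plain http, no TLS")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address instead of a hostname")
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            # example-bank.secure-login.me: the brand is only a subdomain label
            if brand in host.split(".")[:-2]:
                flags.append(f"'{brand}' used as a subdomain of {domain}")
            # examp1e-bank.com, examplebank.com: near-miss of the real domain
            if looks_like(domain.split(".")[0], brand):
                flags.append(f"'{domain}' looks like '{trusted}' (typosquat)")
    return flags
```

Run analyze_url on every link extracted from a text or email. An empty list is not a clean bill of health, only the absence of these particular tells; a shortened link still has to be expanded before it can be judged, and registrable_domain needs the Public Suffix List before it will handle co.uk-style suffixes correctly.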

Security company Permiso uncovered a spate of smishing attacks that led to hackers accessing AWS infrastructure in April 2023. The attacks focused on compromising accounts belonging to AWS admins, which could’ve led to sensitive data access. 

2. Spear Phishing: Targeted Attacks

Spear phishing is a targeted form of phishing attack where cybercriminals customize their deceptive messages to a specific individual or organization. Unlike broad phishing campaigns that send the same message en masse and cast a wide net, spear phishing uses detailed information about the target to make the attack more convincing.

The following tactics help threat actors craft more convincing messages tailored to specific people:

  • Social media research: Hackers scour platforms like LinkedIn, Facebook, and Twitter to gather detailed information about an individual’s work role, colleagues, recent activities, and more. People often leave their profiles visible to the public on these platforms, which provides an easy method of gathering personalized information. 
  • Analyzing company websites and publications: Beyond social media, analyzing your company’s public documents, press releases, and other publications can provide attackers with insights into company operations, ongoing projects, and internal hierarchies.
  • Email harvesting: Various tools help cybercriminals gather lists of internal email addresses used by your employees. Not only does finding these email addresses help hone targets to focus on, but the harvested list offers up the chance to spoof emails belonging to other employees and increases the success of duping the recipient. 
  • Storytelling: Weaving a convincing narrative into spear phishing messages via intricate storytelling is a key tactic for this type of phishing attack. Messages might reference recent company events or events that happened in the lives of a mutual colleague and were posted online (e.g. becoming a parent). 
  • Believable attachments: Spear phishing messages are more successful when the attachment is customized to the target. Instead of randomly sending a PDF, more believable attachments will reflect the person’s job role to increase the chances of the target opening them. 

To mitigate spear phishing, it’s essential for users to develop a habit of verifying sender identities and promptly reporting suspicious emails. Encourage people to always check the email address, not just the display name. Tell employees to double-check urgent or suspicious email requests with the apparent sender by using a separate communication channel (like a phone call) to confirm the email’s legitimacy. Lastly, create a security culture that encourages people to report suspicious emails to your IT department or security team.

3. Vishing: Voice-Based Phishing

Among the different types of phishing, vishing is one that uses phone calls or voice messages to trick victims into revealing sensitive information or performing certain actions that may compromise their security. Some common scenarios for this type of phishing attack include:

  • Fake tech support calls: In a business context, the fake tech support call is the most common vishing scam targeting employees. This takes the form of an attacker posing as a representative from a tech company, like Microsoft or Apple. The caller warns the victim that their computer has a virus or is at risk and offers to assist in “resolving” the issue. Victims may be guided to download malicious software or grant remote access to their computers. 
  • Service provider scams: Some attackers pretend to be from utility companies, ISPs, or other service providers. The caller asserts that a company bill is overdue and uses fear or urgency to encourage immediate payment from company accounts. These scams work best against employees in accounting or finance teams who are actually able to authorize payments. 
  • Deep fake call scams: Advancements in deep fake technology make it easier than ever for threat actors to impersonate high-profile individuals at businesses. CEOs or departmental managers might have a lot of public-facing content featuring their voices. Hackers can feed these recordings into deep fake voice generators and use the output to make convincing calls to individuals at your company. 

To guard against vishing, encourage skepticism among employees about unsolicited phone calls, especially if the caller presses for immediate action or payment. People shouldn’t trust the caller’s ID blindly because scammers can spoof official numbers to appear legitimate. Hanging up and verifying the authenticity of the call by dialing the official number might take more time, but it could save your company from being hacked. 

4. Whaling Phishing: Targeting High-Profile Individuals

Whaling phishing, or just “whaling,” is a type of phishing attack aimed at high-ranking executives, managers, CEOs, or other prominent figures within an organization. These prominent figures (whales) represent lucrative targets due to their potential access to highly sensitive information or financial resources. And due to their busy schedules, they might be less scrupulous in examining emails. 

Aside from the broad access to sensitive data and the ability to authorize financial transactions that high-profile individuals have, attackers can take over their accounts and send phishing emails to subordinates who might not question an instruction from their superiors. This type of scam relies on psychological manipulation through authority. 

Whaling attack mitigation should involve the following components: 

  • Education and awareness: Executives, like all staff, should undergo regular cybersecurity training to recognize and respond to phishing attempts.
  • Multi-factor authentication (MFA): MFA requires more than one category of verification to access accounts, which adds an extra layer of security even if hackers compromise an executive’s login details. 
  • Least privilege access: High-profile individuals should still only get access to the data and resources needed to perform their daily work. 
  • Out-of-band verification: Any payment, payroll, or banking-detail change requested by email, even from the CEO, should be confirmed through a second channel before it is acted on, so a compromised executive mailbox alone cannot move money. 

5. Business Email Compromise (BEC)

Business Email Compromise (BEC) is a sophisticated type of cyber attack where cybercriminals impersonate or compromise legitimate business email accounts. The goal is usually to defraud your company or its employees, partners, or customers out of money or sensitive information. 

BEC is one of the fastest-growing and most damaging online attacks. An FBI report highlighted losses to companies and individuals exceeding $2.4 billion in 2021 alone from BEC attacks. BEC tactics mirror those used in other types of phishing attacks, including spoofed email addresses or lookalike domains. Unlike most phishing, though, a BEC message often carries no link or attachment at all, just a plausible request to pay an invoice or update bank details, which is why link and attachment filters alone miss it.  

To recognize BEC attempts, encourage users to:

  • Be suspicious of unexpected requests for fund transfers, changes to payment details, or sensitive information.
  • Always check the sender’s email address closely, especially if the display name is familiar but the actual email address seems odd.
  • Check email content for generic greetings, spelling mistakes, or unusual language that the apparent sender wouldn’t typically use.
  • Examine emails for inconsistent or missing email signatures.
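The sender checks recommended for both spear phishing and BEC, as an added Python example (not code from the article or from Kelvin Zero): it parses a raw message and flags a known executive's display name paired with the wrong address, a sender domain that is a near-miss of your own, a Reply-To that diverts replies elsewhere, and an envelope sender (Return-Path) from a different domain than the header From. The internal domain, the executive directory and both sample messages are constructed placeholders.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "examplecorp.com"                     # assumed
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}   # assumed directory


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def check_sender(raw_message):
    """Return the red flags found in the From / Reply-To / Return-Path headers."""
    msg = message_from_string(raw_message)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Familiar display name, unfamiliar address: the classic BEC tell.
    known = EXECUTIVES.get(display.strip().lower())
    if known and from_addr.lower() != known:
        flags.append(f"display name '{display}' but address is {from_addr}")

    # 2. Sender domain is a near-miss of our own (examp1ecorp.com, examplecorp.co).
    if (from_dom != INTERNAL_DOMAIN
            and SequenceMatcher(None, from_dom, INTERNAL_DOMAIN).ratio() >= 0.85):
        flags.append(f"sender domain {from_dom} resembles {INTERNAL_DOMAIN}")

    # 3. Replies silently diverted to a domain the apparent sender does not use.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and _domain(reply_addr) != from_dom:
            flags.append(f"Reply-To {reply_addr} differs from From domain")

    # 4. Envelope sender (Return-Path) from a different domain than the header From.
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if bounce and _domain(bounce) != from_dom:
        flags.append(f"Return-Path {bounce} differs from From domain")
    return flags


# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1ecorp.com>
Reply-To: jane.doe.ceo@webmail.example
Return-Path: <bounce@mailer.example>
To: bob@examplecorp.com
Subject: Urgent wire before 5pm

Bob, I'm in a meeting. Please pay the attached invoice today. Jane
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@examplecorp.com>
To: bob@examplecorp.com
Subject: Lunch on Thursday?

Any preference? Jane
"""
```

Check 1 is the one that matters most for BEC, because the attacker needs no lookalike domain at all: a free webmail account with the executive's name as the display name is enough on a phone mail client that shows only the name. Checks 2 to 4 are the kind of thing your mail gateway should already be doing; running them yourself on reported messages is a quick way to triage.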

6. Watering Hole Attacks

A watering hole attack is a different flavor of phishing: instead of sending a lure, hackers compromise a trusted website or online resource that the intended victims already visit and use it to get them to download malicious software. The initial compromise of the trusted site can stem from vulnerabilities in the website’s code or infrastructure. 

After taking over the trusted resource, hackers insert malicious scripts or payloads that either execute automatically on the visitor’s machine or come disguised as legitimate updates or software. 

Staying safe against watering hole attacks requires using ad blockers to prevent malicious ads from loading, keeping browsers up to date, using reputable antivirus and antimalware software on user endpoints, and running browsers in isolated environments (sandboxes) so that any malware can’t spread to the rest of your network. 

7. Clone Phishing

Clone phishing is a type of phishing attack in which threat actors replicate a legitimate and previously delivered email but replace its content or attachments with malicious versions. The cloned email looks like it comes from the original sender, which makes it hard for recipients to distinguish it from the genuine email.

This phishing attack can take the form of cloning previous email replies or cloning messages your company commonly sends, such as a business newsletter, and replacing any genuine attachments with malicious ones. 

Red flags to remain vigilant about include misspellings or unusual phrases in emails, unsolicited attachments or links, an email you have already received arriving a second time with “updated” attachments, and odd URLs that aren’t consistent with the purported legitimate site. For prevention, directly verify an email’s legitimacy where any doubt exists.

8. Social Media Phishing

Social media phishing attacks involve cybercriminals using social platforms to trick individuals into divulging personal information, credentials, or other sensitive data. Unlike email-based phishing attacks, this method leverages the inherent trust and familiarity associated with popular social networks. 

A popular technique in social media phishing is where threat actors create accounts pretending to be customer service representatives from reputable companies. Another avenue is to use irresistible offers, contests, or giveaways to lure victims into clicking links or revealing personal info.

Mitigating this type of phishing calls for never sharing personal details, login credentials, or financial information through social media DMs, especially in response to unsolicited requests. Several social platforms also have verification badges to confirm the authenticity of the companies or people a profile represents; always check for these indicators, but treat them as one signal among several rather than proof, since badge schemes differ by platform. 

Recent Examples and Statistics

Armed now with a thorough understanding of the different types of phishing attacks, here are some recent high-profile examples that illustrate the ongoing threat:

  • Russian threat actors masqueraded as tech support on Microsoft Teams to steal employee credentials at around 40 organizations in August 2023.  
  • A large-scale phishing campaign between March and June 2023 featured an extensive whaling component that saw 39% of compromised users being C-level executives.

To further highlight the problem, some notable stats about phishing include:

  • Phishing is the most common type of cybercrime, with over 3.4 billion malicious emails sent every day. 
  • Financial institutions were the most targeted industry, representing 27.7 percent of all phishing attacks in 2022. 

Phishing also takes different shapes in different sectors. Here are four use cases spread across four industries:

  1. E-commerce: During peak sales seasons like Black Friday or Cyber Monday, scammers capitalize on the increased online shopping activity. They may send fake promotional emails that impersonate popular brands. Customers get scammed or suffer identity theft, while e-commerce businesses face reputational damage and loss of customer trust. 
  2. Financial Services: Phishing in financial services often focuses on stealing banking login credentials, credit card numbers, or other sensitive financial details. Fake bank emails might alert users to a “security breach” that prompts them to click a link and enter their login details on a fraudulent site. Affected customers may blame the financial institution rather than the threat actors and lose confidence in digital financial services. 
  3. Healthcare: This sector is a prime target due to the sensitivity of patient healthcare data. Attackers might send emails posing as insurance companies, medical billing services, or third-party contractors to gain access to healthcare systems and data. Healthcare providers may suffer costly compliance penalties due to breaches of patient healthcare data. 
  4. Education: Educational institutions are targets because of their diverse user base of faculty, staff, and students, who may not always be aware of phishing threats. Attackers might send emails about tuition fee adjustments, library fines, or course registrations to lure victims into sharing personal details or login credentials.

Phishing Case Studies

Now that the threat has been contextualized by diving into the different types of phishing attacks and highlighting recent trends, prevention is the challenge to solve. Real-life case studies in which organizations successfully mitigated phishing threats can provide both inspiration and a useful guideline for dealing with the threat. 

Case study 1: An educational organization in the UK successfully prevented phishing-related breaches by developing a dedicated incident response plan and reporting process for dealing with phishing emails. Central to mitigation was encouraging communication between different departments. Other controls included email security filtering solutions and security awareness training. 

Case study 2: A UK financial sector company with over 4,000 employees avoided falling victim to a mass phishing attack by layering its cybersecurity defenses. An email filter blocked 1,750 out of 1,800 emails. Of the 50 emails that reached user inboxes, 36 were ignored and 14 were clicked on by users, unintentionally launching malware. Of the 14 malware installations, 13 were blocked by up-to-date endpoint anti-virus software. A more advanced endpoint detection and response tool identified and quarantined the one malware installation that slipped past anti-virus scanning. The lesson is that each layer was imperfect on its own (the filter let 50 through, users clicked 14, anti-virus missed one) and only the combination held.   

Phishing Prevention Strategies

Going beyond case studies, it’s time for actionable prevention strategies. While the analysis of the different types of phishing attacks included some mitigation and defense tips for various attacks, here are some common practices that can increase the robustness of your company’s ability to prevent phishing, whatever form it takes.

  • User Education and Awareness

Relying solely on technological defenses is insufficient for phishing prevention. These attacks, after all, exploit the human element in cybersecurity. Equip your users with more awareness by ensuring that training materials delve into the different types of phishing. 

Training sessions should teach users about common signs of phishing emails. This includes scrutinizing sender addresses, noticing spelling and grammar mistakes, and being wary of unsolicited requests for sensitive information.

Educate users about the dangers of unexpected attachments or links, even if they appear to come from known contacts. Checking the URL by hovering over it without clicking often reveals malicious destinations that warrant red flags or reporting.

  • Multi-Factor Authentication (MFA)

Even if a threat actor captures a user’s password in a phishing attack, MFA requires an additional category of evidence for authentication, so the password alone does not get the attacker in. The caveat is that not every MFA method resists phishing: one-time codes and push approvals can be relayed in real time by an adversary-in-the-middle phishing page, and attackers have bombarded users with push prompts until one is accepted. MFA of any kind still removes the low-effort attacks, but for high-value accounts prefer the phishing-resistant methods discussed below and train users to report unexpected prompts rather than approve them. 

  • Email Filtering and Security Solutions

Advanced email filtering and security solutions can arm you with the tools to fend off today’s advanced forms of phishing attacks. For example, advanced filters employ heuristic methods to examine the characteristics of an email. This might involve looking at the email’s structure, the language used, or the presence of certain red flags like embedded links whose visible text does not match the URL they actually point to.
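One such heuristic, the mismatched link, as an added Python example (not code from the article or from any vendor's filter): it extracts every anchor from an HTML body and, where the visible link text itself looks like a hostname or URL, compares that host with the host the href really resolves to. Parsing the href with urlparse also exposes the user@host trick, where everything before the @ is userinfo and the real host follows it. The sample body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a hostname (optionally with scheme) appearing in visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _real_host(href):
    """Host the browser would actually connect to. urlparse treats everything
    before '@' in the netloc as userinfo, so the user@host trick is unmasked."""
    if "://" not in href:
        href = "http://" + href
    return (urlparse(href).hostname or "").lower()


def find_mismatched_links(html_body):
    """Return (visible_text, real_host) for anchors whose text displays a
    hostname different from the one the href really points to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for href, text in collector.links:
        shown = _HOSTLIKE.search(text)
        if not shown:
            continue  # plain text like "click here": nothing to compare against
        real = _real_host(href)
        if shown.group(1).lower() != real:
            mismatches.append((text, real))
    return mismatches


# Constructed sample body (not a real message). Link 1 is honest, link 2 shows
# the bank's URL but points at a lookalike domain, link 3 hides the real host
# behind userinfo.
SAMPLE_BODY = """
<p>Dear customer, please <a href="https://www.example-bank.com/help">visit our help centre</a>.</p>
<p>Confirm now: <a href="http://www.example-bank.com.verify-account.example/login">https://www.example-bank.com/secure</a></p>
<p>Or use <a href="https://www.example-bank.com@evil.example/">www.example-bank.com</a></p>
"""
```

A link whose text is "click here" yields nothing here, which is the right behaviour for this particular heuristic; that case is where the hover-and-inspect habit from the training section earns its keep, and where the URL analysis shown under smishing applies to the href itself.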

Some solutions use sandboxing to test suspicious emails in a controlled environment. By “detonating” suspicious links or attachments in a safe space, the tool can determine if they’re malicious without risking the recipient’s endpoint system or your wider network environment. 

Advancements in AI also carry the potential to benefit phishing detection. Deep learning tools trained on millions of legitimate and phishing emails can achieve high accuracy rates in real-time detection. AI systems equipped with natural language processing (NLP) can scrutinize the content of emails more effectively to identify manipulative language or subtle cues that might indicate a phishing attempt against your employees.

  • Regular Software Updates

Hackers exploit vulnerabilities in email software or web browsers for some phishing attacks (recall the section on watering hole attacks). Furthermore, if vulnerabilities exist in web applications, especially those used for login or user authentication, attackers can craft phishing websites that not only harvest credentials but exploit these vulnerabilities to gain unauthorized access or retrieve user data. 

All of this is to say that staying on top of security patches with regular software updates is a vital prevention strategy for some types of phishing attacks. Use patch management solutions that take an accurate inventory of software, operating systems, and endpoint devices in your environment. 

  • Phishing-Resistant Authentication

With several advanced threat groups bypassing some types of MFA implementations, the US Cybersecurity and Infrastructure Security Agency (CISA) now points companies toward adopting phishing-resistant authentication. This government body regularly advises federal government departments and US companies on cybersecurity best practices. The phishing-resistant methods CISA names are FIDO2/WebAuthn authenticators (security keys and passkeys) and PKI-based smart cards such as PIV. What makes them resistant is origin binding: the browser includes the site’s origin in the data the authenticator signs, so a response obtained on a lookalike domain is useless on the real one. Passwords and one-time codes carry no such binding and can simply be relayed. A biometric can unlock such a credential, but it is the origin-bound signature, not the fingerprint or face scan itself, that defeats phishing. 
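To make origin binding concrete, here is an added Python illustration (not code from the article, from Kelvin Zero, or from any WebAuthn library) that also serves the MFA caveat above. It models the browser building clientDataJSON with the page's origin, the authenticator signing authenticatorData plus the hash of that JSON, and the relying party's checks, then runs the same adversary-in-the-middle relay against an OTP and against the assertion. The signature is simplified to HMAC with a shared key in place of the real public-key scheme, the CBOR structures are omitted, and the origins and RP ID are assumed.

```python
import hashlib
import hmac
import json
import os

RP_ID = "examplecorp.com"                       # assumed relying-party id
LEGIT_ORIGIN = "https://login.examplecorp.com"  # assumed real site
PHISH_ORIGIN = "https://login.examp1ecorp.com"  # assumed lookalike site

# Simplification: a symmetric key shared by authenticator and relying party
# stands in for the credential's private/public key pair.
CREDENTIAL_KEY = b"\x01" * 32


def browser_assertion(origin, challenge):
    """What the browser plus authenticator produce for a page at `origin`.
    The browser, not the page's JavaScript, fills in the origin field, so a
    phishing page cannot claim to be the real site."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash | flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(challenge, client_data, auth_data, sig):
    """Relying-party checks from the WebAuthn spec, in simplified form."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:            # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def otp_login_via_phishing_proxy(user_otp, rp_expected_otp):
    """An adversary-in-the-middle page simply forwards the six-digit code."""
    return user_otp == rp_expected_otp


def webauthn_login_direct():
    """Normal login on the genuine origin."""
    challenge = os.urandom(16).hex()
    cd, ad, sig = browser_assertion(LEGIT_ORIGIN, challenge)
    return rp_verify(challenge, cd, ad, sig)        # True


def webauthn_login_via_phishing_proxy():
    """The proxy forwards the real RP's challenge to the victim, who is on the
    lookalike origin; the assertion comes back bound to that origin."""
    challenge = os.urandom(16).hex()
    cd, ad, sig = browser_assertion(PHISH_ORIGIN, challenge)
    return rp_verify(challenge, cd, ad, sig)        # False: wrong origin


def webauthn_proxy_rewrites_origin():
    """Even if the proxy edits the origin field before forwarding, the
    signature covers sha256(clientDataJSON), so verification still fails."""
    challenge = os.urandom(16).hex()
    cd, ad, sig = browser_assertion(PHISH_ORIGIN, challenge)
    forged = cd.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    return rp_verify(challenge, forged, ad, sig)    # False: signature mismatch
```

In a real browser the proxy fares even worse than modelled here: the browser will not offer a credential registered for examplecorp.com to a page on examp1ecorp.com at all, because the RP ID must be a registrable suffix of the page's origin. The OTP function is the whole point of the comparison: nothing in a six-digit code says where it was typed, so relaying it is trivial.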

Conclusion

From broad-reaching deceptive emails to highly targeted spear-phishing campaigns aimed at specific individuals, understanding the diverse landscape of phishing is important. Recognizing the hallmarks of different types of phishing attacks equips individuals and your business with the knowledge to spot and thwart these attacks before they can cause harm.

Proactive defenses are the cornerstone of effective cybersecurity. Implementing technologies and strategies like advanced email filters, multi-factor authentication, and patch management solutions is vital. But equally crucial is cultivating a culture of cybersecurity awareness.

At Kelvin Zero, we are going a step beyond by building next-gen authentication and trust solutions to help secure organizations in today’s digital world. With Multi-Pass, we are replacing passwords with enterprise-grade, phishing-resistant passwordless authentication so you can stay one step ahead. 

Book a demo today to learn more about Multi-Pass and how Kelvin Zero can help your organization integrate trust throughout all of its operations.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.