Phishing has been a popular tactic for hackers and cybercriminals since the 90s and has only become more advanced over the years. When people think of phishing, they usually think of email scams, but most aren’t aware that there are various types of phishing today, not just email. It is important to understand the many kinds of phishing attacks and how to recognize them, for the safety of your own information and your business’s.
What is Phishing?
Phishing is a type of cybercrime in which a target is contacted through some form of communication (email, phone, text message, etc.) by an attacker posing as a legitimate organization or company, to lure the target into providing sensitive data (personal information, bank/card details, account credentials, etc.).
Categories of Phishing
1. Vishing
This kind of phishing is done over phone calls: voice phishing, hence “vishing.” Vishing relies on social engineering to trick you into providing sensitive information that can be used to access your important accounts. These attackers pretend to be from a trustworthy business.
Scenario: A voice message disguised as communication from a financial institution asks the target to call a number and validate their account information for security or official purposes.
2. Smishing
This kind of phishing is done over text or SMS alerts, hence “SMiShing.” Since so many people rely on texting nowadays, this kind of phishing attack is a growing threat. Most people are aware of the risk of clicking a link in an email, but this is less true when it comes to text messages.
Scenario: A recipient receives a fake message or order confirmation with a cancellation link that actually leads to a fake page designed to harvest their personal details.
3. Search Engine Phishing
This is a relatively new kind of phishing and refers to the creation of fake web pages that target specific search keywords and wait for an unfortunate user to click on the site link in the search results.
Scenario: A too-good-to-be-true discount or giveaway from a site shows up when searching for shoes on Google. The site appears to be a typical online retailer, but the products are fake and you will never receive your item. These scammers will take your money and likely the information you’ve provided as well.
4. Spear Phishing
This is a targeted take on email phishing. Spear phishing is usually extremely successful because scammers spend a lot of time researching their target (on social media and company websites) and carefully crafting the message they send, making it more believable. This is the most commonly used type of phishing.
Scenario: The attacker poses as a business you trust, like your bank. They send an email about a great deal, claim you are owed money, warn that an account is about to be frozen, etc., and get you to enter your personal information.
5. Whaling
Whaling isn’t far off from spear phishing. The difference is that the targeted group becomes even more specific and the message even more personalized, making it almost impossible to detect. These attacks target enterprises’ top executives (CFO, CEO, COO), or “whales” in phishing terms. Technology, banking, and healthcare organizations are the most targeted sectors here because of their large number of users and high dependency on data. The idea is that information or credentials from one of these high-value executives will open more doors than those of an entry-level employee. The goal is to steal employee information, sensitive data, and cash.
Scenario: An executive gets an email from what looks like a “trusted” source asking for their current and former employees’ W-2 forms. The executive sends the information, leading to a breach of income tax data for all current and former employees. Employees are now susceptible to income tax refund fraud and other identity theft schemes. This actually happened to Seagate.
Always remember: if it looks fishy, it probably is. It’s unfortunate that we have to live in a society where we must be extremely conscious about what we click on and who we send our information to, but that’s the world we live in. Next time you open an email or text, answer a phone call, or even shop online, BE WARY.
Stay tuned for the second part of this article, which will go over the types of phishing! Here is more about recognizing and understanding the threat of phishing.