Once upon a time, cyber attacks were generally carried out by hackers who identified and exploited weaknesses in corporate networks. These days, though, it’s just as likely to be human weakness that is the target of choice.
The majority of cyber attacks now begin with phishing — as many as two thirds, according to an analysis by Comcast Business. And it’s a rapidly increasing problem, with a recent report from security firm Vade finding that the number of phishing attacks rocketed by 173% during the third quarter of 2023.
Let’s take a look at the different phishing techniques, and how organizations and individuals can avoid falling for them.
What Is Phishing?
Put simply, phishing is the practice of tricking victims into revealing confidential data through scam emails, texts or phone calls — and it’s one of the biggest headaches for cybersecurity professionals.
In general terms, phishing is usually carried out by criminals masquerading as a trusted business contact or other legitimate institution. Once attackers have gained trust, they’ll usually ask for “confirmation” of personal data, or persuade their victim to click on a fraudulent link that leads to a website that may download a virus or steal bank details or other personal information. Usually, the attackers are simply after money, but many attacks are aimed at stealing secrets, often at the behest of a nation state. Thus, the victims can be anyone from private individuals to corporate executives or political figures.
Types Of Phishing Scams
Given that phishing involves psychological trickery, there are potentially unlimited methods. Email remains the most popular tactic, as well as the oldest. However, with every new form of communication, a new attack vector appears.
Phishing scams involving voice calls — so-called vishing — are common, and when SMS was introduced, cyber criminals were quick to exploit the new technology. Since then, attackers have been refining their techniques, sometimes using deepfake videos or other AI methods to make their efforts more convincing. They have also in many cases become more selective, targeting particular individuals through what’s known as spear phishing or whaling (see below). Such attacks can be based on highly personalized approaches, and are thus particularly convincing. Meanwhile, technical techniques aimed at bypassing precautions, such as pharming and email spoofing, can make these scams harder for victims to spot.
Smishing
Deriving from “SMS” and “phishing,” smishing is the use of text messages to carry out the initial contact with a victim. People tend to be less suspicious of text messages than emails, and often respond to them in a hurry, or absent-mindedly.
Attackers will frequently attempt to pose as the victim’s bank, asking for verification details or, ironically, claiming that the recipient has been a victim of fraud; the victim is then asked to confirm their banking credentials or click on a (fraudulent) link to verify their account. Other common smishing scams include impersonating tech support, the tax authorities, or lottery operators promising a win. And while most smishing attacks are generally aimed at gaining access to individuals’ personal finances, the increase in remote working and bring-your-own-device policies means they can often also be used to target corporate networks.
Vishing
The term “vishing” — and you may see a pattern emerging here — derives from phishing that uses voice as the attack method. It can be very successful, as voice calls often catch their victims on the hop, so there’s less time to stop and consider whether the approach is genuine.
The commonest type of attack is one we’ve all experienced: the phone call purporting to come “from Microsoft” telling you there’s a problem with your computer. Other frequently impersonated organizations include banks (again, often purporting to alert the recipient to fraud), tax authorities, or companies offering compensation for accidents. The attackers may well use fake caller ID to appear legitimate. Once the scammers have won the victim’s trust, they will attempt to persuade them to hand over credit card numbers, bank account details or passwords. And while many vishing attempts use robocalls in a scatter-shot approach, the advent of AI means that it’s easier for criminals to clone particular voices.
Spearphishing
Spearphishing is the term for a phishing attack that targets a particular individual — often a middle-ranking or senior executive within an organization, or a political figure.
Spearphishing attacks are generally carefully crafted, with the attacker first gathering information about the victim through publicly available resources such as social media accounts, in an effort to make the initial approach more convincing. The scam message itself will likely be highly personalized. When successful, such attacks will often give the scammer access to corporate data, in the case of executives, or to confidential political information. State-sponsored attackers such as the Russia-based group Star Blizzard have, for example, been detected targeting academics, defense and governmental organizations, NGOs, think tanks and politicians. The group also creates fake social media or networking profiles that impersonate respected experts, and has used supposed conference or event invitations as lures.
Whaling
Whaling is essentially a subset of spearphishing — going after the really big fish (yes, we know). It involves targeting individuals at the very highest level of an organization, such as a CEO or CFO.
The aim is to access highly valuable information, such as confidential company financial data, trade secrets or passwords to high-level corporate accounts. Financial institutions and payment services are the most targeted organizations, although cloud storage and file hosting sites, online services and e-commerce sites are starting to get a larger share of attacks. Many whaling attacks go unreported, as there’s likely to be clear reputational damage. However, some examples are in the public domain, including a 2020 incident in which a fake Zoom invitation sent to one of the co-founders of hedge fund Levitas Capital led to the company paying out $8.7 million in fraudulent invoices; the firm went out of business soon after.
Pharming
Pharming involves redirecting a website’s traffic to a malicious website. However, unlike phishing attacks, this is done through technical rather than social means: exploiting the Domain Name System (DNS) — the internet’s “phone book,” which translates normal domain names to machine-readable IP addresses.
This can be done in a number of ways, but the most common method is probably DNS poisoning, also known as DNS spoofing or DNS cache poisoning. Here the attacker corrupts the records held by the DNS server the target relies on, so that it answers queries for the genuine domain with the attacker’s IP address instead of the real one. Pharming can also involve installing a virus, Trojan or keylogger on a user’s computer, altering the hosts file on a user’s computer or the DNS configuration on a local network, or setting up a “rogue” DNS server. Unlike a phishing attack, there’s no need for the user to click on a fraudulent link for the attack to succeed.
Email Spoofing
Email spoofing refers to the sending of emails that appear to be from someone else — and as there’s no authentication process built into email transmission protocols, it can be hard to spot.
An email consists of three different elements: the envelope, which the user generally doesn’t see, and which tells the email server who sent it and where it’s going; the header, which consists of the sender’s name and email address, the email subject, the reply-to address and the email send date; and finally the body of the message itself. Criminals can tailor some or all of these to fool their victim, with emails purporting to come from PayPal or banks being the most common. Spoofed emails can be used to trick the recipient into handing over their personal data, or to spread malware.
Common Email Phishing Examples
Phishing scammers are often extremely opportunistic, timing emails to coincide with holidays, major sporting events and tax deadlines. However, according to a recent report from security firm Cofense, phishing emails are usually centered around certain themes.
Finance-themed phishing emails, relating to invoices, payments, pay slips, statements, orders, remittances, or receipts are the most common type, at 54%. Those relating to notifications such as password expiry or appointments were the second most common, at 35%, while shipping-related emails accounted for 7%. Other widespread phishing emails included those related to documents and document signatures; voicemail-themed emails; travel assistance; and legal-themed emails. Meanwhile, according to a report from Check Point Research, Microsoft was the most-impersonated brand in the second quarter of last year, followed by Google, Apple, Wells Fargo and Amazon.
How To Prevent Phishing Attacks
Defending effectively against phishing attacks involves a multi-layered approach, through the use of both staff awareness training and technical measures.
Individuals should be suspicious whenever they’re asked to click on a link or supply personal or financial information. Other signs that an email isn’t genuine include spelling and grammatical errors, claims of urgency, or slightly off email addresses. Hovering the cursor over a link should reveal whether the destination URL matches the legitimate website. Organizations should engage in regular training programs, and should make sure that it’s easy for staff to report suspicious emails. Meanwhile, multi-factor authentication should be used, and software and browsers kept up to date. The Federal Trade Commission publishes advice on this. And anyone who has fallen for a phishing email should report it to their IT department or email provider, change passwords and monitor their accounts for malware.
Bottom Line
With phishing on the rise, organizations and individuals need to be on their guard, particularly as the advent of AI is making scams ever harder to spot. However, a healthy level of suspicion, along with technical measures and the right organizational strategies, can help keep the risk to a minimum.