Gone Phishing: Understanding Different Phishing Types and How to Protect Yourself


Phishing attacks have become an epidemic. Approximately 3.4 billion phishing emails are sent worldwide each day, making it the leading attack vector in 41% of all data breaches. And it’s not just e-mail—phishing has expanded to voice, text, social media, and even fake websites, targeting users across multiple platforms to steal sensitive information and compromise accounts.

The aim of a phishing scam is to steal your credentials, and it’s no wonder why—according to Verizon, 86% of data breaches in 2023 involved compromised credentials. And AI is making the various phishing schemes easier than ever – from improving the quality of the e-mails themselves and removing the tell-tale grammatical errors to using fake voices in vishing scams, the effectiveness of these scams is only increasing.

Below, we explore the different types of phishing and how they work, and then discuss how you can protect yourself from this ever-growing threat.

Classic Phishing Attacks

Classic phishing attacks typically involve deceitful emails designed to trick recipients into revealing personal information or clicking malicious links. These emails often mimic legitimate companies or organizations to gain the victim’s trust. Google intercepts around 100 million phishing emails daily, but that leaves quite a few still making it through. Telltale signs of a phishing e-mail are links that do not look right (perhaps a misspelled domain name like amazone.com, or extra words like amazon.customersupport.com, where the real brand name is only a subdomain of someone else’s domain), some odd grammar choices, and a sense of urgency that seems out of place (“update info now or your account will be disabled!”).
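As an added illustration (not code from the original post), the following Python applies the two link checks just described: a typosquatted registrable domain such as amazone.com, and a real brand name that appears only as a subdomain of an unrelated domain such as amazon.customersupport.com. The brand allow-list, the suffix table and the function names are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of brands and the registrable domains they really use.
# A real deployment would load a maintained list; these entries are examples only.
KNOWN_BRANDS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com", "paypal.co.uk"},
    "usps": {"usps.com"},
}

# Two-part public suffixes handled here (simplified; use the Public Suffix List in practice).
MULTI_PART_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the domain the owner actually registered, e.g.
    'amazon.customersupport.com' -> 'customersupport.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats like 'amazone'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Classify a link as 'ok', 'lookalike' or 'unknown' relative to KNOWN_BRANDS."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]  # e.g. 'amazone' for 'amazone.com'
    for brand, legit in KNOWN_BRANDS.items():
        if reg in legit:
            return "ok"
        # Brand name used as a subdomain (amazon.customersupport.com) or embedded
        # in the registrable label (amazon-support.com) of a non-brand domain.
        if brand in host.split(".") or brand in reg_label:
            return "lookalike"
        # Typosquat: registrable label within one edit of the brand name.
        if levenshtein(reg_label, brand) <= 1:
            return "lookalike"
    return "unknown"
```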

SMShing (or Smishing)

“You won a $1,000 gift card!” “USPS cannot deliver your package, click here to update your address!” “Unusual activity detected on your bank account!” Chances are, you’ve gotten a text message like that, which is an attempt at SMShing, or phishing via SMS. Like e-mails, they often contain an unusual sense of urgency and some misplaced links, but the link shorteners commonly used in legitimate text messages make these harder to spot. Always go directly to the company’s website to confirm any message asking you to do something, and remember that a US government entity like the USPS or IRS is not going to communicate with you solely via text.

If you’re in the US, did you know you can forward SMShing messages to the FTC? Send them to 7726 (AKA SPAM on your phone’s keypad) and it will help your wireless provider identify and block these messages in the future.

Vishing

Vishing (short for “voice phishing”) is a type of phishing attack that uses voice communication, typically phone calls, to deceive victims into revealing sensitive information, such as login credentials, financial details, or personal data. A very common one in the US purports to be from the IRS, threatening penalties and jail time due to back taxes. This one has been around for a while – a viral video from 2018 shows a police officer in Midland, Texas talking to a scammer who tells him to clear his back taxes by buying Apple gift cards or the police would be en route to arrest him within 45 minutes.

Spear Phishing

Spear phishing is a refined and highly targeted form of phishing that requires more effort and research from the attacker. Unlike general phishing, which casts a wide net hoping to snare any unsuspecting victim, spear phishing focuses on specific individuals or organizations. Attackers gather detailed information about their targets to create highly convincing messages that appear legitimate and relevant.

These attackers often utilize information from social media profiles, company websites, and other publicly available sources to customize their approach. The crafted messages may reference recent activities, personal interests, or professional responsibilities, making them difficult to distinguish from genuine communications. This personalization increases the chances of the victim being deceived.

For instance, an attacker targeting an executive might send an email that appears to be from a trusted colleague or business partner. The message might discuss a recent meeting or project, encouraging the recipient to click on a link or download an attachment. Once the victim takes the bait, they could unknowingly download malware or reveal sensitive information, potentially compromising the entire organization.

Spear phishing is not limited to email. Attackers may also use phone calls, social media messages, or even physical mail to carry out their schemes. Given the targeted nature of these attacks, they can have severe consequences, including data breaches, financial loss, and reputational damage.

Recognizing and defending against spear phishing requires a keen eye and a proactive approach. Employees should be trained to scrutinize unexpected communications, even if they seem to come from known contacts. Encourage staff to verify the legitimacy of suspicious messages by contacting the sender through a different, trusted method.

In addition to awareness training, employing technical defenses can help mitigate the risk of spear phishing. Advanced email filters, multi-factor authentication, and robust cybersecurity protocols add layers of protection. By combining vigilance with technological safeguards, individuals and organizations can better protect themselves against the sophisticated tactics of spear phishers.

Whaling

A whaling attack is a highly targeted phishing attack aimed at high-level executives, such as CEOs, CFOs, or other senior leaders within an organization. The goal is to deceive these individuals into sharing sensitive information, transferring funds, or granting access to confidential systems. Unlike the first two methods, these attacks are often carefully crafted to appear legit, banking on busy executives who may get careless with doing their due diligence. In addition to the usual compromised credentials, they might also target intellectual property or strategic competitive intelligence (but they’re not above wire fraud, either!).

Clone Phishing

Clone phishing is a type of phishing attack in which a legitimate email or message that the victim has previously received is copied (“cloned”) and slightly altered by an attacker. The goal is to trick the recipient into believing the new, fraudulent message is a genuine follow-up or update.

This might not seem different from regular phishing, but the key is that it appears to come from a trusted source. For instance, during the Okta breach, the targets were customers who had actually used Okta support recently. Since they might be expecting a message from Okta, the recipients understandably might not have been as vigilant as normal in spotting any irregularities.

Angler Phishing

Angler phishing is a type of social media phishing attack in which cybercriminals impersonate customer service accounts to deceive users into revealing sensitive information or downloading malware. The term “angler” comes from the way attackers “fish” for victims on social platforms. When you consider that messaging company accounts on Facebook and/or Twitter has become an established way to get better support than going through traditional channels like phone or e-mail, this type of attack targets users who are already frustrated (and thus perhaps more likely to be careless).

Reducing Phishing Risks with Passwordless Login

Transitioning to passwordless certificate-based authentication is a promising strategy to counter phishing attacks. This method uses certificates for authentication, eliminating the need for passwords altogether. This means attackers cannot steal passwords through phishing, significantly reducing the risks of compromise.

In addition to a higher level of security, passwordless authentication simplifies the login process for users. Instead of remembering complex passwords, authentication is handled through the secure exchange of cryptographic keys, where a digital certificate issued by a trusted authority verifies the user’s identity. This enhances security and improves the user experience, making it more convenient and efficient.

Organizations adopting passwordless authentication can benefit from reduced helpdesk calls related to password resets and improved compliance with security policies. This transition also aligns with modern security standards and best practices, positioning organizations ahead of evolving cyber threats.

Embracing passwordless authentication can fortify your defenses against phishing and other cyberattacks, paving the way for a more secure and user-friendly digital environment.
