Most Common Types Of Phishing Attack You Need To Know
Phishing is one of the easiest and most cost-effective ways to trick individuals into revealing sensitive information. It is defined as:
“Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.” We will discuss some common types of phishing attack that you need to know as a cybersecurity professional. Threat actors target people, not systems, to run a successful phishing campaign.
5 common types of phishing attack
Business Email Compromise (BEC)
A threat actor sends an email message that seems to be from a known source to make a legitimate request for information in order to gain financial advantage.
Business Email Compromise (BEC) is a type of phishing attack where cybercriminals use fake emails to trick people into sending money or sensitive information. Here’s a simple example to illustrate how it works:
Jane works in the finance department of a company. She often receives emails from her boss, Mr. Smith, asking her to make payments to various vendors.
A cybercriminal hacks into Mr. Smith’s email account or creates a fake email address that looks very similar to his. Let’s say the real email is smith@company.com, and the fake one is smith@compamy.com.
The criminal sends an email to Jane from the fake email address. The email looks just like the ones Mr. Smith usually sends. It says something like, “Jane, please transfer $10,000 to this new vendor immediately. It’s urgent!”
Trusting that the email is from her boss, Jane quickly transfers the money to the account provided in the email. However, the account belongs to the criminal.
The company loses $10,000, and the criminal gets away with the money.
The criminal pretends to be someone trusted, like a boss or a vendor. The email often has a sense of urgency, making the victim feel they need to act quickly without double-checking. The company loses money or sensitive information.
To prevent BEC, always verify unexpected or urgent requests through a separate communication channel, like a phone call, to ensure they are legitimate.
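The compamy.com / company.com pair in the story above is a classic lookalike domain: one substituted letter that the eye skips over. As an added example (not code from the original article), the script below shows how a mail gateway or SOC triage script can catch that automatically by comparing every inbound sender domain against a list of trusted domains and holding near-misses for out-of-band verification. The trusted-domain list, the sample messages, and the distance threshold are all constructed for this illustration; company.com is the article’s own sample domain.

```python
"""Flag inbound mail whose sender domain is a near-miss of a trusted domain.

Added example, not part of the original article. Catches lookalike sender
domains such as compamy.com versus company.com so they can be held for
verification through a separate channel instead of being acted on.
"""
from dataclasses import dataclass
from typing import Optional

# Domains the organisation actually uses or regularly deals with. Constructed
# for this example; company.com is the article's own sample domain.
TRUSTED_DOMAINS = {"company.com", "vendor-supplies.example"}

# Maximum edit distance at which a domain is treated as an impersonation.
# One or two edits cover most typosquats; larger values start flagging
# unrelated domains. Constructed threshold; tune it to your own domain list.
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address; accepts 'Name <user@host>' too."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    domain: str
    status: str                     # "trusted", "lookalike" or "unknown"
    closest: Optional[str] = None   # nearest trusted domain, if not trusted
    distance: Optional[int] = None  # edit distance to that domain


def classify_sender(address: str) -> Verdict:
    """Exact match is trusted; a small edit distance is a lookalike;
    anything else is simply an unknown external sender."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return Verdict(domain, "trusted")
    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(domain, t))
    dist = levenshtein(domain, closest)
    if dist <= MAX_DISTANCE:
        return Verdict(domain, "lookalike", closest, dist)
    return Verdict(domain, "unknown", closest, dist)


# Constructed sample messages in the shape of the BEC story above.
SAMPLE_MAIL = [
    {"from": "Mr. Smith <smith@company.com>", "subject": "Q3 vendor payments"},
    {"from": "Mr. Smith <smith@compamy.com>", "subject": "URGENT: transfer $10,000 today"},
    {"from": "newsletter@unrelated-shop.example", "subject": "Weekly deals"},
]


def triage(messages):
    """Return (from, status, closest trusted domain) for each message so a
    reviewer can hold lookalikes for verification by phone."""
    results = []
    for m in messages:
        v = classify_sender(m["from"])
        results.append((m["from"], v.status, v.closest))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_MAIL):
        print(row)
```

Run as-is and the second message is reported as a lookalike of company.com at distance 1, which is exactly the case where the article's advice applies: hold the request and confirm it with Mr. Smith by phone. Note that this check only covers the display domain; a compromised genuine account (the other scenario the article mentions) passes as trusted, so the out-of-band verification step is still needed for urgent payment requests.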
Spear phishing
A malicious actor targets a specific user or group of users seeking sensitive information.
Spear phishing is another type of phishing attack where cybercriminals send targeted emails to trick specific people into giving away personal information or clicking on malicious links. Here’s an example to make it clear:
Lisa works at a marketing company. She gets an email that looks like it’s from her favorite online store, saying she has won a $100 gift card. The email includes her name and mentions recent purchases she made, making it look very convincing.
Excited about the prize, Lisa clicks on the link in the email to claim the gift card. The link takes her to a website that looks just like the real online store. It asks her to log in with her username and password. Thinking it’s legitimate, Lisa enters her details.
Unfortunately, the website is fake, created by the cybercriminals. They now have Lisa’s login information for her favorite online store. They use this information to make unauthorized purchases and steal her personal information.
In this scenario, the cybercriminals targeted Lisa specifically, using details that made the email look genuine. This is what makes spear phishing different from regular phishing, which sends generic emails to many people.
To avoid falling for spear phishing, always be cautious with emails asking for personal information or containing links. Double-check the sender’s email address and look for signs that the email might be fake. When in doubt, contact the company directly through their official website or customer service number.
Whaling
The toughest and most profitable type of phishing attack, where the threat actor targets BIG FISHES (company executives) to gain access to sensitive data. Cybercriminals target high-level executives or important people in a company to steal sensitive information or money.
Mr. Johnson is the CEO of a big company. One day, he gets an email that looks like it’s from the company’s legal department. The email says there’s an important legal issue that needs his attention and includes a link to view the documents.
Since the email seems urgent and comes from what looks like a trusted source, Mr. Johnson clicks on the link. The link takes him to a fake website that looks real and asks him to log in with his company credentials.
Trusting the website, Mr. Johnson enters his login information. The cybercriminals who created the fake website now have his username and password. They use this information to access sensitive company data and steal valuable information.
In this scenario, the criminals targeted Mr. Johnson specifically because he holds a high position in the company and has access to important information. This targeted attack on high-level executives is what makes whaling different from regular phishing.
To avoid falling for whaling scams, it’s important for executives to be extra cautious with emails asking for sensitive information or containing links. They should verify such requests through a separate communication channel, like a phone call to the legal department, to ensure the email is legitimate.
Vishing
The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.
Vishing is a type of phishing attack where cybercriminals use phone calls to trick people into giving away personal information or money. Here’s an example to make it clear:
Tom gets a phone call from someone pretending to be his bank. The caller ID even shows the bank’s name, so it looks real. The caller says there has been suspicious activity on Tom’s account and they need to verify his identity to fix the problem.
Worried about his account, Tom follows the caller’s instructions. The caller asks for his account number, social security number, and other personal information to “verify” his identity.
Trusting the caller, Tom gives the information. However, the caller is actually a cybercriminal. They use Tom’s information to steal money from his account and commit identity theft.
In this scenario, the criminal used a phone call to carry out the attack, which is why it’s called vishing, a combination of “voice” and “phishing.” This is one of the types of phishing attacks that rely on social engineering to trick victims.
To avoid vishing scams, it’s important to be cautious with unsolicited phone calls asking for personal information. Always verify the caller’s identity by hanging up and calling the official phone number of the bank or company directly.
Smishing
A type of phishing attack where a threat actor uses text messages to trick users in order to obtain sensitive information or to impersonate a known source.
Sarah gets a text message that looks like it’s from her bank. The message says there’s a problem with her account and she needs to click on a link to fix it. The message looks urgent and official.
Worried about her account, Sarah clicks on the link in the text message. The link takes her to a fake website that looks just like her bank’s website. The site asks her to log in with her username and password.
Trusting the website, Sarah enters her login details. The cybercriminals who created the fake website now have her banking information. They use this information to steal money from her account.
In this scenario, the criminals used a text message to carry out the attack, which is why it’s called smishing, a combination of “SMS” (text messaging) and “phishing.” This is one of the types of phishing attacks that rely on social engineering to trick victims.
To avoid smishing scams, it’s important to be cautious with text messages asking for personal information or containing links. Always verify such requests by contacting the bank or company directly through their official phone number or website.
Closing Thoughts
Understanding each type of phishing attack is crucial in today’s digital world. Whether it’s through email, phone calls, or text messages, cybercriminals are constantly evolving their tactics. By being aware of methods like spear phishing, whaling, vishing, and smishing, you can better protect yourself and your sensitive information.
Stay vigilant, always double-check unexpected requests, and educate those around you about these common phishing attacks to create a safer online environment for everyone.