What Are The Different Types Of Phishing?
This is the most common phishing tactic. An email is sent to multiple recipients urging them to update personal information, verify account details, or change passwords.
Typically, the email is worded to promote a sense of urgency, sometimes highlighting the recipient's need to protect themselves or their organization. The email is designed to appear to come from a legitimate source, such as customer service for PayPal, Apple, Microsoft, a bank, or other known companies.
Content Injection
A familiar-looking webpage, like an email account login page or online banking page, is injected with malicious content. The content can include a link, form, or pop-up that directs people to a secondary website where they are urged to confirm personal information, update credit card details, change passwords, etc.
Link Manipulation
A carefully worded email arrives with a malicious link to a familiar website such as Amazon or another popular website. When you click on the link, it takes you to a fake website designed to look exactly like the known website, where you are then prompted to update your account information or verify account details.
CEO Fraud
This common type of domain spoofing includes sending emails that masquerade as coming from the CEO, human resources, or a colleague. The email may ask the recipient to transfer funds, confirm an e-transfer or wire transfer, or send tax information.
Fake Websites
Hackers create fake websites that look just like highly frequented websites. This fake website has a slightly different domain, for example, outlook.you.live.com instead of outlook.live.com. People believe they're on the right website and accidentally open themselves to identity theft.
Mobile Phishing
Mobile phishing can involve fraudulent SMS, social media, voice mail, or other in-app messages informing the recipient that their account has been closed, compromised, or is expiring. The message includes a link, video, or message to steal personal information or install malware on the mobile device.
Spear Phishing
Spear phishing is advanced targeted email phishing. The criminal targets a specific individual or organization and uses focused, personalized messages to steal data that goes beyond personal credit card information. For example, infiltrating a hospital, bank, or university to steal data severely compromises the organization.
Voice Phishing
With voice phishing or vishing, a phone caller leaves a strongly worded voicemail or reads from a script that urges the recipient to call another phone number. Often these calls are designed to be urgent and encourage the recipient to act before their bank account is suspended or, worse, they may be charged with a crime.
Session Hijacking
This type of phishing requires sophisticated techniques that allow criminals to violate a web server and steal information stored on the server.
Malvertising
This type of malware uses online advertisements or pop-ups to encourage people to click a link that installs malware on the computer.
Malware
Malware happens with a person clicks an email attachment and inadvertently installs software that mines the computer and network for information. Keylogging is one type of malware that tracks keystrokes to discover passwords. A trojan horse is another type of malware that tricks someone into entering personal information.
Man-In-The-Middle
With man-in-the-middle phishing attacks, the criminal tricks two people into sending information to each other. The phisher or criminal may send fake requests to each party or alter the information being sent and received. The people involved believe they are communicating with each other and have no idea a third party is manipulating them.
Evil Twin Wi-Fi
In this phishing attack, cyber criminals create a fake Wi-Fi access point that acts as a legitimate Wi-Fi hotspot. This tactic is common in coffee shops, airports, hospitals, or locations where people routinely need Wi-Fi access. People log into this Wi-Fi access point thinking they're using a legitimate spot, allowing criminals to intercept any data communicated on this fake Wi-Fi account.
These different types of phishing are part of a greater social engineering scheme. Social engineering is a savvy way to trick people into giving up information, access, and details they know they should keep secure and private.
Related reading: 19 Examples of Common Phishing Emails
Did you know?
Social engineering and phishing are successful because they rely on the natural human tendency to trust others. People assume the password update or wire transfer request is legitimate because they recognize the source and believe they are acting in the best interests of themselves and others.
Join the Gone Phishing Tournament
The biggest phishing benchmarking event
What is Trap Phishing?
Trap phishing typically preys on security vulnerabilities in common online behavior. Such habits can include completing online transactions, sharing information on social media, and more. Trap phishing schemes lure unsuspecting users to a malicious webpage by posing as a legitimate organization or familiar business.
Often interpolating recognized branding or vocabulary, victims are enticed to click on a phishing email link and/or provide sensitive information via the malicious webpage. Though not as targeted as other phishing scams, these generic attacks can still be quite effective.
How Does Phishing Happen?
Phishing happens when an unsuspecting victim responds to fraudulent requests that demand action. This action can include downloading an attachment, clicking a link, filling out a form, updating a password, calling a phone number, or using a new Wi-Fi hotspot.
A crucial aspect of successful security awareness training is educating people about how easy it is to be tricked into giving up confidential information.
The following examples of phishing underscore how easy it is for anyone to be a victim of phishing.
6 Clues That You Are A Target Of A Phishing Email
Sender
Sender
Just because you know the person whose name is on the email doesn't make it safe.
A name is easy to fake.
Check the email address to confirm that the email is really from that person.
Salutation
Salutation
Take a good look at the salutation.
If it says "Dear client," "Dear Customer" or "Dear Valued Customer," instead of your name, beware!
Content
Content
Scammers try to create a sense of urgency so that you act rather that think (e.g., your account will be blocked!).
Poor grammar and spelling mistakes? No legitimate organization would ever let such mistakes get by it.
They ask you for personal or financial information.
They ask you to update your account or change your password. But you won't fall for that!
Report anything that seems suspicious to your IT service desk.
Link or Button
Link or Button
Emails usually try to get you to click a link or button, which takes you to a fake website or installs malware.
Unless you can confirm the sender's identity, you should never click.
Attachment
Attachment
When you open a scammer's attachment, you open the door to malware.
Malware can wreak havoc on your computer or even your organization's entire network.
Contact Information
Contact Information
Legitimate organizations want you to get in touch with them, if necessary.
They show their contact information in their email so you can call them and verify that they are who they say they are.
Try to spot the clues in the following examples of phishing emails:
Did you know?
Phishing simulations allow you to identify which employees are prone to phishing and educate your team on how easy it is for phishing to happen.
How to Prevent Phishing
To help prevent phishing, Terranova Security recommends taking the following precautions:
Educate your employees about phishing. Take advantage of free phishing simulation tools to educate and identify phishing risks.
Use proven security awareness training and phishing simulation platforms to keep employees' phishing and social engineering risks top of mind. Create internal cyber security heroes committed to keeping your organization cyber secure.
Remind your security leaders and cyber security heroes to regularly monitor employee phishing awareness with phishing simulation tools. Use phishing microlearning modules to educate, train, and change behavior.
Provide ongoing communication and campaigns about cyber security and phishing. This includes establishing strong password policies and reminding employees about the risks that can come in the format of attachments, emails and URLs.
Establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.
Ensure that all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.
Incorporate cyber security awareness campaigns, training, support and education into your corporate culture.
What is a Phishing Simulation?
Phishing simulation is the best way to raise awareness of phishing risks and identify which employees are at risk for phishing.
Phishing simulation allows you to incorporate cyber security awareness into your organization in an interactive and informative format.
Real-time phishing simulations are a fast and effective way to educate people and increase alertness levels to phishing attacks. People see first-hand how CEO fraud, emails, fake websites, malware and spear phishing are used to steal personal and corporate information.
What are the Top 10 Benefits of a Phishing Simulation?
Phishing simulation gives your organization these top 10 benefits:
1. Measure the degrees of corporate and employee vulnerability
2. Eliminate the cyber threat risk level
3. Increase user alertness to phishing risks
4. Instill a cyber security culture and create cyber security heroes
5. Change behavior to eliminate the automatic trust response
6. Deploy targeted anti-phishing solutions
7. Protect valuable corporate and personal data
8. Meet industry compliance obligations
9. Assess the impacts of cyber security awareness training
10. Segment phishing simulation