Types of Phishing Attacks

Below are 10 of the most pervasive types of phishing:

Standard Email Phishing — Arguably the most widely known form of phishing, this attack is an attempt to steal sensitive information via an email that appears to be from a legitimate organization. It is not a targeted attack and can be conducted en masse.

Malware Phishing — Utilizing the same techniques as email phishing, this attack encourages targets to click a link or download an attachment so malware can be installed on the device. It is currently the most pervasive form of phishing attack.

Spear Phishing — Where most phishing attacks cast a wide net, spear phishing is a highly targeted, well-researched attack generally aimed at business executives, public personas and other lucrative targets.

Smishing — SMS-enabled phishing delivers malicious short links to smartphone users, often disguised as account notices, prize notifications and political messages.

Search Engine Phishing — In this type of attack, cyber criminals set up fraudulent websites designed to collect personal information and direct payments. These sites can show up in organic search results or as paid advertisements for popular search terms.

Vishing — Vishing, or voice phishing, involves a malicious caller purporting to be from tech support, a government agency or other organization and trying to extract personal information, such as banking or credit card information.

Pharming — Also known as DNS poisoning, pharming is a technically sophisticated form of phishing involving the internet’s domain name system (DNS). Pharming reroutes legitimate web traffic to a spoofed page without the user’s knowledge, often to steal valuable information.

Clone Phishing — In this type of attack, a shady actor compromises a person’s email account, makes changes to an existing email by swapping a legitimate link, attachment or other element with a malicious one, and sends it to the person’s contacts to spread the infection.

Man-in-the-Middle Attack — A man-in-the-middle attack involves an eavesdropper monitoring correspondence between two unsuspecting parties. These attacks are often carried out by creating phony public WiFi networks at coffee shops, shopping malls and other public locations. Once joined, the man in the middle can phish for info or push malware onto devices.

BEC (Business Email Compromise) — Business email compromise involves a phony email appearing to be from someone in or associated with the target’s company requesting urgent action, whether wiring money or purchasing gift cards. This tactic is estimated to have caused nearly half of all cybercrime-related business losses in 2019.

Malvertising — This type of phishing utilizes digital ad software to publish otherwise normal-looking ads with malicious code implanted within.

Two Ways to All but Guarantee You Don’t Fall for Any Phishing Scam

Applying these two actions consistently will help protect you from online scams:

Don’t click. Use your own link. If you use a product or service from the company apparently sending you the message, don’t click. Instead, navigate to the website via a browser bookmark or search engine. If the email is legitimate, you will see the same information when you log into your account on the legitimate site. This is the ONLY way to guarantee you land on the legitimate site.

If you use the link or phone number in an email, IM, blog, forum, voicemail, etc., where you land (or who you talk to) is their choice, not yours. The website they take you to or the “bank manager” on the phone may be a convincing copy, but if you share your information it will be stolen and abused.

Use a browser filtering extension. There are browser extensions that grade search engine results based on known characteristics or behaviors and may even prevent you from navigating to malicious sites. Generally, sites will be graded on a scale from safe to suspicious to high risk.
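The two rules above can be combined into a simple link check, shown here as an added example that is not from the original page or from any real extension: each link in a message is graded safe, suspicious or high risk by comparing where the href really goes with the reader's own bookmarked hosts and with the site named in the link text. The bookmark list, the sample message and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the reader already has bookmarked (constructed values).
BOOKMARKED_HOSTS = {"bank.example"}

# Constructed sample message body, not taken from a real email.
SAMPLE_EMAIL = """
<p>Your statement is ready.</p>
<a href="https://bank.example/login">Sign in</a>
<a href="https://bank.example.account-check.test/login">www.bank.example</a>
<a href="http://prizes.test/claim">Claim your prize</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or URL-looking text, lower-cased, without 'www.'."""
    value = value.strip()
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        return (parts.hostname or "").lower().removeprefix("www.")
    except ValueError:
        return ""

def grade_link(href, text):
    host = host_of(href)
    if not host or urlsplit(href).scheme not in ("http", "https"):
        return "suspicious"   # cannot be compared with a bookmark
    # Link text that looks like a hostname must match where the href goes.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != host:
        return "high risk"
    ok = any(host == b or host.endswith("." + b) for b in BOOKMARKED_HOSTS)
    return "safe" if ok else "suspicious"

def grade_email(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(href, grade_link(href, text)) for href, text in collector.links]
```

A "safe" grade here only means the link points at a host you already bookmarked; opening the bookmark itself remains the stronger habit.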