Phishing Attacks and Phishing Scams
19 Mar
Phishing attacks are becoming more sophisticated. This article covers the most common types of phishing attacks.
There are multiple types of phishing, the most common being spear phishing, whaling, vishing and email phishing. Phishing is one of the most common cyber threats organisations face. Cyber criminals send companies messages masquerading as legitimate correspondents but with malicious intent. Some messages simply ask the recipient to click through to a bogus website that captures personal information or delivers malware; others are more complex and involve the transfer of funds. Hundreds of millions of organisations are targeted each week. Hackers are getting better at tricking people into handing over credentials, sending funds to specific accounts and carrying out other ‘instructions’ that benefit cyber criminals.
Studies reveal that one in every 99 emails is a phishing attack.
Taking a closer look at the USA, more than $56m was lost in 2019 as a result of phishing, with over 100,000 people falling victim to such attacks (according to a 2020 FBI report). According to Tanmay Ganacharya, principal director of Microsoft’s security research team: “Most of the attackers have now moved to phishing because it’s easy. If I can convince you to give me your credentials, it’s done. There’s nothing more that I need.”
In this article we’ll look at how phishing has become increasingly sophisticated together with the most common types of phishing attacks.
The vast majority of phishing attacks are sent via email. Attackers register web domains that mimic a genuine company and send out thousands of emails with generic requests. The fake domains usually rely on character substitution, such as ‘r’ followed by ‘n’ (‘rn’ looks similar to ‘m’); this is commonly referred to as typosquatting. Another very common tactic is to use the company’s name as part of the email address. The sender’s display name is set to a familiar name to deceive the recipient. Always check the actual email address of incoming messages that ask you to click a link or download an attachment.
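A simple defensive check for the two tactics just described (confusable-character lookalikes such as ‘rn’ for ‘m’, and a brand name embedded in an otherwise unrelated domain), written as an added example for this article rather than code from any product; the From: header values and the trusted domain list are constructed for illustration:

```python
import re

# Confusable sequences seen in lookalike domains: the 'rn' -> 'm' case from the
# article plus a few other well-known substitutions. This is a heuristic, so a
# legitimate domain that happens to contain one of these pairs can be misflagged.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so look-alike labels compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def sender_domain(from_header: str) -> str:
    """Extract the real address from a From: value (ignoring any display name)
    and return its domain part."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def registrable(domain: str) -> str:
    # Assumes single-label TLDs such as .com or .net (no public-suffix list here).
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, trusted) -> str:
    """Return 'trusted', 'lookalike', 'brand-in-domain' or 'unknown'."""
    domain = sender_domain(from_header)
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    # Confusable-character lookalike of a trusted domain, e.g. exarnple.com.
    for good in trusted:
        if skeleton(reg) == skeleton(good):
            return "lookalike"
    # Brand name used inside a different domain, e.g. example-payments.net
    # or example.com.evil-host.net (brand as a subdomain of an attacker domain).
    for good in trusted:
        brand = good.split(".")[0]
        if brand in domain:
            return "brand-in-domain"
    return "unknown"


if __name__ == "__main__":
    trusted = {"example.com"}  # constructed sample of the organisation's own domains
    for hdr in ['"Example Support" <help@example.com>',
                '"Example Support" <help@exarnple.com>',
                "billing@example-payments.net",
                "alerts@example.com.evil-host.net"]:
        print(f"{hdr!r:48} -> {classify_sender(hdr, trusted)}")
```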
When crafting a phishing email, scammers pay a great deal of attention to detail to evade detection by email filters. Legitimate details, such as the contact information of the business being spoofed, are often included. Phishing landing pages will most likely blend malicious and benign code so as not to appear malicious, always with the intent of stealing funds or credentials. One of the most common tricks is to include shortened links and redirects that only become active after a delay (often referred to as time bombing), so the link looks harmless at scanning time. Brand colours and logos are used in attack emails to create familiarity.
CEO and Senior Management Fraud
Usually referred to as whaling or CEO fraud, these attacks are highly targeted. The deception in this case does not rely on fake or malicious URLs but on impersonating senior staff members. Scams involve bogus tax returns and transactions that are usually carried out on a regular basis (such as end-of-week payment runs!).
Vishing and Smishing
In both smishing and vishing the main communication medium used by hackers is not email but the telephone. Smishing involves criminals sending SMS messages whose content is very similar in nature to email phishing.
Vishing, on the other hand, involves a telephone conversation. A commonly used vishing scam involves criminals posing as fraud investigators from financial institutions (banks or credit card companies) telling victims that their account has been breached. The victim is then asked to provide payment card details to verify their identity (card number, expiry date and CVV code) or, alternatively (and also popular with scammers worldwide!), to transfer their funds into a ‘secure’ account, which in reality is the criminal’s own account.
Spear Phishing
In this case cyber criminals already have some details about the victim in their possession, such as name, job title, email address and information about the victim’s role. The emails are made very familiar in content and tone of voice, and manage to get the recipient to carry out a specific action relatively easily. Recently we have seen a serious increase in spear phishing, as the return on investment compared to generic, untargeted phishing is much higher.
How to protect against Phishing
The most important aspect of protecting against phishing attacks is spotting the attack quickly. Your workforce needs to be up to speed with the latest threats and techniques used by cyber criminals; education in the form of cyber security awareness training is recommended. In addition, phishing attacks can be simulated and actual user behaviour recorded and analysed. Based on the results, instructions, procedures and the corresponding email filters need to be rolled out.
Phishing is always evolving, so be proactive and safeguard your organisation! Spam filters have over the years proven unreliable, and malicious emails still get through regularly. Prevention includes analysing weaknesses and gaps in the workforce’s behaviour through a managed phishing-as-a-service campaign and awareness courses.