Phishing attacks are social engineering attacks, and their targets vary widely depending on the attacker. Examples range from generic scam emails to more sophisticated, targeted ones.
Phishing can also be a targeted attack focused on a specific individual. The attacker often tailors an email to speak directly to you, and includes information only an acquaintance would know. An attacker usually gets this information after gaining access to your personal data. If the email is this type, it is very difficult for even the most cautious of recipients not to become a victim. PhishMe Research determined that ransomware accounts for over 97% of all phishing emails.
Types of phishing attacks range from classic email phishing schemes to more inventive approaches such as spear phishing and smishing. All have the same purpose – to steal your personal details.
Fishing with a pole may land you a number of items below the waterline – a flounder, bottom feeder, or piece of trash. Fishing with a spear allows you to target a specific fish. Hence the name.
Spear phishing targets a specific group or type of individual such as a company’s system administrator. Below is an example of a spear phishing email. Note the attention paid to the industry in which the recipient works, the download link the victim is asked to click, and the immediate response the request requires.
Whaling is an even more targeted type of phishing that goes after the whales – marine animals even bigger than a fish. These attacks typically target a CEO, CFO, or any CXX within an industry or a specific business. A whaling email might state that the company is facing legal consequences and that you need to click on the link to get more information.
The link takes you to a page where you are asked to enter critical data about the company such as tax ID and bank account numbers.
Vishing has the same purpose as other types of phishing attacks. The attackers are still after your sensitive personal or corporate information. This attack is accomplished through a voice call. Hence the “v” rather than the “ph” in the name.
A common vishing attack includes a call from someone claiming to be a representative from Microsoft. This person informs you that they’ve detected a virus on your computer. You’re then asked to provide credit card details so the attacker can install an updated version of anti-virus software on your computer. The attacker now has your credit card information and you have likely installed malware on your computer.
The malware could contain anything from a banking Trojan to a bot (short for robot). The banking Trojan watches your online activity to steal more details from you – often your bank account information, including your password.
A bot is software designed to perform whatever tasks the hacker wants it to. It is controlled through command and control (C&C) to mine for bitcoins, send spam, or take part in a distributed denial of service (DDoS) attack.
Email phishing is the most common type of phishing, and it has been in use since the 1990s. Hackers send these emails to any email addresses they can obtain. The email usually informs you that there has been a compromise to your account and that you need to respond immediately by clicking on a provided link. These attacks are usually easy to spot as language in the email often contains spelling and/or grammatical errors.
Some emails are difficult to recognize as phishing attacks, especially when the language and grammar are more carefully crafted. Checking the email source and the link you’re being directed to for suspicious language can give you clues as to whether the source is legitimate.
Another phishing scam, referred to as sextortion, occurs when a hacker sends you an email that appears to have come from you. The hacker claims to have access to your email account and your computer. They claim to have your password and a recorded video of you.
The hackers claim that you have been watching adult videos from your computer while the camera was on and recording. The demand is that you pay them, usually in Bitcoin, or they will release the video to family and/or colleagues.
Search engine phishing, also known as SEO poisoning or SEO Trojans, is where hackers work to become the top hit on a search using a search engine. Clicking on their link displayed within the search engine directs you to the hacker’s website. From there, threat actors can steal your information when you interact with the site and/or enter sensitive data. Hacker sites can pose as any type of website, but the prime candidates are banks, money transfer, social media, and shopping sites.
Smishing attacks use short message service or SMS, more commonly known as text messages. This form of attack has become increasingly popular because people are more likely to trust a message that comes in through a messaging app on their phone than a message delivered via email.
Although many victims don’t equate phishing scams with personal text messages, the truth is that it is easier for threat actors to find your phone number than your email. There is a finite number of options with phone numbers – in the U.S., a phone number is 10 digits.
The hacker can simply send messages to any combination of digits that is the same length as a phone number. They can try any and all combinations of digits with no harm, no foul. Gartner reports that users read 98% of text messages and respond to 45%. This makes text very logical for hackers to use as an attack vector, especially when, as reported by Gartner, only 6% of emails receive responses.
Pharming is an advanced cyberattack that silently redirects users from legitimate websites to fraudulent ones in order to collect sensitive information. Attackers use malicious techniques such as phishing to get started: the code executed from the phishing email compromises the victim’s computer or router and redirects their web traffic to the attacker’s spoofed website. The aim of this website is to collect as much sensitive information as possible, such as login credentials and financial data.
Pharming attacks occur when cybercriminals manipulate the Domain Name System (DNS) or compromise a user’s device to redirect them to a fraudulent website. DNS is a system that translates domain names (like www.example.com) into IP addresses so that browsers can load the correct website. In a pharming attack, attackers corrupt this process to redirect users to malicious websites that mimic legitimate ones.
Quishing, a term derived from “QR code phishing”, is a type of cyberattack where cybercriminals use malicious QR codes to trick people into visiting fake websites or downloading malware onto their devices. These malicious QR codes can be embedded in emails, advertisements, and flyers, or simply placed on top of pre-existing QR codes to target an unsuspecting user. The purpose of this attack is to steal sensitive information such as passwords and financial data, or to infect a user’s device with malware that can lead to further exploitation in the future.
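An added example, not part of the original page: a Python check for one device-level form of the redirection described above, a local hosts-file entry that overrides DNS for a domain you care about. The hosts file as the mechanism, the watched-domain list, and all names and addresses in the sample are assumptions made for illustration.

```python
import ipaddress

# Constructed hosts-file content; names and addresses are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 203.0.113.9 www.example-bank.test   (commented out, ignored)
198.51.100.23  www.example-bank.test login.example-bank.test  # injected
192.0.2.10  intranet.corp.test
"""

# Hypothetical list of domains that should never be pinned locally.
WATCHED = {"example-bank.test"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not a valid IP address
        for name in fields[1:]:  # one line may map several names
            yield str(addr), name.lower().rstrip(".")

def suspicious_overrides(text, watched=WATCHED):
    """Return (hostname, address) for entries that override a watched domain."""
    hits = []
    for addr, name in parse_hosts(text):
        # Match the domain itself or any subdomain, not look-alike suffixes.
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, addr))
    return hits
```

On a real machine the input would be the contents of the system hosts file; a router-level or resolver-level compromise does not show up here and needs a comparison against a trusted resolver instead.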
QR codes are designed to make life easier, but this simplicity is what makes them a prime target for cybercriminals. Since the user can’t see the URL hidden in the QR code until after scanning, quishing can be challenging to detect until it’s too late.
Social media phishing refers to an attack executed through platforms like Instagram, LinkedIn, Facebook, or X. The purpose of such an attack is to steal personal data or gain control of your social media account.
Social media has become as ubiquitous as the air we breathe. Individuals use Facebook, Instagram, X, and a multitude of other platforms to keep up with friends and family, stay on top of the latest news, date, and connect with the world.
Businesses also use social media to keep customers informed about their latest product offerings and events, for marketing, and to attract new business. This makes social media an attractive platform for threat actors to execute phishing attacks. Tools such as Hidden Eye or ShellPhish make these types of phishing attacks as easy as running an application.
Trend Micro™ Email Security screens out malicious senders and analyzes content to filter out spam. It examines sender authenticity and reputation and defends against malicious URLs.
Cross-generational threat defense techniques bolster protection against threats, establishing visibility and control across evolving threat landscapes.